BreachExchange mailing list archives
The case for standardizing PHI breach disclosure
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Jun 2015 20:33:07 -0600
http://www.govhealthit.com/news/case-standardizing-phi-disclosure

With the barrage of highly publicized Protected Health Information (PHI) breaches affecting small and large health systems, organizations should expect that privacy and security measures for PHI will come under even greater scrutiny by regulators. Most notably, the Office for Civil Rights (OCR) HIPAA Phase 2 audits, which are scheduled to begin this year, are likely to be more demanding than the Phase 1 pilot audits. These privacy, security and breach notification audits will determine whether the health system has performed an adequate security risk assessment (SRA) and subsequently developed a remediation plan based on the findings of its SRA. Until the top issues noted in the SRA have been resolved, OCR will monitor the health system’s progress on its remediation plan.

Because of this auditing process, forward-thinking facilities have determined that a centralized, enterprise-wide PHI disclosure process offers greater oversight, ensuring that security and privacy protocols are followed and documented. A standardized strategy for PHI disclosure that is supported by technology not only better prepares a health system for an audit, but can also greatly reduce the PHI disclosure management burden, strengthen control of the process and improve communication between departments, including the ambulatory setting.

Rarely a ‘cyber-attack’

The PHI breaches that received the most attention in 2014 were the result of cyber-attacks, but these incidents are still rare, according to survey results reported last year by the Ponemon Institute. In fact, 46 percent of survey respondents reported that unauthorized PHI disclosure was attributed to unintentional employee negligence, not including theft of a laptop or other device containing PHI. This inadvertent negligence can be attributed to inconsistent organizational policies, processes not being followed, and uncertainty among staff with different levels of training and experience.

Unfortunately, during a HIPAA Phase 2 audit, OCR may characterize this type of inconsistency as a demonstration of “willful neglect” (defined as the conscious, intentional failure or reckless indifference to compliance) if no steps are taken to remedy the situation. Healthcare entities that still operate in a “hybrid” environment, in which some departments or facilities continue using paper forms and fax machines in addition to electronic exchange of information, exacerbate the PHI disclosure management risk. In these environments, the required PHI accounting of disclosures (AOD) and its oversight are a particular challenge, which leads to less than optimal compliance. Only 25 percent of Ponemon Institute survey respondents report “full compliance” with the AOD requirements, and 31 percent had developed an “ad-hoc” process just to comply with the rule.

How disclosure can mitigate risk

After performing an SRA and noting many of the PHI disclosure management challenges, the organization may decide to pursue an enterprise-wide approach to disclosure management. This approach offers hospitals and healthcare systems the ability to utilize software and services that can be deployed as a common tracking platform across the enterprise, including health information management (HIM), the business office, radiology, other ancillary departments and physician practices. By implementing a centralized system to handle the access and disclosure of PHI, healthcare facilities obtain the interdepartmental communication, policy enforcement, level of oversight, quality assurance and transparency necessary to comply with the increasingly complex, technologically driven regulatory and legislative environment. Not only does this strategy address current PHI disclosure compliance gaps and risks, it also prepares the hospital or health system for the future.

More importantly, if the healthcare facility is selected for an OCR Phase 2 HIPAA audit, a centralized, enterprise-wide process provides ample documentation to demonstrate compliance with the security, privacy and breach notification requirements associated with PHI disclosure.

Disclosure management now a priority

By all accounts, this looks to be a significant year for PHI security and privacy investigation and enforcement by regulators. Organizations can respond by addressing and documenting, at a minimum, their SRA’s most urgent recommendations, with the goal of completing all recommendations before the next fiscal year’s HIPAA audit. For many healthcare entities, standardizing PHI disclosure management across the enterprise, including long-term care, home care, rehabilitation facilities and physician practices, may address many of the SRA recommendations while delivering other benefits. By standardizing processes and applying best PHI disclosure management practices across the system, healthcare leaders can ensure better enforcement of disclosure policies, a manageable workflow and a consistent experience for patients and requesters. Not only does this approach protect a patient’s privacy, it also aligns the health system with meaningful use goals for hospitals and eligible providers, and helps protect the institution against breaches, financial risk, lawsuits and reputational damage.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!