Over the course of the next year, OIG is expecting to increase oversight of the Department of Health and Human Services’ Office for Civil Rights.
OIG will also be looking closely at a specific area of HIPAA compliance: How hospitals are complying with the HIPAA Security Rule requirement for contingency planning for emergencies.
HIPAA Requirements for Coping in Emergencies
The administrative safeguards of the HIPAA Security Rule (45 CFR, Part 164 § 308(7)(i)) require all covered entities to be able to continue to function during emergency situations. Access to Protected Health Information (PHI) must be maintained at all times. Should access be lost, it must be restored as a priority. In order for covered entities to be able to do this, proactive steps must be taken. It is essential that policies and procedures are developed that can be implemented in case of disaster. Rapid action is required, and every individual must be aware of his or her responsibilities in case of emergency.
This applies to emergency situations such as natural disasters, as well as to times when EHR systems or other electronic equipment used to store PHI is damaged or compromised, such as during cyberattacks. Procedures will also need to kick in in the event of fire, sabotage, or system failure.
Covered entities must have an emergency response plan which can be implemented immediately to ensure essential medical care can still be provided to patients. For that to be the case, access to PHI will be required. It must be assumed that access to any item of equipment could be lost, so covered entities must perform regular data backups and have policies that cover all emergency situations.
Policies and procedures must be developed to ensure that data is backed up. Restoring data from backups must be tested to make sure that data is recoverable. Hospitals and other healthcare providers must be able to reconstruct data without loss. An exact copy of PHI must therefore exist. If backups are stored off-site or require transportation, encryption will ensure that loss of physical media will not expose any patient data.
Steps must be taken to ensure that in the event of a disaster, critical business practices can continue and data security protections persist when operating in emergency mode. Policies and procedures must be developed to ensure this is the case.
Periodic assessments should be conducted to ensure that policies remain valid. It is necessary to revise policies as and when necessary, such as following upgrades to new equipment used to store PHI, or after the installation of new software systems.
Covered entities should also perform a HIPAA applications and data criticality analysis, unless it can be shown why it is not relevant for an organization. Working out which systems are most critical only once emergency mode has been entered wastes valuable time. Covered entities must know in advance the order in which systems need to be restored or repaired.
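An added example, not from the article or from OIG/OCR, of two checks the contingency-planning requirements above call for: verifying a test restore against a hash manifest recorded at backup time (an "exact copy" means nothing missing, altered or unexpected), and deriving a restoration order from a criticality analysis that also respects dependencies between systems. File names, record contents and system names are constructed.

```python
import hashlib
from typing import Dict, List

# Constructed sample data: "original" PHI files and what a test restore produced.
ORIGINAL = {
    "ehr/patient_0001.json": b'{"mrn": "0001", "dx": "J45.909"}',
    "ehr/patient_0002.json": b'{"mrn": "0002", "dx": "E11.9"}',
    "lab/results_2015-11.csv": b"mrn,test,value\n0001,HbA1c,6.1\n",
}
RESTORED = {
    "ehr/patient_0001.json": b'{"mrn": "0001", "dx": "J45.909"}',
    "ehr/patient_0002.json": b'{"mrn": "0002", "dx": "E11.90"}',  # silently altered
    # lab/results_2015-11.csv is missing from the restore
}

def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per file. Record this at backup time and keep it apart from the backup."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def verify_restore(expected: Dict[str, str], restored: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a restore against the backup-time manifest; all three lists must be empty."""
    actual = manifest(restored)
    return {
        "missing": sorted(p for p in expected if p not in actual),
        "altered": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(p for p in actual if p not in expected),
    }

# Constructed criticality analysis: higher score = restore sooner; edges = "needs".
CRITICALITY = {"identity": 5, "ehr_db": 4, "ehr_app": 5, "pacs": 3, "billing": 1}
DEPENDS_ON = {"ehr_app": ["ehr_db", "identity"], "ehr_db": ["identity"],
              "pacs": ["identity"], "billing": ["ehr_db"]}

def restore_order(criticality: Dict[str, int], depends_on: Dict[str, List[str]]) -> List[str]:
    """Most critical first, but never before the systems it depends on (DFS with cycle guard)."""
    ordered: List[str] = []
    done, visiting = set(), set()
    def visit(system: str) -> None:
        if system in done:
            return
        if system in visiting:
            raise ValueError(f"dependency cycle at {system}; fix the analysis first")
        visiting.add(system)
        for dep in sorted(depends_on.get(system, []), key=lambda s: -criticality[s]):
            visit(dep)
        visiting.discard(system)
        done.add(system)
        ordered.append(system)
    for system in sorted(criticality, key=lambda s: -criticality[s]):
        visit(system)
    return ordered
```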
OIG to Assess How the OCR is Overseeing the Security of ePHI
Two reports issued earlier this year by OIG strongly criticized OCR for failing to make sufficient efforts to oversee covered entities' compliance efforts, in particular regarding the ongoing delays to the audit program. The next round of HIPAA compliance audits has been much delayed, and a permanent audit program appears to be no closer to becoming a reality. Since the issuing of the OIG reports, OCR has announced that the compliance audit program will be starting in early 2016, with a Q1 2016 start expected.
OIG previously found that priorities had not been established and that HITECH Act requirements had yet to be implemented. As a result, OCR had not obtained sufficient assurances that covered entities were complying with HIPAA and HITECH. Instead, OCR's efforts to enforce HIPAA rules were largely reactive, with audits and assessments for HIPAA violations only being conducted following self-reported security breaches and complaints received from the public.
OIG has stated in the 2016 Work Plan that more oversight of OCR is on the cards over the coming 12 months.
The information system security controls of state-based marketplaces will also be reviewed. In the Work Plan, OIG has announced:
We will conduct vulnerability scans of Web-based systems using automated tools that seek to identify known security vulnerabilities and discover possible methods of attack that can lead to unauthorized access or the exfiltration of data.
OIG Adds Oversight of Medical Device Security
Further oversight will involve assessing the role of the Federal Trade Commission (FTC) in determining whether medical devices contain sufficient controls to safeguard recorded PHI, in particular those medical devices that are connected to hospital networks.
In recent months there have been increasing concerns raised about the security of medical devices. Medical devices have been discovered to contain vulnerabilities which could potentially be exploited, allowing malicious outsiders to gain access to PHI or even EHRs.
Many of these devices transmit data over wireless networks, which must be appropriately secured. At present, the manufacturers of these devices are required to produce Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms, which HIPAA-covered entities can use to assess the level of security. Covered entities must study these forms before deciding to use the devices.