
HIPAA Summit Review Part 2 – Ep 403 

April 21, 2023

By Donna Grindle

Today, we cover part two of our review of the HIPAA Summit. We will cover notes from a privacy officer roundtable, security tips from IT’s point of view, key points from crisis vendors and a very interesting discussion around mergers and acquisitions. Listen in to pick up where we left off from part 1 of our 2023 HIPAA Summit Review.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

[03:15] Privacy officer roundtable

Privacy roundtable notes:

  • It is better to proactively report breaches to OCR and apologize now than to avoid or hide reporting. That goes for the organization and the workforce. Everyone should know it.
  • Reporting by workforce members should be handled with compassion and empathy, not the “gotcha” approach that discourages reporting.
  • Make sure everyone knows “Tom”. If anything seems wrong or goes wrong, call “Tom.”
  • Stressing the importance of Privacy and IT overlap is working better than in the past. Without it, we get nowhere.
  • It is important to understand that the HIPAA law is not some new law that we all have to figure out. There really is no excuse for not having a robust HIPAA program in any established business.
  • Snooping is still a big concern, and it doesn’t automatically improve without watching it closely and training effectively. The more private the data, the more likely the snooping (specialists, mental health, substance abuse, HIV, etc.).
  • Create 60-90 sec video training on FAQs and “frequent flier” issues coming into privacy and security officers’ wheelhouse. For example, the difference between anonymized and de-identified. One says it can never be reidentified, while the other says we removed the identifiers, but it may be possible to re-identify it.
  • Use any gimmicks, games, and activities that can promote the privacy program. You never know what will “stick.”
  • There is no such thing as a “forever BA.” Make sure someone is following up on their risk management and confirming that PHI is protected or properly destroyed when it should be.

[18:57] Security Points

Planning for long-term IT outages:

  • Include a way to handle help desk calls. People constantly calling to find out when things will be back up and running is not productive for the team in any way. How do you route calls for “real” needs?
  • IT needs to be protected during an incident/outage. They have one leadership contact and their incident contacts. Every second they are dealing with something besides the problem means they are not dealing with the problem.
    • Normal IT channels are not available during a crisis – everyone must know that before one happens.
  • IT should not be the ones at the top of the IRT/BCP/DR org chart. Someone else should handle the response while the IT team is allowed to focus on the issue at hand – keeping the business up and running.
  • Leadership should focus on how to support the crisis team in place and work with them just like all other staff.
  • Include BCP and tabletop exercises in board/leadership discussions. They need to be aware that the real world we live in means you could be limited or have no access for 12, 36, 72 hours or more.
  • Make templates for notices that need to go to a lot of folks. Work with PR and Marketing in advance to have things prepared.
    • Staff
    • Board
    • Partners
    • Patients
    • Community
    • Media
  • Anything you can prepare for communications in advance will keep response time for messaging to a minimum which helps keep things from going off the rails.
  • Make sure your Business Impact Analysis (BIA) includes more than just PHI. What do you need to keep the business running for 2 weeks without normal operations? Start there and then expand to 1 month.
    • Set an RTO and RPO for every item in the BIA.
    • The entire plan should be built on the findings of the BIA. That is your key to getting things up and running again.
  • Don’t let your plan be “credenza ware” for executive staff. That includes a digital version.
  • Now is the time to review your plan. Especially if you haven’t had an outage in a while. Build relationships now.
  • “Luck favors the prepared.”

[31:47] What crisis vendors want you to know.

  • “We can do this together” should be the message from the first phone call.
  • Have the relationships set up in advance.
  • Other key elements of your plan must address Who, Where, & How.
    • List of people who know how things work – network, firewalls, servers, cloud services, email configuration, etc.
    • Include the primary and at least one backup person.
  • Make sure you do tabletop exercises that include those at the board level.
  • There are a lot of legal risks involved, not just compliance. In today’s world, you must realize you will likely be dealing with at least one plaintiff in a civil suit also. Getting things under privilege is expensive, but required. Also, be careful that the attorney is prepared to hire the teams you bring in and that your coverage will pay for it.

[37:36] Can ChatGPT cause more problems than just privacy concerns?

We all know you should absolutely not put any confidential information into any of these AI tools today. But:

  • What if you use it to write code that you use internally?
  • What if the code you are using, or the code you are debugging with it, is proprietary?
  • What if you have it build code for you that creates problems that you have to worry about now?

[38:48] Other interesting discussions:

  • Access to records. There is still a problem with providers saying they can’t email records to patients when asked to do so. That is not true.
  • Amendment of records. Dealing with bad data in your records. HIPAA lets you amend within a certain time frame, but… Let’s say a patient has chronic problems over 10 years. The records show several diagnosis codes that turn out to be wrong. But by the time they determined they were wrong and what the problem was really about, they were beyond the legal amendment time frame. How do you address the fact that this data is actually an incorrect diagnosis?

[41:49] Mergers & Acquisitions discussion

This was one of the best discussions for me during the Summit.

They discussed the things they look for when evaluating a “target” organization for Mergers & Acquisitions. I think this provides a unique opportunity to look at your privacy and security program through a true business perspective. Would you want to merge with or acquire your own organization? Will the status of your privacy and security program make you want to walk away or pay way less money to take on the liabilities?

  • Start with the end result in mind – what do you want to know – the main risks for privacy and security within the entity.
  • If you have to do HIPAA from scratch, it is often a heavy lift that should be considered in the negotiations.

Things to watch for when doing the review:

  • Policies and procedures submitted for review that look like the binder was put together on the plane heading to the meeting.
  • Does it look like the BAAs are signed like they are simply an insurance policy to prove compliance, not actually defining the requirements and services?
    • Some BAAs are signed by non-BA service providers. They essentially “elected” to commit to following HIPAA by signing a BAA when not necessary.
  • De-identification of data is a great example of why BAAs should be reviewed. They had an “expert” review the de-identified data to confirm it met requirements. Turns out the “expert” was an expert in analysis of traffic patterns, not in de-identification of data. Make sure someone is looking at data sharing apps and services to find these things. “Can’t be a yodeling expert who approved your de-identified data logic.”
  • If there has been a breach, how has it been received by the public? Will the M&A improve trust or take you down with them?
    • One speaker relayed a story about a “target” that was in an open investigation. They found so many problems it became a money pit, and they eventually just had to shut down the business they acquired.
    • In another case, they asked for details about a recent ransomware attack being investigated by OCR. Companies doing an acquisition want to see the data request and response. They were told that the information is privileged and they can’t see it. Attorneys had to talk and C-suite leaders had to talk to make anything move forward.

There was a lot more I learned from the 2023 HIPAA Summit, but the topics we covered in these latest podcasts are the ones I thought were most important and interesting. We will expand on several of these topics in upcoming episodes, but it’s important to understand that these items are things being seen, reviewed, discussed and questioned not only by OCR during an investigation but potentially by others. You never know who might start asking questions about your privacy and security program.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
