
New HIPAA Safe Harbor – Ep 286 

 January 8, 2021

By  Donna Grindle

Either an incentive or a safe harbor is out there for HIPAA. A safe harbor is a legal term for a provision in a law or regulation stating that certain actions will not be treated as a violation of a given rule. It is often used to clarify big standards like HIPAA; encryption is one of those things under the breach notification rules. What we could call a new HIPAA safe harbor rule is floating around now, although HIPAA incentive may be the more accurate name. Either way, it is a good thing. What is it that is new?


In this episode:

New HIPAA Safe Harbor – Ep 286

Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

HIPAA Say What!?!

[07:51] A new review hit this week that included a question. Yes, that is odd to us but we aim to please! Especially when the review is funny!

Truly a life saver!

☆☆☆☆☆

I have been nerding out to this AMAZING “HIPHHHA” (jk guys) HIPAA* to assert my advocacy rights for a loved one in a long term health facility. I would love if you guys could address the CMS 1135 waivers as it relates to patients’ record rights in this COVID-19 era. Best podcast to help patient advocates yet! Thank you both! C

Slickcart via Apple Podcasts · United States of America · 12/10/2020

First, Slickcart, you should not try to push us over the edge here! We worry about HIPAA. Did you know that CMS 1135 waivers are open to cover the whole freaking healthcare operation?!? During this pandemic things are moving Ferris Bueller kind of fast at hospitals.

Knowing how messed up this can be right now for facilities that are dealing with surges in their patient needs due to COVID-19, I just support their ability to get through it. On the other hand, for the few groups that are not dealing with this crisis I certainly hope they are NOT using these waivers to get around patient access rights under HIPAA. The need to get records where they need to be was challenging for patients before the continued chaos that our healthcare system has endured this year.

The pandemic hasn’t put all providers in the same place. Unfortunately, all we know is that you mentioned a “long term health facility”. I can tell you for sure that our clients who have been dealing with this thing since the beginning include primary care and long term care. When we say HIPAA is about patient care, we mean it. But we are also aware of the load on our healthcare system this year. Without specifics we can only tell you this: the 1135 waivers are not supposed to give providers a pass on providing care, or the records of that care, during the pandemic. They are supposed to give providers the leeway they need to respond to the pandemic without making regulations more important than addressing the sheer volume of patients and their needs. In a lot of these hospitals, people have been pulled from all over the organization to fill gaps just to manage the volume. There may not be resources available to respond to requests for records when they are treating patients in the gift shop, like they are in LA this week.

HIPAA Safe Harbor

[14:25] So, Whiskey Tango Foxtrot, where do I even begin choosing a topic for today? As we plan this episode there is so much going on around us that my head is spinning more than usual. The proposed updates to the Privacy Rule were on the plan for today, but every minute something new comes up that is both distracting and important.

When we recorded our last episode we had just heard that FireEye had disclosed a breach in which its red team (pen testing) tools were stolen. Wow! That has become so very much more since then. We can tell you for sure that what we already know about the SolarWinds supply chain compromise is beyond scary.

Worrying about the supply chain has been on our radar for years. In the last couple of years the MSP supply chain became even more concerning. This thing will likely never be fully revealed to all of us. What we do know is that the tide will turn sooner toward making sure supply chain issues are tightened up.

Can what HIPAA says be changing before our eyes?

We mentioned before that changes could be coming to HIPAA in 2020. Looks like we finally get to see what kind of changes are suggested. HHS announced that it has published a Notice of Proposed Rulemaking (NPRM) with proposed changes to the HIPAA Privacy Rule, open for public comment. The changes are about creating clear definitions of permitted uses and disclosures to keep up with changes in how the healthcare system delivers patient services. The original request for input covered three areas.

  1. Promoting information disclosure for care coordination and case management.
  2. Promoting parental and caregiver involvement and addressing the opioid crisis and serious mental illness (SMI).
  3. Notice of Privacy Practices (NPP)

At a glance there was nothing surprising, but there are a couple of things where it will be interesting to see the comments made on the proposed rules. Adding specific definitions of what the right of access means and includes, for example, will be a key element to watch. After all the enforcement and the continued level of complaints on this topic, the response will be particularly important to see.

With 12 enforcement actions over the failure to provide patients access to their records within the 30-day time frame, it is sort of scary to see them propose changing that to 15 days. Yes, cutting the number in half. I don’t think the outcome for the ones they have made an example of in these recent enforcement actions would be any different. It isn’t like they supplied the records on day 35 instead of day 30. Some of them were years later.

The exciting part is the suggestion, which we have been discussing for some time, that gets rid of the need for patients to sign an acknowledgment that they received the notice of privacy practices. Most patients never read the notice in all the years you handed it to them. Now you have to ask for it in order to read it, even though the documents you sign say you have received it. I know, no one reads them except nerds like me.

I feel pretty certain that paperwork madness will go away. I know we have been looking at the idea of getting rid of it for 4 or 5 years. The struggle is real, people. But keep in mind that you had better have your ducks in a row where the rest of the NPP requirements are involved. We find many groups do not have that under control today, and if you are no longer supposed to hand one to the patient, the other requirements will be open to stricter monitoring.

Frankly, there are so many other issues going on right now that the Privacy Rule NPRM has been pushed aside. There may be other topics from it later, but there are just too many other things getting our attention right now!

What is this new HIPAA Safe Harbor or Incentive?

A safe harbor or an incentive to follow HIPAA security rules, both are good to us.
[15:37] In July 2020, HR 7898 was introduced in the House. Like so much legislation in the last decade, it sat around for a while. Suddenly, in December, it came to life. At the time of this recording it has passed both the House and the Senate and is waiting on the President’s signature. Let’s not go down the path of what that means. The good news is that it passed with no problems and will likely do so again if it never gets signed this time. There are several groups backing this new Act. So what’s the deal?

The bill amends the HITECH Act to provide a liability “safe harbor”: OCR must take into account, when enforcing the Security Rule, whether you can prove you have been following what the bill designates as “recognized security practices”. There are 3 specific impacts on enforcement if you can show that:

  1. Mitigate fines issued in civil money penalty cases.
  2. Result in the early, favorable termination of an audit done under the random audit requirements.
  3. Mitigate the remedies negotiated between OCR and organizations that reach settlements and corrective action plan (CAP) arrangements (the thing we see the most).

You have to show you have been following these “recognized security practices” for the prior 12 months. It isn’t something you can suddenly start doing to solve a problem that already occurred. If you want this safe harbor option you have to have it built into your organization well in advance of problems occurring.

Recognized security practices definition

So what are these “recognized security practices”? This is where we get to celebrate! What have we been recommending for years? Use the NIST Cybersecurity Framework or HICP (since it came out) to build your security program rather than just worrying about HIPAA compliance. While those are our preferred methods the definition does include “other” standards.

“The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule.”

That 2(c)(15) bit is the law that directed NIST to create the Cybersecurity Framework for critical infrastructure. So the specifically designated practices are the NIST CSF and 405(d), i.e. HICP. Yep, it feels good. Of course, we have also discussed the use of the CIS 20 (CIS Controls), which would certainly meet this definition, and of course the HITRUST folks will be all over this one telling you to pay them to confirm you are doing these things.

What Kardon and HMWH Say

[41:48] The good news is that our clients are already well down the right path by working with us and learning from our Help Me With HIPAA podcasts.

  • Kardon Security Risk Analysis and Assessment reports have been referencing NIST CSF requirements for years.
  • The Kardon Policies and Procedures Solution was cross-referenced to the NIST CSF from day one.
  • Kardon’s newly released Healthcare Security Awareness video series is built specifically around the HICP 5 threats discussions and examples, so you can tap into all the freely available information released by 405(d), and it matches.
  • We have taught NIST CSF in every HIPAA Boot Camp, plus HICP in each one after it came out.
    • We also cover the CIS 20 and other framework concepts in the HBC.
  • We have tons of podcast episodes about these topics going back to the beginning of this journey. The first time we talked about NIST CSF was in August 2015; we have covered CIS 20, HITRUST, and HICP several times since.
  • Both Donna and David are on the 405(d) Task Force.

We can easily say that our clients are already working with the basics of these recognized security practices at some level right now. We just need to fill in the parts they may be missing. The more groups have done with us, the better off they are the minute this is signed. We are very excited to share this news with all of the groups we have been putting through our systems. It was hard work, but we promised them it was worth it. Now they are way ahead of others who just worried about checking HIPAA boxes. Those “do HIPAA the easiest way possible” followers have to start from scratch and build programs that go beyond minimal compliance requirements. Yes, HIPAA is the floor. These standards are about building a formal cybersecurity program.

Important notes

  • You have to prove you have been doing it for the prior 12 months. Start now to build your proof.
  • It is not a requirement; you do not have to do this to meet HIPAA regulations. There is no penalty for choosing not to do this.
  • It is not a guarantee that you will get some sort of pass in enforcement; it just means OCR must take it into account when doing the enforcement.

We will be interviewing John Miller in a couple of weeks to discuss the pressure all the ransomware and cyberattacks have put on cyber insurance policies. Something tells me the lawyers and insurance companies will be very interested in making sure you do the work to reduce those liabilities. Who wouldn’t want to do that? There will be plenty to discuss with John and others like Erik Decker in the coming weeks as this progresses.

We have so many plans already in place to use the NIST CSF and HICP “recognized security practices” for new programs rolling out in 2021. This is very exciting for us and we will definitely be talking about where this goes from here.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
