
Peachstate Not A Peachy OCR Settlement – Ep 307 

 June 4, 2021

By  Donna Grindle

It’s been a while since we’ve reviewed an OCR settlement that wasn’t about the patient right of access initiative. Things are a changin’, and in more ways than one. OCR announced the Peachstate settlement just this week, and it got our attention. How this case ended up being investigated in the first place is interesting. And as usual, the headline doesn’t tell the whole story. So, let’s dive in and check it out.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The HIPAA Boot Camp

Virtual Edition Aug 17-19, 2021

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[06:26] “… as I’m building our HIPAA program, I came across some things I do not completely understand, even after reading the government sites and guidance. So another question, is there a podcast that goes into detail about what is required for an audit, how frequently you need to do one (I think I read 6 per year?), how best to document the audit details, and common mistakes?”

Let’s be clear what we mean when we say audits first. To us, that is a regular review of your policies and procedures to confirm they are working properly and being followed. HIPAA sets no specific audit schedule or format. The Security Rule requires a periodic evaluation and regular review of information system activity records, but how often and how deep is based on what is reasonable and appropriate for your environment.

Each of your policies and procedures should require some level of auditing for performance. For example, your plans for having an up to date and monitored patch management program should be confirmed with regular reports that are actually reviewed. To some, that could be considered an audit.

However, you should also review all of your policies and procedures themselves to make sure they are still adequate and functioning. Our Free HIPAA Compliance Management Plans give you an idea of what we suggest.

Peachstate Not A Peachy OCR Settlement

[12:14] A new OCR settlement was announced this week. As always, the money is what most people look at, and we say it is the CAP that really matters. That is definitely the case on this one.

The official press release about the settlement is where we always like to start because the quote from the OCR Director that is always included sets the stage. The headline reads: Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations. They always announce these enforcement actions to send a message to the community as a whole about what is considered unacceptable efforts for managing privacy and security in healthcare.

The announcement says:

In December 2017, OCR initiated a compliance review of Peachstate to determine its compliance with the HIPAA Privacy and Security Rules. OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.

And the quote, as expected, points out this is not a good thing that they found.

Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information. This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information. - Robinsue Frohboese, Acting OCR Director (https://www.hhs.gov/about/news/2021/05/25/clinical-laboratory-pays-25000-settle-potential-hipaa-security-rule-violations.html)

Key notes here: “systemic noncompliance” used in conjunction with your organization is never what you want to see. The point that says “failure to implement basic Security Rule requirements” is also not one you ever want to see associated with your name.

It is one thing to show your work and have it judged inadequate; in that case OCR will usually work with you. Based on some of the wording in this agreement, it seems Peachstate had nothing to offer when that first investigation notification letter arrived. Even more important is what is in the 3 year corrective action plan, or CAP. Yes, 3 years. We haven’t seen one of those since Med Informatics a few years ago. Let’s check out what they found.

What happened?

[17:59] On January 7, 2015, the VA reported a breach involving the VA’s Telehealth Services Program managed by its business associate, Authentidate Holding Corporation (AHC).

On August 31, 2016, OCR opened their compliance review of AHC. During that review, it was learned that AHC and Peachstate had earlier entered into a “reverse merger” on January 27, 2016. That is when AHC acquired Peachstate.

OCR opened a new compliance review into the Peachstate clinical labs at that point.

Just to clarify, VA breach causes investigation into a BA called AHC. AHC and Peachstate did their reverse merger so OCR started a new investigation of them.

First, what is a reverse merger? It is one of the many tricky moves businesses make between public companies and private companies. In most mergers the public company buys the private company and absorbs it into the enterprise. In a reverse merger the private company is bought by the public company but is not absorbed by it. The private company continues operating, but now as a public company. No need for an IPO and all the vetting and paperwork that goes with it, which can take months or even years.

That means AHC acquired Peachstate, and Peachstate then began operating its labs within the public holding company, on top of the things it was already doing that got it into this mess.

This alone is unique. OCR has always said they will go wherever the investigation takes them once they start, until they decide they are done. This one kept going like a well known battery bunny!

Official findings from the investigation

[21:42] If we are seeing a case related to the Security Rule, you know one thing that will always be in there with almost certainty. Let’s just start there with the Peachstate settlement findings:

  1. Failed to conduct a proper SRA. Not unexpected. If you failed to do this part properly, you know what comes next.
  2. Failed to implement a security risk management plan. This is pretty much automatic. You can’t have a proper risk management plan if you never determine what risks you are going to manage.
  3. Failed to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. Note that it says procedural. We need to discuss logs again and point out that just because you don’t have systems to review logs doesn’t mean you get a pass. Find a way to do it procedurally. Of course, this issue is less fundamental than the two above.
  4. Failed to maintain written policies and procedures, and to maintain a written record of any action, activity, or assessment required by HIPAA (all of Subpart C) or by their own policies and procedures. Hard to do when you never had them in the first place.
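Finding number 3 is the one most small shops can actually fix this week. A “procedural mechanism” to examine activity does not require a SIEM; it requires someone to pull the access log on a schedule, check it against a short list of questions, and write down what they found and what they did about it. The script below is an added example of exactly that review, not code from the podcast, from OCR, or from Peachstate’s CAP. It assumes a hypothetical lab information system that writes one line per event as timestamp, user, action, patient id (or a dash), and source IP; the sample log, the authorized user list, the internal network range, and the thresholds are all constructed for the example. Every finding it produces is something a reviewer must disposition by hand, which is the point of the written record it prints.

```python
"""
Procedural information-system activity review over ePHI access logs.

Added example, not from the podcast, OCR, or Peachstate. Reads a
hypothetical lab-system access log, one event per line:

    <ISO-8601 timestamp> <user> <action> <patient-id or -> <source-ip>

and returns the findings a reviewer must work through and sign off on.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed sample log. tmoore is a departed employee whose account was
# never disabled; rlee pulls a burst of charts around midnight.
SAMPLE_LOG = """\
2021-05-03T09:12:44 jsmith VIEW MRN-10021 10.1.4.22
2021-05-03T09:15:02 jsmith VIEW MRN-10087 10.1.4.22
2021-05-03T10:02:17 svc_lis EXPORT - 10.1.9.5
2021-05-03T13:40:09 tmoore LOGIN_FAIL - 203.0.113.40
2021-05-03T13:40:31 tmoore LOGIN_FAIL - 203.0.113.40
2021-05-03T13:41:05 tmoore LOGIN_FAIL - 203.0.113.40
2021-05-03T13:41:40 tmoore LOGIN - 203.0.113.40
2021-05-03T13:42:12 tmoore VIEW MRN-10044 203.0.113.40
2021-05-03T23:48:10 rlee VIEW MRN-10021 10.1.4.31
2021-05-03T23:49:55 rlee VIEW MRN-10044 10.1.4.31
""" + "".join(  # constructed burst: 30 more charts viewed by rlee after hours
    f"2021-05-03T23:5{i // 6}:{i % 6 * 10:02d} rlee VIEW MRN-2{i:04d} 10.1.4.31\n"
    for i in range(30)
)

AUTHORIZED_USERS = {"jsmith", "rlee", "svc_lis"}      # assumed access list
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed clinic network
BUSINESS_HOURS = (7, 19)      # 07:00 to 18:59 local, assumed
BULK_THRESHOLD = 25           # distinct patients per user per period, assumed
FAILED_LOGIN_THRESHOLD = 3    # assumed
PHI_ACTIONS = {"VIEW", "EXPORT", "PRINT"}


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    detail: str


def parse_line(line):
    """Return (timestamp, user, action, patient, ip), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], ipaddress.ip_address(parts[4])
    except ValueError:
        return None


def review(log_text, authorized=AUTHORIZED_USERS, business_hours=BUSINESS_HOURS,
           bulk_threshold=BULK_THRESHOLD, internal_nets=INTERNAL_NETS):
    """Run the periodic checks over one review period and return sorted Findings."""
    findings = []
    events = defaultdict(int)        # user -> total events seen
    after_hours = defaultdict(int)   # user -> PHI actions outside business hours
    patients = defaultdict(set)      # user -> distinct patient ids touched
    failed = defaultdict(int)        # user -> LOGIN_FAIL count
    external = defaultdict(set)      # user -> source IPs outside internal nets
    start, end = business_hours
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:  # never silently drop log lines during a review
            findings.append(Finding("malformed", "-", f"line {n}: {line!r}"))
            continue
        ts, user, action, patient, ip = rec
        events[user] += 1
        if action == "LOGIN_FAIL":
            failed[user] += 1
        if action in PHI_ACTIONS:
            if not (start <= ts.hour < end):
                after_hours[user] += 1
            if patient != "-":
                patients[user].add(patient)
        if not any(ip in net for net in internal_nets):
            external[user].add(str(ip))
    for user, count in events.items():
        if user not in authorized:
            findings.append(Finding("unauthorized_user", user, f"{count} events by account not on access list"))
    for user, count in after_hours.items():
        findings.append(Finding("after_hours", user, f"{count} PHI actions outside {start:02d}:00-{end:02d}:00"))
    for user, ids in patients.items():
        if len(ids) >= bulk_threshold:
            findings.append(Finding("bulk_access", user, f"{len(ids)} distinct patients in review period"))
    for user, count in failed.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(Finding("failed_login_burst", user, f"{count} failed logins"))
    for user, ips in external.items():
        findings.append(Finding("external_source", user, "access from " + ", ".join(sorted(ips))))
    return sorted(findings, key=lambda f: (f.kind, f.user))


def review_record(findings, reviewer, reviewed_on, period):
    """The written record: who reviewed, when, which period, and a disposition line per finding."""
    lines = [f"Information system activity review for {period}",
             f"Reviewed by {reviewer} on {reviewed_on}",
             f"Findings: {len(findings)}"]
    for f in findings:
        lines.append(f"  [{f.kind}] {f.user}: {f.detail} -- disposition: ________")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_record(review(SAMPLE_LOG), "Security Officer", "2021-05-04", "2021-05-03"))
```

Run it and the sample produces five findings: the departed tmoore account is not on the access list, logged in from outside the clinic network after three failed attempts, and rlee viewed 32 distinct patients, all after hours. None of that requires a product; it requires a calendar entry, the thresholds written into your policy, and the completed record filed where you can hand it to an investigator.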

There are four big ones. Take that list and go check your program. Because the $25,000 fine is not a big deal here. Most companies would gladly pay that and so would their insurance providers. The CAP, now that is the big deal.

3 Year Corrective Action Plan Requirements

[32:40] Within 90 days:

Conduct a comprehensive, enterprise-wide risk analysis of the security threats and vulnerabilities of all electronic PHI created, received, maintained or transmitted by Peachstate, including all electronic media, workstations, and information systems owned, controlled or leased by Peachstate, which store or can access electronic PHI. As part of this process, Peachstate shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI which will then be incorporated in its risk analysis.

Then there will be the review of the report and findings which could result in more effort until OCR feels it is adequate.

SRA

The requirement to annually review it is included in there also.

Peachstate shall review the risk analysis annually. Peachstate shall also promptly update the risk analysis in response to environmental or operational changes affecting the security of electronic PHI. Following an update to the risk analysis, Peachstate shall assess whether its existing security measures are sufficient to protect its electronic PHI, and revise its risk management plan, policies and procedures, and training materials, as needed.

RM Plan

The risk management plan must be included within the first 90 days too.

The risk management plan shall be forwarded to HHS for review and approval within 90 days of the Effective Date. HHS shall approve, or, if necessary, require revisions to Peachstate’s risk management plan.

Within 30 days of HHS’s approval of the risk management plan, Peachstate shall finalize and officially adopt the risk management plan in accordance with its applicable administrative procedures.

Policies and Procedures

Then, you need to get your policies and procedures done really quickly.

Within 30 days of HHS’s approval of the risk analysis and risk management plan Peachstate shall provide such policies and procedures to HHS for review and approval. Upon receiving any required changes to such policies and procedures from HHS, Peachstate shall have 30 days to revise the policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. This process shall continue until HHS approves such policies and procedures.

Get them distributed to all members of the workforce within 30 days of HHS’s approval of their policies and to new members of the workforce within 15 days of the beginning of service.

We started this episode talking about the need to audit your policies and procedures. Well, guess what they included in here:

Assess, update, and revise, as necessary, the policies and procedures at least annually.

Every single change must be approved by HHS and then distributed to staff within the same time frames as the original. That is for 3 years.

Reporting of any workforce violations

Reporting of any case where workforce members failed to comply, what happened, how was it handled, etc. – for three years.

Training

Submit a full training plan within 30 days of approval of the policies and procedures. Once it is approved then train everyone within 30 days of that approval and then at a minimum of every 12 months afterwards. New workforce members have 15 days to do their training.

This nice little notice reiterates why we say generic training alone does not cut it.

Peachstate shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.

Monitoring

[40:56] This is the big new thing. Never seen it in a CAP that I can recall.

Designation of Independent Monitor. Within 60 days of the Effective Date, Peachstate shall designate an individual or entity, to be a monitor and to review Peachstate’s compliance with this CAP. The Monitor must certify in writing that it has expertise in compliance with the HIPAA Security Rule and is able to perform the reviews described below in a professionally independent fashion taking into account any other business relationships or other engagements that may exist. Within the above-referenced time period, Peachstate shall submit the name and qualifications of the designated individual or entity to HHS for HHS’s approval. Upon receiving such approval, Peachstate shall enter into an agreement with the Monitor for the reviews specified below.

But then there are specific requirements for the Monitor to perform under the CAP.

retain and make available to HHS, upon request, all work papers, supporting documentation, correspondence, and draft reports, including those exchanged between the Monitor and Peachstate, related to the reviews. Peachstate shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the effective date.

There are specific requirements for the reviews, reports and responses that must be done and even how they could choose to remove or terminate the selected Monitor during the 3 years and replace them.

It even says OCR can question what the Monitor’s reviews and reports include if OCR thinks the Monitor is failing to hold Peachstate accountable.

One more point they stick in there: HHS can still come in and investigate themselves even with the Monitor in place.

Here is a link to the CAP. Check it out yourself.

Peachstate Resolution Agreement and Corrective Action Plan

Regular reporting of status

As always, there is the requirement to submit status reports and attestations that put leadership on the line.

Attestation signed by an owner or officer of Peachstate attesting that the policies and procedures are being implemented, have been distributed to all appropriate members of the workforce, and that Peachstate has obtained all of the compliance certifications.

This one requires more attestations and reporting than we’ve ever seen. Things like:

A summary/description of all engagements between Peachstate and the Monitor, including, but not limited to, any outside financial audits, compliance program engagements, or reimbursement consulting, if different from what was submitted as part of the Implementation Report;

Wow… just wow.

Things are changing, folks. OCR resolution agreements are a great way to educate yourself on what you should be doing. OCR includes the items they are looking for in the CAP. Be looking for even more changes as HHS starts to implement the HITECH amendment for recognized security practices. Is your privacy and security program at a level to avoid being subject to a CAP like this one?

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
