The HIPAA Omnibus Rule
Over the past seven years there have been many government mandates for health care that you should know and understand. Because the HIPAA Omnibus Rule has had a considerable impact on the healthcare industry, we have put together a breakdown of what HHS and its auditors expect.
Service Providers are Accountable
First, it is important to know that technology providers servicing healthcare providers have access to their Electronic Protected Health Information (ePHI). Because of that access, the same regulations apply to technology vendors. These providers include technology services providers, EHR vendors, copier companies, appointment reminder services, cleaning services, and other subcontractors.
What is ePHI?
Before we continue, it’s important to understand that ePHI includes any of the following:
- Names
- Addresses
- Geographic subdivisions smaller than a state
- All elements of dates directly related to the individual (Dates of birth, marriage, death, etc.)
- Telephone numbers
- Facsimile numbers
- Driver’s license numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers, certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers
- Full face photographic images and any comparable images
Changes of Note
Under the Omnibus Rule, covered entities and business associates are liable for the acts of their respective business associate agents, and HHS is required to initiate a formal investigation when a party appears to have exhibited willful neglect. Since the ruling, the HITECH Act has provided increased civil monetary penalty structures; as a result, HHS may impose civil fines up to $1.5 million per violation with no upper limit. The rule also replaces the breach notification rule’s “harm” threshold with a more objective standard.
Practice Security Policy
A solid security policy includes mechanisms to implement all “required” and “addressable” specifications for the protection of ePHI. The policy should set standards that ensure adequate and efficient security measures, and it should cover administrative safeguards, physical safeguards, and technical safeguards.
Periodic Audits: The Bounty Hunters are Coming!

CMS audit fines apply to Eligible Professionals (EP), Business Associates (BA) and subcontractors:
- Fines increased from $100 to $50,000 per violation, up to $1.5 million per year, with new criminal liabilities and no maximum fine.
- Department of Health and Human Services (HHS) non-compliance fines return to HHS’ coffers, and (by law) individuals will share in the proceeds.
- State Attorneys General can now bring civil actions on behalf of their citizens.
- A liability chain is in place with an expanded definition of Business Associates (BA).
- Business Associates and subcontractors are now statutorily obligated.
- Data breach notification requirements have changed.
Up to 10% of all attesting EPs are audited. After an audit, 23% of EPs failed to meet Meaningful Use standards, and 99% of failing EPs did not meet appropriate measures and objectives. A provider that fails just one element of a Meaningful Use audit must return the entire incentive payment for that year and the next participating year. To date, the most common violation is the Security Risk Assessment; more specifically, a lack of adequate documentation to support some of the responses provided during attestation.
Meaningful Use Security Objectives
- Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
- Measure: Conduct or review a security risk analysis in accordance with the requirements of 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of the risk management process.
- Exclusion: None
Additional Information
EPs must conduct a Security Risk Analysis of certified EHR technology and implement updates as necessary. A security update is required if any deficiencies are identified during the analysis.
The Following Must be Regularly Documented and Maintained
Always document administrative procedures to ensure that security plans, policies, procedures, and training are in place. Record physical safeguards that provide security controls for all media and devices. Document technical security services that provide specific authentication, authorization, access and audit controls. Finally, document technical security mechanisms that establish controls over communications and networking.
Employee Requirements
Practice users are responsible for the security of all data that may come to them, in whatever format. The Practice is therefore responsible for maintaining ongoing training programs and for informing all users of these requirements. Have all staff wear a name badge and challenge unrecognized personnel. Secure laptops with a cable lock when unattended, and require users to password-lock unattended computers whenever they leave the work area.
Prohibited Activities
The following activities are strictly forbidden:
- Deliberately crashing an information system.
- Attempting to break into an information resource or to bypass a security feature.
- Introducing, or attempting to introduce, computer viruses, Trojan horses, peer-to-peer (“P2P”) software or other malicious code into an information system.
- Browsing: the willful, unauthorized access or inspection of confidential or sensitive information.
- Personal or unauthorized software: violating or attempting to violate the terms of use or license agreement of any software product utilized by the Practice.
- Engaging in any illegal activity for any purpose.
Electronic Communication, E-mail, Internet Usage
Practice-provided resources, such as individual computer workstations or laptops, computer systems, networks, e-mail, and Internet software and services, are intended for business purposes; even incidental personal use is not permitted. Employees must not pirate software, music, books and/or videos, use pirated software, music, books and/or videos, or illegally duplicate and/or distribute information and other intellectual property that is under copyright. Use of Practice information resources for or in support of illegal purposes as defined by federal, state or local law is strictly prohibited.
Use of Practice information resources for personal or commercial profit is strictly prohibited. All political activities are strictly prohibited on Practice premises; the Practice encourages all of its staff to vote and participate in the election process, but these activities must not be performed using business assets or resources. Harassment: the Practice strives to maintain a workplace that is free of harassment and sensitive to the diversity of its employees. Junk e-mail: all communications using IT resources shall be purposeful and appropriate; for example, distributing “junk” mail such as advertisements, pornography, or solicitations is prohibited.
Internet Access
The Internet access provided by the Practice should not be used for entertainment. All Internet activity must be monitored, and excessive use of Internet bandwidth for personal use will result in disciplinary action. Block non-business Internet sites such as Facebook, YouTube, Twitter and personal email.
Reporting Software Malfunctions
Users should inform the appropriate Practice personnel when their software does not appear to be functioning correctly. The failure, whether accidental or deliberate, may pose an information security risk. If the user, or the user’s manager or supervisor, suspects a computer virus infection, the Practice computer virus policy should be followed and these steps should be taken immediately:
- Stop using the computer.
- Do not carry out any commands, including commands to save data.
- Do not close any of the computer’s windows or programs.
- Do not turn off the computer or peripheral devices.
- If possible, physically disconnect the computer from the networks to which it is attached.
- Inform the appropriate personnel or the Practice ISO as soon as possible.
- Write down any unusual behavior of the computer (screen messages, unexpected disk access, abnormal responses to commands) and the time it was first noticed.
- Write down any changes in hardware, software, or software use that preceded the malfunction.
- Do not attempt to remove a suspected virus!
Report Security Incidents
A user is defined as any person authorized to access an information resource. Users are responsible for the following:
- Report perceived security incidents on a continuous basis to the appropriate supervisor or security person.
- Report security incidents hands-on: formally report all security incidents or violations of the security policy immediately to the Privacy Officer.
- Report any perceived security incident to either their immediate supervisor or their department head.
Transfer of Sensitive / Confidential Information
When confidential or sensitive information from one individual is received by another individual while conducting official business, the receiving individual shall maintain the confidentiality or sensitivity of the information in accordance with the conditions imposed by the providing individual. All employees must recognize the sensitive nature of data maintained by the Practice and hold all data in the strictest confidence. Any purposeful release of data to which an employee may have access is a violation of Practice policy and will result in personnel action, and may lead to legal action.
Internet Considerations
The following security and administration issues shall govern Internet usage. Prior approval of the Practice Privacy Officer, or of appropriate personnel authorized by the Practice, shall be obtained before:
- The Internet, or another external network connection, is established;
- Information (including notices, memoranda, documentation, and software) is made available on any Internet-accessible computer (e.g. the web or FTP server) or device.
Users may not install or download any software (applications, screen savers, etc.); if users need additional software, they are to contact their supervisor. Use shall be consistent with the goals of the Practice. For example, the network can be used to market services; however, using company systems for personal gain is prohibited.
Confidential or sensitive data shall be encrypted before being transmitted over the Internet. The encryption software used, and the specific encryption keys (e.g. passwords, passphrases), shall be escrowed with the Practice Privacy Officer or appropriate personnel to ensure they are safely maintained and stored. The use of encryption software and keys that have not been escrowed as prescribed above is prohibited and may make the user subject to disciplinary action.
Installation of Authentication and Encryption Certificates on the Email System
All medical practice email systems require an SSL certificate. This certificate enables encryption of email traffic sent to or received from any device.
Use of Barracuda Encryption Email
To safeguard attachments via email, the use of the Barracuda Encryption feature will force email recipients to use Barracuda’s secure portal to read sensitive email. Using this system, staff can safely send ePHI over email. For added security, attachments can be password protected.
Identification and Authentication
Individual users shall have unique login IDs and passwords. An access control system shall identify each user and prevent unauthorized users from entering or using information resources. Security requirements for user identification include assigning each user a unique ID; each user is then responsible for the use and misuse of that login ID.
Passwords
Require user IDs and passwords to gain access to all networks and workstations. All passwords are governed by a corporate-wide password policy requiring them to be “strong”, meaning that every password must conform to restrictions and limitations designed to make it difficult to guess:
- Password length: require passwords to be a minimum of eight characters.
- Content requirements: passwords must contain a combination of uppercase, lowercase, numeric and special characters.
- Change frequency: passwords must be changed bi-annually. Compromised passwords must be changed immediately.
- Reuse: none of the previous twelve passwords may be used.
- Restrictions on sharing: passwords shall not be shared, written on paper, or stored within a file or database on a workstation.
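To show how the password rules above translate into an enforceable control, here is an added Python example (written for this article, not code from Innovative Computer Systems). It checks the eight-character minimum, the four character classes, and reuse of the previous twelve passwords, and flags passwords due for change. Since the history is kept as salted PBKDF2 hashes rather than plaintext, the reuse check never stores old passwords in the clear. The 182-day maximum age is an assumption standing in for “bi-annually”; adjust it to match the Practice’s policy.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Policy values from the article: 8-character minimum, all four character
# classes, no reuse of the previous twelve passwords.
MIN_LENGTH = 8
HISTORY_DEPTH = 12
# "Bi-annually" interpreted as twice a year (assumption); adjust as needed.
MAX_AGE_DAYS = 182
# PBKDF2 work factor kept modest so the example runs quickly (assumption);
# raise it for production use.
PBKDF2_ROUNDS = 50_000

SPECIALS = set(string.punctuation)


def check_complexity(password):
    """Return a list of complexity violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest, so history never holds plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the password matches any of the stored (salt, digest) entries."""
    for salt, digest in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def password_expired(last_changed, today=None):
    """True once a password is older than the maximum allowed age."""
    today = today or date.today()
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


class UserRecord:
    """Per-user state: hashed password history (most recent first) and change date."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.history = []
        self.last_changed = None

    def set_password(self, password, today=None):
        """Apply the policy; return the list of violations (empty on success)."""
        problems = check_complexity(password)
        if in_history(password, self.history):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history.insert(0, hash_password(password))
        del self.history[HISTORY_DEPTH:]  # keep only the twelve most recent
        self.last_changed = today or date.today()
        return []


if __name__ == "__main__":
    # Constructed sample session for a hypothetical user id.
    user = UserRecord("jdoe")
    print(user.set_password("Winter2024!", today=date(2024, 1, 15)))  # []
    print(user.set_password("Winter2024!", today=date(2024, 7, 1)))   # reuse rejected
    print(user.set_password("password", today=date(2024, 7, 1)))      # three class violations
    print(password_expired(user.last_changed, today=date(2024, 8, 1)))  # True: past 182 days
```

The complexity checks and the reuse check are deliberately reported together so an auditor (or the user) sees every reason a password was rejected in one pass rather than fixing one rule at a time.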
In Summary
Periodic vulnerability assessments and HIPAA compliance scans are critical to your practice’s security. In addition to these scans, policies and procedures are also important. So, if your practice needs help implementing anything mentioned in this article, or the HIPAA Omnibus Rule, call us for more information.
About Innovative Computer Systems
Innovative Computer Systems is a Managed Services Provider specializing in Healthcare Information Technology (HIT) and Corporate Business Technology. We work closely with our clients to understand their daily workflow requirements. Some of our clients include leaders in Ophthalmology, Facility Maintenance, Pediatrics, Law, Urology, Dermatology, Commercial Real Estate, Internal Medicine and Ambulatory Surgery.