BreachExchange mailing list archives

The case for standardizing PHI breach disclosure


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Jun 2015 20:33:07 -0600

http://www.govhealthit.com/news/case-standardizing-phi-disclosure

With the barrage of highly publicized Protected Health Information breaches
affecting small and large health systems, organizations should expect that
privacy and security measures for PHI will come under even greater scrutiny
by regulators.

Most notably, the Office for Civil Rights (OCR) HIPAA Phase 2 audits, which
are scheduled to begin this year, are likely to be more demanding than the
Phase 1 pilot audits. These privacy, security and breach notification
audits will determine if the health system has performed an adequate
security risk assessment (SRA) and subsequently developed a remediation
plan based on the findings of its SRA. Until the top issues noted in the
SRA have been resolved, OCR will monitor the health system’s progress on
its remediation plan.

Due to this auditing process, forward-thinking facilities have determined
that a centralized, enterprise-wide PHI disclosure process offers greater
oversight that ensures security and privacy protocols are followed and
documented. A standardized strategy for PHI disclosure that is supported by
technology not only better prepares a health system for an audit, but can also
greatly reduce the PHI disclosure management burden, strengthen control of
the process and improve communication between departments, including the
ambulatory setting.

Rarely a ‘cyber-attack’
The PHI breaches that received the most attention in 2014 were the result
of cyber-attacks, but these incidents are still rare, according to survey
results reported last year by the Ponemon Institute. In fact, 46 percent of
survey respondents reported that unauthorized PHI disclosure was attributed
to unintentional employee negligence — not including theft of a laptop or
other device containing PHI.

This inadvertent negligence can be attributed to inconsistent
organizational policies, processes not being followed and uncertainty among
staff with different levels of training and experience. Unfortunately,
during a HIPAA Phase 2 audit, OCR may characterize this type of
inconsistency as a demonstration of “willful neglect” — defined as the
conscious, intentional failure or reckless indifference to compliance — if
no steps are taken to remedy the situation.

Healthcare entities that still operate in a “hybrid” environment, in which
some departments or facilities continue using paper forms and fax machines
in addition to electronic exchange of information, exacerbate the PHI
disclosure management risk. In these environments, the required PHI
accounting of disclosures (AOD) and oversight is a particular challenge,
which leads to less than optimal compliance. Only 25 percent of Ponemon
Institute survey respondents report “full compliance” with the AOD
requirements, and 31 percent had developed an “ad-hoc” process just to
comply with the rule.

How disclosure can mitigate risk
After performing an SRA and noting many of the PHI disclosure management
challenges, the organization may decide to pursue an enterprise-wide
approach to disclosure management. This approach offers hospitals and
healthcare systems the ability to utilize software and services that can be
deployed as a common tracking platform across the enterprise including
health information management (HIM), the business office, radiology, other
ancillary departments and physician practices.

By implementing a centralized system to handle the access and disclosure of
PHI, healthcare facilities obtain the interdepartmental communication,
policy enforcement, oversight level, quality assurance and transparency
necessary to comply with the increasingly complex, technologically-driven,
regulatory and legislative environment. Not only does this strategy address
current PHI disclosure compliance gaps and risks, it also prepares the
hospital or health system for the future.

More importantly, if the healthcare facility is selected for an OCR Phase 2
HIPAA audit, a centralized, enterprise-wide process provides ample
documentation to demonstrate compliance with security, privacy and breach
notification requirements associated with PHI disclosure.

Disclosure management now a priority
By all accounts, this looks to be a significant PHI security and privacy
investigation and enforcement year for regulators. Organizations can
respond by addressing and documenting, at a minimum, their SRA’s
most-urgent recommendations with the goal of completing all recommendations
before the next fiscal year HIPAA audit.

For many healthcare entities, standardizing PHI disclosure management
across the enterprise – including long-term care, home care, rehabilitation
facilities and physician practices – may address many of the SRA
recommendations, while delivering other benefits. By standardizing
processes and applying best PHI disclosure management practices across the
system, healthcare leaders can ensure better enforcement of disclosure
policies, a manageable workflow and a consistent experience for patients
and requesters.

Not only does this approach protect a patient’s privacy, it also aligns the
health system with meaningful use goals for hospitals and eligible
providers, and helps protect the institution against breaches, financial
risk, lawsuits and reputational damage.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/