Testimony by Susan Miller and Michael Uhl for the May 1, 2007 NCVHS Subcommittee on Standards and Security Hearing

WEDI logo

Statement To

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON STANDARDS, AND SECURITY

May 1, 2007

Presented By: Susan A. Miller, JD

Founding Co-chair WEDI SNIP Security and Privacy Workgroup

Chairpersons and members of the sub-committee, I am Susan A. Miller, JD. I am a founding Co-chair of the WEDI Strategic National Implementation Process (SNIP) Security and Privacy Workgroup and have a national HIPAA and healthcare legal and consulting practice. I work with and for HIPAA providers, clearinghouses, health plans, trade associations, and state and federal agencies.

On behalf of WEDI, thank you for the opportunity to present testimony concerning the HIPAA security rule, including remote access issues and how the industry is dealing with security requirements: what is working, what is not working, and why.

My three Security and Privacy Workgroup co-chairs, Leslie Berkeyheiser, David Ginsberg, and Mark Cone, assisted me in preparing for this testimony. I am going to present general observations about how the industry is dealing with the HIPAA security requirements, and then discuss remote access and its issues.

Introduction
WEDI is in the process of deploying a comprehensive plan to address many topics regarding the HIPAA Security Rule and its implications. Our activities are in the planning or early development stages. With this in mind and the fairly limited time to respond to the request for testimony, I want to emphasize that the information WEDI has available is limited to anecdotal information from a small segment of WEDI’s membership. This is an initial step in our process to examine industry status regarding HIPAA security implementation and compliance. We cannot draw specific conclusions or make sustentative recommendations at this time as our work is not complete. A near term activity will include a formal survey to gather more comprehensive data across the entire industry. WEDI intends to approach CMS for collaboration and support on developing a survey tool to address this topic.

At this point, WEDI has collected anecdotal reports that demonstrate misunderstanding and under-implementation of the Security Rule and related compliance issues in the industry.

The Privacy Rule implementation requires tangible steps that tend to be similar across covered entities. For example, every provider with a direct treatment relationship with patients is required to have a Privacy Notice and to make it available. In contrast, the Security Rule implementation is much more flexible. Entities are expected to customize implementation. The Security Rule also includes a compilation of best practices. Under those practices, an entity would perform a comprehensive risk analysis including consideration of what standards apply to its unique organization. The application of addressable implementation specifications is left to be determined based on risk analysis findings and documentation of the approach taken. There is no formal guidance about whether or how to conduct, interpret or apply a risk analysis.

The flexibility built into the security rule provides entities with the ability to tailor security protections to best meet their business and operational needs based on their unique threats. It would be useful, however, if the Centers for Medicare & Medicaid Services (CMS) could provide additional education and guidance to help some covered entities to reach an understanding of how best to implement the security rule.

Basic Problem Areas and Key Focus
Frequently, the co-chairs observe simple and fixable problems at their client organizations; they observe behaviors in conflict with organizational policy. Many of these are in the areas of administrative safeguards. For instance:

Conversations involving patient care and treatment conducted via speaker phones in offices with doors open
PHI data posted on bulletin boards to enhance training and workforce communication
Lack of organizational policies and procedures
Workforce members aware, or aware of others using some of the newer portable devices, such as jump drives, for media storage; such tools often may not meet an organization’s security controls
Organizations not conducting inventories of remote devices and storage media
Passwords posted near computers with passwords on them, or passwords shared by multiple workforce members
Paper with PHI on it placed in confidential areas or recycle bins and contents left for days or weeks before being shredded
Un-logged, unsupervised open visitor access to areas where PHI is accessed
Lack of, incomplete, or out of date disaster recovery planning
Lack of a formal audit process and program
Lack of regular, periodic, security risk assessments, risk analysis within the security rule

The industry and CMS should promote ongoing risk analysis, risk management, auditing, and self monitoring. Compliance reminders and best practices could be disseminated periodically. For example:

Organizations should constantly monitor HIPAA policy training of new workforce; existing workforce members should be provided regular updated or refresher training.
Organizations should track the length of time it takes to remove system access of workforce members who leave the organization.
Organizations should develop routine reporting mechanisms for alerting senior management about security incidents and effectiveness of sanctions.

The security rule defines a security incident as an attempted or successful unauthorized access or use. When coupled with the requirement of security incident reporting, it creates a perceived or actual need to report potentially thousands of unsuccessful access attempts most organizations face on a daily basis that are prevented by use of intrusion detection and prevention software. Redefining a security incident to exclude unsuccessful attempts would simplify implementation of the rule.

WEDI SNIP can assist CMS in developing sample forms, checklists and various metrics so that covered entities can monitor their compliance.

More specifically regarding the actual Security rule, the industry is in need of further education or best practice ideas in the following areas:

HIPAA Security Rule Requirements Outline

Administrative Safeguards
	System Activity Review	Access logs and audit trails.
	Contingency Planning	Organizations may be reluctant to consider adverse events and may need assistance with key points or action items when building a disaster recovery and business continuity plan.
	Business Associates	Guidance could be provided about appropriate safeguards to protect downstream information and what represents ‘due diligence’ as it relates to business associates.
Physical Safeguards
	Device and Media Controls	Smaller organizations could use help setting expectations for documenting and tracking types of software, hardware, device and media controls.
Technical Safeguards
	Integrity	Updating the Remote Guidance document for and with specific and new technology changes.
	Email and Encryption Usage	Given that the use of encrypted email has become more cost effective, user friendly and accepted since the rule was first promulgated, CMS may want to revisit this area when the Security rule is updated.
	Audit Trails	System activity reviews as distinguished from administrative audit review.

Privacy and Security are Inter-twined
Privacy and Security can overlap within organizations. However, just as HHS separates oversight of these Rules, many covered entity organizations address Privacy and Security in distinct environments. For example, many hospitals assign Privacy to the Privacy Officer or Compliance Officer, while the Security becomes the responsibility of Information Technology. WEDI has consistently suggested that organizations implement one set of policies and procedures to cover all forms of PHI (electronic, paper and spoken information). WEDI would like to investigate how the Security Rule requirements can be correlated to and integrated with the Privacy Rule requirements. Doing so could make both sets of requirements and their procedures more understandable to the staff members doing the work.

CMS December 2006 Guidance on Remote Access
WEDI regards the CMS guidance on safeguarding PHI that is accessed remotely, published in December 2006, as an important resource on the Security Rule. The WEDI SNIP Security and Privacy Workgroup has begun drafting a white paper on the CMS Guidance to be released on May 16, 2007 at the WEDI Annual Meeting in Baltimore. We have invited CMS to join our presentation, and they have accepted.

Covered entities have reported that they liked the list of standards included in the initial security notice of proposed rule making (NPRM). The Security and Privacy Workgroup has drafted a cross-walk from the Guidance requirements to the Security Rule requirements for the white paper. The Privacy and Security Workgroup supports such tables and information as a way to further educate and help the industry.

There has also been concern expressed from members of the industry about the OIG intention to audit a Georgia hospital regarding HIPAA Security compliance unrelated to an underlying complaint or to a fraud and abuse review.

Lessons from HISPC
The Health Information Security and Privacy Collaborative (HISPC) projects have focused on the variations of state laws relating to the HIPAA Security and Privacy Rules and on efforts to implement electronic health record implementation, reinforcing the importance of basic security to the healthcare industry. Areas covered in the initial HIPAA Security Rule such as standards for access, authorization, authentication and audit trails could be expanded and addressed within the Guidance Document. Further clarification and/or assistance in some of these areas to the industry would greatly assist the overall Health Information Exchange (HIE).

WEDI acknowledges that there are still many issues and questions in security that remain to be addressed. WEDI is willing and able to leverage its knowledge, industry expertise and resources to work in partnership with CMS to address the challenges in security.

WEDI Recommendations:
WEDI is prepared to assist CMS in getting the word out about the Guidance document. We have the following activities planned to support this outreach:

A CMS HIPAA Security Guidance white paper is scheduled for release at the May 2007 Annual WEDI Meeting in Baltimore, MD.
A session scheduled at our May 2007 national conference titled ‘What does the CMS HIPAA Security Guidance for Remote Access Really Say?’
An audio conference series in late summer about the CMS HIPAA Security Guidance document and its recommended implementation.
A security pre-conference to be held at the WEDI November 2007 meeting in Orlando, FL.
WEDI is willing to hold a HIPAA Security hearing in order to further assess the industry stance on these issues. The WEDI Board will send the HHS Secretary its findings from the hearings.
WEDI understands that the guidance will shortly become an NPRM. We will hold a Policy Advisory Group [PAG] meeting when it is released. The WEDI Board will send the HHS Secretary its findings from the PAG.
WEDI understands that CMS is considering a further security NPRM. We will hold a Policy Advisory Group [PAG] meeting when it is released. The WEDI Board will send the HHS Secretary its findings from the PAG.
WEDI is willing to collaborate with CMS in surveying the industry in HIPAA security implementation and remote access issues.
WEDI SNIP is willing to assist CMS in developing sample forms, checklists and various metrics so that covered entities can monitor their compliance.

Thank you for your thoughtful consideration of these comments.

Respectfully submitted,

Susan A. Miller, JD

WEDI Security & Privacy Workgroup Co-chair

Michael Ubl

WEDI Board Chair-elect