CISOs of healthcare organizations are responsible for policies and procedures that safeguard the security and privacy of protected health information
Policies and procedures are required by various provisions of the Health Insurance Portability and Accountability Act of 1996.
The importance of policies and procedures is two-fold. First, they serve as mandatory written reference guides for employees of hospitals, medical centers, and other covered entities and business associates. Second, they form the basis for the employee training that is also mandated by HIPAA.
As the CISO, CIO, or similar security executive for your hospital or HIPAA covered entity, you are responsible for the policies and procedures required by HIPAA. Written documentation that is incomplete, out of date, or poorly enforced can result in HIPAA violations that incur financial penalties and corrective actions imposed by the HHS Office for Civil Rights (OCR). The HHS OCR website is loaded with real life examples.
Requirements Under HIPAA
HIPAA law requires specific administrative, technical, and physical safeguards to be implemented and maintained for the purpose of (1) ensuring the confidentiality, integrity, and availability of protected health information in all its forms, and (2) preventing unauthorized or inappropriate access, use, or disclosure of PHI and ePHI.
The HIPAA Privacy Rule, Security Rule, and Data Breach Notification Rule all require written policies and procedures that support these safeguards, along with employee training to implement them.
Security Rule Requirements for Policies and Procedures
The HIPAA Security Rule is concerned primarily with safeguarding protected health information in electronic or digital form (ePHI). Not surprisingly, requirements for policies and procedures are evident throughout the Security Rule. Below are a few specific examples.
- Designate a security official to be responsible for developing, implementing, maintaining, and enforcing security policies and procedures.
- Implement policies and procedures that allow only authorized persons to access ePHI that is appropriate to their work (i.e., role-based access), as well as policies and procedures to ensure ePHI is not improperly altered or destroyed.
- Implement policies and procedures to specify proper use of and access to workstations and electronic media, and also governing the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of ePHI.
- Provide appropriate supervision of employees who work with ePHI. Train all in your organization's security policies and procedures. Document and apply appropriate sanctions against those who violate them.
- Perform a periodic assessment of how well the security policies and procedures meet Security Rule requirements. Periodically review and update documentation to reflect environmental or organizational changes that impact ePHI security.
Examples of Privacy Rule Requirements
Below are examples of written policies and procedures required by HIPAA’s Privacy Rule, which is concerned with minimum necessary use and disclosure of PHI.
Designate a privacy official responsible for developing and implementing your hospital's or healthcare organization's privacy policies and procedures.
Develop and implement policies and procedures that limit the disclosure of PHI to the minimum amount reasonably necessary to achieve the purpose of the disclosure.
Develop and implement policies and procedures that restrict access and use of PHI based on the specific roles of employees. Identify the employees or classes of employees who need access to PHI to perform their duties, the categories of PHI they need access to, and any conditions under which they need the information to do their jobs.
Develop and implement written privacy policies and procedures that are consistent with the Privacy Rule. Establish procedures for individuals to complain about the hospital’s compliance with its privacy policies and procedures and the Privacy Rule. Explain those procedures in the hospital’s privacy practices notice.
Train all workforce members in privacy policies and procedures as necessary and appropriate for them to do their jobs. Include employees, volunteers, trainees, and others whose conduct is under direct control of the healthcare organization even if they are not paid by your organization or hospital. Document and apply appropriate sanctions against those who violate privacy policies and procedures or the Privacy Rule.
Business Associates Must Also Comply
If your hospital engages business associates to perform healthcare activities on your behalf, you are required to have a written contract or other arrangement with each business associate. It must (1) establish specifically what the business associate has been engaged to do for your organization, and (2) require the business associate to comply with the HIPAA Rules’ requirements to safeguard the privacy and security of PHI and ePHI.
In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
OCR Actively Investigates Violations
The HHS Office for Civil Rights investigates all complaints of potential HIPAA violations. Complaints may come from patients, visitors, your own hospital employees, and others who may observe or experience a potential violation of the HIPAA Rules.
Below are three examples of hospitals OCR found in violation of HIPAA requirements related to written policies and procedures.
Violations: Minimum Necessary Standard; Confidential Communication.
OCR found that a hospital employee did not observe minimum necessary requirements when leaving a phone message with the daughter of a patient detailing her medical condition and treatment plan. Confidential communication requirements were violated, as well, when the message was left on the home phone, rather than the work number as instructed by the patient.
OCR required that the hospital (1) develop and implement a new procedure to ensure minimum necessary information in phone messages, (2) train employees in the new procedure including specific direction as to what information could be left in a message, (3) train employees to review patient contact instructions, and (4) include the new procedures in refresher privacy training as well as in mandatory annual compliance training.
Violations: Impermissible Uses and Disclosures; Authorizations.
OCR confirmed that a state health sciences center disclosed PHI to a patient’s employer without patient authorization. Among the corrective actions mandated by OCR, the hospital was required to (1) mitigate harm caused to the patient (which often takes the form of compensation), (2) revise its procedures requiring patient authorization prior to releasing PHI to an employer, and (3) train all staff in the corrected procedures.
Violation: Impermissible Uses and Disclosures.
In response to a subpoena that was not accompanied by a court order, a hospital impermissibly disclosed the PHI of one of its patients. OCR found that the hospital failed to (1) determine that reasonable efforts were made to ensure the patient had received notice of the request, and (2) verify that the party seeking the PHI made reasonable efforts to obtain a qualified protective order. OCR required that the hospital create detailed procedures for subpoena handling, train all relevant employees in the new procedures, and implement other corrective measures.
Typical Corrective Action Plan for Policies and Procedures
Regardless of the nature of the primary violation investigated by the OCR, in the vast majority of OCR investigations failures in policies, procedures, and employee training are also found. The list below is a typical example of what a hospital or any HIPAA covered entity must agree to do as part of its overall corrective action plan. (Note: To reduce redundancy and aid readability, the original OCR language has been abbreviated without affecting substance.)
Developing Policies and Procedures
Develop, maintain, and revise written policies and procedures to comply with Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. § 160 and Subparts A and E of Part 164, the “Privacy Rule”)
Provide such policies and procedures to HHS within sixty (60) days of the Effective Date for review and approval. Upon receiving recommended changes from HHS, revise policies and procedures and provide to HHS for review and approval within thirty (30) days. Implement within thirty (30) days of receiving HHS approval.
Distributing and Updating
Distribute these policies and procedures to all members of the workforce and relevant business associates within thirty (30) days of HHS approval and to new members of the workforce within thirty (30) days of start date.
During distribution, require and obtain signed written or electronic initial compliance certification from all employees and relevant business associates stating they have read, understand, and shall abide by the policies and procedures.
Assess, update, and revise policies and procedures at least annually, or more frequently as needed. Provide revised policies and procedures to HHS for review and approval. Within thirty (30) days of the effective date of any substantive revisions, distribute revised policies and procedures to all employees and relevant business associates and require new compliance certifications.
The policies and procedures shall include all obligations required under 45 C.F.R. § 164.524 and all its subparts, an accurate definition of a Designated Record Set as defined in the Privacy Rule, and standardized procedures for responding to requests for access pursuant to 45 C.F.R. § 164.524. In addition, they shall include:
Protocols for training all employees and business associates involved in receiving or fulfilling access requests to ensure compliance with the policies and procedures;
Protocols for training those involved in maintaining designated record sets and other PHI to ensure compliance with the policies and procedures; and
Application of appropriate sanctions against employees who fail to comply with the policies and procedures required by HIPAA.
Upon approval by HHS, provide training for each workforce member and relevant business associate within sixty (60) days and at least every twelve (12) months. Train each new individual within thirty (30) days of their start date.
Require and obtain from each workforce member and relevant business associate who is required to attend training certification, in electronic or written form, that they have received the training and on what date.
Review training at least annually and update to reflect changes in Federal law or HHS guidance, issues discovered during audits or reviews, and other relevant developments.
Next Steps for Your Hospital/Covered Entity
In addition to corrective action plans like those above, virtually every settlement of a hospital violation includes the payment of a financial penalty to the OCR. Penalties vary based on the number and nature of compliance failures as well as the degree of impact on patients and other stakeholders. Recent penalties have ranged from $80,000 paid by Children’s Hospital & Medical Center of Omaha to $875,000 paid by Oklahoma State University’s Center for Health Services.
Regardless of the size of your organization or your security budget, being required by law to pay a financial penalty and bring policies and procedures into compliance is an onerous task that few hospitals have the resources or desire to undertake.
Many CISOs, CIOs, and CSOs prefer a less expensive, more proactive approach to make sure their hospitals have documented all of the policies and procedures required by HIPAA. One popular step is to engage the services of a Virtual CISO to conduct a review of your policies and procedures. At 24By7Security, our VCISOs are highly qualified and experienced in helping hospitals and large healthcare providers establish and document their policies and procedures in compliance with HIPAA Rules. An alternative step is to conduct a HIPAA risk assessment, which will reveal missing and incomplete policies and procedures as well as a substantial amount of other useful information. This will also meet the annual assessment requirement.
As your healthcare organization's or hospital’s chief security/privacy officer, it’s your responsibility to ensure complete HIPAA compliance, including the required policies and procedures. Contact us to schedule a complimentary consultation to determine which next step is right for you.
REMINDER: Is your hospital observing Data Privacy Week January 22-28? As a CISO, CSO, or similar high-ranking security executive, you can leverage Data Privacy Week to refresh data privacy awareness throughout your organization. Sign up as a Data Privacy Champion and join 24By7Security and hundreds of other security-conscious organizations in advocating for effective data privacy all year long.