Security management process is the foundation for compliance with HIPAA Security Rule

Security management process can be an organization’s biggest strength or biggest weakness, and most organizations lack one or all of the components that establish a security management process. In a Health Care Compliance Association (HCCA) webinar entitled, “Is Your Security Management Process Your Biggest Risk?” presenters Kezai Cook-Robinson and Ahmad M. Sabbarini of Ernst & Young LLP emphasized that a security management process is the foundation for an organization’s compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) (P.L. 104-191) Security Rule.

Under 45 C.F.R. Sec. 164.308(a)(1), a covered entity or business associate is required to implement policies and procedures to prevent, detect, contain, and correct security violations. This process requires covered entities and business associates to implement the standards and their required implementation specifications and, when appropriate and reasonable, the addressable implementation specifications, through four components: risk analysis, risk management, a sanction policy, and information system activity review.

Risk analysis

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. This means, said the presenters, that covered entities and business associates must conduct an enterprise-wide risk analysis and maintain a current, comprehensive, and thorough analysis of the security risks and vulnerabilities affecting the electronic protected health information (e-PHI) created, received, maintained, or transmitted by the organization's facilities and applications. This should be done both periodically (calendar-based) and in response to events (event-based triggers).

As part of the risk analysis, organizations should conduct a comprehensive inventory of e-PHI. Similar assets can be grouped into a single asset category for purposes of the inventory; for example, workstations that hold the same amount and type of e-PHI can be treated as one category. In addition, to save time and money, organizations should start with asset lists that have already been created for financial statements and privacy compliance activities.

Risk management

Covered entities and business associates should establish and implement an organization-wide risk management plan to address and mitigate the security risks and vulnerabilities found in the risk analysis. It should include a process and timeline for the organization's implementation, evaluation, and revision of its risk remediation activities. The presenters noted that the higher the risk, the more robust the controls that are needed.

Sanctions policy and information system activity review

The security management process also requires covered entities and business associates to apply appropriate sanctions against workforce members who fail to comply with security policies and procedures and to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

“Document, document, document,” said Cook-Robinson, because “it does not exist unless it’s in writing.” She advised that covered entities and business associates document and keep as records the analyses, decision making, and rationale for overall risk assessments, as well as individual risk analyses for implemented safeguards.

NIST guidelines

Cook-Robinson and Sabbarini also advised organizations to align, as necessary, with the guidelines and frameworks that HHS leverages, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) and NIST Special Publication 800-30 (Guide for Conducting Risk Assessments).

Compliance programs should keep a sharp eye on all communications

Every word written or spoken in connection with a health care practice presents the potential for risk. At a Wolters Kluwer webinar entitled "Health Care Communication Risks—From a Compliance Perspective," two presenters pointed out various areas of concern and ways for compliance professionals to approach them. Robert Liles, managing partner at Liles Parker PLLC, and Paul Weidenfeld, chief legal officer of Exclusion Screening LLC, spoke from years of experience on topics such as criminal issues, administrative concerns, employment, and documentation.

Text messages

The presenters noted that smartphones, while convenient, have caused countless compliance issues. Communications as seemingly private and innocuous as a text message present a significant risk, because law enforcement can readily obtain information about texts that a service provider might tell a customer is unavailable. One example offered in the webinar involved a dentist who extracted a tooth from a sedated patient while riding a hoverboard, then texted a video of the event to a friend; another involved an office manager who texted her mother to tell her about pulling two teeth from a sedated patient.

Exam recordings

Many states have one-party consent laws for recording communications; in such states only the party making the recording needs to know that the conversation is being recorded. In these states, a patient may record a physician during an appointment or procedure without obtaining the physician's permission. Such recordings can be used in malpractice cases; in one recent case, a patient started recording on his phone before a colonoscopy and captured the physician making disparaging comments during the procedure. The presenters suggested posting specific policies concerning such recordings, recommending language that prohibits the use of recording devices unless specifically permitted by the provider.

Reducing risk

The presenters spoke of the seven elements to an effective compliance program identified by the HHS Office of Inspector General:

  • implementing written policies, procedures, and standards;
  • designating a compliance officer and committee;
  • conducting effective training and education;
  • developing effective communication;
  • enforcing standards;
  • conducting internal audits; and
  • responding promptly to detected offenses and developing corrective action.

One important piece of a program is a compliance hotline that gives employees an opportunity to report compliance issues. Employees should be able to report anonymously, but also be able to provide their names with confidence in the organization's confidentiality. Employees must be assured that they will not be retaliated against for reporting issues in the organization.

Survey shows top compliance risks go from culture to cybercrimes in 2016

How did more than 900 compliance and ethics professionals respond to a survey asking which compliance risks they would be focusing on in 2016? Overall, the respondents identified cybersecurity and cybercrime (39 percent), social media compliance risks (38 percent), leveraging compliance practices with business practices for greater efficiency/effectiveness (34 percent), creating and maintaining an ethical culture (32 percent), and more effective internal investigations (31 percent) as their top concerns, the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE) announced on February 22, 2016.

Survey results

In January 2016, the HCCA and SCCE sent out a survey that included a list of 38 topics and asked respondents to select no more than ten topics from the list, in order to determine which topics were uniquely important to compliance and ethics professionals in 2016. According to the survey report, "Compliance and Ethics Hot Topics for 2016," the ranking of topics varied by respondent type; however, most of the five top hot topics appeared at some level in the breakdown for every company or job type.

In-house compliance practitioners were completely in step with the overall results, while respondents from small companies identified the same five hot topics but not in the same order. Nonprofit respondents identified False Claims Act (FCA) enforcement, rather than creating/maintaining an ethical culture, in their top five.

Consultants and solution providers identified leveraging compliance practices with business practices for greater efficiency/effectiveness as their number one hot topic, and cybersecurity and social media compliance as number two and three on their list, respectively. Interestingly, consultants and solution providers also named FCA enforcement (33 percent) and the Yates memo, with its increased prosecution of individuals (31 percent), as number four and five on their list of hot topics.

Respondents from multinational, publicly traded, and large companies each listed third-party risk as number one, and respondents from privately held companies listed third-party risk as number five. All four groups listed cybersecurity and leveraging compliance practices with business practices for greater efficiency/effectiveness among their top five.

Cybersecurity was first on the list for educational institutions, and increasing the breadth of skills of the compliance team was second. Government employers ranked creating/maintaining an ethical culture first; cybersecurity fourth; and increasing the breadth of skills of the compliance team fifth. Social media compliance risks appeared on both lists.

What can be learned from the survey

According to SCCE and HCCA CEO Roy Snell, the survey results show that “compliance is spanning the spectrum from culture to cybercrime. That’s an enormous mandate and really talks to how much businesses have come to rely on compliance programs to ensure that their organizations operate properly.” Wolters Kluwer contacted Snell to find out what else can be learned from the survey results.

Question: How have the risk areas compliance and ethics officers face changed in the past few years, and why?

Answer: “The risk areas covered by compliance professionals have broadened. In the beginning, the risks were more fundamental and common. Now the risks are more esoteric, such as cybersecurity.”

Question: Why do large companies, publicly traded companies, and multinational companies consider third-party risks the number one risk for their organizations?

Answer: “Part of it may be that it’s a new risk area that has not received much attention in the past. There has been recent interest in this area by enforcement. It can be a huge public relations issue because some of the problems caused by third parties that are happening in other countries are considered unacceptable to our culture. It took a while for companies to accept the fact that they are accountable for the actions of those [to whom] they subcontract some of their work.”

Question: "False Claims Act enforcement appears on a couple of respondent types' top five lists, but it did not make the overall top five. Why, in light of the Yates Memo, the increased risk of prosecution of individuals, the publication of the overpayment final rule, and increasing numbers of FCA claims, do you think that FCA enforcement did not make it to the top 5?"

Answer: “The False Claims Act is primarily designed to deal with industries that contract with the government. Some industries do a lot of work for the government, some do very little.”

Question: Creating and maintaining an ethical culture appeared on most respondent types' lists (between 31 percent and 35 percent) and was ranked number one (45 percent) on the government employers' list. With all of the focus on compliance, including guidances, laws, regulations, and memos, why would respondents of various types select creating and maintaining an ethical culture as a hot topic? What are the obstacles compliance and ethics professionals face in creating and maintaining an ethical culture?

Answer: "I think you hit the nail on the head in your last sentence of the question. There are obstacles. Building an ethical culture is like pushing Jello uphill. It's not an exact science, and there is employee turnover. Building an ethical culture will probably always be on the list because it is such an important part of a compliance program, a difficult and never-ending battle. I am not sure why culture is more important to those in government. It may be they have a more difficult environment for some reason. It may simply be that they consider culture to be more important than the other risks."

Question: What do you want compliance and ethics professionals to take away from the survey results?

Answer: "They are not alone. Everyone has a long list of concerns. It's a never-ending battle. They might shift their focus a little based on the survey. Some compliance programs don't include some of the risks included in this survey. Some compliance officers are told 'Don't go there.' They may be able to show this survey to the people who are trying to limit their scope. And it's possible that their leadership will be more open to making sure that their compliance officer covers all risks, because this survey shows that it is common practice for compliance officers to do so."

Although cybersecurity and social media compliance risks topped the list of concerns for compliance and ethics officers in 2016, fundamental concerns such as leveraging compliance practices with business practices for greater efficiency/effectiveness, creating and maintaining an ethical culture, more effective internal investigations, and False Claims Act enforcement will continue to be high on the list of compliance concerns.