EMRAdvice


HIPAA audit: The 42 questions HHS might ask

June 21, 2007

They cover everything from security to employee status to Internet use

June 19, 2007 (Computerworld) Jaikumar Vijayan — In March, Atlanta’s Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of the Health Insurance Portability and Accountability Act (HIPAA).

The audit was conducted by the office of the inspector general at the U.S. Department of Health and Human Services (HHS) and is being seen by some in the health care industry as a precursor of similar audits to come at other institutions.

Neither Piedmont nor HHS officials have publicly confirmed the audit or spoken about it. That silence has sparked considerable curiosity about why Piedmont was targeted as well as the scope of the audit and the kind of information HHS was seeking.

A document obtained by Computerworld from a reliable source indicates that Piedmont was presented with a list of 42 items that HHS officials wanted information on within 10 days. Specifically, Piedmont was asked to provide policies and procedures for:

  1. Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
  2. Emergency access to electronic information systems.
  3. Inactive computer sessions (periods of inactivity).
  4. Recording and examining activity in information systems that contain or use ePHI.
  5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
  6. Employee violations (sanctions).
  7. Electronically transmitting ePHI.
  8. Preventing, detecting, containing and correcting security violations (incident reports).
  9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
  10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
  11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
  12. Physical access to electronic information systems and the facility in which they are housed.
  13. Establishing security access controls (what types of security access controls are currently implemented or installed in the hospital’s databases that house ePHI data?).
  14. Remote access activity, i.e., network infrastructure, platform, access servers, authentication, and encryption software.
  15. Internet usage.
  16. Wireless security (transmission and usage).
  17. Firewalls, routers and switches.
  18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
  19. Terminating an electronic session and encrypting and decrypting ePHI.
  20. Transmitting ePHI.
  21. Password and server configurations.
  22. Anti-virus software.
  23. Network remote access.
  24. Computer patch management.

HHS also had a slew of other requests:

  1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
  2. Please provide a list of terminated employees.
  3. Please provide a list of all new hires.
  4. Please provide a list of encryption mechanisms used for ePHI.
  5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
  6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
  7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
  8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
  9. Please provide entity-wide security program plans (e.g., System Security Plan).
  10. Please provide a list of all users with access to ePHI data. Please identify each user’s access rights and privileges.
  11. Please provide a list of systems administrators, backup operators and users.
  12. Please provide a list of installed antivirus servers, including their versions.
  13. Please provide a list of software used to manage and control access to the Internet.
  14. Please provide the antivirus software used for desktop and other devices, including their versions.
  15. Please provide a list of users with remote access capabilities.
  16. Please provide a list of database security requirements and settings.
  17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
  18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.

Find article here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253


HHS Promulgates New Regulations to Facilitate Adoption of Health Information Technology

May 15, 2007

On August 1, 2006, the U.S. Department of Health & Human Services (“HHS”) promulgated final rules (“Final Rules”) that will permit hospitals, physician practices and certain other organizations to donate electronic prescribing (“e-prescribing”) and electronic health records (“EHR”) technology and supporting services to physicians without violating either the federal physician self-referral (“Stark”) law or the federal health care program anti-kickback law (“AKL”). Both Final Rules are a result of the Congressional mandate in the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (“MMA”) for the creation of a Stark law exception and an AKL safe harbor that would enable entities (such as hospitals) to encourage and assist physicians to embrace the use of e-prescribing technology. In promulgating the Final Rules, HHS elected to go beyond e-prescribing, providing immunity for the donation of EHR technology and services under certain circumstances, as well.

I. The Final Rules

The Stark law exceptions and AKL safe harbors established by the Final Rules are considerably more protective than was originally contemplated in the October 11, 2005 proposed rules (the “Proposed Rules”). Among other things, the Final Rules allow for a broader range of qualifying donors and recipients; cover a more extensive range of technology; and replace a possible cap on the value of the donated e-prescribing or EHR technology with a recipient cost sharing provision for EHR.

A. E-prescribing

The e-prescribing exception and safe harbor are nearly identical, protecting donations by a hospital, physician group practice, Medicare Part D Prescription Drug Plan (“PDP”) sponsor, or Medicare Advantage (“MA”) organization of hardware, software, information technology (including internet connectivity), and training and support services that are necessary and used solely to receive and transmit electronic prescription information, provided that several conditions are met. For example: (1) the donor may not limit or restrict the use or compatibility of the donated technology or services with other e-prescribing or electronic health information systems; (2) the technology and services must be capable of being used for any patient regardless of payor status; (3) the donation of the items and services cannot be conditioned on an agreement by the recipient to do business with the donor; and (4) the decision to make the donation – including the amount and nature of the items and services – must not be determined in a manner that takes into account the volume or value of referrals or other business generated between the parties. Significantly, HHS did not impose a limit on the value of e-prescribing technology that may be donated to an eligible recipient.


B. EHR

The Final Rules also establish a new regulatory Stark law exception and AKL safe harbor for the donation of EHR technology and services. The most significant aspects of this exception and safe harbor are discussed below.

1. Donors

In comparison to the Proposed Rules, the Final Rules expand the types of entities that may donate EHR items and services. Under the Stark law exception, donations may be made by any entity that furnishes “designated health services.” Under the AKL safe harbor, the donor may be (1) any individual or entity that provides covered items and services and seeks reimbursement, either directly or through reassignment, from any federal health care program, or (2) any health plan. This generous definition encompasses hospitals, group practices, physicians, nursing and other facilities, pharmacies, laboratories, oncology centers, community health centers, and dialysis facilities, among others.

2. Recipients

The Stark law exception protects items and services donated to any physician. The AKL safe harbor protects donations to any individual or entity engaged in the delivery of health care, such as physicians, group practices, physician assistants, nurse practitioners, nurses, therapists, audiologists, pharmacists, nursing and other facilities, community health centers, and laboratories.

3. Protected Items and Services

The Final Rules protect “information technology” (e.g., internet connectivity and maintenance) in addition to the software and training services (e.g., help desk) covered under the Proposed Rules. Software must contain, or link to, an e-prescribing component. (Protection is not afforded to the donation of hardware, however.) Unlike the e-prescribing Final Rule, EHR items and services must be necessary and used predominantly (rather than solely) to create, maintain, transmit or receive the EHR of the donor’s or physician’s patients in order to be protected. Although it is not clear what regulators will consider to be “necessary and predominant,” Preamble commentary indicates that software packages may include, depending on the circumstances, functions related to the care and treatment of individual patients, such as patient administration, scheduling functions, billing, and clinical support. Expressly excluded, however, is any technology used primarily for personal business or business unrelated to the recipient’s clinical practice or operations.


4. Interoperability

Under the Final Rules, which abandon the pre- and post-interoperability distinction contained in the Proposed Rules, donated EHR technology must be interoperable with other e-health systems at the time of its donation in order to be protected.

“Interoperable” is defined as software able to (1) communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks, in various settings, and (2) exchange data such that the clinical or operational purpose and meaning of the data are preserved without alteration. Software is “deemed” interoperable if a certifying body recognized by HHS has certified the software no more than 12 months prior to the date of donation. In notices published in the August 4, 2006 edition of the Federal Register, HHS (1) recognized certain ambulatory EHR criteria developed by the Certification Commission for Healthcare Information Technology that may be used by certifying bodies to deem technologies interoperable and (2) promulgated interim guidance for entities that want to become recognized EHR certifying bodies.

5. Cost Sharing

The Final Rules require the recipient physician to pre-pay a minimum of 15 percent of the donor’s costs. Neither the donor nor a related party may finance the physician’s payment.

6. Selection of Recipients

EHR donors may not directly take into account the volume or value of referrals or other business generated between the parties when determining whether, and the extent to which, a particular recipient is provided EHR. The Final Rules, however, list various selection criteria that donors may use without triggering the volume or value or other business generated standards. For example, donors may consider such practice specific criteria as the total number of prescriptions written, practice size, number of hours worked by the physician, and the physician’s overall use of automated technology.

II. Conclusion

The Final Rules reflect an unprecedented degree of coordination between CMS and OIG, resulting in consistent treatment of health information technology donations under the Stark law and AKL. This coordination reflects the government’s desire to remove impediments to the adoption of important, but expensive, software and related information technology that will enhance patient care and safety and reduce medical errors while simultaneously protecting federal health care programs from fraud, waste and abuse.

The Final Rules are scheduled to be published in the Federal Register on August 8, 2006, and will become effective 60 days thereafter. Although the exception and safe harbor for EHR donations will sunset on December 31, 2013, the e-prescribing provisions are indefinite.
