An OCR lawyer tells HealthLeaders Media the HIPAA privacy and security enforcer will release a proposed rule regarding business associate (BA) provisions in HITECH "shortly."
Adam H. Greene, Office of the General Counsel for OCR, wrote in an e-mail to HealthLeaders that OCR's rulemaking will elaborate on the expected date of compliance surrounding the rule.
Per HITECH, BAs had to be compliant with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule by February 17 and had to enter into an updated agreement with their covered entities.
However, a law firm blogged last month that Greene said enforcement of some BA provisions will be delayed until final rules addressing those provisions are published.
In response to Greene's statements at the conference, OCR tells HealthLeaders Media that covered entities and BAs must be in compliance with rules already published—including the interim final rule on breach notification. (OCR also published an interim final rule on enforcement, which includes greater civil and monetary penalties).
Mike Robinson of HHS News, which handles media inquiries for OCR, wrote in an e-mail that "OCR will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or February 22, 2010."
No enforcement does not mean a break from compliance, however.
"I think it is important to remember that OCR may not be ready to enforce certain parts of the HITECH Act that were statutorily effective February 17, but this does not mean that lack of compliance is necessarily wise," says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.
Apgar says BAs have been required to adhere to the same HIPAA regulations since 2003 (privacy) and 2005 (security) by contract. Also, while OCR may not levy a civil penalty, this does not prevent lawsuits alleging damages.
"Even though HIPAA includes no private right of action, HITECH did not specifically prohibit it for the HITECH provisions," Apgar says. "And if someone is harmed because the entity did not adequately protect the individual's PHI and they can prove harm, the entity still may find themselves paying out large sums of money in damages."
The bottom line? Be compliant now.
"Lack of enforcement does not change the fact that, statutorily, entities are required to adhere to a number of new privacy and security requirements included in the HITECH Act, Subpart D, effective February 17, 2010," Apgar says.
Though no enforcement plans have been announced regarding HITECH provisions, Robinson says OCR is serious about it. OCR gained 36 FTEs dedicated to HIPAA privacy and security rule compliance and enforcement this fiscal year and is now up to 132.
OCR has obtained corrective action—meaning entities taking significant and important actions to change practices to come into compliance with the privacy rule—in more than 14,900 cases since 2003.
"We strongly believe that enforcement efforts directed at obtaining changes in a covered entity's operations, practices, and policies will benefit all individuals—past, present, and future—that entrust the covered entity with sensitive health information," Robinson says. "Voluntary compliance and informal resolution are an efficient mechanism to resolve noncompliance and save resources for both OCR and a covered entity."
OCR posted on its Web site a list of covered entities this week that have reported breaches of unsecured PHI affecting more than 500 individuals, fulfilling its obligation under HITECH.
The HHS organization, which oversees enforcement and compliance of the HIPAA privacy and security rules, reports that since September 22, 2009, 32 covered entities have reported breaches that affected at least 500 individuals.
In the cases where a business associate (BA) is involved, OCR lists those organizations as well. OCR reports that among the 32 breaches of 500 or more, seven included BAs. OCR cited one of the BAs by name -- Rick Lawson of Professional Computer Services. That reported breach, in Wilmington, NC, involved 2,000 individuals and was the result of a hacker, according to OCR.
The most egregious breach case came from Blue Cross Blue Shield of Tennessee, which affected 500,000 as a result of stolen hard drives, OCR reported on its Web site.
Following Blue Cross Blue Shield is AvMed, Inc., a Gainesville, FL, health plan. That reported breach occurred on December 10, 2009 and affected 359,000 individuals, according to the post on the OCR site. It resulted from a stolen laptop.
HITECH requires OCR to make public any breaches of 500 or more. OCR says on the site it will continue to update the page as it receives new reports of breaches of unsecured PHI.
The requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.
Those regulations require:
Notice to patients alerting them to breaches "without unreasonable delay," but no later than 60 days after discovery of the breach
Notice to covered entities (CEs) by BAs when BAs discover a breach
Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
Notice to next of kin about breaches involving patients who are deceased
Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response
Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecure PHI breaches involving fewer than 500 patient records
Other notable breaches posted this week include:
Blue Cross Blue Shield Association
State: District of Columbia
Business associate involved: Merkle Direct Marketing
Approximate number of individuals affected: 15,000
Date of breach: October 7, 2009
Type of breach: unauthorized access
Location of breached information: mailings

Detroit Department of Health and Wellness Promotion
State: Michigan
Approximate number of individuals affected: 10,000
Date of breach: October 22, 2009
Type of breach: theft
Location of breached information: portable electronic device

Universal American, Inc.
State: New York
Business associate involved: Democracy Data & Communications, LLC
Approximate number of individuals affected: 83,000
Date of breach: November 12, 2009
Type of breach: incorrect mailing
Location of breached information: postcards

Kaiser Permanente Medical Care Program
State: California
Approximate number of individuals affected: 15,500
Date of breach: November 1, 2009
Type of breach: theft
Location of breached information: portable electronic device

Goodwill Industries of Greater Grand Rapids, Inc.
State: Michigan
Approximate number of individuals affected: 10,000
Date of breach: December 15, 2009
Type of breach: theft
Location of breached information: backup tapes
A HIPAA privacy and security law firm is saying that OCR will delay enforcement of the HITECH provisions regarding business associates (BAs) because it has yet to publish its own regulations surrounding those provisions.
Hunton & Williams LLP blogged Friday that Adam H. Greene, Office of the General Counsel for OCR, said the BA provisions will be delayed until final rules addressing those provisions are published. Greene spoke Thursday at the American Bar Association's 11th Annual Conference on Emerging Issues in Healthcare Law.
Though OCR has not published anything formally announcing a delay, at least one HIPAA expert believes a delay is likely.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog, tells HealthLeaders Media that "it seems clear" OCR will not enforce any HITECH provision until it has published its own regulations and those regulations have become final.
The enforcement final rule, which includes a new penalty tier for breaches of unsecure PHI, is in effect. Breach notification is expected to be enforced starting today, February 22.
However, OCR has not published any rules or guidance on some key HITECH provisions—BA contracts and BA compliance with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule.
Regardless of an enforcement delay, HITECH compliance dates for BAs still apply by statute, Drummond says.
As of February 17, BAs must be in compliance with the security rule and parts of the privacy rule. And they must be entered into contract with covered entities.
"There's no delay on what the actual statute [HITECH] says," Drummond says. "So the statute is effective, and everyone is responsible for being in compliance. … Everyone should be aware that they are currently legally obligated to be in compliance with HITECH today, and there may be other enforcers (state AGs)."
So don't delay compliance, says William Miaoulis, CISA, CISM, HIPAA lead consultant for Phoenix Health Systems.
However, Miaoulis, too, feels enforcement is "a ways off, not only for covered entities but also BAs. … I don't think [OCR] is ready, and they know they were supposed to give guidance."
Editor's note: This is the third of a three-part series this week focusing on expert advice on complying with HIPAA and preparing for HITECH regulations. The HITECH compliance date for business associates to comply with the security rule was Wednesday, February 17.
HITECH compliance for business associates (BAs) has come and gone. The date for BAs to comply with the HIPAA Security Rule and the use and disclosures provision of the privacy rule was February 17. Further, breach notification enforcement begins February 22.
So where does your organization stand? Are you ready? Your BAs?
We can give you a pretty good idea after seeing the results of HCPro's HIPAA and HITECH survey, which was rolled out over the past two weeks. It attracted nearly 600 respondents, mostly HIPAA compliance officers and HIM directors.
For starters, if your organization has done something with its HIPAA compliance program in light of the HITECH, you're in the majority: 89% said they've responded.
And exactly what have they done?
Rewrite policies and procedures: 74%
Revise or draft new business associate agreements: 71%
Conduct additional training: 65%
Conduct an internal audit to evaluate your organization's program: 36%
Purchase resources to educate yourself on changes to the law: 28%
Hire a consultant to evaluate your organization's HIPAA compliance program: 6%
One respondent said they created a breach notification action response team, which seems to be a good idea when you consider the interim final rule on breach notification took effect last summer.
Those regulations require:
Notice to patients alerting them to breaches "without unreasonable delay," but no later than 60 days after discovery of the breach
Notice to covered entities (CEs) by BAs when BAs discover a breach
Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
Notice to next of kin about breaches involving patients who are deceased
Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response
Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecure PHI breaches involving fewer than 500 patient records
"Breach notification" earned the No. 1 spot to our survey's question, "Which provision of the American Recovery and Reinvestment Act of 2009 do you feel is the most challenging?"
It took top honors at 39%, and only 29% said they were completely ready to comply with those requirements; 61% said they were "almost ready" to comply. Amending business associate contracts took No. 2 in terms of the most challenging aspects of ARRA/HITECH at 18%. Finishing third with 16% was "Patients' rights to accounting on EHRs," which some told us earlier will be a logistical "nightmare."
BA requirements under HITECH have changed drastically. Most survey respondents said they feel their BAs are ready, but the scary part is 45% said they are not confident in their BAs' readiness.
Thinking about updating your training? An overwhelming majority (71%) of respondents said they update their training only annually. And only 31% said they are "very comfortable" that the training is effective. Most (63%) said they are "fairly comfortable."
So what's the parting message here, now that HITECH has essentially arrived?
Kate Borten, CISSP, CISM, president of The Marblehead Group, offers these quick tips:
Convert more organization leaders to become privacy and security believers
Stay focused and do not become overwhelmed by privacy/security responsibilities or discouraged by setbacks
Develop a 2010 work plan that is both achievable and a stretch for you and your organization
John Parmigiani, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and one of the members of the team that created the HIPAA Security Rule, says he hopes HITECH is the wakeup call that providers and enforcers need regarding HIPAA compliance.
"Having worked both with CEs and BAs over the years in attempting to foster HIPAA compliance, I am continually amazed at the lack of understanding and completeness in their HIPAA compliance," Parmigiani says.
Covered entities have been "emboldened by a long-standing environment of lax enforcement" and a belief that HIPAA compliance is a one-time project. It is not, he says, and perhaps government enforcement will be a harbinger for better compliance.
Through HITECH, OCR should easily be able to gain some "street cred" by quickly launching an audit initiative and "thereby sending a signal that compliance with HIPAA security and privacy is an important component of healthcare," he says.
Editor's note: This is the first of a three-part series this week focusing on expert advice on complying with HIPAA and preparing for HITECH regulations. The HITECH compliance date for business associates to comply with the security rule is Wednesday, February 17.
As a HIPAA covered entity, you should watch HITECH closely.
But HITECH compliance is really about HIPAA privacy and security rule compliance.
So as your organization works to comply with breach notification regulations and sets up a "harm threshold" risk analysis team, per HITECH, it should also go back to HIPAA security 101.
"HITECH did include significant changes, but the bottom line is, what security officers especially need to do is make sure they actually comply with the HIPAA Security Rule," says Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR.
Business associates (BAs) are concerned that by February 17, they must comply with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule. In reality, Apgar says BAs should have been compliant since 2003 for privacy and 2005 for security, by contract.
"Yes, the new requirements [especially breach notification] need to be addressed, but the bottom line is many covered entities and business associates have consistently failed to comply with the HIPAA Security Rule," Apgar says. "I find this over and over when conducting compliance audits."
And it's not as if HIPAA Security Rule compliance is all technical. The most significant risk, and the largest section of the security rule itself, is administrative safeguards.
"You can have the best technical security infrastructure in the industry, but that will not adequately protect against breaches and carelessness," Apgar says. "This is another reason why training and policies and procedures are so important."
Apgar says the security rule requires covered entities and BAs to ask these questions:
Have I conducted a risk analysis lately, and did I properly document it, mitigate damages and document where risks were acceptable?
Is my privacy/security training current? Do I train new workforce members who will have access to personal health information (PHI)? Do I regularly conduct refresher training for all staff? Do I send out security reminders?
Are my policies and procedures complete, current and enforceable? Have I trained workforce members on the policies and procedures they are required to adhere to?
Have I implemented a comprehensive audit program (the security rule requires three periodic audits and an "evaluation" or compliance audit)? When did I last conduct an "evaluation"? Did I address audit findings, and did I properly document it?
Do I have current, up-to-date, and communicated disaster recovery and emergency mode operations plans and have they been tested recently?
Do I follow CMS' remote access guidelines (not necessarily part of the rule, but CMS earlier indicated remote access management would be included as an audit criterion)?
What am I encrypting (e.g., data in transit, data at rest, etc.), and how am I protecting non-electronic PHI (breach notification and the privacy rule's "mini-security rule" requiring administrative, physical, and technical safeguard implementation for non-electronic PHI)?
OCR will audit entities of all sizes, from the sole practitioner to the multi-state healthcare corporation. And it's good to remember, Apgar says, that if any complaint is filed with OCR alleging willful neglect or suspected willful neglect, OCR is mandated by statute to investigate.
Above all, go back to the drawing board and make sure you're HIPAA compliant.
"It's difficult to comply with HITECH if you haven't complied with HIPAA in the first place," Apgar says.
Privacy and security officers have to comply with more rules than ever. The Federal Trade Commission's Red Flags rule, existing HIPAA laws, and the new Health Information Technology for Economic and Clinical Health (HITECH) Act require that covered entities:
Protect patient information with technical, administrative, and physical safeguards (HIPAA)
Lessen the negative effect of unauthorized disclosure (HIPAA)
Notify patients within 60 days of breaches that involve unsecure personal health information (PHI) and pose a significant risk of financial, reputational, or other harm (HITECH; enforcement effective February 17)
Inform HHS of breaches (HITECH; enforcement effective February 17)
Establish an identity theft prevention program with policies and procedures to detect, prevent, and mitigate identity theft (Red Flags Rule; enforcement effective June 1)
How should your facility handle these added regulations? Implement a three-step process to protect all patient information that includes plans for what to do before, during, and after a security incident, says Andrew E. Blustein, Esq., partner and cochair of Garfunkel Wild & Travis, PC's Health Information and Technology Group, in Great Neck, NY, Hackensack, NJ, and Stamford, CT.
"A medical record is chock-full of information that an identity thief can use to its advantage," says Blustein. "It's basically a treasure chest of credit card numbers, Social Security card numbers, and everything else someone needs to steal an identity."
Before the breach
Mitigate harm resulting from identity theft by preventing breaches from occurring, says David A. Mebane, Esq., senior vice president for legal affairs at Saint Barnabas Health Care System in West Orange, NJ.
"You want to create the right amount of technical safeguards so your patients are protected," says Mebane.
Safeguards include:
Encrypting laptop computers and other portable devices
Prohibiting the installation of unsecured software
Creating system firewalls
Establishing remote access roles specific to applications and business requirements
Destroying unnecessary patient information
Using and updating antivirus software
HHS also provides specific guidance for securing portable devices.
Establish policies and educate employees and vendors about their responsibility to protect information and report incidents, says Mebane.
"You'll also want to perform regular audits so you have a way of detecting breaches," says Mebane. "Once the information has been stolen and is in the wrong hands, a lot of the damage will already have been done."
Create an incident response program, advises Blustein. Form teams and designate leaders responsible for responding to and investigating any breaches. Ensure that your policies specify:
The type of information that must be reported
The entities to whom information must be reported
The deadline for reporting information
Penalties for individuals responsible for the breach
Responding to the breach
"Installing a program to prevent loss of PHI is like putting an alarm on your house," says Blustein. "It's a good start and it will prevent some thieves, but it doesn't mean you'll never have a problem."
If you discover a breach, alert your attorneys and consider retaining outside counsel. This serves two purposes. It provides an unbiased look at the event and helps protect your organization.
Activate the response teams you previously established, says Blustein. They should be prepared to investigate all aspects of the breach, including:
How the theft occurred
Who took the information
Whether employees were at fault
The amount of information taken
The number and identity of affected patients
The type of information stolen
Soon after making these determinations, decide whom you must notify and how you must do this. You'll need to consider state law, HIPAA, and the HITECH Act, says Blustein. You also must ask yourself what the right thing to do is, he says.
"You need someone in your organization who can make these decisions quickly to avoid the bottleneck problem," says Blustein. "The concern is that often things pile up and it takes too long to get approval and the notification letter ends up sitting on an administrator's desk."
Also consider offering affected individuals free credit monitoring for a specified time to help reduce the effect of the identity theft.
"You want to do everything you can to protect yourself and your patients," says Blustein. "By monitoring credit and notifying the right people, you might be able to cut off the use of their personal information before any damage is done."
Learning your lessons
The nature of the breach will help determine whether you want to amend your existing policies to be better prepared, educate staff members with respect to prevention, or implement more safeguards, says Blustein. Shore up any documentation pertaining to the incident in case there is an investigation, he says.
Even if you don't experience a security incident, monitor businesses and healthcare organizations in your area that may have been affected, advises Mebane.
"You can't just roll out policies and be done with it," says Blustein. "The challenges are always changing, and you need to be able to keep up with them."
Ensuring uniformity throughout your organization is important. "An organization should strive to ensure that your clinic down the street should have the same policies and protection as the computer in your main lobby," says Blustein.
HHS' "harm threshold" standard in its interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notification responses, according to providers who work with privacy and security.
At the 18th annual National HIPAA Summit Friday, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community at St. Charles Medical Center in Bend, OR, and Debbie Mikels, corporate manager, confidentiality for Partners Healthcare System in Boston, said the provision published August 24 in the Federal Register gives covered entities the power to prevent unnecessary notifications.
"If you flood your patients with huge concerns, you're going to open up a floodgate of problems in your organization where you really may not have had a risk to start with," Hofman said.
The panelists at the three-day seminar at the Wardman Park Hotel in Washington, DC, responded to a question from an attendee on the controversial harm threshold.
HHS says in the interim final rule that many commenters on its draft guidance in April suggested that HHS add a "harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual."
Now, covered entities and their BAs will perform a risk assessment to determine if there is significant risk of harm to the individual whose PHI was inappropriately dispensed into the wrong hands.
According to the interim final rule, the important questions are:
In whose hands did the PHI land?
Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?
Some Congressmen disagree with the standard.
Six members of the House of Representatives signed a letter on October 1 written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS' interim final rule on breach notification.
The Congressmen, all but one of whom are Democrats, wrote they are "deeply concerned" about the harm provision because it gives covered entities and business associates (BAs) a "breadth of discretion" as they determine the level of harm to an individual whose PHI was inappropriately disclosed.
Congress explicitly rejected a harm standard when it crafted the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher HIPAA enforcement and greater breach notification requirements.
Mikels, of Partners in Boston, said Friday her team is already prepared to conduct its harm risk assessment.
"We have to look at those harm questions," she said.
For instance:
Was it a release that went to a person inside your organization to another person that didn't need to know?
Does your organization have reason to believe that the PHI wasn't accessed?
"What do I think about [the harm threshold]? Again, it's a balance thing," Mikels said. "I think it makes sense to do a risk assessment. Whoever's the closest to the issue is the one who is best able to look at it and best able to figure out what happened."
Without a risk assessment and determination of harm, patients would be "inundated with so many letters that the letter of the law would be meaningless," Mikels said. "I'm kind of leaning toward I think it makes sense to do a risk analysis if we do it well and with the intent of the law. We tend to err on the side of caution and notify patients. Down the road, we wouldn't want patients to say, 'OK, my identity was stolen,' and we didn't do anything about it."
At the last HIPAA Summit—in September—Gerry Hinkley, Esq., partner and chair of HIT practice group for Davis Wright Tremaine in San Francisco, called the harm threshold a "huge weakness." He said if he's a patient, he wants to be the one determining whether information that was disclosed inappropriately could cause significant harm—and not the covered entity. Some also say it allows organizations to choose at their own discretion their own breaches.
"I don't think this is a get-out-of-jail-free card," Hofman of Cascade Healthcare Community said Friday. "With legal, compliance and with ethics, you would hope most organizations would have a higher standard of ethics, and that we'd do our best for our patients."
HITECH called for "periodic audits" to ensure HIPAA compliance, but as of today the Office for Civil Rights has not created a calendar of when those periodic audits will take place.
Sue McAndrew, the deputy director for Health Information Privacy for OCR, said at the 18th Annual National HIPAA Summit Thursday that OCR is working with a HIPAA privacy and security expert to help the organization "map out essentially the range of options that we have and what would be the most effective."
OCR is considering its budgetary means as well as the most effective method. "There are 1,000 ways to do this," McAndrew said.
HHS published in the Federal Register on October 30 the HITECH Act enforcement interim final rule for the February 17, 2009 HITECH Act deadline.
The interim rule includes no amendments to the enforcement provisions in HITECH, according to the rule itself.
HITECH calls for greater penalties for HIPAA violations and increased enforcement through "periodic audits." That provision, section 13411 of the HITECH Act, targets covered entities and business associates. In the new rule, the civil monetary penalties increased greatly, with a maximum penalty of $1.5 million for all violations of an identical provision.
As for the latest numbers surrounding HIPAA complaints, OCR in 2009 reported it received 7,116 complaints, a sharp decrease from the prior three years:
2008: 8,526
2007: 8,174
2006: 7,334
Why the decline in 2009? Perhaps it was a year of policy-making, and HIPAA enforcement and complaints were in limbo.
Uday O. Ali Pabrai, CISSP, CHSS, chief executive and co-founder of HIPAA Academy in Newport Beach, CA, said at the HIPAA Summit Thursday he thinks enforcement activity—and breaches—will become more prevalent after this month.
"I think there will be a lot of data breaches we'll be hearing about in the media this year," Pabrai said.
Business associates can be directly liable for a breach of unsecure protected health information (PHI) and could have to pay OCR directly, a top OCR official told HealthLeaders Media at the 18th Annual National HIPAA Summit Wednesday afternoon.
HealthLeaders Media asked Sue McAndrew, deputy director for Health Information Privacy for OCR, if a business associate could end up paying out of its own pocket for a breach.
The answer is yes.
"Business associates going forward will be directly liable for violations that occur in their possession," McAndrew said. "The fines would be imposed upon the BA, and if they can't pay, we send them to jail."
McAndrew laughed at the line about "jail," and said it was in jest.
However, she went on to say OCR would consider waiving—or decreasing—some of the penalties after an assessment of the financial state of a violating hospital. She also said that the "settlement door is always open."
On Wednesday, McAndrew also released breach numbers for the month of January:
As of January 2010, there have been 35 reports of breaches affecting 500-plus individuals, resulting in 712,000 notices.
Most of the reports involved ePHI contained in lost or stolen unencrypted media or portable devices.
There were more than 300 reports of smaller breaches.
Most of the paper records were sent to wrong fax numbers, wrong addresses, and wrong individuals.
When Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR, conducts audits of healthcare organizations, he usually finds problems in five areas.
Many organizations are focusing on the new privacy and security requirements created by the Health Information Technology for Economic and Clinical Health (HITECH) Act. However, they also must measure their overall compliance with HIPAA requirements already on the books, says Apgar.
Facilities and organizations considering what to do next should concentrate on compliance in these five areas, says Apgar:
Lack of a risk analysis. Organizations either haven't conducted a risk analysis or they last conducted one in 2005, when the HIPAA rule became final, he says. A risk analysis is "the foundation for your security program," he says. "You need that to build on."
Undocumented policies and procedures. Organizations may be doing the right thing, but they haven't documented it in their policies and procedures, he says. Less frequently, organizations do not follow proper procedures and don't have anything in writing.
Lack of training. Organizations may train new staff members, but many don't provide ongoing training, or the training they offer is often out-of-date, he says.
Failure to conduct compliance audits. The Security Rule calls it an evaluation, but it's really a compliance audit, says Apgar. Organizations need to conduct an annual compliance audit and also should conduct periodic audits, including an information systems activity review. "It's not happening in organizations. They either have never done it or don't do it on a consistent basis," says Apgar.
Lack of disaster recovery planning and emergency mode operations. Organizations either don't have a plan or it is out-of-date. Or the plan may focus only on how the organization will get its computers back up and running during an emergency. But consider a hypothetical situation: there is a flu pandemic and most of your staff members are out sick. The computers are running, but you haven't addressed how to keep your business going while trying to recover from this type of emergency. So don't focus only on technology during disaster planning. You need a business continuity plan that addresses all aspects of coping with a disaster or emergency.
So where should you begin to ensure compliance with all current regulations?
Focus first on the risk analysis and compliance audit because they "will show you where the holes are" and where your specific organization is lacking, says Apgar.