HHS SPI (SECURITY AND PRIVACY INITIAL INQUIRY) - Section A
Last year Texas HHS issued a 2-week alert requiring that all active fee-for-service contractors have up-to-date signed SPI (Security and Privacy Initial Inquiry) and DUA (Data Use Agreement) documents on file with HHS.
Updated versions of the documents have just been issued, a new DUA v.8.4 in March 2018 and SPI v.2.1 in June 2018. State departments don’t waste time updating documents they plan on discontinuing – HHS is serious and this issue isn’t going away!
If you’re reading this blog then you are interested – that’s good! You’re also likely impacted, and even if you’re not fee-for-service, adhering to these rules will go a long way toward protecting your consumers’ data. Provider groups impacted include (but are not limited to) HCS, TxHmL, TAS (Transition Assistive Services), Adult Foster Care, CLASS and various Consumer Directed Services. For a full list of providers impacted please visit the relevant HHS page here.
In this series we will review several pertinent sections of both the SPI and DUA. However, we must point out that anyone reading any of our blogs/articles is strongly advised to read the documents for themselves and/or seek understanding and clarification from appropriate experts in the field, as Focused Software and its employees do not give legal, regulatory, billing or other advice. Now that we’re clear on that – let’s get started!
The first thing to note is that the SPI is now considered attachment 2 of the DUA. Therefore the SPI is to be submitted as part of the DUA package. See the final page of the new DUA.
The latest version of the SPI has clearer instructions as well as an N/A option for most questions. The expectation is that each provider should be able to answer ‘Yes’ (or N/A) to all questions (except A9a and 11a, if applicable). For any ‘No’ answer an Action Plan for Compliance with a Timeline must be given below the question (except A9a and A11).
The timeline for compliance with HIPAA-related requirements for safeguarding PHI (Protected Health Information) is 30 calendar days from the date the form is signed.
Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed.
#1. Does the applicant/bidder access, create, disclose, receive, transmit, maintain, or store Texas HHS Confidential Information in electronic systems (e.g., laptop, personal use computer, mobile device, database, server, etc.)? IF NO, STOP. THE SPI FORM IS NOT REQUIRED.
Discussion: In this day and age the answer for virtually every provider should be Yes. Unless the scenario is one of a family member taking care of another family member, e.g. a parent taking care of a qualified child, and all of your documentation is truly done on paper, the answer should be Yes. This is because everyone sends texts, receives emails and stores pertinent information on electronic hardware of some sort. I believe answering ‘No’ here is a big red flag for HHS to come and dig deeper. Unless you’re a hermit looking after a vulnerable individual out in the boonies with no phone, internet or electronic hardware of any sort, I’d think long and hard before saying No.
#2. This question simply requires contact and tax-related information for the registered business.
Discussion: Straightforward, except that if you have multiple contract numbers there isn’t enough space to list them all. You may want to list additional contract numbers in the space to the left under question #2 itself.
#3. Number of Employees, at all locations, in Applicant/Bidder’s Workforce
Discussion: Employees here refers to anyone whose conduct is under the direct control of the Applicant/Bidder, i.e. both paid and unpaid staff. Therefore this includes all employees, volunteers, trainees, etc. A subcontractor who is under your control, e.g. an independent contractor who does your office work from within your agency, might qualify as an employee in this situation, whereas subcontractor staff who work for your email company with offices in California are obviously not under your control. The interpretation of control here is critical. The main point is to ensure that all people who work on behalf of the provider, and who might see consumer data in the performance of their regular duties, are covered by some aspect of the DUA. If the Applicant/Bidder is a sole proprietor, the workforce may be only one employee.
This raises the question ‘where do contracted Host Home Providers fit in?’ Providers don’t know where to include them and therefore don’t know what rules to apply. Do you get them to sign a subcontractor DUA Agreement or not? Count them as non-exempt subcontractors or not? Insist they acquire and use encrypted email to send information about a child, for example?
HHS hasn’t given clear guidelines, and though the ‘Independent Contractor’ definition changes instituted by the Department of Labor (DOL) in 2015 were withdrawn by the Trump administration in June 2017, there has been no replacement guidance. Determining whether a person is an employee or an Independent Contractor can get very complex very quickly.
Focused Software helps you by providing a secure and encrypted service delivery and e-doc charting system for your Host Home providers, as well as encrypted email services that allow your Host Home providers to send encrypted replies to your encrypted emails for free!! Now you don’t have to worry about PHI transfer and whether they’re non-exempt subcontractors or not – Focused has you covered!
#4. Number of Subcontractors
Discussion: In the DUA, under the Definitions subsection of the ‘Articles’ section, the following definition is given – “Subcontractor” means a person who contracts with a prime contractor to work, to supply commodities, or to contribute toward completing work for a governmental entity. As relates to the DUA and SPI, these would be subcontractors who might access consumer data during the performance of their duties for the prime contractor and are not exempt as per DFPS. IMPORTANT – You’ll be expected to submit the same number of signed hardcopy DUA subcontractor forms as the number given here. For example, if you say you have 4 subcontractors then the state expects 4 DUA “Attachment 1. Subcontractor Agreement Forms” on file for your business. Remember: signed hard copies, not faxed, emailed or scanned copies.
For more information on how Host Home providers fit into the category of HHS subcontractor (or not) please refer to question #3 above.
#5. Name of Information Technology Security Official and Name of Privacy Official for Applicant/Bidder
Discussion: These may be one and the same person, or even an external consultant. Please refer to the relevant section of the SPI instructions (last 6 pages) for definitions, expectations and relevant duties of these two officers.
So are contracted Host Home Providers subcontractors or NOT???!!! Providers don’t know... but Focused Software can help!!
#6. Type(s) of Texas HHS Confidential Information the Applicant/Bidder will create, receive, maintain, use, disclose or have access to:
Discussion: In order to answer correctly, please refer to the Texas HHS definition of Confidential Information (CI) as well as the definitions for the different CI types in the SPI Information section (last 6 pages). If your team handles other types of CI they should be listed. Most providers will need to check off all boxes except CJIS; however, your company may be unique, so check first.
#7. Number of Storage Devices for Texas HHS Confidential Information:
Discussion: This includes all electronic devices used for storage of CI (or Protected Health Information (PHI)). So yes – this includes cell phones, laptops, PCs, servers, cloud services, etc. If you’re a client, Focused Software can help with some answers here. Please refer to the definitions in this question and then answer each sub-question. Don’t forget to add all of the devices up and enter the total number in the appropriate section!
#8. Number of unduplicated individuals for whom Applicant/Bidder reasonably expects to handle Texas HHS Confidential Information during one year:
Discussion: The number of consumers/clients for whom you are responsible to Texas HHS and for whom you will handle CI/PHI.
#9a. Will Applicant/Bidder use, disclose, create, receive, transmit or maintain protected health information on behalf of a HIPAA‐covered Texas HHS agency for a HIPAA‐covered function?
Discussion: If you are a fee-for-service provider of any sort (and likely even if you’re not) then the answer really should be yes.
#9b. Does Applicant/Bidder have a Privacy Notice prominently displayed on a Webpage or a Public Office of Applicant/Bidder’s business open to or that serves the public?
Discussion: The expected answer is yes. Focused clients can ask for a free PDF copy that they can print off and display prominently at their place of business. If you answer ‘No’, then you must complete an Action Plan for Compliance with a Timeline within the limit for this type of HIPAA deficiency. This is a HIPAA requirement and therefore not applicable to exempt entities, i.e. your answer may be “N/A” if HIPAA rules do not apply to you.
#10a. Does Applicant/Bidder require subcontractors to execute the DUA Attachment 1 Subcontractor Agreement Form?
Discussion: The answer expected here is yes, especially if your answer to question 4 above is anything above zero, unless your subcontractors are exempt. Focused Software is happy to sign attachment 1 of the DUA for you. Find out (quickly) whether all of your subcontractors will sign the DUA. Why quickly? Some EHR or encrypted email companies refuse to sign this state-mandated document because they have in-house Business Associate Agreements (BAA) that they believe adequately cover the HHS requirements. If your EHR or encrypted email company refuses to sign the DUA attachment 1 for you, you will need to discuss this with HHS Texas. Don’t wait until you get the final letter demanding the DUA attachment 1 before you start enquiring! There is no guarantee that the state will approve the third-party BAA (what can be guaranteed is that your wait time for an answer won’t be short!). This might impact your ability to provide or get paid for IDD services. On the other hand, you could just keep things real simple and switch to Focused Software!
#10b. Will Applicant/Bidder agree to require subcontractors who will access Confidential Information to comply with the terms of the DUA, not disclose any Confidential Information to them until they have agreed in writing to the same safeguards and to discontinue their access to the Confidential Information if they fail to comply?
Discussion: Again, the expected answer here is yes. You are expected to get a signed DUA attachment 1 from any non-exempt subcontractors (e.g. EHR, encrypted email, contract billing/accounting, network management vendors, etc.) before you give them access to your clients’ CI/PHI.
#11. Does Applicant/Bidder have any Optional Insurance currently in place?
Discussion: This is one of the few places where a ‘No’ answer does not require an Action Plan for Compliance, unless you have been specifically instructed to maintain such insurance by Texas HHS or another authorized agency. Insurance coverage here refers to (1) Network Security and Privacy; (2) Data Breach; (3) Cyber Liability (lost data, lost use or delay/suspension in business, denial of service with e‐business, the Internet, networks and informational assets, such as privacy, intellectual property, virus transmission, extortion, sabotage or web activities); (4) Electronic Media Liability; (5) Crime/Theft; (6) Advertising Injury and Personal Injury Liability; and (7) Crisis Management and Notification Expense Coverage.
Stay tuned! Remember Focused Software is here for you! Our blog next week will cover section B of the SPI.
Contact us today – we’ll be happy to provide a free, no-obligation demonstration of the Focused Software Electronic Health Record, discuss provider operations and brainstorm with you so you can discover how easy it is to comply with the SPI and DUA requirements when you partner with Focused Software.