Locking in HIPAA Compliance Your guide to protecting your patient information and your practice
B r o u g h t t o y o u b y:
Top Five issues
with HIPAA Security Policies By Katie Lay
olicies and procedures to comply with the HIPAA Security Rule are the foundation of your HIPAA security compliance program. Written policies document how a covered entity has implemented the standards and implementation specifications within the HIPAA Security Rule. If your policies are not complete and accurate, it is difficult to show HHS’ Office for Civil Rights (OCR), the agency in charge of enforcing HIPAA, that you are complying with the HIPAA Security Rule during an investigation of a data breach, patient HIPAA complaint, or a HIPAA audit.
2
Brought to you by
Here are five of the top issues with medical practice HIPAA security policies and how to remedy them.
1. Template or sample policies. Covered entities have been fined by HHS specifically for using sample policies. It is not enough to purchase a set of template policies — even if they are written by an attorney — and use search and replace to update the documents with your practice name. Each policy must be reviewed, and you must decide if it is reasonable and appropriate for your practice to implement based on your most recent risk analysis. Many template policies written in 2013 reference tech-
nology and security measures that are no longer recommended standards for protecting your data, or overlook recent changes to security best practices. If you have purchased template or sample policies, review them now to see if you have any of the top issues mentioned here. To adapt template policies to fit your practice, you need to include your HIPAA Security Officer, human resources, and IT staff or company in the review process. Your written policies and procedures should be based on your latest HIPAA risk analysis so that you can ensure any identified risks or deficiencies are adequately addressed in your policies. Many practices are unprepared for the addiMedical Economics
tional time and expense required to adapt template policies to fit their practice, so make sure you allow for this in your schedule and budget.
2. Missing policies for some standards and implementation specifications in the HIPAA Security Rule. In many cases, covered entities confuse HIPAA privacy policies with their HIPAA security policies. It is important to verify that you have a written policy for each of the more than 60 standards and implementation specifications listed in the HIPAA Security Rule. If your policies do not reference the appropriate sections in the HIPAA Security Rule, you may need to review your policies and the regulations to verify that each section is covered. Prior to providing your policies to OCR, you should create a reference to identify which regulations are covered by each policy. Some implementation specifications are addressable, which means the covered entity must “Implement the implementation specification if reasonable and appropriate; or if implementing the implementation specification is not reasonable and appropriate— document why it would not be reasonable and appropriate to implement the implementation specification; and implement an equivalent alternative measure if reasonable and appropriate.” [45 CFR 164.306(d) (ii)] This means that for the parts of the HIPAA Security Rule that are addressable, you can decide that the recommended security measure is not reasonable or appropriate for your practice; however, you can’t just skip the requirement. You must document why it is not reasonable or appropriate for your practice, and implement an alternative security measure if possible. Medical Economics
Template policies often include statements or directions that require you to review the recommended policy and adopt it as reasonable and appropriate, or update the policy with an alternative security measure. In many cases the documentation for why the recommended policy is not reasonable or appropriate is not included in the template policy, so you must maintain that documentation either in the policy or separately as part of your HIPAA security documentation. Remember, “addressable” does not mean “optional,” you must have documentation that addresses the implementation specification.
3. Procedures and responsibilities are not clearly defined. Many policy templates have disclaimers warning that the documents are a general guidance for developing your own policies and procedures. This is because you are required to have procedures that document how your policies are implemented. For example, a template policy may state that you will “limit access to electronic protected health information (ePHI) to person(s) with a need to access ePHI to perform his or her job duties.” Clearly defined procedures and responsibilities may include identifying who in the organization is authorized to determine who needs access, who is responsible for reviewing current and future job descriptions, how the authorization and review of access to ePHI is to be documented, etc. In many cases, practices assume that by updating policy templates with their practice name, their policies have been “customized.” It is critical you review any disclaimers and instructions provided with template policy documents so that you understand what is required
to implement policy templates for your organization. If you adopt template policies, you are responsible for verifying that the policies are appropriate for your practice and include procedures with sufficient detail to document how your practice is implementing each policy.
4. Referenced documents have not been created.
Many policies reference additional documents that must be created by your practice because they need to be specific to your organization. For instance, your risk assessment and management policy may require you to have a written risk management plan, or your contingency policy may require you to have a data backup plan, disaster recovery plan, and contingency plan. If your written policies require you to have these additional documents, you must be able to produce these documents and demonstrate that you are following the procedures listed in those documents. Referenced documents should also be reviewed when you review your policies and procedures. Your risk management plan should document your process for continually assessing risk and ensure compliance with the HIPAA Security Rule. To see if your data backup, disaster recovery, and contingency plans are accurate and complete, you can run a mock disaster scenario to test your procedures. Ideally, this would include testing a full restore of your most recent data backup to verify that your data can be recovered in case of a disaster.
5. Specific timetables and tasks are not followed.
Many policies reference specific tasks that must be done at a certain time, such as “password changed at least every 90 days” or “review audit logs of critical systems every 60 days.” Not Brought to you by
3
following your own written policies and procedures can be viewed as “willful neglect” which has severe consequences in terms of HIPAA violations and fines. Any task and timeframe referenced in your written policies and procedures should be reviewed carefully, and if it is written in your policy, you should have documentation that the policy is being followed. This may include a log documenting who is performing each task as well as the date and time the task is performed.
What is a Risk Management Process?
Staying Compliant
While there is no single method or best practice that guarantees you won’t have a data breach, the HIPAA Security Rule does require covered entities to have a Risk Management Process in place as a required implementation specification.
Your HIPAA Security Officer must be familiar with your written policies and procedures so that he or she can update your documentation when necessary. The HIPAA Security Officer should coordinate with your IT staff or company as changes are made, new threats are identified, and new technology is implemented. Remember, even if you use an outside vendor for services related to your HIPAA security compliance, you are ultimately responsible for protecting your patients’ data and complying with the HIPAA Security Rule. It is critical that your written policies and procedures are reviewed frequently, and you are able to document that your practice is following these policies. Unlike HIPAA privacy policies, HIPAA security policies are meant to be updated frequently as you identify ways to mitigate the risks identified in your ongoing risk management process and as your practice’s technology, operations, and staffing changes. Katie Lay is the vice president of
business development at CAEK, Inc., a HIPAA security compliance company. She has provided HIPAA compliance education and seminars for physicians, hospitals, and public health agencies since 2010.
4
Brought to you by
Anna Drachenberg
A Risk Management Process is a method of continually assessing risks and ensuring appropriate security measures are implemented to minimize or mitigate the potential damage to the organization. While there is no single method or best practice that guarantees you won’t have a
data breach, the HIPAA Security Rule does require covered entities to have a Risk Management Process in place as a required implementation specification. There are three important parts to a successful Risk Management Process, and all three are required by the HIPAA Security Rule.
1. Implement Security Measures
As the Risk Management [45 CFR 164.308(a)(1)(ii)(B)] implementation specification states, each covered entity must “Implement security measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate level...” In order to document compliance with this requirement, according to CMS, your practice should have a detailed implementation plan that includes: a. Security measure(s) to be implemented; b. Assigned responsibilities; and c. Start and completion dates. The plan should guide your practice’s actual implementation of security measures to reduce risks to electronic protected health information (ePHI) to appropriate levels. If a planned security measure cannot be implemented, you should document the step(s) taken to mitigate the risk or alternative security measures implemented to reduce risks. It is important to note that, even if your practice chooses to use an outside vendor to implement security measures selected, you are responsible for compliance with the HIPAA Security Rule. For instance, you may engage an IT company to encrypt all of your computers; however, you must verify and document that the computers were encrypted.
2. Ensure Compliance The HIPAA Security Rule requires covered entities to “Ensure compliance with this subpart by its workforce”[45 CFR 164.306(a)(4)]. This means that you must verify that your staff and any outside vendors are complying with your written policies and procedures. For instance, if you hire a new employee, you must ensure that your HIPAA security policies for authorizing access to ePHI, training, and setting up user accounts have been followed. If your IT vendor installs a new Medical Economics
computer, you must ensure that your HIPAA security policies for authorized software installation, antivirus software, and encryption have been followed. If your practice is investigated because of a patient HIPAA complaint or breach, you may be required to provide documentation that your policies have been followed. For example, your HIPAA Security Officer should be able to provide the following documentation according to your written policies. • Date and time computers were encrypted or verified not to contain ePHI on the hard drive. • Software updates installed within one business day (or time determined by your policy) of release by the software vendor. • Date and time most recent electronic medical record system audit was reviewed by HIPAA Security Officer and/or designated employee. • Any shared passwords, such as wireless network password, changed within one business day (or time determined by your policy), after the most recent employee termination. • Authorization to access ePHI on file for most recent employee hired. During an investigation, HHS gives a limited amount of time to produce requested compliance documentation; therefore, your HIPAA Security Officer should be able to easily retrieve documentation for all of your written policies and procedures.
3. Evaluate and Monitor Security Measures Covered entities are responsible for evaluating and monitoring the risk mitigation measures according to the implementation specification, [per 45 CFR 164.308(a)(8)]: “Perform a periodic technical and nontechnical evaluation, based initially Medical Economics
upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” This means that periodically you must evaluate if your policies and procedures meet the requirements of the HIPAA Security Rule for new risks, new security measures available to mitigate those risks, and changes to your environment or operations. Cyber criminals are constantly working on new ways to steal data. You are responsible for updating your policies and implementing new security measures to meet these new threats and risks to your patients’ data. As security measures and technology to mitigate these threats become more readily available and cost effective, security measures may be reasonable and appropriate today that were too expensive when the HIPAA Omnibus Rule went into effect in 2013. This is why it is important to continually review the security measures available to ensure that you have implemented every reasonable security measure to protect your patients’ data. Information security experts estimate that hundreds of thousands of new malware are released every day. Some require installing software updates as soon as a patch is released by your software vendor, and some may require other security measures. Your Risk Management Process should include monitoring security threats, applying security updates, and notifying your staff of potential threats. If you plan on making changes to your operations and environment, you may need to update your security measures for those new activities, such as installing
new software, starting a social media program, or offering telemedicine services. If you determine that existing security measures are not sufficient to protect against the risks associated with the new technology, then you must determine if additional security measures are needed. Risk analysis and management should not be limited to a once-a-year activity, but must be ongoing so that you can address risks before you implement a new system or technology. Integrated Risk Analysis and Management Process
There is no panacea for protecting electronic health information. While a good IT partner or well-trained IT staff is critical to implementing the technical safeguards, you are ultimately responsible for ensuring compliance with the entire HIPAA Security Rule. As the designated person responsible for implementing and ensuring compliance, the HIPAA Security Officer must continually analyze and manage risk for the practice. Risk analysis and risk management are the foundation of your Security Rule compliance efforts. Risk analysis and risk management are ongoing processes that are necessary to understand the risks to ePHI and the security measures that must be implemented to protect ePHI. To implement a successful HIPAA security compliance program, you need to integrate risk analysis and management processes with your everyday business operations. n Anna Drachenberg is CEO
CAEK, Inc., a HIPAA security compliance company. She started her career at the U.S. Food and Drug Administration before moving into technology. She has over 20 years of regulatory, software development, and information security experience. Brought to you by
5
What do custom policies mean to you? You know you need HIPAA policies that are specific to your organization. Pasting your practice name into a policy template does not make it “custom.” We create policies and procedures specific to your organization based on your risk analysis.
LayerComplianceTM is the comprehensive HIPAA solution that helps you get and stay in compliance.
Visit layercompliance.com or email info@layercompliance.com to learn more.
LAYERCOMPLIANC by
TM
Covered the HIPAA Bases? Don’t Forget about streaming media
By Sabrina George
Want to avoid a HIPAA-related fine? Look for vendors that follow the rules. Here’s some help. ou’ve considered all the nuances of the new HIPAA guidelines when it comes to securing the reams of patient data residing on your computer networks including installing firewalls and changing passwords frequently. But did you think twice when the doctors in your hospital signed up for an interactive Web conference series to stay current with their medical specialties? Streaming media and Web conferencing sites might seem harmless, but watching or listening to streaming media may require downloading a special media player that may contain malware, according to the “HIPAA, Privacy & Security Training Module,” put out by the University of North Carolina at Chapel Hill. Regardless of whether a patient data breach happens or not, all Web conferences, webinars or any technology used for online collaboration or conferencing, are subject to HIPAA guidelines, outlined in the law’s Privacy Rule, the Security Rule and the HITECH Act, which clarified and strengthened the first two rules in 2009. Penalties vary, from up to $50,000 per incident up to $1.5 million per incident for violations that are not corrected, per calendar year. And in some cases, the penalties for state laws might be more severe. Medical Economics
The ruling applies to vendors who are legally classified as business associates: As privacy rule 45 C.F. R. § 164.504(e), states: “If a vendor or subcontractor transmits, maintains, or has routine access to protected health information (PHI) when providing its services to a covered entity then it is considered a business associate.” So, that applies to software vendors transmitting patient information, which might be discussed in an online doctors’ forum, a webinar series, or other online conferencing application. To avoid heavy fines, look for a streaming media and conferencing vendor that is HIPAA compliant. That vendor will understand all the nuances of the law, and have the latest encryption technology to secure your data. Here are a few things to make keep in mind when shopping for a vendor who adheres to all the HIPAA guidelines. • Data encryption: Make sure data used in Web meetings and transmitted in a Web conference or webinar are securely encrypted using state-of-theart encryption techniques. This includes audio communication, video clips, presentations, Q&A, chats and surveys. • Access controls: Only authorized users are allowed access to electronic protected health
data; this includes transferring, removing, disposing and re-using electronic media and data. Access controls should include unique user IDs, an emergency access procedure, automatic logoff and encryption and decryption. • Daily audit reports: Tracking logs should be maintained to keep a continuous audit of activity on hardware and software. These reports can pinpoint the source of any security violations. • Integrity controls: These are measures put in place to ensure that electronic protected health information has not been altered or destroyed. • Disaster recovery: Comprehensive offsite backup and disaster recovery systems need to be in place to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact. • Network security: A highly secure network is critical to protect against unauthorized public access of electronic protected health information, regardless of how it is transmitted. n Sabrina George is vice president of marketing at Onstream Media & Infinite Conferencing, divisions of Onstream Media Corp.
Brought to you by
7
Private practices top the list as the most common covered entities required to take corrective action under HIPAA. By Ron Sterling, CPA, MBA
H
ow you address patient HIPAA issues, as well as the effectiveness of your HIPAA compliance efforts, can reduce your risk of being subjected to an investigation. All it takes is a single complaint to HHS or a breach report filed by your practice to start an inves-
8
Brought to you by
tigation. Fortunately, there are steps your practice can take to avoid this. Know the process
Filing a HIPAA complaint is quick and easy through HHS’ toll-free number or using the agency’s paper or online form, and even a dedicated e-mail address. Your HIPAA Notice of Privacy must notify patients of
that right as well as the option of filing a complaint with your own privacy officer. It’s important that your practice effectively supports a patient’s right to take this step and be responsive to any such complaints. Many practices do not have a HIPAA complaint form easily accessible to patients. Many practice staffers and physicians aren’t
Medical Economics
familiar with the rights of patients to file a complaint. Make sure your staff knows how to connect the patient with your privacy officer and how the patient can file a complaint outside of the practice. If your complaint process is difficult, your patients may go directly to HHS to trigger an investigation. Handling things in-house
If your practice receives a complaint, you should: • Contact the patient as soon as possible to gather information on the incident and convey your commitment to addressing the situation. The privacy officer should also explain your internal process. • Keep the patient informed about the status and resolution of the complaint as well as, if necessary, the breach notification. • Formally notify the patient about your findings and response to his or her complaint. Your response should help the patient understand the situation and your efforts to address any problems and issues. Note that many complaints may not involve a problem but merely a patient’s lack of understanding of your HIPAA obligations and their rights. • Maintain documentation for the practice on the response to the complaint and any remediation effort so as to avoid similar problems in the future. • Ensure that practice leadership regularly reviews both the status of complaints and the practice’s response to them as part of the HIPAA monitoring effort. Should the patient also file the complaint with HHS, your practice will be able to provide its response, thereby demonstrating your due diligence and HIPAA compliance.
Medical Economics
OCR investigations
HHS says the problems that have triggered the most investigations are impermissible use and disclosure of information, lack of safeguards, and lack of patient access to information. After OCR has received a complaint, the agency verifies that the complaint involves a practice or hospital and has been filed on a timely basis, generally within 180
HHS says the problems that have triggered the most investigations are impermissible use and disclosure of information, lack of safeguards, and lack of patient access to information. days of the event. If the initial requirements are not met, the complaint is not pursued. OCR will request information about the complaint. This request will specify the issue and the information needed, as well as a response due date, typically 30 days after the request. Requested information could include documents, logs, and HIPAA manuals. Information from your practice management system and electronic health record (EHR), such as a copy of the document involved in the complaint may be requested as well. According to HHS, the initial review may include: • analyzing the submitted information to determine if OCR can resolve the issue;
• requesting additional information to problems or deficiencies noted in your response to OCR; and • acquiring additional information and/or conducting interviews by phone as needed to determine the proper handling of the complaint. The investigator will seek next to develop a “voluntary action plan or letter” to resolve the complaint. This is where most practices arrive at an agreement and complete the investigation. If the issue isn’t resolved, OCR will arrange for a site visit. The investigator may: • interview just about anyone in your practice, including managers, the HIPAA privacy officer, computer support staff, clinical staff, doctors and front desk staff. • observe operations to understand the environment that led to the complaint. After the visit, the investigator will analyze the issues and formally document the findings. The investigator may prepare several supporting documents including an action memorandum and investigative report. The action memorandum documents the complaint issues and includes a draft agreement or other actionable items, including a more serious violation letter of findings. Practices may receive technical assistance from OCR to address the problem or a more serious notification of an enforcement violation for failing to comply with HIPAA and other deficiencies. The draft is then finalized with a determination whether a violation occurred. n Ron Sterling, CPA, MBA, is president of consulting firm Sterling Solutions in Silver Spring, Maryland.
Brought to you by
9
Many medical practices are vulnerable to considerable liability due to lax HIPAA protocols, but focusing on these nine areas can help reduce your risks. By Ron Sterling, CPA, MBA
D
espite changes to the Health Insurance Portability and Accountability Act (HIPAA) that dramatically affect the risk profile of medical practices, many have yet to establish a full arsenal of defenses against data breaches. The simple fact is that failure to update your protections can multiply your vulnerabilities and fines if a breach occurs. The penalties for a HIPAA violation are real and substantial. For example, a five-physician practice in Phoenix, Arizona, was fined $100,000 for failing to meet HIPAA’s privacy and security requirements. In other cases, fines have been assessed for the loss of thumb drives and laptops containing patient information as well as for poor compliance plans and training. HIPAA privacy rules established standards for the handling and use of patient information, known as Protected Health Information (PHI). Prior to HIPAA, patient information was regulated by a diverse patchwork of thousands of state and federal laws. HIPAA’s standards enabled the exchange of information among health-
10
Brought to you by
care organizations that assure provenance and integrity of PHI as well as appropriate authorization to share information among practices and/or healthcare organizations. Unfortunately, many practices lack a comprehensive HIPAA security and privacy compliance program. Although HIPAA compliance can be tailored to the complexity and size of your practice, the use of supposed shortcuts can dramatically increase the risk of problems and penalties. Using boilerplate materials from the Internet that have never been customized for the practice, performing training years ago but never again and not having designated staff members responsible for HIPAA compliance are common failures among smaller practices. Compliance problems are not limited to small practices. Some larger practices assume that information technology (IT) staff members enforce HIPAA when in fact the IT team knows little about clinical operations or procedures to support HIPAA standards. Small and not-so-small practices are exposed to HIPAA penalties as well as the embarrassment of inappropriate use
of patient information. HIPAA problems and compliance issues can even place your electronic health records (EHR) incentive payments at risk. HIPAA problems can affect every aspect of your practice. For example: • Failure to maintain the integrity of your office notes could result in unsubstantiated billings and refunds from your practice to payers. • In the event of a claim of medical professional liability, poor compliance with HIPAA privacy and/or security could severely undermine your defense against claims. • Insurance auditors, quality reviews and other reviews of your patient records will depend on practice efforts to protect the integrity of patient information. • In the worst cases, your patient and service documentation may be misleading and/ or dismissed due to HIPAA problems and violations. HIPAA is not optional or a luxury. In order to meet your HIPAA responsibilities, we will review some key strategies to decrease your HIPAA-related risk. Medical Economics
Supporting HIPAA security and privacy is a key requirement for virtually every practice. Practices make a variety of direct and implied representations that HIPAA privacy and security compliance is in place to other practices, payers and a wide range of related parties. In the event of a problem, the lack of appropriate compliance strategies and processes will expose the practice to a greater level of embarrassment and penalties. By making HIPAA compliance part of your operational and patient service strategy, you will operate as a more reliable and effective organization while meeting the HIPAA requirements. Update your notice of privacy practices
The “current” Notice of Privacy Practices (NPP) in some practices is years old or was copied from a different practice. Like all other HIPAA compliance tools, the Notice of Privacy Practices should be customized for the practice and reflect current requirements. If your NPP is dated prior to 2013, or lacks a date at all, then you need to update it. The HIPAA Omnibus rule included new requirements for using PHI that have to be included in the NPP, including: • The circumstances under which the covered entity can use or disclose PHI. This must reflect the new rules regarding marketing and fundraising activities, the sale of PHI and disclosure to payers. • An explanation of the patient’s rights and how those rights can be exercised. • An explanation of the covered entity’s legal obligations. • A contact person who can provide additional information to the patient. Additionally, use of an EHR, changes to procedures, and even new service plans may trigger NPP changes. Medical Economics
Many NPPs lack practicespecific issues and accommodations. For example, even though communications with patients through e-mail is allowed as long as patients understand the risks, the operational aspects of assimilating e-mails of clinical significance with your EHR and/ or paper record may be daunting. If you are using a patient portal, you may want to direct patients to the portal and exclude e-mail use in your NPP. Find a security and privacy officer
HIPAA requires a privacy officer to monitor HIPAA privacy compliance and a security officer for HIPAA security. For smaller practices one person can serve both roles. The security and privacy officers are the go-to people for HIPAA issues and are responsible for current documents, training, and compliance. As important, the privacy and security officers will have to handle and address HIPAA problems, and lead the response to impermissible uses and disclosures as well as breaches. HIPAA privacy and security officers need to be properly trained as well as involved in developing a compliance program for the practice. The officer(s) are responsible for maintaining relevant policies and procedures as your practice evolves to meet changes in the healthcare industry as well as changes to your practice. Lack of HIPAA officers or defaulting to an office manager who has not been trained or doesn’t have the time to develop and monitor HIPAA-compliant practice standards will not pass the compliance test. Responsibilities for the officer include: • updating privacy and security policies; • creating a breach/incident log; • developing a process for providing patients with records when requested;
• updating incident response plans; • performing a risk assessment; and • training employees. Update and document policies and procedures
Practices are required to maintain documentation on HIPAA policies and procedures used to comply with the requirements. Many practices use boilerplate policies and procedures from various sources and services. However, the key issue is that the practice has to customize the policies and procedures for their own situation. Policies and procedures will dramatically differ for a variety of service, operational and technical issues. For example: • Using billing, EHR, and patient portal products from different vendors requires additional HIPAA security monitoring and tracking. • Practices using paper charts will have to assure that the paper charts are properly managed and stored. • Specialty practices that have extensive diagnostic equipment in-house will have to monitor PHI in each piece of equipment. • Practices that exchange electronic information with labs, hospitals, other healthcare organizations should track the integrity and timely handling of outgoing and incoming electronic information. • Practices with only one office will not have to address the coordination and office specific operational issues that will be covered in a practice with multiple offices. HIPAA policies and procedures form the basis for the operational processes that will be used to serve patients. Brought to you by
11
Conduct training
Common HIPAA compliance problems related to training staff on HIPAA issues include: • Training that was provided previously, but never repeated. • New staff is trained on the job, but have no formal HIPAA training. • No formal policies and procedures for training staff. • Using a generic HIPAA training program that lacks application to the practice. HIPAA requires training staff and doctors on practice-specific issues when they are hired as well as refresher courses on a periodic basis. Additionally, changes to the practice could necessitate supplemental training. Using Web meeting services and other technologies, practices can record a training session that can be used to support the HIPAA training requirements. However, general HIPAA training available on the Internet may not address the practice-specific issues that
Myths debunked about security risk analyses MYTH: The security risk analysis is optional for small providers. FACT: False. The analysis is required for all providers. MYTH: Installing a certified EHR fulfills the security risk analysis component. FACT: False. Security requirements address all ePHI, not just info in your EHR. MYTH: I only need to do a risk analysis once. FACT: False. To comply with HIPAA, you must continue to review, modify, and update your security protections. For more myths debunked, visit: www.healthit.gov
12
Brought to you by
make the difference between compliance and lack of due care. Standardize your endof-day clinical process
Most practices have an end-ofday practice management process that matches payments with posted transactions and visits with charge entry. The process is used to verify that information has been properly recorded and managed in the medical billing system. An unposted batch or failure to generate claims would be considered a significant problem that must be fixed. Unfortunately, most practices do not have a clinical end-of-day process to verify that clinical records are being properly maintained. Maintenance lapses could undermine the integrity of patient records and your clinical operations. Items that could be checked on a daily basis include: • Patient exam notes were signed within an acceptable time. • Incoming secured messages (Meaningful Use Stage 2) have been reviewed and addressed. • Incoming electronic lab results (Meaningful Use) have been reviewed and communicated to the patient. • The practice has sent reminders (Meaningful Use) to patients on overdue patient radiology orders and surgical orders. The end-of-day process should be based on standards established by the physician management. For example, primary care practices may have end-of-day checking for delivery of outgoing referrals while specialty practices may check on patients with overdue procedures. Understand breach consequences
A HIPAA breach is defined as the acquisition, access, use, or disclosure of PHI that is not allowed by HIPAA privacy rules. Breach penalties are capped at $1.5 million per penalty type per year with a sliding scale ($100 to $50,000)
per incident. The HIPAA Omnibus rule dramatically changed the breach triggers and HIPAA risks. Prior to 2013, a breach required financial or reputational harm. HIPAA Omnibus changed the trigger for a breach to a situation where there is NOT a low probability that the PHI has been compromised; a much lower breach trigger. Additionally, before the HIPAA Omnibus “pre-breach” events were evaluated to determine if a breach has occurred under the practice’s management process and a practice determined standard. No documentation of “prebreach” events was required. Now practices must evaluate four aspects (nature of information, the receiving party, possibility of access, and mitigating factors) of any impermissible use or disclosure of PHI (or immediately consider such incident a breach). Your practice must maintain the information on the incident and your analysis of it. Your practice’s handling of impermissible uses and disclosures and determination of breaches could be used to determine the nature (and penalty) for an actual breach as well as reflect on your HIPAA compliance. Any analysis of your HIPAA efforts could include a review of the analysis of impermissible use and disclosure as well as a look at your policies and procedures, training records, and risk assessments. If your documentation is poor, not current, or you have avoided acknowledgement of breaches, then your practice could be at risk for higher financial penalties. Develop standard business associate agreements
Business Associates (BA) are non-employees or companies who create, receive, maintain or transmit PHI on behalf of your practice. In most cases, the BA is performing similar services for other parties who are covered under HIPAA. Medical Economics
A significant challenge for small practices is whose business associate agreement (BAA) is used. If you use the vendor’s BAA, you may have to deal with terms that may prove problematic. For example, some vendor BAAs: • take full advantage of the 60 days to notify your practice of a breach; • empower the vendor to control the breach notification process that you want to control; and/or • specify who pays for breach expenses that may conflict with your practice’s interests. Additionally, you may want to monitor “pre-breach” events and vendor remediation efforts to fix problems. If you use the vendor’s BAA, then you will be dealing with different BAA versions with each vendor and a negotiation process to address issues in each BAA. If you have a practice BAA, you can include the use of your BAA in the negotiation for the vendor services. All practices should take the following steps regarding BAAs:
What is a security risk analysis? A security risk analysis involves analyzing vulnerabilities and threats to your system to safeguard electronic protected health information (ePHI). It means reviewing your policies, practices, and systems and correcting any issues that may make ePHI vulnerable. 1. Review existing security of protected health information 2. Identify threats and vulnerabilities 3. Assess risks for likelihood and impact 4. Mitigate security risks 5. Monitor results
Medical Economics
• Review and verify your BA relationships whenever you change vendors or service levels with a vendor; and • Develop your own BAA that can be included in all negotiations with vendors, with the strategy of standardizing these agreements with all vendors. Perform a security risk analysis
One of the more challenging problems for many practices is meeting the HIPAA security requirements. HIPAA security establishes standards to protect the confidentiality, integrity and accessibility of electronic PHI. To meet the HIPAA Security standards, practices must perform a HIPAA security risk analysis. The analysis is also a Meaningful Use requirement. Unfortunately, many practices fail to perform an adequate assessment. Indeed, some practices think that use of an EHR alone fulfills the requirement or the EHR vendor takes care of the assessment. Failure to perform an adequate assessment can result in returning Meaningful Use incentive payments and/or HIPAA financial penalties to the practice. Indeed, an inadequate assessment could multiply penalties by a factor of 10 or more in the event of a HIPAA breach. In order to complete the assessment, practices need an evaluation tool. Evaluation tools have been developed by system integrators, other vendors and a variety of organizations. Many of these tools seek to minimize the effort and, in some cases, provide a false sense of security that the assessment is valid. The website HealthIT.gov has an assessment tool (bit.ly/ HIT-assessment-tool) that is the standard practices should consider. The paper version is more than 420 pages but there are strategies practices can use to make the assessment more manageable.
As with all HIPAA activities, you should customize the tool to address the specifics of your organization or practice. For example, use of an EHR cloud service would simplify the assessment compared with practices whose EHR is on in-house computer servers. Maintain constant vigilance
HIPAA compliance is not a single task that you get to check off and you are done. HIPAA compliance requires constant vigilance and adjustments to your operations and underlying policies and procedures according to practice changes that affect HIPAA as well as HIPAA changes that affect your practice including: • Implementing a patient portal • New EHR software • EHR software upgrades • Virtual patient visits over a Skype-like service • New diagnostic equipment • Opening a new location • Adding a provider that results in changes in clinical services and/or procedures • An impermissible use or disclosure • A breach If you have a change that affects your HIPAA profile, you may need to update your policies and procedures as well as train physicians and staff on the changes. If you have a change to your EHR or computer systems, you may need to update your security risk assessment. Failure to maintain your HIPAA strategies and procedures could result in weaknesses, HIPAA violations, and penalties. n Ron Sterling, CPA, MBA, is president of consulting firm Sterling Solutions in Silver Spring, Maryland.
Brought to you by
13
HIPAA BREACH: Secure Data and Prevent Fines Now Many private practices lack written policies and procedures for data security and haven’t done a security risk assessment. Here’s how to secure your practice. By Ken Terry
M
any private practices lack written policies and procedures for data security and haven’t done a security risk assessment, health IT consultants say. These omissions are a mistake for several reasons, the observers note. First, both the Health Insurance Portability and Accountability Act (HIPAA) security rule and the meaningful use criteria require periodic security risk assessments, and HIPAA mandates written policies and procedures. If you’re subjected to a HIPAA audit and found to be in violation of the rules, you could be facing a stiff fine. If your meaningful use attestations are audited, you might have to return your electronic health record (EHR) incentive payments to the government. Security breaches can also open you up to lawsuits from patients and damage your reputation in the community. Moreover, if the breach is large enough to require you to report it immediately to the Office of Civil Rights (OCR) in the U.S. Department of Health and
14
Brought to you by
Human Services (HHS), OCR may investigate your security procedures. Most physicians are at least vaguely aware of these perils. So why don’t they pay more attention to data security? Some doctors are unaware of the need for security risk assessments because they’re too busy to keep abreast of compliance requirements, says David Zetter, a consultant in Mechanicsburg, Pennsylvania. Others know the rules but figure there’s only a slim chance they’ll be caught if they ignore them, he adds. While it is difficult to keep track of all the government requirements, this is an area that you don’t want to ignore or be ignorant of. In either case, you’re putting your practice, your patients, and your own financial security at risk. Here are some basics to consider as you evaluate your current security posture. Practice setting
Security approaches differ by practice setting. Large medical groups and healthcare systems have their own IT staffs and can afford to hire security consultants. Small and medium-sized practices, in contrast, usually depend on their EHR vendors
and local computer service companies to implement the security options they have chosen. You need your IT vendors to establish data security, but you can’t rely on them to protect you. While they must all sign business associate agreements under the latest iteration of the HIPAA rules, their liability is limited to the security breaches they cause directly, Zetter notes. For example, if the EHR or network vendor made a mistake in configuring the system, and protected health information (PHI) was exposed as a result, that vendor would be responsible. But if a practice chose not to encrypt its data or didn’t secure its mobile devices, the practice would be liable. Theoretically, an EHR developer would be liable if a software design flaw led to the unauthorized release of PHI; but none of the experts we consulted had heard of that happening. Employed physicians must follow the security policies and procedures of their healthcare system or group. If an employed doctor violates HIPAA rules, the healthcare organization is responsible. But those physicians may face a range of sanctions Medical Economics
from their employer. In fact, HHS requires that organizations have a sanctions policy for employees who violate HIPAA, notes Ron Sterling, CPA, a health IT consultant in Silver Spring, Maryland. The type of liability a physician has may depend on the nature of his or her relationship with a hospital, says Mac McMillan, chief executive officer of the security firm CynergisTek and chair of the privacy and security policy task force of the Healthcare Information and Management Systems Society (HIMSS). “In some cases, they’re autonomous; in other cases, they’re almost like an employee; in other cases, they manage their staff in their own practice locations, but they get other services from the hospital, and those are governed by the hospital policies,” McMillan says. But regardless of their hospital relationship, he adds, non-employed physicians are responsible for complying with HIPAA rules. Security implications of hosting
Most practices have an on-site client-server system or use a cloud-based EHR. If you have the latter, the EHR vendor is responsible for the security of the server that stores your application and data, as well as for data backup. If you have an on-premises server, that’s your responsibility. The physical security mandated by HIPAA includes having a locked room or closet where your server resides. In addition, off-site data backup is required. You must have policies governing the receipt and removal of hardware and electronic media containing PHI to and from a facility, and you must implement policies to protect PHI from improper alteration or destruction. McMillan strongly advises that small and medium-sized practices consider outsourcing their health IT to remote hosting Medical Economics
companies. “For the physician, it’s like buying a service: he’s buying an EHR, e-mail, network support, workstations, file servers and data storage, and it’s all hosted in a virtual environment. So he doesn’t have the headaches of having to understand how to secure the system. He’s buying it as a service.” From a security standpoint, McMillan adds, “the only thing practices are responsible for are their own employees and their physicians, and how they interface with that system and what they do with the information once they have access to it. That’s much easier for them to manage.” Some of the larger EHR vendors, including Epic, Cerner, McKesson, Allscripts, and eClinicalWorks, offer this kind of soup-to-nuts hosted solution, McMillan notes. Alternatively, he says, a practice could use a third party hosting firm that understands HIPAA requirements. The total cost of ownership for running your own client-server network, he says, is probably greater than the fees you’d pay to a remote hosting service. David Boles, D.O., who leads a 12-provider practice in Clarksville, Tennessee, says his practice recently decided to switch to remote hosting “because keeping up with the security requirements got to be more than I wanted to deal with.” While it’s too soon to evaluate the results, he notes that he made the switch after a cloudbased EHR offered by his group’s longtime vendor failed to work as promised. The group went back to the EHR’s client-server version; but rather than invest in new servers, Boles decided to hire the remote hosting company. The importance of encryption
Regardless of how your system is set up, there are certain security basics that you need to be familiar with.
To start with, the experts say, you should encrypt all of your data. Encryption is a strong defense against thieves and is considered nearly unbreakable, note McMillan and Sterling. It is possible that a “brute force attack” could be used to obtain a user password, which would sidestep the encryption, Zetter says. Questioned on that point, McMillan replies, “It’s certainly possible, but encryption is still a sound risk mitigation and liability manager response.” Encryption is especially important on laptops, smartphones and computer tablets, because these devices can easily be lost or stolen. In fact, lost or stolen mobile devices account for 39% of the security incidents in healthcare, and for 78% of the records compromised in security breaches, according to one study. One way to prevent theft of mobile devices is to prohibit providers and staff from taking them out of the office or facility, Zetter notes. If a physician goes to the hospital, he points out, that doctor can use a hospital laptop and connect to the office network from that device. If a laptop or other mobile device is lost, and PHI is on it, the incident should be reported, Zetter says, even if the data is encrypted. “Because if you fail to and the government finds out, you’re going to be in bigger trouble,” Zetter says. Sterling takes a different view. “If data is properly encrypted, it’s not considered PHI,” he says. “If I lost a thumb drive with all kinds of encrypted information on it, that wouldn’t be considered a breach.” What constitutes a security breach under HIPAA is discussed later in this article. At this point, it’s just important to understand that encryption greatly reduces the possibility of such a breach. Brought to you by
15
End-user devices and PHI
Another strategy that many practices have adopted is to set up their computer systems in such a way that PHI is stored only on their servers or in their cloud-based EHRs. Desktops, laptops and other mobile devices that doctors and staff members use are not allowed to store PHI. Some practices have “thin-
By the numbers $21,906,500 - Monetary settlements, as of June 19, 2015, involving HIPAA Privacy, Security and Breach Notification Rules $4.3 million - The lone civil money penalty issued by OCR for violations of HIPAA Privacy Rule 115,929 - Number of complaints received by OCR since compliance date of HIPAA Privacy Rule in April 2003, as of May 31, 2015 1,216 - Compliance reviews initiated over that same time period 15 - Resolutions of cases involving the HIPAA Breach Notification Rule, as of May 31, 2015 $15,581,000 - Monetary settlements tied to those resolution agreements 549 - Number of referrals made by OCR to the U.S. Department of Justice for criminal investigation tied to knowing disclosure of obtaining protected health information in violation of HIPAA 23,580 - Number of cases investigated and resolved by OCR requiring technical changes in privacy practices and corrective actions, or technical assistance to, HIPAA covered entities and their business associates, as of May 31, 2015. Source: HHS’ Office for Civil Rights
16
Brought to you by
client” networks, where the desktops in the office are dumb terminals that cannot store programs or data. Other practices can’t use that approach because the physicians have to carry their laptops with them when they travel to other practice settings. They keep the EHR applications on their laptops but don’t store any data on them. For example, Jeffrey Kagan, MD, an internist in Newington, Connecticut and a Medical Economics editorial consultant, and his partner use laptops when they visit patients in nursing homes and when they travel. Several years ago, they stored all of their patient records on their laptops, synching with the office server every day. Then, because their laptops didn’t have enough disk space, they stopped storing PHI on them and began using remote access to the network when they needed to see their records. Boles’ practice discourages providers from taking laptops out of the office, but allows remote access to the system from home computers. “We’d never get through with the paperwork if we didn’t let people work at home, too,” he says. Security experts advise caution when using personal computers, because they can be infected with malware or used as conduits to break into a network. If you do use a personal computer, McMillan says, remote access should include a proxy server or a virtual private network to ensure you don’t store any PHI on the personal computer and to shield the network from unauthorized intrusions. Two-factor authentication
Good access controls are critical, McMillan notes, because thieves impersonating users can gain access to EHRs. Besides having strong passwords, practices should deploy “two-factor
authentication,” he says. Under this approach, which he says is very affordable, the practice can use a biometric tool, such as thumbprint authentication, or a proximity badge to confirm the user’s identity. Alternatively, users might be asked a personal question when they log on. To make two-factor authentication less onerous, he adds, you can set up the system so that the password has to be entered only once a day. “You use some second factor associated with the person so they only have to put their username and password in once. Then the system might time out, but I can touch it with my badge or my fingerprint and it comes right back up,” McMillan says. Two-factor authentication also can be used for remote access, he says. iPhone users, for example, can download a free app that enables this kind of identity access, while Google Mail provides options for encryption and two-factor authentication. Reporting breaches
What should you do if you have a security incident? That depends on whether it’s regarded as a security breach and how many patients are involved. As noted earlier, experts disagree over whether the loss of encrypted data constitutes a breach. The HIPAA security rule says that an impermissible use or disclosure of PHI is presumed to be a breach unless the HIPAAcovered entity or business associate shows there is a low probability that the PHI has been compromised, based on a risk assessment of these factors: • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; • The unauthorized person who used the PHI or to whom the disclosure was made; • Whether the PHI was actually acquired or viewed; and Medical Economics
• The extent to which the risk to the PHI has been mitigated. “If there’s a low probability that the PHI was compromised, you don’t have to report it,” Sterling maintains. “But you have to maintain the documentation.” If the records of 500 or more patients are breached, you are required to notify the patients and HHS within 60 days. If fewer than 500 patients are involved, you don’t have to tell the government right away, but you must notify the patients. If 10 or more patients can’t be reached, you have to make a public announcement that a breach has occurred, Sterling says. You must document all security breaches, regardless of size, and report them to HHS annually. If a laptop is stolen in a practice where PHI can be accessed only through the network, Zetter advises consulting an attorney. The practice should tell him or her what they think is on the laptop and when it was taken. Then they should ask the lawyer whether they need to notify HHS or the patients immediately.
Kagan says his practice has had a couple of minor HIPAA security issues over the years, but they affected only a few patients. “We jumped up proactively and paid for identity protection for those people for a couple of years,” he says. “If somebody broke into our server, with 22,000 patients’ records in it, we’d have to send them all a letter.” Establishing policies and procedures
Templates for security policies and security risk assessments are available for free from a variety of sources, but must be adapted to the specifics of the practice situation, consultants say. HIMSS and the Office of the National Coordinator for Health IT (ONC) have security risk assessment tools online, McMillan notes. Sterling specifically cites ONC’s Security Risk Assessment Tool. Sterling admits that the first time a practice does such an assessment, “it’s complicated.” But subsequent annual updates are much easier. A group that’s never done it before might want to get some advice from a security consultant, he says.
HIPAA rule violations: Categories and penalty amounts The Health Insurance Portability and Accountability Act Omnibus Rule establishes four “tiers” of violations, based on what it terms “increasing levels of culpability,” with a range of fines for each tier. Violations of the same requirement or prohibition for any of the categories are limited to $1.5 million per calendar year. The language of the rule states that actual dollar amounts will be based on “the nature and extent of the violation, the nature and extent of the resulting harm, and other factors…includ[ing] both the financial condition and size of the covered entity or business associate.”
Category
Fine range
Did not know of breach
$100 to $50,000
Had reasonable cause to know
$1,000 to $50,000
Willful neglect, corrected
$10,000 to $50,000
Willful neglect, not corrected
$50,000
Medical Economics
McMillan, whose company doesn’t work with small practices, echoes Sterling’s point. A few thousand dollars for a security risk assessment, he says, is “small potatoes” compared to the amount that a practice might have to refund to the government if its meaningful use attestation is ever audited. If a practice can’t afford to hire a consultant, there are vendors who can walk you through the process using online software. “There’s a whole group of security vendors now that cater to the small practice. And there are some good ones.” McMillan says. Zetter agrees, noting that one vendor he knows will help practices perform a security risk assessment for $350. Conclusion
Your practice can do an adequate job of safeguarding your PHI. But it takes some dedicated effort to find out what you need to do and to make sure that it gets done. That could prove challenging. Boles and some of his colleagues, for example, did their own security risk assessment this year, having laid off the in-house IT technician who used to do it. “We go through it the best we can,” he says, “but it’s like the IRS code.” Hiring a consultant, however, would be too expensive, he adds. Kagan says he’s concerned about security risks, “but I’ve got so many concerns going on simultaneously. I’m more worried about the quality of patient care, malpractice suits, and my reputation in the community. Cybersecurity and HIPAA issues just get a lower priority for most doctors.” That’s all true, until the HIPAA police come knocking at the door. Then you’ll be glad you did your due diligence on data security. n Ken Terry is a freelance healthcare writer, specializing in health IT.
Brought to you by
17
MONDAY
TUESDAY
EVERYDAY
Patient complaints. Malware. Lost devices. 3rd party breach. What do these incidents have in common? They could happen at any time. That’s why you need an ongoing risk management process. A once-a-year audit is not enough. We create a dynamic risk management plan that helps keep you compliant all year round.
LayerComplianceTM is the comprehensive HIPAA solution that helps you get and stay in compliance.
Visit layercompliance.com or email info@layercompliance.com to learn more.
LAYERCOMPLIANC by
TM