Archive for HIPAA

HIPAA and the Holidays


As the holiday season builds momentum, we are faced with numerous distractions like holiday decorations, taking advantage of online sales and soaking in the traditions that we look forward to each year. But this season of joy and giving should also be met with a heightened sense of awareness and adherence to HIPAA policies and procedures. You’re likely thinking to yourself, “How can Christmas, Hanukkah, Kwanzaa or the New Year impact HIPAA?” Well, those holidays can’t, but your employees’ behavior sure can.

Electronic Protected Health Information (ePHI)

This busy season will cause some employees to take advantage of online shopping while at work. While that seems relatively harmless, and in most cases it is, this also invites the possibility of introducing viruses into your system from unprotected and/or unapproved sites. It is important to have a clear policy and procedure regarding internet access on your entity’s equipment and it is equally important to ensure that your entity is enforcing compliance. Likewise, the threats of ransomware are ever increasing. A distracted employee is more likely to click a suspicious link or open a questionable email that could introduce ransomware into your computer system or electronic medical records. This is a great time to remind staff of their responsibilities to protect ePHI.

Physical Security

Unfortunately, the season of “giving” for some means a season of “taking” for others. Generally, criminal activity like property theft and break-ins rises during the shopping season. This makes it extremely important for your entity to adhere to the mandatory HIPAA Physical Safeguards. The HIPAA Security Rule requires entities to have a documented Facility Security Plan, which memorializes the use of physical access controls. Specifically, entities are required to “implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”[1] The entity’s designated HIPAA Security Officer should be reminding employees of the policy of not providing keys or swipe access to individuals who are not employees or staff members of the entity. Additionally, HIPAA Security Officers should review and document the use of cameras, alarm systems, keys and swipe cards to assess whether any changes need to be made to address areas of vulnerability.

This is also particularly important for employees and staff who travel with PHI or ePHI. Whether it is paper records or a laptop, employees and staff should ensure they are not leaving these items in their vehicles in plain view. We advise our clients to have a policy that requires employees to leave any PHI or ePHI in the trunk of their vehicle where it is not visible or inviting for a would-be-thief. This can significantly reduce the entity’s risk of HIPAA breaches, as well as property loss.

Workstation Security

Many health care providers will experience an increase in patient activity as people clamor to make their end-of-year appointments to take advantage of any cost savings before the new year begins. Combine that with flu season and the prevalence of winter illnesses, and all of a sudden the waiting room just became standing room only. The euphoric nature of the season, coupled with a dramatic increase in patient activity, can be a recipe for HIPAA violations. While employees struggle to keep up with the demand, they are more likely to be careless about workstation security. They become less likely to lock their computers when they walk away from their station and more likely to share usernames and passwords in order to accomplish certain tasks more quickly. While these activities seem relatively harmless, they are violations that can cost the entity greatly if they lead to breaches of PHI or ePHI.

Visitors and Guests

The holidays aren’t nearly as fun without office holiday parties. These parties generally include catered meals, outside delivery services and even invited guests. Entities should ensure that they have a documented visitor/guest policy and procedure and that their employees follow that procedure. This includes a visitor/guest sign-in. Depending on the layout of the facility, these visitors/guests should be escorted to their destination so that they don’t have an opportunity to view documents or lab reports that may be left unattended in the facility.

Delivery personnel and vendors are not the only individuals subject to that policy. Family members and friends who present to the facility to visit with staff members and employees must also adhere to the entity’s visitation policies. Just because the person may be a relative or close friend does not earn them the right to overhear conversations about patient PHI or the right to view PHI that may be on someone’s desk or workstation.

Tone of Voice

One of the biggest complaints that our office receives regarding patient privacy is the tone of voice used by employees and staff as they discuss patients’ health conditions. During the holiday season, many entities play festive music in their waiting areas, which automatically causes employees and staff to raise their voices as they converse with patients or other providers. Entities should pay particular attention to the location of their waiting rooms and the position of their reception desk. Employees and staff should be advised of this concern and reminded of the importance of using a professional tone that would not give rise to unauthorized or inappropriate disclosures of PHI.

This is without argument “the most wonderful time of the year.” It’s a time to enjoy family, get reacquainted with friends, and provide for the health and well-being of patients. As the activity of the season builds, it is important to make every effort to ensure that your entity is in compliance with HIPAA regulations. Adhering to appropriate policies and procedures will not only ensure that you provide appropriate patient care, it will also reduce the likelihood of liability for violations, which is a great way to start the New Year.

[1] § 164.310(a)(2)(ii)

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. www.dunsongroup.com

Office of Civil Rights Issues Guidance on HIPAA in Light of Opioid Crisis


With an increased focus on opioid use and addiction, the Department of Health and Human Services Office of Civil Rights has issued guidance related to the Health Insurance Portability and Accountability Act of 1996. The guidance responds to misunderstandings over when a health care provider can share an individual’s protected health information in situations of overdose or need for emergency medical treatment related to opioid use. Generally speaking, HIPAA restricts a health care provider’s ability to share PHI, but there are instances when a health care provider may disclose PHI even if the patient has not authorized the disclosure.

Many health care providers mistakenly think they must have an authorization or the patient’s permission to release PHI. However, there are circumstances in which the patient’s permission is not required. HIPAA allows a health care provider to share information with a patient’s family or caregivers in certain emergency or dangerous situations. As outlined in the guidance, a provider may share information with family and close friends who are involved in the care of the patient if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family’s or friends’ involvement in the patient’s health care or payment for care. OCR’s guidance states that a provider may use his/her professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but the provider could not share general information not related to the overdose without the patient’s permission.

Another situation in which information may be shared without the patient’s permission is if the provider informs a person who is in a position to prevent or lessen a serious or imminent threat to the patient’s health or safety. OCR states “a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends or caregivers of the opioid abuse after determining that the patient poses a serious and imminent threat to his or her health through continued abuse upon discharge.”

If a patient is not incapacitated and has decision-making capacity, a health care provider must give the patient an opportunity to agree or object to disclosure of health information with family, friends or others even if they are involved in that individual’s care or payment for care. The health care provider is not permitted to disclose health information about a patient who has the capacity to make his/her own health care decisions unless, as mentioned above, there is a serious or imminent threat of harm to the health of the individual.

The difference between capacity and incapacity can be a difficult determination for providers and may change during the course of treatment. OCR points out that decision-making incapacity may be temporary or situational and does not have to rise to the level where someone has been or must be appointed to act by law, e.g., power of attorney or guardianship. If during the course of treatment the patient regains the ability to make decisions, the provider must give the patient the opportunity to object or agree to providing or sharing health information.

As has always been the case, HIPAA allows a health care provider to release or disclose information to a patient’s “Personal Representative.” HIPAA defines personal representative as a person who has health care decision-making authority under state law. In Alabama, a person holding general Durable Power of Attorney executed after 2012 is presumed to be the Personal Representative for purposes of HIPAA. Additionally, a parent of an unemancipated minor or someone holding a guardianship or conservatorship would also qualify.

To read OCR’s guidance, visit https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf

Article contributed by Angie Cameron Smith, a partner at Burr & Forman LLP. Burr & Forman LLP is a partner with the Medical Association.


How to Make HIPAA Disclosures During Mass Tragedies


In light of the recent incident in Las Vegas, the Office of Civil Rights, the government entity responsible for HIPAA Compliance, issued clarification guidance on the ability of a health care provider to share patient information during such situations. While such incidents are taxing on health care providers in terms of treating capacity and ability, it is important that providers keep in mind the requirements of HIPAA regarding the disclosure of certain information to the public. A summary of OCR’s recent clarification is provided below, as it serves as a good reminder regarding what information can be shared under HIPAA in these types of mass-casualty, disaster scenarios.

Disclosures to Family, Friends and Others Involved in an Individual’s Care and for Notification.

You may share health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. You may also share information about a patient as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large.

  • You should get verbal permission from the patient when feasible or otherwise be able to reasonably infer that the patient does not object to the disclosure. If the individual is incapacitated or not available, you may share information for these purposes if, in your professional judgment, doing so is in the patient’s best interest.
  • In addition, you may share protected health information with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts (e.g., American Red Cross), for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification.

Upon request for information about a particular patient by name, you may release limited facility directory information to acknowledge that an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. In general, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about the treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or that of his/her personal representative).

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.


A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.


When was the last time you reviewed your entity’s Contingency Plan? If it has been a while, or never, you need to get to work. In light of recent natural disasters and ransomware attacks, the necessity of thorough and documented contingency planning, including backup and disaster recovery, has become a focus for health care entities.

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA), health care entities are required to account for the confidentiality, integrity and accessibility of their electronic protected health information (ePHI). They must consider potential incidents that may affect their information systems, like fires, vandalism, malware attacks and tornadoes. Then they must document their strategy for operation during those events.

Contingency planning should begin with a review of the entity’s Risk Analysis. This document identifies what type of ePHI the entity accesses or maintains, where the data resides, and how the entity handles the data. Afterwards, the entity should begin the process of developing specific Administrative Safeguards.

A Data Backup Plan is essential, especially in instances of malware and natural disasters. Entities must put procedures in place to create and maintain exact-copy backups of their data that they can readily retrieve. For example, if an entity is heavily damaged by a tornado or fire, it must be able to regain access to the data it previously utilized. Without the benefit of timely system backups, the entity would not be able to recover up-to-date data, which can be a serious liability when treatment decisions are being made about patients/clients without the benefit of their most current records.

The entity should ensure that there is an appropriate off-site backup of the entity’s ePHI and that the backup is being appropriately performed. These exact copy backups generally occur on a daily, weekly and monthly basis. The entity should maintain copies of these backups and should test the system periodically to ensure that the backup process is working in accordance with the required standards.

The ability to recover lost or stolen data can be critical. The entity should ensure that they have an effective Disaster Recovery Plan that complies with the National Institute of Standards and Technology (NIST) specifications.[1] The Disaster Recovery Plan should identify risks observed in the Risk Analysis and reflect a comprehensive plan to recover ePHI within specific time parameters, generally 24 to 48 hours. Additionally, careful consideration must be given to appropriate off-site locations that the entity could utilize if their primary location is no longer available. All workforce members should be informed of the plan and trained on their specific role.

An Emergency Mode Operations Plan documents the manner in which the entity will work throughout the course of the emergency. This relates to the critical business processes that must take place to protect ePHI during and following the emergency or disaster. Examples include determining the need for additional equipment or supplies, ensuring hardware and software compatibility to retrieve ePHI and if necessary, communicating changes to patients/clients.

Testing and Revision Procedures are required for the Data Backup, Disaster Recovery and Emergency Mode Operation Plans. These tests should occur within the timelines listed in the entity’s Risk Analysis and in all instances no less than annually. The testing process should be documented and evaluated to determine any need for revision.

Entities should perform an Application and Data Criticality Analysis to identify the information systems that are most important from a business operations perspective. This allows the entity to prioritize which databases need to be restored and in what order. For example, if a health care provider were the victim of a ransomware attack and they were attempting to recover the data, the Application and Data Criticality Analysis would identify the exact systems that are most crucial to their operations, allowing them to more easily prioritize the recovery process.

What does a compliance professional look for when auditing an entity for compliance with contingency planning? Entities should be able to produce the following:

  • A documented Contingency Plan which covers each of the specifications listed above, namely Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedures and Application and Data Criticality Analysis;
  • Documented roles and responsibilities of workforce members during disasters or emergencies;
  • Documentation that identifies the entity’s critical applications;
  • Documentation to demonstrate the plan is periodically reviewed and tested; and
  • Documentation that reflects whether amendments to the Contingency Plan or Risk Analysis were warranted and implemented, if applicable.

While contingency planning is important for appropriate business operations and HIPAA compliance, it is also critical to patient care. Patients count on health care providers to provide appropriate treatment and care during normal periods and during emergencies. If an emergency or disaster leaves an entity without access to its ePHI and with no plan to recover or otherwise gain access to the data, that creates unnecessary liability for the provider, who is then treating the patient without access to the patient’s current records. Patient care should be paramount to the mission of all health care entities.

[1] Although only federal agencies are required to follow NIST standards, they represent industry standards for how health care entities should handle ePHI.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. www.dunsongroup.com

Is Your HIPAA Contingency Plan Adequate?


Your response to this question may include one of the following answers:

  1. What in the world is a Contingency Plan?
  2. I think we did that, but I’m not sure where it is.
  3. I know we did one a while back, but we haven’t looked at it in a while.

If any of these responses sound familiar, you will want to get to work. FAST!

HIPAA covered entities are required to protect the integrity, confidentiality and availability of electronic protected health information (ePHI). In accordance with §164.308(a)(7) of the HIPAA regulations, covered entities are required to develop and maintain a Contingency Plan. Specifically, covered entities are required to “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” The purpose of this requirement is to ensure that entities are able to properly recover or access the accurate health information of their patients and clients during emergencies.

Entities must fulfill this requirement by satisfying “required” and “addressable” implementation specifications. Required specifications must be implemented as written, while addressable specifications allow an entity more flexibility with regard to how it develops and implements the specification.

A Contingency Plan should include the following:

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Data Backup Plan

Entities must have internal controls as well as a working relationship with vendors of their information systems to ensure that the entity has the ability to do an up-to-date exact copy backup of its ePHI. The entity should have mechanisms in place to ensure that the backup is performed properly. This backup process must be periodically tested to ensure the integrity of the ePHI.

Data Recovery Plan

A Data Recovery Plan for use in disasters and emergencies must be developed. Entities should review the HIPAA Risk Analysis to consider foreseeable threats. The Data Recovery Plan should reasonably mitigate any identified threats. In many instances, the entity needs to ensure that the Data Recovery Plan allows workforce members to access ePHI no later than 24 hours after a disaster occurs, or within a time deemed reasonable by the entity. Employees and staff must be educated with regard to their responsibilities in instances of emergencies when data recovery is warranted.

Emergency Operations Plan

An Emergency Operations Plan must be developed and documented. Entities should solicit the assistance of vendors of the information systems that house the entity’s ePHI to devise a plan for how the entity should function during emergencies. This coordination shall include identifying alternate sites for work operations. The Emergency Operations Plan should be tested periodically, at intervals established by the entity’s risk management policy.

Testing and Revision Procedures

The Contingency Plan should be assessed and the entity should identify the need for any revisions. This testing should occur at least annually. This process, as well as any revisions that occur as a result of testing, should be documented. Testing shall include, but is not limited to, the disaster recovery plan, data backup plan and emergency operations plan.

Applications and Data Criticality Analysis

The entity must develop and amend their Risk Analysis, as necessary. As threats or vulnerabilities are identified in the Risk Analysis, the entity must work to resolve identified risks. The entity must ensure that contingency plans are included in the Risk Analysis and that vulnerabilities are appropriately addressed.

Where Should You Start?

  1. Develop a risk management group to oversee this process, as well as other HIPAA-related policies and procedures.
  2. Determine where your ePHI is stored and utilized in your entity.
  3. Consider threats to your ePHI (e.g., fires, flooding, hurricanes, tornadoes).
  4. Develop procedures for how your entity will respond to these threats.
  5. Test and evaluate the procedures.

Don’t Forget to Document

Some entities invest considerable time and resources considering how they will respond to disasters and emergencies. Often, they implement procedures that are communicated orally, but they fail to document the procedures and fail to develop written policies. Always remember, “if it isn’t written down, it didn’t happen.” Entities must ensure that they memorialize their contingency planning efforts by implementing written policies and procedures.

The absence of a written HIPAA Contingency Plan is indicative of an entity that has either 1) not undergone a HIPAA-compliant Risk Analysis or 2) undergone an inadequate HIPAA Risk Analysis. In either case, the entity’s lack of attention to such a critical process could be detrimental to the health of its patients and the entity itself.

To ensure that your entity is complying with federal regulations, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. www.dunsongroup.com

A Risk Analysis Is Your Entity’s Annual HIPAA Checkup


The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic protected health information (ePHI). This process must be documented as a Risk Analysis. Covered entities must develop a Risk Analysis at their inception and review the Risk Analysis at least annually to identify potential changes to their information systems, physical environment, and/or the regulatory environment that may affect how they handle ePHI.

When performing a Risk Analysis, entities should review the HIPAA regulations and recommendations from the National Institute of Standards and Technology (NIST). Although federal agencies are the only entities required to comply with NIST, these guidelines act as the industry standard and should be followed by all covered entities.

Generally, a Risk Analysis is performed by the entity’s Security Officer. HIPAA requires each entity to have a designated Security Officer. This designation must be in writing. The designated Security Officer must be familiar with the entity’s operations and competent in Information Technology. In accordance with NIST standards, the Security Officer should take the following steps to create or review the Risk Analysis:

  1. Determine where the entity’s ePHI is stored;
  2. Interview management to determine how workforce members utilize ePHI;
  3. Review access security settings and controls of the information systems;
  4. Determine the present and potential threats to ePHI;
  5. Determine the likelihood and impact of current and potential threats and assign them a risk level of high, medium or low;
  6. Document the Risk Analysis process and attach it to the updated Risk Analysis; and
  7. Work with management to resolve all threats within a reasonable period, with priority given to issues of higher risk and vulnerability.

Risk Analysis Content

A Risk Analysis shall include the evaluation of administrative, technical and physical safeguards.

Administrative Safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[1] Administrative safeguards include the following:

  1. Assigned Security Responsibilities
  2. Security Management
  3. Information Access Management
  4. Business Associate Agreements
  5. Security Incident Procedures
  6. Security Awareness and Training
  7. Workforce Security
  8. Contingency Plans
  9. Evaluation

Technical safeguards are defined as “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”[2] Technical safeguards include the following:

  1. Access Controls
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security

Physical safeguards are defined as “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”[3] Physical safeguards include the following:

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

The completed Risk Analysis must be maintained for at least six (6) years and should be kept in paper and electronic form.

Risk Analysis vs. Risk Management

Health care entities often confuse Risk Analysis and Risk Management. While a Risk Analysis serves to identify threats and estimate their risks, Risk Management is the process of managing identified risks. Risk Management consists of the development of policies and procedures that dictate how to address identified risks.

Several Risk Analysis tools exist that entities can utilize. However, the Department of Health and Human Services (HHS) encourages entities to seek expert advice when completing a Risk Analysis to ensure that the Risk Analysis is accurate and thorough. Additionally, the National Institute of Standards and Technology (NIST) has produced a series of publications that can assist covered entities with understanding information technology security. Those publications can be viewed by visiting http://csrc.nist.gov/publications/PubsSPs.html.

A proper Risk Analysis is a necessity not only because it is required by HIPAA regulations, but also because it offers the entity the best opportunity to identify and deal with risks associated with the preservation of ePHI. Finally, in the event a covered entity has to answer for a breach of PHI, the failure to produce a proper Risk Analysis could lead to sufficient justification for punitive action by HHS.

[1] 45 CFR 164.304

[2] 45 CFR 164.304

[3] 45 CFR 164.304

The Dunson Group is a health care compliance law firm in Montgomery, Ala., focused on helping health care providers meet regulatory requirements. Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, and regularly contributes articles of special interests to physicians and practice managers.


How Can You Avoid a HIPAA Mega Breach?


A HIPAA breach often occurs when a health care entity wrongfully discloses the protected health information of a patient or client. These incidents can occur by accident, like faxing patient information to the wrong fax number. They can also be the result of willful or intentional acts, like employees who gather patient information for the purpose of filing false tax returns. They occur in many forms and can affect any number of individuals. Breaches can range in scale from a single individual being compromised to an incident affecting thousands and even millions of people.

The Department of Health and Human Services requires a breaching entity to take specific reporting action based on the number of individuals the breach affects. In the world of HIPAA breaches, 500 is a magic number. Breaches affecting more than 500 individuals are generally considered a HIPAA “Mega” breach. These mega breaches have more stringent notification requirements that could cause your health care practice to be featured on the evening news. Just as with breaches affecting fewer than 500 people, mega breaches require that you provide individual notice to each patient. This often requires staff time as they work to locate each patient’s last known address and send them a breach notification letter explaining what happened, who was involved, how their data was compromised, and what the entity is doing to avoid similar incidents in the future. Often, entities will offer their patients credit monitoring for a two-year period to mitigate the breach and demonstrate to the patient that the entity is serious about data security.

In addition to individual notice, mega breaches require simultaneous notice directly to the HHS Office of Civil Rights and to local media and news outlets. Entities reporting these large breaches will deal with immediate issues like loss of business and loss of reputation while also responding to patients and clients who are angry that their information has been compromised.

How can you avoid dealing with a HIPAA Mega breach in your practice?

You Must Perform a Competent and Thorough Risk Analysis. Many compliance professionals refer to this as your entity’s “annual exam.” During this process, you and your team should identify every system that contains electronic protected health information and assess its vulnerability to inappropriate disclosure. This analysis is a requirement of the HIPAA Security Rule and must occur annually, or sooner if necessitated by changes to your IT system or turnover in your workforce. Entities must remember to document this process and have it readily available to produce to HHS upon request. Failure to perform, document, and/or produce an adequate Risk Analysis is often a sign to HHS that an entity is non-compliant and may lead to a more extensive audit. This is also an opportunity for entities to determine the adequacy of their cybersecurity and how to protect themselves from malware.

Invest in Encryption. HIPAA categorizes patient data in two ways: (1) secured and (2) unsecured. Entities most often find themselves in trouble when they have a breach of unsecured data. The breach notification requirements discussed above, which include notice to patients, HHS and media outlets, ONLY apply to breaches of unsecured data. Secured data, by contrast, is exempt from the notice requirements. Secured or encrypted data is considered to be unusable, unreadable, or indecipherable to unauthorized individuals; thus, the loss of an encrypted device does not constitute a reportable breach. Encrypting patient data is the ultimate safety net! For example, a nurse uses a business laptop to store patient information of the 550+ individuals that are treated in her practice. She takes it home for the night and leaves it on the passenger seat of her car. Her vehicle is broken into overnight and the laptop is stolen. If the laptop is unencrypted, she now faces HIPAA breach notification requirements, loss of reputation, and the overwhelming threat of possible fines and lawsuits. However, if the laptop is encrypted, she would simply document the occurrence and have the laptop replaced.

Enforce Privacy and Security Policies and Provide Training. Often, the most effective tool in your health care compliance arsenal is a competent and well-informed workforce. Employees must understand how their actions can affect the security of data, along with the consequences of violating policies and procedures. Additionally, having policies and procedures that are customized to your practice demonstrates a serious approach to compliance. Often, being able to produce copies of the policies and training that employees were required to review and participate in will show that the entity itself was aware of its risks and sought to avoid or minimize them. An employee who has documented that they reviewed the policies and participated in training, but nevertheless engaged in negligent or reckless behavior, is more likely to be seen as a “bad actor” rather than as a reflection of a culture of non-compliance within the entity.

Your entity may also want to reflect on how the following devices are utilized and stored:

  1. Hard Drives
  2. CDs/DVDs
  3. Flash Drives
  4. Back-Up Storage Tapes

To ensure that your practice is complying with federal regulations, and for assistance with avoiding or navigating a mega breach, please consult a health care compliance professional.
Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. www.dunsongroup.com

The Cost of Non-Compliance with HIPAA Regulations Can Cripple Your Practice

The Basics of HIPAA Privacy and Security

The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities comply with the HIPAA Privacy Rule, Security Rule and Breach Notification Standards set out by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). These covered entities include health plans, health care clearinghouses, health care providers who transmit health information in electronic form and business associates. Affectionately known as the “HIPAA Police,” this agency is responsible for protecting patients’ health information privacy rights.

The Privacy Rule dictates how protected health information (PHI) shall be used and disclosed. It strikes an appropriate balance of ensuring that patient information is maintained in a confidential manner while not hindering disclosures that would account for the treatment and payment of health care services.

The Security Rule has the same overall goal of protecting PHI with a specific focus on electronically created, maintained or transmitted PHI. Thus, the Security Rule protects electronic PHI (ePHI).

At a minimum, a covered health care entity is required to complete the following tasks to comply with the Privacy and Security Rules:

  • Designate a Privacy Officer;
  • Designate a Security Officer;
  • Perform a Risk Analysis;
  • Publish and Make Available a Notice of Privacy Practices;
  • Adopt Policies and Procedures;
  • Perform and Document Workforce Training;
  • Develop and Implement Mitigation Procedures;
  • Adhere to Administrative, Technical and Physical Safeguards of PHI;
  • Adhere to Administrative, Technical and Physical Safeguards of ePHI;
  • Develop and Implement Mechanisms to Receive and Handle Complaints and Breaches; and
  • Perform Periodic Assessments and Audits

The HIPAA Breach Notification Rule specifically dictates how covered entities and their business associates must handle impermissible uses or disclosures of PHI, also known as breaches. This rule dictates the content of the notice, to whom notice must be given, timeliness of the notice and other appropriate deadlines. Breaches must be assessed to determine the number of individuals affected and the possibility of mitigation, both of which affect how the breach should be ultimately handled. For example, breaches affecting less than 500 people require individual notice, whereas breaches affecting 500 people or more require individual notice, notice to specific news outlets and notice to the Secretary of HHS. Due to the complexity of the breach notification standards, it is paramount that your privacy and security officers know and understand the breach notification requirements.

How much could non-compliance cost you?

Not complying with HIPAA regulations can be expensive. The fines can range from $100 to $50,000 per violation, with a maximum of $1.5 million in a calendar year for repeat violations. The categories of violations are based upon the level of negligence demonstrated by the individual/entity that caused the breach. Penalties are based on the nature of the breach and the extent of harm caused by the breach.

The HHS Office of Civil Rights has collected tens of millions of dollars in settlements. These settlement funds are then funneled back into the enforcement program to further strengthen its auditing efforts and oversight. This practice makes the program self-sustaining, and as it continues to grow and develop it becomes that much more likely that you, or a health care provider that you know, will be audited.

In August of 2016, Advocate Health Care Network settled with the HHS Office of Civil Rights for $5.5 million after it was determined that they failed to do the following:

  • Conduct accurate and thorough risk assessments of ePHI;
  • Implement policies and procedures to limit physical access to ePHI;
  • Obtain business associate agreements assuring that business associates would appropriately safeguard PHI; and
  • Safeguard an unencrypted laptop that was left in an unlocked vehicle overnight

In July of 2016, the University of Mississippi Medical Center reached a $2.75 million settlement after numerous issues of non-compliance were discovered, including:

  • Failure to implement policies and procedures relating to security violations;
  • Failure to implement physical safeguards of workstations that access ePHI and restrict access to authorized users;
  • Failure to assign a unique name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • Failure to notify individuals and follow breach notification standards after information was believed to be inappropriately accessed, acquired or disclosed.

Business associates were also fined, highlighting the importance of health care entities identifying their business associates and executing appropriate business associate agreements. In April of 2016, Raleigh Orthopedic Clinic, P.A. in North Carolina entered into a resolution agreement with a monetary payment of $750,000. It was determined that this entity turned over x-ray films and PHI to a company that would then harvest the silver from the x-ray films.

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the HHS Office of Civil Rights. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

On January 9, 2017, HHS announced a settlement with Presence Health for $475,000. This represented the first settlement based on the untimely reporting of breaches of unsecured PHI.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said Director Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

Resolution agreements can go beyond requiring entities to pay fines. They may also require an entity to take specific corrective action and report its activities to the HHS Office of Civil Rights for a designated time. Often this probationary period lasts from one to three years. Additional information on fines and resolution agreements is available on the OCR website.

In addition to steep fines, an equally threatening issue is damage to your reputation. There is no doubt that media coverage of publicized breaches can have a chilling effect on patients who are already on heightened alert to issues like identity theft. Last year alone, OCR publicized settlements ranging from $25,000 to $5.5 million. They also maintain a scrolling section on their web page, affectionately known to compliance professionals as the “Wall of Shame.”

Should your organization receive the unpleasant honor of being highlighted on this website, you should know that it details information on the underlying offense, and OCR has no intention of removing past offenders, regardless of how long ago their misdeeds occurred. A quick glance at the Wall of Shame shows breach information on over 1,798 separate incidents dating all the way back to 2009: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

The covered entities hit the hardest by enforcement action are listed below based on frequency:

  • Private Practices
  • General Hospitals
  • Outpatient Facilities
  • Pharmacies; and
  • Health Plans

According to OCR, the issues investigated most often, compiled cumulatively and listed in order of frequency, are:

  • Impermissible uses and disclosures of PHI;
  • Lack of safeguards of PHI;
  • Lack of patient access to their PHI;
  • Lack of administrative safeguards of electronic PHI; and
  • Use or disclosure of more than the minimum necessary PHI

But where might health care entities be most vulnerable? According to Jerome Meites, a Chief Regional Counsel for the Office of Civil Rights, “Portable media is the bane of existence for covered entities. It causes an enormous number of the complaints that OCR deals with.” Portable media includes laptops, cellphones, hard drives and flash drives. While these devices are vital to communicating information in the health care setting, the amount of data they contain makes their security a primary focus for Privacy and Security Officers.

Threats to medical practices and other covered entities exist, and the consequences of enforcement actions and private litigation can be devastating. Covered entities must address these issues on the front end, assessing the strengths and weaknesses of their compliance programs to protect themselves and their patients.

Samarria Dunson (samarria@dunsongroup.com) is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. www.dunsongroup.com