Posts Tagged ePHI

What’s the Biggest Threat to Your Medical Practice? Your Staff!

What’s the Biggest Threat to Your Medical Practice? Your Staff!

Many of us are aware of recent attacks impacting health care entities large and small. As ransomware and other cybersecurity-related crimes are being reported daily, there is a tremendous focus on the “dark web” and how to decrease the likelihood your entity will be impacted by hackers. But as we put systems in place to deal with those security issues, we must not forget about the threat of other malicious actors. These individuals are not strangers who only interact with our computer systems remotely. This threat is much closer. We’re referring to your staff members who may inappropriately access and utilize patient data for personal gain.

Employers generally believe they hire the best candidates. In most instances that is correct. After combing over résumés and doing countless interviews, it is determined the selected individual is a person you can trust and respect. As these individuals prove themselves to be competent and dependable, many of us will place a high level of confidence not only in that person’s ability to perform the job, but also in their character.

As time passes we learn a lot about our colleagues. We learn about each other’s families, interests and life goals. We become invested in our co-workers, and we share in moments of success and disappointment. These events endear us to one another and become the fabric of our working relationships. However, just as this bonding is reflective of our human desire to find commonalities, these relationships can also blind us to a very serious threat. This threat is the impact that these very individuals can have on our entities if they intentionally or inadvertently compromise a patient’s protected health information (PHI). We must constantly remind ourselves good people can do bad things depending on that individual’s circumstances at the time they make a compromising decision.

“Insider threat” is a term used to describe the threat to an entity’s systems or data that originates from within the entity. These “insiders” can be current or former employees, contractors, or business associates who have or has had authorized access to an entity’s systems or data and misuse that access.

Red Flag Behavioral Indicators

When entities endure a significant data breach, they are often in disbelief the incident occurred. Then as they begin the investigation phase, they realize there were behaviors exhibited by the bad actor that should have drawn suspicion.

Here are some behaviors entities should be watchful of:1

  • Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules which may result in them being able to carry out their illicit activities privately.
  • Remotely accesses the computer network while on vacation, sick leave, or at other odd times.
  • Interest in matters outside the scope of their duties, particularly where patient data may be stored and how that information may be accessed.
  • Unexplained affluence; buys things they cannot afford on their household income.
  • Without need or authorization, takes proprietary or other material like patient information home, via paper records, thumb drives or by emailing information to their personal email accounts.
  • Overwhelmed by life crisis or career disappointments.
  • Paranoia about being investigated; believes there are listening devices or cameras in their homes or workplaces.
  • Disregarding computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.

How to Reduce Your Risk

  • Appropriately manage your employees. Entities should pay particular attention to individuals who are disgruntled or who may be undergoing financial hardship. Also, be watchful of employees who show up to work very early or leave very late with no work product to show for the extra time they’ve worked. Additionally, background checks can be very telling. This is especially true for employees whose records identify financial issues like issuing bad checks.
  • Be mindful of security access privilege designations. Only provide employees with the security access privileges they need to perform their job functions. The less access they have to patient data that does not involve them, the less likely they will be able to create large data breaches.
  • Proactively audit user access. Perform audits of user actions to determine who has been remoting into your entity’s computer network or who has been accessing your systems after normal business hours. Review reports of failed log-in attempts to determine whether employees are trying to log into systems they have not been officially granted access to view.
  • Develop and adhere to effective termination procedures. Once you become aware an employee will need to be terminated, make plans to disable their physical and system access such that the terminated employee does not have the opportunity to negatively impact your entity or systems. During the exit interview, make it clear to the terminated employee your entity will not tolerate inappropriate data access and will seek criminal prosecution if it discovers any employees are engaging in such activity.
  • Effective training programs. Ensure your employees are aware of your entity’s privacy and security policies and procedures. Reiterate these principals in training and inform them of the consequences of not adhering to these requirements. Additionally, train employees to be particularly watchful of co-workers who exhibit the behavioral indicators described above. Ensure they know the warning signs and to whom to report their concerns.
  • All insiders are not necessarily in your building. Be mindful that Business Associates and contractors may also have access to your systems
    and data. The activities of these users should be monitored as well. Individuals within those entities should be signing confidentiality agreements at a minimum and Business Associate Agreements, when applicable.

 

Your entity’s designated Security Officer can play a key role in monitoring the electronic behavior of staff members, Business Associates and contractors. Ensure this individual is knowledgeable about your entity’s HIPAA security policies and procedures, and they are following up on audits that identify behaviors that may be placing your patient data at risk. If your entity does not have updated HIPAA security policies and procedures, consider hiring a health care compliance professional to ensure regulatory compliance.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.

References
1 “The Insider Threat”, U.S. Department of Justice Federal Bureau of Investigation; https://www.fbi.gov/file-repository/insider_threat_brochure.pdf
2 “Insider Threats: What every government agency should know and do,” Deloitte Dbriefs, March 2016.

Posted in: HIPAA

Leave a Comment (0) →

HIPAA Guidance for Mass Shootings and Other Tragic and Emergency Situations

HIPAA Guidance for Mass Shootings and Other Tragic and Emergency Situations

In the aftermath of one of the deadliest school shootings in U.S. history, many health care organizations are revisiting their HIPAA policies and procedures to determine exactly what information they are allowed to share and to whom they may share information. 

FAMILY AND FRIENDS

A health care entity may share a patient’s location, general condition or death with a patient’s family, guardian, or friend who is involved in the patient’s care or who may be responsible for payment of the patient’s treatment. This may occur in a variety of circumstances including, but not limited to, the following:

  • If the patient is present and able to consent to the disclosure, the health care provider must obtain the patient’s consent, provide the patient with the opportunity to object to the disclosure, or based on the professional judgment of the health care professional, they may reasonably conclude that the individual would not object to the disclosure being made.
  • If the patient is not present or unable to consent due to incapacity or emergency, the health care professional may in the exercise of professional judgment determine whether the disclosure to the family, friend or guardian is in the best interest of the patient.
  • If the patient is deceased, the health care provider may disclose information about the patient to the family member, friend or guardian unless the health care professional is specifically aware that the patient expressed that the disclosure not be made prior to their death.
  • Health care providers may also share information about a patient with police, media outlets or the general public when attempting to identify, locate or notify family members, guardians or personal representatives of a patient. Information that may be shared include the patient’s location, general health status or death.
  • PHI may be shared with disaster relief organizations that are legally responsible for assisting with disasters if doing so will assist in the notification of family members or other individuals responsible for the patient’s care. [1]

MEDIA OUTLETS

Hospitals and health care entities may share general information about a patient with media outlets in an effort to identify, locate or notify individuals responsible for the patient’s care. However, if the request is initiated by the media, you must consider the following:

  • If the patient is conscious and does not specifically object, limited facility directory information may be shared as long as the requestor identifies the patient by name. This information includes whether the patient is indeed seeking treatment at the facility, whether they are in critical or stable condition, and whether they sought treatment and are now released.
  • If the patient is unable to consent, the health care provider can determine based on their professional judgment whether notifying the media or general public of the patient’s status or death is in the best interest of the patient.

Specific information about a patient’s care, such as x-rays, tests performed and test results, or details of a patient’s diagnosis may not be disclosed without either the patient’s authorization or the authorization of their personal representative.

LAW ENFORCEMENT

Health care entities can provide information to law enforcement with a signed HIPAA authorization from the patient or the patient’s personal representative. However, there are instances in which PHI may be shared with law enforcement without patient consent. Those instances include:

  • When the health care professional reasonably believes that the report would prevent or lessen a serious and imminent threat to the health or safety of an individual or the public;
  • The entity believes in good faith that it is sharing information that may be evidence of a crime that occurred on the premises of the entity;
  • Alerting law enforcement of the death of an individual when there is a suspicion that the death resulted from criminal conduct;
  • When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity;
  • When it is required by law to make reports to law enforcement, like in instances of treating gunshot or stab wounds;
  • In compliance with court orders, warrants, subpoenas or summons;
  • In response to a request by law enforcement to identify or locate a suspect, fugitive, material witness or missing person (the information must be limited to basic demographic and identifying information about the person); and
  • Instances of child abuse or neglect reporting when the entity receiving the report is officially authorized by law to receive the report[2].

WHAT ABOUT THE SUSPECT?

When law enforcement needs assistance with identifying and locating a suspect, fugitive or material witness to a crime, health care entities are encouraged to cooperate with these requests.  However, those disclosures must be limited to the following information:

  • Name and Address,
  • Date and Place of Birth,
  • Social Security Number,
  • ABO Blood Type and RH Factor,
  • Type of Injury,
  • Date and Time of Treatment,
  • Date and Time of Death, and
  • Description of Distinguishing Physical Characteristics[3] (Ex. Tattoos, mustache, beard).

Any additional disclosures about a suspect’s medical information, such as DNA tests or body fluid analysis, can only be disclosed upon the presentation of a signed authorization, court order, warrant or documented administrative request.

WHAT IS A HIPAA WAIVER, AND WHEN DOES IT APPLY?

There is no lack of confusion regarding what a HIPAA waiver is and when it may be utilized. Waivers of HIPAA sanctions and penalties occur when the President declares an emergency or disaster and the Secretary of the Department of Health and Human Services (HHS) waives provisions of the Privacy Rule during the emergency or disaster.

If the Secretary issues such a waiver, it only applies:

  • In the emergency area and for the emergency period identified in the public health emergency declaration;
  • To hospitals that have instituted a disaster protocol. The waiver would only apply to patients at such hospital; and
  • For up to 72 hours from the time the hospital implements its disaster protocol.[4] Once the limited waiver terminates, health care entities are required to comply with the HIPAA Privacy Rule.

It is important to know under what circumstances you can disclose information and to whom those disclosures can be offered. Failure to understand these requirements may place you at risk for HIPAA violations and sanctions. If you have specific questions about disclosures of PHI, please contact a health care compliance professional.

[1] 45 CFR 164.510(b)

[2] 45 CFR 164.512

[3] 45 CFR 164.512(f)(2)

[4] 45 CFR 164.510(b)(4)

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.

A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.

When was the last time you reviewed your entity’s Contingency Plan? If it has been awhile, or never, you need to get to work. In light of recent natural disasters and ransomware attacks, the necessity of thorough and documented contingency planning, to include backup and disaster recovery, has become a focus for health care entities.

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) health care entities are required to account for the confidentiality, integrity and accessibility of their electronic protected health information (ePHI). They must consider potential incidents that may affect their information systems like fires, vandalism, malware attacks and tornados. Then they must document their strategy for operation during those events.

Contingency planning should begin with a review of the entity’s Risk Analysis. This document identifies what type of ePHI the entity accesses or maintains, where the data resides, and how the entity handles the data. Afterwards, the entity should begin the process of developing specific Administrative Safeguards.

A Data Backup Plan is essential, especially in instances of malware and natural disasters. Entities must put procedures in place to create and maintain exact copy backups of their data that they can readily retrieve. For example, if an entity is heavily damaged by a tornado or fire, they must be able to gain access to the data that they previously utilized within their entity. Without the benefit of timely system backups, the entity would not be able to recover up-to-date data which can be a serious liability when treatment decisions are being made about patients/clients without the benefit of their most current records.

The entity should ensure that there is an appropriate off-site backup of the entity’s ePHI and that the backup is being appropriately performed. These exact copy backups generally occur on a daily, weekly and monthly basis. The entity should maintain copies of these backups and should test the system periodically to ensure that the backup process is working in accordance with the required standards.

The ability to recover lost or stolen data can be critical. The entity should ensure that they have an effective Disaster Recovery Plan that complies with the National Institute of Standards and Technology (NIST) specifications.[1] The Disaster Recovery Plan should identify risks observed in the Risk Analysis and reflect a comprehensive plan to recover ePHI within specific time parameters, generally 24 to 48 hours. Additionally, careful consideration must be given to appropriate off-site locations that the entity could utilize if their primary location is no longer available. All workforce members should be informed of the plan and trained on their specific role.

An Emergency Mode Operations Plan documents the manner in which the entity will work throughout the course of the emergency. This relates to the critical business processes that must take place to protect ePHI during and following the emergency or disaster. Examples include determining the need for additional equipment or supplies, ensuring hardware and software compatibility to retrieve ePHI and if necessary, communicating changes to patients/clients.

Testing and Revision Procedures are required for the Data Backup, Disaster Recovery and Emergency Mode Operation Plans. These tests should occur within the timelines listed in the entities Risk Analysis and in all instances no less than annually. The testing process should be documented and evaluated to determine any need for revision.

Entities should perform an Application and Data Criticality Analysis to identify the information systems that are most important from a business operations perspective. This allows the entity to prioritize which databases need to be restored and in what order. For example, if a health care provider were the victim of a ransomware attack and they were attempting to recover the data, the Application and Data Criticality Analysis would identify the exact systems that are most crucial to their operations, allowing them to more easily prioritize the recovery process.

What does a compliance professional look for when auditing an entity for compliance with contingency planning? Entities should be able to produce the following:

  • A documented Contingency Plan which covers each of the specifications listed above, namely Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedures and Application and Data Criticality Analysis;
  • Documented roles and responsibilities of workforce members during disasters or emergencies;
  • Documentation that identifies the entities critical applications;
  • Documentation to demonstrate the plan is periodically reviewed and tested; and
  • Documentation that reflects whether amendments to the Contingency Plan or Risk Analysis were warranted and implemented, if applicable.

While contingency planning is important for appropriate business operations and HIPAA compliance, it is also critical to patient care. Patients count on health care providers to provide appropriate treatment and care during normal periods and during emergencies. If an emergency or disaster renders an entity without access to their ePHI with no plan to recover or otherwise gain access to the data, that creates unnecessary liability on behalf of the provider for treating the patient without access to their current records. Patient care should be paramount to the mission of all health care entities.

[1] Although only federal agencies are required to follow NIST standards, they represent industry standards for how health care entities should handle ePHI.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA

Leave a Comment (0) →

A Risk Analysis Is Your Entity’s Annual HIPAA Checkup

A Risk Analysis Is Your Entity’s Annual HIPAA Checkup

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic protected health information (ePHI). This process must be documented as a Risk Analysis. Covered entities must develop a Risk Analysis at their inception and review the Risk Analysis at least annually to identify potential changes to their information systems, physical environment, and/or the regulatory environment that may affect how they handle ePHI.

When performing a Risk Analysis, entities should review the HIPAA regulations and recommendations from the National Institute of Standards and Technology (NIST). Although federal agencies are the only entities required to comply with NIST, these guidelines act as the industry standard and should be followed by all covered entities.

Generally, a Risk Analysis is performed by the entity’s Security Officer. HIPAA requires each entity to have a designated Security Officer.  This designation must be in writing. The designated Security Officer must be familiar with the entity’s operations and competent in Information Technology. In accordance with NIST standards, the Security Officer should take the following steps to create or review the Risk Analysis:

  1. Determine where the entity’s ePHI is stored;
  2. Interview management to determine how workforce members utilize ePHI;
  3. Review access security settings and controls of the information systems;
  4. Determine the present and potential threats to ePHI;
  5. Determine the likelihood and impact of current and potential threats and assign them a risk level of high, medium or low;
  6. Document the Risk Analysis process and attach it to the updated Risk Analysis; and
  7. Work with management to resolve all threats within a reasonable period, with priority given to issues of higher risk and vulnerability.

Risk Analysis Content

A Risk Analysis shall include the evaluation of administrative, technical and physical safeguards.

Administrative Safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.[1]  Administrative safeguards include the following:

  1. Assigned Security Responsibilities
  2. Security Management
  3. Information Access Management
  4. Business Associate Agreements
  5. Security Incident Procedures
  6. Security Awareness and Training
  7. Workforce Security
  8. Contingency Plans
  9. Evaluation

Technical safeguards are defined as “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”[2]  Technical safeguards include the following:

  1. Access Controls
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security

Physical safeguards are defined as “physical measures, policies, and procedures to protect a covered entity‘s or business associate‘s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”[3] Physical safeguards include the following:

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

The completed Risk Analysis must be maintained for at least six (6) years and should be kept in paper and electronic form.

Risk Analysis vs. Risk Management

Health care entities often confuse Risk Analysis and Risk Management. While a Risk Analysis serves to identify threats and estimate their risks, Risk Management is the process of managing identified risks. Risk Management consists of the development of policies and procedures that dictate how to address identified risks.

Several Risk Analysis Tools exist that entity’s can utilize. However, the Department of Health and Human Services (HHS) encourages entities to seek expert advise when completing a Risk Analysis to ensure that the Risk Analysis is accurate and thorough. Additionally, the National Institute of Standards and Technology (NIST) has produced a series of publications that can assist covered entities with understanding information technology security. Those publications can be viewed by visiting http://csrc.nist.gov/publications/PubsSPs.html.

A proper Risk Analysis is a necessity not only because it is required by HIPAA regulations, but also because it offers the entity the best opportunity to identify and deal with risks associated with the preservation of ePHI.  Finally, in the event a covered entity has to answer for a breach of PHI, the failure to produce a proper Risk Analysis could lead to sufficient justification for punitive action by HHS.

[1] 45 CFR 164.304

[2] 45 CFR 164.304

[3] 45 CFR 164.304

The Dunson Group is a health care compliance law firm in Montgomery, Ala., focused on helping health care providers meet regulatory requirements. Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, and regularly contributes articles of special interests to physicians and practice managers.

Posted in: HIPAA

Leave a Comment (0) →