Posts Tagged HIPAA

Office for Civil Rights Issues Guidance on HIPAA in Light of Opioid Crisis

With increased attention on opioid use and addiction, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the Health Insurance Portability and Accountability Act of 1996 (HIPAA), prompted by misunderstandings about when a health care provider may share an individual’s protected health information (PHI) in an overdose or other opioid-related emergency. Generally, HIPAA restricts a provider’s ability to share PHI, but there are circumstances in which a provider may disclose PHI even though the patient has not authorized the disclosure.

Many health care providers mistakenly believe they must have a written authorization or the patient’s permission before releasing any PHI. However, there are circumstances in which the patient’s permission is not required. HIPAA allows a provider to share information with a patient’s family or caregivers in certain emergency or dangerous situations. As outlined in the guidance, a provider may share information with family and close friends who are involved in the patient’s care if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient, and the information shared is directly related to the family’s or friends’ involvement in the patient’s health care or payment for that care. OCR’s guidance states that a provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but the provider could not share unrelated medical information without the patient’s permission.

Another situation in which information may be shared without the patient’s permission is when the provider informs a person who is in a position to prevent or lessen a serious and imminent threat to the patient’s health or safety. OCR states that “a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends or caregivers of the opioid abuse after determining that the patient poses a serious and imminent threat to his or her health through continued abuse upon discharge.”

If a patient is not incapacitated and has decision-making capacity, a health care provider must give the patient an opportunity to agree or object before disclosing health information to family, friends or others, even if they are involved in that individual’s care or payment for care. The provider is not permitted to disclose health information about a patient who has the capacity to make his or her own health care decisions over the patient’s objection unless, as mentioned above, there is a serious and imminent threat to the health or safety of the patient or others.

The distinction between capacity and incapacity can be a difficult determination for providers, and a patient’s status may change during the course of treatment. OCR points out that decision-making incapacity may be temporary or situational and does not have to rise to the level at which someone has been, or must be, appointed to act by law (for example, under a power of attorney or guardianship). If during the course of treatment the patient regains the ability to make decisions, the provider must give the patient the opportunity to agree or object to further sharing of health information.

As has always been the case, HIPAA allows a health care provider to release or disclose information to a patient’s “Personal Representative.” HIPAA defines personal representative as a person who has health care decision-making authority under state law. In Alabama, a person holding general Durable Power of Attorney executed after 2012 is presumed to be the Personal Representative for purposes of HIPAA. Additionally, a parent of an unemancipated minor or someone holding a guardianship or conservatorship would also qualify.

To read OCR’s guidance, visit https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf

Article contributed by Angie Cameron Smith, a partner at Burr & Forman LLP. Burr & Forman LLP is a partner with the Medical Association.

Posted in: HIPAA

What Eight Things You Should Do to Protect Your Business from Cyber Threats

Cyber threats take many forms. The widespread WannaCry ransomware attack in May 2017 showed how computer files can be held hostage for payment, while the October 2016 distributed denial-of-service attack on the DNS provider Dyn showed how websites such as Airbnb and Twitter can be made inaccessible without being breached themselves. Cyber threats against the health care industry are on the rise because the information they yield is lucrative. Every physician practice should therefore take steps to protect itself from a cyberattack.

Identify the types of cyberattacks to which your practice is most likely vulnerable.

By doing so, you can invest in measures that will be most relevant to your practice. For instance, practices that host websites must preempt denial of service attacks, while those that hold private customer information electronically must prevent unauthorized access to their data. Of course, many practices will likely be vulnerable to a variety of cyberattacks.

Develop a framework to prevent, investigate and respond to the cyberattacks to which your practice is most vulnerable.

In 2014, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued, and continues to update, a voluntary Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). In addition to their own initiatives, practices should periodically consult the Framework to keep abreast of cybersecurity best practices and to assess their security posture relative to others. The website of the HHS Office for Civil Rights, the agency responsible for HIPAA enforcement, also contains guidance on various cybersecurity topics that may prove helpful.

Invest in the latest computer security and protection measures.

To the extent feasible, practices should use supported, up-to-date software and apply security updates promptly as they are released. Attack methods constantly evolve, and unpatched or unsupported software is the easiest target. WannaCry is the cautionary example: it spread through a flaw in Windows file sharing (SMBv1) for which Microsoft had published a patch (MS17-010) two months before the outbreak, so the organizations hit were chiefly those that had not yet applied it or were still running versions of Windows that no longer received updates. Practices should also back up data regularly and keep at least one copy isolated from the production network so that ransomware cannot reach it, segment their network, and monitor network activity.

Implement employee vigilance and training measures.

Perpetrators of cyberattacks often employ phishing scams by sending emails with attached malware to individuals who then promptly download the attachments and infect their employers’ computer networks. Practices should train employees to identify suspicious emails in order to guard against phishing schemes. Such training can be incorporated into your practice’s periodic HIPAA training.

Because malicious emails often appear to come from familiar senders, practices should teach employees to spot the subtle clues that mark a dangerous message. For instance, employees should be instructed to check whether the domain name of the sending account is a “near miss” of the expected one; noticing that an address ends in “dot co” rather than “dot com” can be the difference that avoids hefty losses.

Test your cybersecurity measures and monitor the effectiveness.

To test whether employees take instructed precautions against phishing attacks, practices should send their employees emails from a “near-miss” domain and tally how many employees fall for them. Of course, even after enhancing computer security systems and increasing employee awareness of network defenses, practices may nonetheless succumb to a cyberattack, but at least the chances of doing so may be reduced.
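The two paragraphs above describe the “near-miss” domain check employees are taught to perform and the phishing test that exercises it. As an added example (not part of the original article), the following Python script automates the same check so a practice can run it over a mail log or over the addresses used in its own phishing simulation. The trusted-domain list, the confusable-character table and the sample sender addresses are constructed for illustration; the practice’s own accepted domains would replace them.

```python
"""Flag e-mail sender domains that are a 'near miss' of a domain the practice trusts.

Added example; not code from the original article. The trusted-domain list and
the sample sender addresses are constructed for illustration.
"""
from email.utils import parseaddr
from typing import Iterable, List, Optional, Tuple
import unicodedata

# Constructed allowlist: domains the practice legitimately receives mail from.
TRUSTED_DOMAINS = frozenset({"example-clinic.com", "billingvendor.com", "medassoc.org"})

# Substitutions attackers use because they look alike in many fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold a domain to a comparison form: lowercase, accented or Unicode
    look-alike characters stripped to ASCII, common ASCII confusables collapsed.
    Applied to both the sender domain and the trusted domains, so a legitimate
    'rn' in a trusted name cancels out instead of causing a false alarm."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = folded.lower().strip(".")
    for bad, good in CONFUSABLES:
        folded = folded.replace(bad, good)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str,
                    trusted: Iterable[str] = TRUSTED_DOMAINS,
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted_domain_it_resembles).

    verdict is 'trusted', 'near_miss', 'unknown' or 'invalid'. A near miss is a
    domain that is not on the allowlist but lies within max_distance edits of one
    after normalization; 'dot co' for 'dot com' is distance 1.
    """
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ("invalid", None)
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return ("trusted", domain)
    norm = normalize(domain)
    best: Optional[Tuple[int, str]] = None
    for t in trusted:
        d = levenshtein(norm, normalize(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    return ("near_miss", best[1]) if best else ("unknown", None)


def triage(addresses: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify a batch of sender addresses, e.g. from a day's mail log."""
    return [(a, *classify_sender(a)) for a in addresses]


if __name__ == "__main__":
    # Constructed sample senders: one legitimate, three look-alikes, one stranger.
    sample = [
        "Dr. Jones <jones@example-clinic.com>",
        "jones@example-clinic.co",
        "jones@exarnple-clinic.com",
        "billing@bi11ingvendor.com",
        "news@unrelated.example",
    ]
    for address, verdict, resembles in triage(sample):
        note = f"  (looks like {resembles})" if resembles and verdict != "trusted" else ""
        print(f"{verdict:9} {address}{note}")
```

A “near_miss” verdict means the domain is within two edits of a trusted one after folding look-alike characters; it is a signal for a human to look at the message, not proof of fraud. “unknown” only means the domain resembles nothing on the list, not that it is safe. The same check belongs in the mail gateway as well as in staff training, and a run over the addresses used in the practice’s phishing simulation shows which ones the tooling would have caught before an employee had to.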

Obtain effective cyberattack insurance coverage.

Practices should compare potential damages in the event of a cyberattack to the coverage provided in their existing insurance policies and seek out supplementary insurance for any uncovered damages or liabilities that may arise in the event of a cyberattack. For instance, since courts are divided as to whether computer systems constitute “tangible property” for purposes of an insurance claim, practices should consider consulting their insurance companies, brokers, or legal counsel to obtain insurance that covers the types of damages that arise in cyberattacks, including, but not limited to, expenses associated with providing patients with written notice when a reportable HIPAA breach occurs.

Adopt an effective legal strategy for your practice that preempts and limits liability.

As practices retain confidential personal and medical information, any data breach or unauthorized disclosure could subject the practice to liability under a host of federal and state law claims, in addition to HIPAA fines and penalties. Thus, the establishment of an effective legal strategy that preempts and limits liability is essential.

Employ traditional security measures for your practice at locations that could be vulnerable to physical disruption of your cyber capabilities.

Practices should account for some of the more traditional ways in which perpetrators can disrupt their computer networks. To prevent someone from unplugging the power source to a computer network or server, you could consider installing CCTV cameras and limiting access to such areas. In addition, have security incident procedures in place and be prepared to continue operations if an interruption occurs. For example, if an interruption with respect to your EMR system occurs, be prepared to continue business utilizing paper medical records until the interruption can be resolved and your EMR is back online.

Article contributed by David D. Dowd III, Elizabeth B. Shirley and Kelli C. Fleming with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP, is an official Bronze Partner with the Medical Association.

Posted in: Technology

How to Make HIPAA Disclosures During Mass Tragedies

In light of the recent incident in Las Vegas, the HHS Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement, issued guidance clarifying a health care provider’s ability to share patient information in such situations. While these incidents tax providers’ treatment capacity, providers must keep in mind HIPAA’s requirements for disclosing information to the public. A summary of OCR’s clarification follows; it is a good reminder of what may be shared under HIPAA in mass-casualty and disaster scenarios.

Disclosures to Family, Friends and Others Involved in an Individual’s Care and for Notification.

You may share health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. You may also share information about a patient as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large.

  • You should get verbal permission from the patient when feasible or otherwise be able to reasonably infer that the patient does not object to the disclosure. If the individual is incapacitated or not available, you may share information for these purposes if, in your professional judgment, doing so is in the patient’s best interest.
  • In addition, you may share protected health information with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts (e.g., American Red Cross), for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification.

If asked about a particular patient by name, you may release limited facility directory information: acknowledge that the individual is a patient at the facility and describe the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released), provided the patient has not objected to or restricted such disclosures or, if the patient is incapacitated, the disclosure is believed to be in the patient’s best interest and consistent with any prior expressed preferences. In general, affirmative reporting to the media or the public about an identifiable patient, or disclosure of specific information about an identifiable patient’s treatment (such as specific tests, test results or details of the illness), may not be done without the written authorization of the patient or his/her personal representative.

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: HIPAA

A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.

When was the last time you reviewed your entity’s Contingency Plan? If it has been awhile, or never, you need to get to work. In light of recent natural disasters and ransomware attacks, the necessity of thorough and documented contingency planning, to include backup and disaster recovery, has become a focus for health care entities.

Under the Health Insurance Portability and Accountability Act (HIPAA), health care entities are required to protect the confidentiality, integrity and availability of their electronic protected health information (ePHI). They must consider potential incidents that may affect their information systems, such as fires, vandalism, malware attacks and tornadoes, and then document their strategy for operating during those events.

Contingency planning should begin with a review of the entity’s Risk Analysis. This document identifies what type of ePHI the entity accesses or maintains, where the data resides, and how the entity handles the data. Afterwards, the entity should begin the process of developing specific Administrative Safeguards.

A Data Backup Plan is essential, especially in instances of malware and natural disasters. Entities must put procedures in place to create and maintain exact copy backups of their data that they can readily retrieve. For example, if an entity is heavily damaged by a tornado or fire, they must be able to gain access to the data that they previously utilized within their entity. Without the benefit of timely system backups, the entity would not be able to recover up-to-date data which can be a serious liability when treatment decisions are being made about patients/clients without the benefit of their most current records.

The entity should ensure that there is an appropriate off-site backup of the entity’s ePHI and that the backup is being appropriately performed. These exact copy backups generally occur on a daily, weekly and monthly basis. The entity should maintain copies of these backups and should test the system periodically to ensure that the backup process is working in accordance with the required standards.

The ability to recover lost or stolen data can be critical. The entity should have an effective Disaster Recovery Plan that follows National Institute of Standards and Technology (NIST) guidance (NIST Special Publication 800-34 is the contingency planning guide).[1] The Disaster Recovery Plan should address the risks identified in the Risk Analysis and set out a comprehensive plan to recover ePHI within specific time parameters, generally 24 to 48 hours. Careful consideration must also be given to appropriate off-site locations the entity could use if its primary location is no longer available. All workforce members should be informed of the plan and trained on their specific roles.

An Emergency Mode Operations Plan documents the manner in which the entity will work throughout the course of the emergency. This relates to the critical business processes that must take place to protect ePHI during and following the emergency or disaster. Examples include determining the need for additional equipment or supplies, ensuring hardware and software compatibility to retrieve ePHI and if necessary, communicating changes to patients/clients.

Testing and Revision Procedures should cover the Data Backup, Disaster Recovery and Emergency Mode Operation Plans (the specification is “addressable” under the Security Rule, which does not make it optional). Tests should occur within the timelines listed in the entity’s Risk Analysis and, in all instances, no less than annually. The testing process should be documented and evaluated to determine whether revisions are needed.

Entities should perform an Application and Data Criticality Analysis to identify the information systems that are most important from a business operations perspective. This allows the entity to prioritize which databases need to be restored and in what order. For example, if a health care provider were the victim of a ransomware attack and they were attempting to recover the data, the Application and Data Criticality Analysis would identify the exact systems that are most crucial to their operations, allowing them to more easily prioritize the recovery process.

What does a compliance professional look for when auditing an entity for compliance with contingency planning? Entities should be able to produce the following:

  • A documented Contingency Plan which covers each of the specifications listed above, namely Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedures and Application and Data Criticality Analysis;
  • Documented roles and responsibilities of workforce members during disasters or emergencies;
  • Documentation that identifies the entity’s critical applications;
  • Documentation to demonstrate the plan is periodically reviewed and tested; and
  • Documentation that reflects whether amendments to the Contingency Plan or Risk Analysis were warranted and implemented, if applicable.

While contingency planning is important for appropriate business operations and HIPAA compliance, it is also critical to patient care. Patients count on health care providers to provide appropriate treatment and care during normal periods and during emergencies. If an emergency or disaster renders an entity without access to their ePHI with no plan to recover or otherwise gain access to the data, that creates unnecessary liability on behalf of the provider for treating the patient without access to their current records. Patient care should be paramount to the mission of all health care entities.

[1] Although only federal agencies are required to follow NIST standards, they represent industry standards for how health care entities should handle ePHI.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA

Is Your HIPAA Contingency Plan Adequate?

Your response to this question may include one of the following answers:

  1. What in the world is a Contingency Plan?
  2. I think we did that, but I’m not sure where it is.
  3. I know we did one a while back, but we haven’t looked at it in a while.

If any of these responses sound familiar, you will want to get to work. FAST!

HIPAA covered entities are required to protect the integrity, confidentiality and availability of electronic protected health information (ePHI). In accordance with §164.308(a)(7) of the HIPAA regulations, covered entities are required to develop and maintain a Contingency Plan. Specifically, covered entities must “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” The purpose of this requirement is to ensure that entities are able to recover or access the accurate health information of their patients and clients during emergencies.

Each component of the Contingency Plan is either a “required” or an “addressable” implementation specification. Required specifications must be implemented as written. Addressable specifications give an entity flexibility: it must assess whether the specification is reasonable and appropriate in its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where reasonable. Addressable does not mean optional.

A Contingency Plan should include the following:

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Data Backup Plan

Entities must have internal controls as well as a working relationship with vendors of their information systems to ensure that the entity has the ability to do an up-to-date exact copy backup of its ePHI. The entity should have mechanisms in place to ensure that the backup is performed properly. This backup process must be periodically tested to ensure the integrity of the ePHI.
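Both this paragraph and the Data Backup Plan discussion in the previous article call for an “exact copy” backup whose integrity is periodically tested. The following Python example, added here and not taken from either article, shows one way to make that test concrete: record a SHA-256 manifest of the backup set, authenticate the manifest with an HMAC key kept off the backup media, and compare a restored copy against it so that missing, altered or stray files are reported during the test rather than discovered during patient care. The directory layout, file contents and key are constructed sample data; no real ePHI is involved.

```python
"""Verify that a restored backup is an exact copy of what was backed up.

Added example; not code from either article. It builds a SHA-256 manifest of a
backup set, authenticates the manifest with an HMAC key kept off the backup
medium, and checks a restored tree against it. All files are constructed
sample data written to a temporary directory.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large database dumps fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_tag(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON form of the manifest.

    The key must live somewhere the backup job cannot write; otherwise an
    intruder who can alter the backup can also rewrite the manifest to match.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(manifest_tag(manifest, key), tag)


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "corrupt": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def restore_is_exact(result: Dict[str, List[str]]) -> bool:
    return not any(result.values())


SAMPLE_FILES = {  # constructed data standing in for an EHR export; no real PHI
    "patients/1001.json": b'{"id": 1001, "note": "constructed sample"}',
    "patients/1002.json": b'{"id": 1002, "note": "constructed sample"}',
    "schedule.csv": b"date,room\n2017-10-01,A\n",
}


def demo() -> Dict[str, object]:
    """Back up, then simulate a restore that lost one file and altered another."""
    key = b"constructed-demo-key-keep-off-the-backup-media"
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for rel, data in SAMPLE_FILES.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)

        manifest = build_manifest(live)          # taken at backup time
        tag = manifest_tag(manifest, key)        # stored with the off-site copy

        shutil.copytree(live, restored)
        (restored / "schedule.csv").unlink()                 # file lost in transit
        bad = restored / "patients/1002.json"
        bad.write_bytes(bad.read_bytes()[:-1] + b"X")        # silent bit rot or tampering

        return {
            "manifest_authentic": manifest_is_authentic(manifest, tag, key),
            "forged_tag_rejected": not manifest_is_authentic(manifest, tag, b"wrong-key"),
            "result": verify_restore(manifest, restored),
        }


if __name__ == "__main__":
    out = demo()
    print("manifest authentic:", out["manifest_authentic"])
    print("restore exact:", restore_is_exact(out["result"]), out["result"])
```

Run as a script, it reports that the simulated restore was not exact (one file missing, one altered) and that the manifest still authenticates under the right key but not a wrong one. In a real restore test the manifest and key would come from the off-site copy and a separate key store, and the printed result, dated, is the evidence an auditor asks for under Testing and Revision Procedures.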

Disaster Recovery Plan

A Disaster Recovery Plan for use in disasters and emergencies must be developed. Entities should review the HIPAA Risk Analysis to identify foreseeable threats, and the plan should reasonably mitigate each identified threat. In many instances, the entity needs the plan to restore workforce access to ePHI no later than 24 hours after a disaster occurs, or within another period the entity has determined and documented to be reasonable. Employees and staff must be educated about their responsibilities when an emergency requires data recovery.

Emergency Mode Operation Plan

An Emergency Mode Operation Plan must be developed and documented. Entities should enlist the vendors of the information systems that house their ePHI to devise a plan for how the entity will function during emergencies, including identifying alternate sites for work operations. The plan should be tested periodically, at the intervals established by the entity’s risk management policy.

Testing and Revision Procedures

The Contingency Plan should be assessed and the entity should identify the need for any revisions. This testing should occur at least annually. This process, as well as any revisions that occur as a result of testing, should be documented. Testing shall include, but is not limited to, the disaster recovery plan, data backup plan and emergency operations plan.

Applications and Data Criticality Analysis

This analysis ranks the entity’s applications and data by how critical they are to operations, so that the other components of the Contingency Plan (backup, disaster recovery and emergency mode operation) can be prioritized accordingly: the systems needed to treat patients are restored first. Its results feed the Risk Analysis, which the entity must amend as new threats or vulnerabilities are identified, and the entity must work to resolve the risks it identifies. The Risk Analysis should reference the contingency plans and show that the vulnerabilities they address are appropriately covered.

Where Should You Start?

  1. Develop a risk management group to oversee this process, as well as other HIPAA-related policies and procedures.
  2. Determine where your ePHI is stored and utilized in your entity.
  3. Consider threats to your ePHI (e.g., fires, flooding, hurricanes, tornadoes).
  4. Develop procedures for how your entity will respond to these threats.
  5. Test and evaluate the procedures.

Don’t Forget to Document

Some entities invest considerable time and resources considering how they will respond to disasters and emergencies. Often, they implement procedures that are communicated orally but they fail to document the procedures and fail to develop written policies. Always remember, “if it isn’t written down, it didn’t happen.” Entities must ensure that they memorialize their contingency planning efforts by implementing written policies and procedures.

The absence of a written HIPAA Contingency Plan is indicative of an entity that has 1) not undergone a HIPAA compliant Risk Analysis or 2) has undergone an inadequate HIPAA Risk Analysis. In either case, the entity’s lack of attention to such a critical process could be detrimental to the health of its patients and the entity itself.

To ensure that your entity is complying with federal regulations, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA

A Risk Analysis Is Your Entity’s Annual HIPAA Checkup

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic protected health information (ePHI). This process must be documented as a Risk Analysis. Covered entities must develop a Risk Analysis at their inception and review it periodically; HIPAA does not fix a frequency, but reviewing at least annually, and whenever there are changes to the entity’s information systems, physical environment or regulatory environment that may affect how it handles ePHI, is the accepted practice.

When performing a Risk Analysis, entities should review the HIPAA regulations and recommendations from the National Institute of Standards and Technology (NIST). Although federal agencies are the only entities required to comply with NIST, these guidelines act as the industry standard and should be followed by all covered entities.

Generally, a Risk Analysis is performed by the entity’s Security Officer. HIPAA requires each entity to have a designated Security Officer.  This designation must be in writing. The designated Security Officer must be familiar with the entity’s operations and competent in Information Technology. In accordance with NIST standards, the Security Officer should take the following steps to create or review the Risk Analysis:

  1. Determine where the entity’s ePHI is stored;
  2. Interview management to determine how workforce members utilize ePHI;
  3. Review access security settings and controls of the information systems;
  4. Determine the present and potential threats to ePHI;
  5. Determine the likelihood and impact of current and potential threats and assign them a risk level of high, medium or low;
  6. Document the Risk Analysis process and attach it to the updated Risk Analysis; and
  7. Work with management to resolve all threats within a reasonable period, with priority given to issues of higher risk and vulnerability.

Risk Analysis Content

A Risk Analysis shall include the evaluation of administrative, technical and physical safeguards.

Administrative Safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[1]  Administrative safeguards include the following:

  1. Assigned Security Responsibilities
  2. Security Management
  3. Information Access Management
  4. Business Associate Agreements
  5. Security Incident Procedures
  6. Security Awareness and Training
  7. Workforce Security
  8. Contingency Plans
  9. Evaluation

Technical safeguards are defined as “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”[2]  Technical safeguards include the following:

  1. Access Controls
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security

Physical safeguards are defined as “physical measures, policies, and procedures to protect a covered entity‘s or business associate‘s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”[3] Physical safeguards include the following:

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

The completed Risk Analysis must be maintained for at least six (6) years and should be kept in paper and electronic form.

Risk Analysis vs. Risk Management

Health care entities often confuse Risk Analysis and Risk Management. While a Risk Analysis serves to identify threats and estimate their risks, Risk Management is the process of managing identified risks. Risk Management consists of the development of policies and procedures that dictate how to address identified risks.

Several Risk Analysis tools exist that entities can use. However, the Department of Health and Human Services (HHS) encourages entities to seek expert advice when completing a Risk Analysis to ensure that it is accurate and thorough. Additionally, the National Institute of Standards and Technology (NIST) has produced a series of publications that can help covered entities understand information technology security. Those publications can be viewed at http://csrc.nist.gov/publications/PubsSPs.html.

A proper Risk Analysis is a necessity not only because HIPAA requires it, but also because it offers the entity the best opportunity to identify and address risks to its ePHI. Finally, if a covered entity has to answer for a breach of PHI, the failure to produce a proper Risk Analysis can by itself justify enforcement action by HHS.

[1] 45 CFR 164.304

[2] 45 CFR 164.304

[3] 45 CFR 164.304

The Dunson Group is a health care compliance law firm in Montgomery, Ala., focused on helping health care providers meet regulatory requirements. Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, and regularly contributes articles of special interests to physicians and practice managers.

Posted in: HIPAA

What is the ProAssurance Legal Defense Endorsement?

As a ProAssurance insured, did you know that in addition to medical professional liability coverage your ProAssurance insurance policy also has embedded legal expense coverage for a variety of regulatory risk exposures, certain types of disciplinary proceedings, and other types of covered investigations? It’s called the Legal Defense Endorsement, and it is an automatic part of your policy at no additional cost to you. Generally speaking – and subject to applicable deductibles, policy period aggregates, and other terms and conditions – the Legal Defense Endorsement provides up to $25,000 of legal expense coverage on a per claim basis for a laundry list of “covered investigations” specifically listed in the endorsement.*

Many of the covered investigations are of the regulatory risk variety – like HIPAA, EMTALA, the federal Anti-Kickback and False Claims Act statutes, the Patient Protection and Affordable Care Act, and others. In the event of an investigation or proceeding commenced against you by a governmental or regulatory agency charged with the enforcement of compliance with those laws and regulations, call ProAssurance because your Legal Defense Endorsement could provide up to $25,000 of legal expense coverage to help you navigate the investigative process.

Several other covered investigations relate specifically to Medicare and Medicaid. Again, in the event of an investigation or proceeding commenced against you by any federal or state agency charged with the enforcement of compliance with certain laws regulating Medicare or Medicaid and the rules and regulations related to billing and reimbursement for medical services under those programs, your Legal Defense Endorsement could provide up to $25,000 of coverage for legal expenses you incur as a result of such investigations.

Some of the remaining covered investigations include disciplinary proceedings commenced by the state’s medical licensure commission investigating alleged unprofessional conduct that could result in action being taken against your license to practice medicine. Disciplinary proceedings commenced by a hospital or its medical staff for the purpose of suspending, modifying, restricting, revoking, non-renewing, or terminating your staff privileges are also covered investigations under your Legal Defense Endorsement. Many an unwitting physician has tried to represent him or herself in these types of proceedings, only to later regret not enlisting the assistance of legal counsel.

There are additional covered investigations in the Legal Defense Endorsement not mentioned in this article. If you want to read your Legal Defense Endorsement look for the form titled “Professional Legal Defense Coverage Part” in your current ProAssurance policy. The endorsement itself is about two-and-a-half pages. You can always access your policy documents online through the ProAssurance secure customer portal at www.proassurance.com.

Knowing and understanding how the coverage in your Legal Defense Endorsement works can help you to avoid spending money out of your own pocket on legal expenses that could be covered by the endorsement. More importantly, taking advantage of the coverage in your Legal Defense Endorsement can help you to avoid digging yourself into a deeper hole by attempting to handle a covered investigation on your own without the assistance of legal counsel.

For more information about your Legal Defense Endorsement or if you have questions about the coverage in the endorsement, contact your ProAssurance representative for assistance.

*Please note that legal counsel must be either appointed directly by ProAssurance or if selected by the insured, appointed by ProAssurance with prior written approval before their legal expenses can be covered under the Legal Defense Endorsement.

Posted in: Liability


Texting and Emailing in the World of HIPAA


If you experience anxiety every time you consider texting and/or emailing in your health care setting, you are not alone. On one hand, the world that we live in necessitates that information be communicated in a quick and easy manner. The ability to text or email staff and patients has become a high priority for many health care entities. On the other hand, patient privacy and confidentiality are essential to meeting compliance standards. Though emailing and texting are convenient, they certainly do not come without the possibility of pitfalls. It is a complex issue that requires meeting several factors in order to be implemented properly.

But Everybody Is Doing It, Right?

The perception is that many health care entities are already taking advantage of emailing and texting capabilities.  That may be accurate.  But the bigger question is whether they are utilizing those tools in accordance with HIPAA Privacy and Security requirements.  Health care entities should consider the following:

A Risk Analysis is key.  An adequate Risk Analysis is required to be performed at the outset of the practice, prior to developing a HIPAA policy.  This Risk Analysis identifies the type of information that you maintain or access and the areas within your entity where protected health information (PHI) is vulnerable. The Risk Analysis should be reviewed, and amended if necessary, whenever there is a change in your information technology environment.  This includes adopting the use of email and text messaging. The entity will need to consider potential vulnerabilities and threats, then document its plan to ensure that health information stays secure.

Show me the policy.  The HIPAA Privacy and Security policy must document your entity’s use of these services and define how employees are to utilize them.  This includes specifying whether only business owned devices can be used or whether the entity allows employees to utilize their own personal device (BYOD). The policy should also be specific about any differences in procedure for emailing and texting internally, versus outside communication with patients and other health care providers.  The policy requirement should be followed by adequate training.

Encryption, encryption, encryption.  Many entities that utilize PHI in email communications secure the information via encryption.  Within health care entities, the information is often secured by firewalls.  Firewalls make it much easier to implement security measures, oversee procedures and secure information.  Some health care entities choose to transmit PHI via electronic health records and customized patient portals. However, using emails to properly transmit PHI outside the entity is a much more complicated process.  To properly transmit PHI via email, encryption must be utilized.  Encryption software will resolve security issues because the patient receives an email containing a link which requires a unique username and password to access the PHI. Some patients find the process of logging in and remembering required passwords to be cumbersome, but others appreciate knowing that their information is secure.

Less is more.  When communicating with individuals outside of your entity about PHI, utilize the Minimum Necessary Rule.  The Minimum Necessary Rule requires health care entities to limit the PHI produced to the amount of information necessary for the recipient to carry out their function.  For example, if another provider requests a patient’s diabetes lab work, only provide the requested lab work and not the patient’s entire medical record.  Also, it is recommended that you not share sensitive information including, but not limited to, a patient’s mental health, communicable disease status, child or elder abuse, and substance abuse issues.  The entity’s policies/procedures should define and describe how sensitive information should be transmitted.

The patient gets their way. HIPAA requires entities to communicate with patients in the manner determined by the patient, so long as it is reasonable. An entity’s Notice of Privacy Practices will generally articulate methods of intended communication by the entity.  However, a patient may choose not to receive communications through a traditional method. An example would be a patient request not to use U.S. mail, but to use email instead.  That entity may find that they do not have encrypted email capabilities that would appropriately safeguard the information. In this scenario, the health care entity must still comply with the patient’s request; however, they should have the patient sign a form that memorializes the patient’s request to use email communication and documents the risks associated with this request.

The guidance above does not apply to patient initiated communications. Patients are not considered to be HIPAA covered entities and therefore, their actions are not HIPAA violations.  Thus, patients are free to initiate emails or text messages with health care providers at their pleasure. Health care entities should have a form on hand for the patient to sign prior to responding to an email or text message from the patient. This form documents that the patient is aware of the inherent risk of email or text message communications, but wishes to receive the communication in that form anyway. This will help to satisfy the patient’s preference while helping to shield the health care entity from liability if communications are intercepted beyond the entity’s control.

Texting Has Added Risks

Text messages are generally available to anyone who utilizes that person’s phone because there is generally not separate password security for access to the text messaging feature.  Additionally, because the text messages do not pass through the entity’s servers, it is difficult, if not impossible, for IT staff and Security Officers to audit the texts.  And if these communications are intended to be a part of the patient’s record to demonstrate communication, the patient loses the right to amend the communication if it is not readily available in the paper or electronic record. There are vendors who offer “secure texting” solutions. If a health care entity is considering a secure texting vendor, have your designated Security Officer review their system carefully and converse extensively with the vendor about whether their product is indeed secure. A BAA with the vendor is also required. Finally, the entity should revisit its written policy and retrain when necessary.

To ensure that your practice is in compliance, and for assistance with determining whether your entity should proceed with implementing text or email communications, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: Legal Watch, Liability


How Can You Avoid a HIPAA Mega Breach?


A HIPAA breach often occurs when a health care entity wrongfully discloses the protected health information of a patient or client. These incidents can occur by accident, like faxing patient information to the wrong fax number. They can also be the result of willful or intentional acts, like employees who gather patient information for the purpose of filing false tax returns. They occur in many forms and can affect any number of individuals.  Breaches can range in scale from a single individual being compromised to an incident affecting thousands and even millions of people.

The Department of Health and Human Services requires a breaching entity to take specific reporting action based on the number of individuals the breach affects. In the world of HIPAA breaches, 500 is a magic number. Breaches affecting greater than 500 individuals are generally considered a HIPAA “Mega” breach. These mega breaches have more stringent notification requirements that could cause your health care practice to be featured on the evening news. Just as with breaches affecting fewer than 500 people, mega breaches require that you provide individual notice to each patient. This often requires staff time as they work to locate each patient’s last known address and send them a breach notification letter explaining what happened, who was involved, how their data was compromised, and what the entity is doing to avoid similar incidents in the future. Often, entities will offer their patients credit monitoring for a two-year period to mitigate the breach and demonstrate to the patient that the entity is serious about data security.

In addition to individual notice, mega breaches require simultaneous notice directly to the HHS Office of Civil Rights and to local media and news outlets. Entities reporting these large breaches will deal with immediate issues like loss of business and loss of reputation while also responding to patients and clients who are angry that their information has been compromised.

How can you avoid dealing with a HIPAA Mega breach in your practice?

You Must Perform a Competent and Thorough Risk Analysis. Many compliance professionals refer to this as your entity’s “annual exam.”  During this process, you and your team should determine every system that contains electronic protected health information and assess its vulnerability for inappropriate disclosure. This analysis is a requirement of the HIPAA Security Rule and must occur annually or sooner if necessitated by changes to your IT system or turnover in your workforce. Entities must remember to document this process and have it readily available to produce to HHS upon request. Failure to perform, document, and/or produce an adequate Risk Analysis is often a sign to HHS that an entity is non-compliant and may lead to a more extensive audit. This is an opportunity for entities to determine the adequacy of their cybersecurity and how to protect their entity from malware.

Invest in Encryption. HIPAA categorizes patient data in two ways: (1) secured and (2) unsecured. Entities most often find themselves in trouble when they have a breach of unsecured data. The breach notification requirements discussed above, which include notice to patients, HHS and media outlets, ONLY refer to breaches of unsecured data; secured data is exempt from the notice requirements. Secured or encrypted data is considered to be unusable, unreadable, or indecipherable to unauthorized individuals; thus, the loss of a device holding only encrypted data is not a breach. Encrypting patient data is the ultimate safety net! For example, a nurse uses a business laptop to store patient information of the 550+ individuals that are treated in her practice. She takes it home for the night and leaves it on the passenger seat of her car. Her vehicle is broken into overnight and the laptop is stolen. If the laptop is unencrypted, she now faces HIPAA breach notification requirements, loss of reputation, and the overwhelming threat of possible fines and lawsuits. However, if the laptop is encrypted, she would simply document the occurrence and have the laptop replaced.

Enforce Privacy and Security Policies and Provide Training. Often, the most effective tool in your health care compliance arsenal is a competent and well-informed workforce. Employees must understand how their actions can affect the security of data along with the consequences of violating policies and procedures. Additionally, having policies and procedures that are customized to your practice demonstrates a serious approach to compliance. Often, being able to produce copies of policies and training that employees were mandated to review and participate in will reflect that the entity itself was aware of its risks and sought to avoid or minimize them. An employee who has documented that they have reviewed the policies and participated in training, but nevertheless participated in negligent or reckless behavior, is more likely to be seen as a “bad actor” and not a reflection of a culture of non-compliance within the entity.

Your entity may also want to reflect on how the following devices are utilized and stored:

  1. Hard Drives
  2. CDs/DVDs
  3. Flash Drives
  4. Back-Up Storage Tapes

To ensure that your practice is complying with federal regulations, and for assistance with avoiding or navigating a mega breach, please consult a health care compliance professional.


Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA


The Cost of Non-Compliance with HIPAA Regulations Can Cripple Your Practice


The Basics of HIPAA Privacy and Security

The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities comply with the HIPAA Privacy Rule, Security Rule and Breach Notification Standards set out by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). These covered entities include health plans, health care clearinghouses, health care providers who transmit health information in electronic form and business associates. OCR, affectionately known as the “HIPAA Police,” is the agency responsible for protecting patients’ health information privacy rights.

The Privacy Rule dictates how protected health information (PHI) shall be used and disclosed. It strikes an appropriate balance of ensuring that patient information is maintained in a confidential manner while not hindering disclosures that would account for the treatment and payment of health care services.

The Security Rule has the same overall goal of protecting PHI with a specific focus on electronically created, maintained or transmitted PHI. Thus, the Security Rule protects electronic PHI (ePHI).

At a minimum, a covered health care entity is required to complete the following tasks to comply with the Privacy and Security Rules:

  • Designate a Privacy Officer;
  • Designate a Security Officer;
  • Perform a Risk Analysis;
  • Publish and Make Available a Notice of Privacy Practices;
  • Adopt Policies and Procedures;
  • Perform and Document Workforce Training;
  • Develop and Implement Mitigation Procedures;
  • Adhere to Administrative, Technical and Physical Safeguards of PHI;
  • Adhere to Administrative, Technical and Physical Safeguards of ePHI;
  • Develop and Implement Mechanisms to Receive and Handle Complaints and Breaches; and
  • Perform Periodic Assessments and Audits

The HIPAA Breach Notification Rule specifically dictates how covered entities and their business associates must handle impermissible uses or disclosures of PHI, also known as breaches. This rule dictates the content of the notice, to whom notice must be given, timeliness of the notice and other appropriate deadlines. Breaches must be assessed to determine the number of individuals affected and the possibility of mitigation, both of which affect how the breach should ultimately be handled. For example, breaches affecting fewer than 500 people require individual notice, whereas breaches affecting 500 people or more require individual notice, notice to specific news outlets and notice to the Secretary of HHS. Due to the complexity of the breach notification standards, it is paramount that your privacy and security officers know and understand the breach notification requirements.
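The notification logic described here and in the “Mega Breach” article above (the 500-person threshold and the secured/unsecured distinction) can be written down as a small triage routine. This is an added example, not code from the author or from HHS; the `Incident` record, the `required_notices` function and the sample incidents are constructed for illustration, and the `key_compromised` caveat (encryption is no safe harbor if the key was lost with the data) and the annual HHS log for sub-500 breaches come from the rule itself rather than from this page.

```python
from __future__ import annotations
from dataclasses import dataclass

# From the page: 500 or more affected individuals makes a "mega" breach.
MEGA_BREACH_THRESHOLD = 500

# Notice types named on the page (wording constructed for this example).
INDIVIDUAL = "individual notice to each affected person"
HHS_IMMEDIATE = "notice to the Secretary of HHS at the same time as individual notice"
MEDIA = "notice to prominent media outlets"
# Not on the page but in the rule: smaller breaches are logged and reported
# to HHS annually rather than immediately.
HHS_ANNUAL = "entry in the annual breach log submitted to HHS"


@dataclass(frozen=True)
class Incident:
    """Constructed incident record (hypothetical schema)."""
    description: str
    affected_individuals: int
    phi_encrypted: bool          # was the PHI 'secured' (encrypted) when lost?
    key_compromised: bool = False  # did the decryption key/password go with it?


def is_secured(incident: Incident) -> bool:
    # Safe harbor: encrypted PHI is unusable/unreadable to the thief, but only
    # if the key did not leak with it (e.g. a password written on the laptop).
    return incident.phi_encrypted and not incident.key_compromised


def is_mega_breach(incident: Incident) -> bool:
    return incident.affected_individuals >= MEGA_BREACH_THRESHOLD


def required_notices(incident: Incident) -> list[str]:
    """Return the notices the incident triggers (empty list = not a breach)."""
    if incident.affected_individuals < 0:
        raise ValueError("affected_individuals must be non-negative")
    if is_secured(incident):
        return []  # document the loss internally; no notification required
    notices = [INDIVIDUAL]
    if is_mega_breach(incident):
        notices += [HHS_IMMEDIATE, MEDIA]
    else:
        notices.append(HHS_ANNUAL)
    return notices


def triage(incidents: list[Incident]) -> dict[str, list[str]]:
    return {i.description: required_notices(i) for i in incidents}


# Constructed sample incidents mirroring the scenarios on the page.
SAMPLE_INCIDENTS = [
    Incident("unencrypted laptop, 550 patients, stolen from car", 550, False),
    Incident("encrypted laptop, 550 patients, stolen from car", 550, True),
    Incident("encrypted laptop, password on sticky note", 550, True, True),
    Incident("fax sent to wrong number, 1 patient", 1, False),
]

if __name__ == "__main__":
    for desc, notices in triage(SAMPLE_INCIDENTS).items():
        print(f"{desc}: {notices or 'secured - no notification required'}")
```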

How much could non-compliance cost you?

Not complying with HIPAA regulations can be expensive. The fines can range from $100 to $50,000 per violation, with a maximum of $1.5 million in a calendar year for repeat violations. The categories of violations are based upon the level of negligence demonstrated by the individual/entity that caused the breach. Penalties are based on the nature of the breach and the extent of harm caused by the breach.


The HHS Office of Civil Rights has collected tens of millions of dollars in settlements. These settlement funds are then funneled back into the enforcement program to further strengthen its auditing efforts and oversight. This practice makes the program self-sustaining; it will continue to grow and develop, making it that much more likely that you or a health care provider that you know will be audited.

In August of 2016, Advocate Health Care Network settled with the HHS Office of Civil Rights for $5.5 million after it was determined that they failed to do the following:

  • Conduct accurate and thorough risk assessments of ePHI;
  • Implement policies and procedures to limit physical access to ePHI;
  • Obtain business associate agreements assuring that business associates would appropriately safeguard PHI; and
  • Safeguard an unencrypted laptop that was left in an unlocked vehicle overnight

In July of 2016, the University of Mississippi Medical Center reached a $2.75 million settlement after numerous issues of non-compliance were discovered, including:

  • Failure to implement policies and procedures relating to security violations;
  • Failure to implement physical safeguards of workstations that access ePHI and restrict access to authorized users;
  • Failure to assign a unique name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • Failure to notify individuals and follow breach notification standards after information was believed to be inappropriately accessed, acquired or disclosed.

Business associates were also fined, highlighting the importance of health care entities identifying their business associates and executing appropriate business associate agreements. In April of 2016, Raleigh Orthopedic Clinic, P.A. in North Carolina entered into a resolution agreement with a monetary payment of $750,000. It was determined that this entity turned over x-ray films and PHI to a company that would then harvest the silver from the x-ray films.

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the HHS Office of Civil Rights. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

On January 9, 2017, HHS announced a settlement with Presence Health for $475,000. This represented the first settlement based on the untimely reporting of breaches of unsecured PHI.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said Director Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

Resolution agreements can go beyond requiring entities to pay fines. They may also require an entity to take specific corrective action and report its activities to the HHS Office of Civil Rights for a designated time. Often this probationary period lasts from one to three years. Additional information on fines and resolution agreements is available on the OCR website.

In addition to steep fines, an equally threatening issue is damage to your reputation. There is no doubt that media coverage of publicized breaches can have a chilling effect on patients who are already on heightened alert to issues like identity theft. Last year alone, OCR publicized settlements ranging from $25,000 to $5.5 million. They also maintain a scrolling section on their web page, affectionately known to compliance professionals as the “Wall of Shame.”

Should your organization receive the unpleasant honor of being highlighted on this website, you should know that it details information on the underlying offense and OCR has no intention of removing past offenders, regardless of how long ago their misdeeds occurred. A quick glance at the Wall of Shame contains breach information on over 1,798 separate incidents dating all the way back to 2009.  https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

The covered entities hit the hardest by enforcement action are listed below based on frequency:

  • Private Practices
  • General Hospitals
  • Outpatient Facilities
  • Pharmacies; and
  • Health Plans

According to OCR, the issues most frequently investigated, compiled cumulatively and listed in order of frequency, are:

  • Impermissible uses and disclosures of PHI;
  • Lack of safeguards of PHI;
  • Lack of patient access to their PHI;
  • Lack of administrative safeguards of electronic PHI; and
  • Use or disclosure of more than the minimum necessary PHI

But where might health care entities be most vulnerable? According to Jerome Meites, a Chief Regional Counsel for the Office of Civil Rights, “Portable media is the bane of existence for covered entities. It causes an enormous number of the complaints that OCR deals with.” Portable media includes laptops, cellphones, hard drives and flash drives. While these instruments are vital to communicating information in the health care setting, the amount of data contained on these devices makes their security a primary focus for Privacy and Security Officers.

Threats to medical practices and other covered entities exist and the consequences of enforcement actions and private litigation can be devastating.  Covered entities must address these issues on the front end. Covered entities should assess the strengths and weaknesses of their compliance programs to protect themselves and their patients.

Samarria Dunson (samarria@dunsongroup.com) is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA
