Posts Tagged privacy

How Are HIPAA Breaches Impacting Alabama?

How Are HIPAA Breaches Impacting Alabama?

HIPAA enforcement reached an all-time high in 2018, with financial settlements ranging from $100,000 to $16,000,000.  The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is responsible for providing oversight and ensuring HIPAA compliance. Last year alone, OCR resolved a total of 25,089 complaints of HIPAA violations and required at least 632 entities to adhere to Corrective Action Plans which document how those entities will attain and maintain compliance with all applicable components of the HIPAA regulations. While last year’s numbers set records and gained significant attention, those numbers are only expected to increase.

As compliance professionals and media outlets focus on the latest hacking incident or security breach, some may wonder how breaches of health care data are impacting the great state of Alabama. While Alabama has a population of fewer than 5 million people, it is no stranger to OCR investigations.  In fact, a look back at the last 15 years of OCR HIPAA enforcement data reflects that the same vulnerabilities that plague states with much larger populations align with issues that burden Alabama covered entities, as well.  Alabama, Florida, Minnesota, New Jersey and Ohio are identical with regard to OCR complaint resolution percentages. In these states, OCR concluded that 28% of the complaints received required corrective action on behalf of the HIPAA covered entity. Only 6 percent of complaints in these states were determined not to be violations and 66 percent of complaints were resolved after the intake and review process.

Several breaches impacting the PHI of 500+ individuals have been reported within the state of Alabama. The most recent was the 2018 breach of FastHealth Corporation, a HIPAA Business Associate which contracted with covered entities to perform website and operational services. An unauthorized third party accessed FastHealth’s web server and acquired information from their databases, impacting 1,345 Alabamians. This breach followed a previous breach by the same organization occurring in June 2017 that likewise involved their network server and affected 9,289 individuals.

While large breaches generally receive the most publicity and attention, smaller breaches can be equally as devastating. For instance, breaches involving mental health or communicable disease information can be harmful to the patient whose information was breached, even if it is just one individual. Pursuant to state statutes, breaching this type of information can open an entity up to civil liability, even if numerous individuals are not affected.

Alabama Breach Notification Statute – A Wake-Up Call  

When Alabama passed the Alabama Data Breach Notification Act of 2018, many health care providers were pleased to note that there was a specific exemption for entities that were required to adhere to HIPAA. However, a careful review of the exemption language is warranted. Pursuant to Section 11, an entity that is subject to HIPAA regulations and complies with those standards are exempt so long as they do the following:

  1. Maintain procedures pursuant to those laws, rules, regulations, procedures, or guidance.
  2. Provide notice to affected individuals pursuant to those laws, rules, regulations, procedures, or guidance.
  3. Timely provide a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.

Thus, to be exempt from the Alabama statute, HIPAA covered entities must do more than simply assert exemption status due to HIPAA regulations.  The entity must also demonstrate that it is in compliance with HIPAA.

New Day for Breach Notification Rule Adherence

According to Linda Sanches, Senior Advisor for HIT & Privacy at OCR, it is going to be tougher for entities to conceal breaches. It has come to the attention of OCR that there are HIPAA covered entities who do not report their breaches and have found success staying “under the radar of HIPAA enforcement.” However, Ms. Sanchez announced at the 2019 Health Care Compliance Conference that OCR was not only considering more severe action against entities that did not follow the regulations but that in the future OCR would be observing news reports, interviewing past and disgruntled employees and placing more resources towards seeking out entities that disregarded the regulations.

Alabama covered entities face the same federal regulatory authority as any other state, regardless of size, population or economy.  Thus, it is important for health care providers to understand the requirements and ensure that their entity and their workforce is aware of the regulations and how those regulation impact their organization. The most recent national trends on the location and type of breaches from 2018 can be reviewed in the charts below.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

Record Year for HIPAA Enforcement

Record Year for HIPAA Enforcement

In the current environment of regulation reduction, it is notable that the Department of Health and Human Services (HHS) received a record $28.6 million dollars in publicized settlements and judgments for HIPAA violations in 2018.  These numbers surpass previous years with the closest year on record being 2016 in which HHS collected $23.5 million dollars. These numbers reflect that HIPAA enforcement actions are on the rise.

There are several factors that are leading to this increase in fines:

  1. A lack of understanding about what encompasses an adequate HIPAA Risk Assessment;
  2. Failure to attain Business Associate Agreements when applicable;
  3. Failure to comply with physical, technical and administrative safeguards to secure protected health information (PHI); and
  4. Failure to implement encryption solutions or alternative adequate measures.

It is important to note that this record-setting total does not encompass all of the enforcement action taken by HHS against covered entities in 2018.  These numbers simply represent larger, more notable settlements and judgments.  In fact, HHS took corrective action against countless health care providers, health plans and business associates last year and it does not appear that these numbers will decrease in 2019.  As of February 22, 2019, HHS has officially begun investigating over 50 entities for large scale breaches.  For more information on these investigations of breaches of 500 individuals or more, visit the Wall of Shame on the HHS website. Pursuant to the HITECH Act of 2009, the Secretary of HHS is required to post information about entities who breach the PHI of 500 people or more to demonstrate transparency to health care consumers.

Health care providers can take action to reduce their risk by doing the following:

  1. Performing annual Risk Assessments;
  2. Identifying Business Associates and entering into adequate Business Associate Agreements;
  3. Creating and updating HIPAA policies and procedures;
  4. Ensuring that employees and staff members receive up-to-date training; and
  5. Proactive monitoring of electronic systems containing PHI.

This uptick in penalties illustrates that HHS is serious about their mandate to protect the privacy and security of PHI.  Their record demonstrates that they can be successful at attaining multi-million dollar settlements with health care entities and health plans that don’t comply with HIPAA regulations.  This is a good time for health care providers and HIPAA Business Associates to review their compliance programs to ensure that they are meeting the requirements. In HIPAA compliance, the lack of a specific strategy to secure PHI is an actionable failure that could result in a large fine and a loss of goodwill with the entity’s customers, its patients.  If you are unsure about whether your HIPAA compliance program is adequate or if you know that it is time to update your policies, procedures and training, consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

Speak Up! HHS Wants to Hear from YOU!

Speak Up! HHS Wants to Hear from YOU!

The Department of Health and Human Services Office of Civil Rights wants to hear from health care providers, business associates and members of the public about how they can best modify HIPAA regulations. On Dec. 12, 2018, OCR issued a Request for Information, asking the public for comments on how the regulations can best facilitate continuity of care and decrease regulatory burdens.

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

They are looking for feedback in the following areas:

  • Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, or require covered entities to disclose PHI to other covered entities.
  • Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices, to reduce burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual’s awareness of his or her rights.

Additionally, OCR is encouraging health care providers, business associates and members of the public to answer 54 questions that relate to their experiences working with health care data to determine which aspects of the regulations are necessary and which may be overly burdensome.

The RFI can be viewed by clicking on the following link: https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27162.pdf

The deadline for comment is Feb. 12, 2019.  OCR has provided the following methods to submit comments:

  • Federal eRulemaking Portal. You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS–OCR– 0945–AA00. Follow the instructions for sending comments.
  • Hand-Delivery or Regular, Express, or Overnight Mail: S. Department of Health and Human Services, Office for Civil Rights, Attention: RFI, RIN 0945– AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

Instructions: All submissions received must include ‘‘Department of Health and Human Services, Office for Civil Rights RIN 0945–AA00’’ for this RFI. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

As a compliance professional, I will be submitting comments on areas that impact my clients on Feb. 8, 2019.  If you have questions or concerns, feel free to contact me, and I’ll be happy to discuss your concerns or include your inquiry in my comments. I can be reached toll-free at 1-888-959-9501 or at Samarria@dunsongroup.com.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

The HIPAA Horizon: What Changes Can We Look Forward to in the Near Future?

The HIPAA Horizon: What Changes Can We Look Forward to in the Near Future?

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA). Specifically, this entity is charged with ensuring that HIPAA-covered entities adhere to the HIPAA Privacy, Security and Breach Notification Rules.

On Jan. 30, 2017, Pres. Trump issued an order referred to as the “Executive Order for Reducing Regulation and Controlling Regulatory Costs.”  This became known as the “2-for-1 Executive Order.” This order required all federal agencies to cut two existing regulations for every proposed new regulation.

Many health care compliance professionals have been interested to learn how HHS OCR would respond to this challenge. There was significant curiosity about how this mandate would change the way HHS OCR was able to protect patient rights and whether they would be able to continue to develop regulations to protect the confidentiality, integrity and availability of patient records during a period of when ransomware scares and identity theft challenges are more and more prevalent.

It appears the industry has received their answer. At the HIPAA Summit, OCR Director Roger Severino announced, “The HHS Office for Civil Rights is planning to make some changes to the HIPAA Privacy Rule and enforcement regulations but will ask first for input from the health care sector and the public before making possible modifications.”

The proposed rule or Notice of Proposed Rule Making (NPRM) is the official document that announces and explains the agency’s plan to address a problem or accomplish a goal. All proposed rules must be published in the Federal Register to notify the public and to give them an opportunity to submit comments. The proposed rule and the public comments received on it form the basis for the final rule.[1]

HHS OCR has not officially posted the notice of proposed rulemaking for 2018, however, compliance professionals have been given a heads up on what to expect this year. HHS OCR is planning to submit notice of proposed rulemaking (NPRM) in at least the following three areas:

Good Faith of Health Care Providers. This would allow health care providers to share information with an incapacitated patient’s family members without patient authorization so long as the health care provider believes in “good faith” that making the disclosure is in the best interest of the patient.

Request for Information on Distribution of a Percentage of Civil Monetary Penalties or Monetary Settlements to Harmed Individuals. Historically, money collected from HIPAA fines and settlements have not been shared with the individual whose information was compromised. HHS OCR will be seeking comments on what the public thinks will be the best way to allow “victims” of HIPAA violations to be able to share in the money the agency receives as a result of enforcement actions.

Changing Requirements to Obtain Acknowledgment of Receipt of Notice of Privacy Practices. HIPAA-covered entities are currently required to have patients sign an acknowledgment form, which confirms they have been provided with a copy of the entity’s Notice of Privacy Practices. Entities are required to keep copies of those acknowledgment forms for a period of six years. However, patients also have the right to refuse to sign the acknowledgment form, and providers cannot refuse service based on a patient’s refusal to sign the acknowledgment. Potentially, this requirement may be stricken from the regulations or altered to alleviate the administrative burden associated with the current requirement.

In addition to proposed rulemaking, HHS OCR intends to provide long-awaited guidance to the health care industry specifically on encryption, social media and texting.

[1] “A Guide to the Rulemaking Process,” Office of the Federal Register.

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page

Posted in: HIPAA

Leave a Comment (0) →

Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members.” said Association President Jerry Harrison M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, supporting the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints following the issuance of the Privacy Rule in April 2003. A rising number of claims filed under HIPAA in recent years have led many patients to question whether or not their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread and rising penalties for HIPAA non-compliance are a reality.

According to HHS.gov, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment.” said Jeff Broudy, CEO of PCIHIPAA.

##

 

 

 

About PCIHIPAA
PCIHIPAA is an industry leader in PCI and HIPAA compliance providing turnkey, convenient solutions for its clients. Delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance to PCI and HIPAA regulations to ensure that health and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at OfficeSafe.com and PCIHIPAA.com.

Posted in: MVP

Leave a Comment (0) →

HIPAA Guidance for Mass Shootings and Other Tragic and Emergency Situations

HIPAA Guidance for Mass Shootings and Other Tragic and Emergency Situations

In the aftermath of one of the deadliest school shootings in U.S. history, many health care organizations are revisiting their HIPAA policies and procedures to determine exactly what information they are allowed to share and to whom they may share information. 

FAMILY AND FRIENDS

A health care entity may share a patient’s location, general condition or death with a patient’s family, guardian, or friend who is involved in the patient’s care or who may be responsible for payment of the patient’s treatment. This may occur in a variety of circumstances including, but not limited to, the following:

  • If the patient is present and able to consent to the disclosure, the health care provider must obtain the patient’s consent, provide the patient with the opportunity to object to the disclosure, or based on the professional judgment of the health care professional, they may reasonably conclude that the individual would not object to the disclosure being made.
  • If the patient is not present or unable to consent due to incapacity or emergency, the health care professional may in the exercise of professional judgment determine whether the disclosure to the family, friend or guardian is in the best interest of the patient.
  • If the patient is deceased, the health care provider may disclose information about the patient to the family member, friend or guardian unless the health care professional is specifically aware that the patient expressed that the disclosure not be made prior to their death.
  • Health care providers may also share information about a patient with police, media outlets or the general public when attempting to identify, locate or notify family members, guardians or personal representatives of a patient. Information that may be shared include the patient’s location, general health status or death.
  • PHI may be shared with disaster relief organizations that are legally responsible for assisting with disasters if doing so will assist in the notification of family members or other individuals responsible for the patient’s care. [1]

MEDIA OUTLETS

Hospitals and health care entities may share general information about a patient with media outlets in an effort to identify, locate or notify individuals responsible for the patient’s care. However, if the request is initiated by the media, you must consider the following:

  • If the patient is conscious and does not specifically object, limited facility directory information may be shared as long as the requestor identifies the patient by name. This information includes whether the patient is indeed seeking treatment at the facility, whether they are in critical or stable condition, and whether they sought treatment and are now released.
  • If the patient is unable to consent, the health care provider can determine based on their professional judgment whether notifying the media or general public of the patient’s status or death is in the best interest of the patient.

Specific information about a patient’s care, such as x-rays, tests performed and test results, or details of a patient’s diagnosis may not be disclosed without either the patient’s authorization or the authorization of their personal representative.

LAW ENFORCEMENT

Health care entities can provide information to law enforcement with a signed HIPAA authorization from the patient or the patient’s personal representative. However, there are instances in which PHI may be shared with law enforcement without patient consent. Those instances include:

  • When the health care professional reasonably believes that the report would prevent or lessen a serious and imminent threat to the health or safety of an individual or the public;
  • The entity believes in good faith that it is sharing information that may be evidence of a crime that occurred on the premises of the entity;
  • Alerting law enforcement of the death of an individual when there is a suspicion that the death resulted from criminal conduct;
  • When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity;
  • When it is required by law to make reports to law enforcement, like in instances of treating gunshot or stab wounds;
  • In compliance with court orders, warrants, subpoenas or summons;
  • In response to a request by law enforcement to identify or locate a suspect, fugitive, material witness or missing person (the information must be limited to basic demographic and identifying information about the person); and
  • Instances of child abuse or neglect reporting when the entity receiving the report is officially authorized by law to receive the report[2].

WHAT ABOUT THE SUSPECT?

When law enforcement needs assistance with identifying and locating a suspect, fugitive or material witness to a crime, health care entities are encouraged to cooperate with these requests.  However, those disclosures must be limited to the following information:

  • Name and Address,
  • Date and Place of Birth,
  • Social Security Number,
  • ABO Blood Type and RH Factor,
  • Type of Injury,
  • Date and Time of Treatment,
  • Date and Time of Death, and
  • Description of Distinguishing Physical Characteristics[3] (Ex. Tattoos, mustache, beard).

Any additional disclosures about a suspect’s medical information, such as DNA tests or body fluid analysis, can only be disclosed upon the presentation of a signed authorization, court order, warrant or documented administrative request.

WHAT IS A HIPAA WAIVER, AND WHEN DOES IT APPLY?

There is no lack of confusion regarding what a HIPAA waiver is and when it may be utilized. Waivers of HIPAA sanctions and penalties occur when the President declares an emergency or disaster and the Secretary of the Department of Health and Human Services (HHS) waives provisions of the Privacy Rule during the emergency or disaster.

If the Secretary issues such a waiver, it only applies:

  • In the emergency area and for the emergency period identified in the public health emergency declaration;
  • To hospitals that have instituted a disaster protocol. The waiver would only apply to patients at such hospital; and
  • For up to 72 hours from the time the hospital implements its disaster protocol.[4] Once the limited waiver terminates, health care entities are required to comply with the HIPAA Privacy Rule.

It is important to know under what circumstances you can disclose information and to whom those disclosures can be offered. Failure to understand these requirements may place you at risk for HIPAA violations and sanctions. If you have specific questions about disclosures of PHI, please contact a health care compliance professional.

[1] 45 CFR 164.510(b)

[2] 45 CFR 164.512

[3] 45 CFR 164.512(f)(2)

[4] 45 CFR 164.510(b)(4)

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

Social Media & HIPAA: When Sharing is Not Caring

Social Media & HIPAA: When Sharing is Not Caring

Social media is an increasingly common presence within the health care industry – among providers and consumers alike – but despite the potential benefits it can offer both parties, it introduces many risks.

Paging Dr. Google

It’s no exaggeration to say that the internet has completely transformed the way people seek medical information, and social media has played a significant role in this transformation. In fact, of the 74 percent of internet users that engage on social media, 80 percent of those are specifically searching for health information, and nearly half are looking for information about a specific doctor or health professional[1].

What’s more, research[2] has shown that social media can have a direct influence on a patient’s decision to choose a specific health provider, or even lead them to seek a second opinion, particularly amongst patients coping with a chronic condition, stress, or diet management.

This presents many opportunities for healthcare providers looking to get ahead of the competition – and for those who choose to actively engage in social media, the rewards can be significant, but so can the risks. So before jumping into social media headfirst, physicians need to understand the potential pitfalls, specifically the risks associated with patient privacy, and their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Social media and PHI

PHI stands for Protected Health Information. The HIPAA Privacy Rule[3] provides federal protections for personal health information held by HIPAA covered entities (health care providers, health plans, healthcare clearinghouses, plus their business associates) and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The limits of permissible disclosure, however, are extremely limited, and definitely don’t include social media; if a physician were to disclose a patient’s PHI via social media without consent, even accidentally, this would be a direct violation of HIPAA guidelines and probably state law too.

While one would hope that most healthcare professionals know not to share PHI publically, some may not even know that what they are sharing, or intend on sharing is actually PHI; it is extremely difficult to anonymize patients, and even the subtlest of identifiers could be deemed a breach of patient privacy if it can be tied to a patient.

To avoid this happening, providers need to understand the 18 PHI identifiers, which are:

  • Names;
  • Geographic information;
  • Dates (e.g. birth date, admission date, discharge date, date of death);
  • Telephone numbers;
  • Fax numbers;
  • E-mail addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • URLs;
  • IP address numbers;
  • Biometric identifiers (e.g. finger and voice prints);
  • Full-face photographic images and any comparable images; and
  • Other unique identifying numbers, characteristics, or codes.

How to ensure a HIPAA compliant social media strategy

To avoid an inadvertent breach of PHI, covered entities should educate staff on best practices when using social media, including:

Avoid social messenger services

The likes of Facebook Messenger, LinkedIn, and Twitter Direct Messages may be familiar and convenient, but they are not secure and should be avoided at all costs when discussing patient health matters or exchanging PHI, even with trusted colleagues. Not only are these platforms inherently insecure due to a lack of encryption and access controls, the potential for error is increased as users could accidentally post information publicly or send a message to the wrong recipient.

What’s more, as BYOD (bring your own device) becomes more widely adopted in healthcare organizations, and as more devices are carried between home and work, the potential for device theft or loss increases, which further jeopardizes the security of any sensitive information that exists on a device, within social media applications, or on web browsers. This considered, PHI should only ever be exchanged via HIPAA-secure messaging services, that have been approved by IT departments and are used as part of an organization’s regular workflow.

Think very carefully before posting

When utilized as part of a wider marketing strategy, social media can be a very effective tool, but those responsible for managing social media output on behalf of an organization must be well versed in what type of content is and is not acceptable to share online. Even a seemingly harmless photo of the outside of a premises could cause problems if patients can be seen entering or exiting the building, or if a vehicle can be recognized in the car park. The same can be said of waiting rooms and reception areas, where the likelihood of capturing a patient’s face is high.

Keep work and home life separate

A HIPAA violation can just as easily happen in the home as it can in the workplace. After a hard day at work it is not uncommon for members of staff to air their grievances online – be it on Facebook, Twitter, or within closed forums. Again, considering how difficult it is to de-identify PHI, this behavior should be strongly discouraged, particularly where complaints about patients are involved. Similarly, posting about a famous person, friend, or family member being seen in a practice may be tempting, but is equally risky.

Social media has become second nature for many of us, and the ease of access to it is both a blessing and a curse for the healthcare industry. When managed responsibly, social media can be a highly effective marketing tool, and can even help improve the health outcomes of patients searching for information online. When used irresponsibly, however, the risks are high, and potential repercussions significant.

For HIPAA covered entities who engage in social media, the message is simple; develop robust company policies to ensure responsible usage, and ensure all staff are trained to think before they share.

[1] http://www.pewinternet.org/2011/02/01/health-topics-3/

[2] https://getreferralmd.com/2013/09/healthcare-social-media-statistics/

[3] https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

About The Author

Gene Fry has been the compliance officer and vice president of technology at Scrypt, Inc. since 2001 and has 25 years of IT experience working in industries such as health care and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, a Certified Cyber Security Architect through ecFirst and certified in HIPAA privacy and security through the American Health Information Management Association. Most recently achieved the HITRUST CSF Practitioner certification from the HITRUST ALLIANCE. Gene can be contacted through https://www.docbookmd.com/. DocbookMD is built by Scrypt, Inc. DocbookMD is an official partner of the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

HIPAA and the Holidays

HIPAA and the Holidays

As the holiday season builds momentum we are faced with numerous distractions like holiday decorations, taking advantage of online sales and soaking in the traditions that we look forward to each year. But this season of joy and giving should also be met with a heightened sense of awareness and adherence to HIPAA policies and procedures. You’re likely thinking to yourself, “How can Christmas, Hanukkah, Kwanza or the New Year impact HIPAA?” Well, those holidays can’t, but your employees’ behavior sure can.

Electronic Protected Health Information (ePHI)

This busy season will cause some employees to take advantage of online shopping while at work. While that seems relatively harmless, and in most cases it is, this also invites the possibility of introducing viruses into your system from unprotected and/or unapproved sites. It is important to have a clear policy and procedure regarding internet access on your entity’s equipment and it is equally important to ensure that your entity is enforcing compliance. Likewise, the threats of ransomware are ever increasing. A distracted employee is more likely to click a suspicious link or open a questionable email that could introduce ransomware into your computer system or electronic medical records. This is a great time to remind staff of their responsibilities to protect ePHI.

Physical Security

Unfortunately, the season of “giving” for some means a season of “taking” for others. Generally, criminal activity like property theft and break-ins rise during the shopping season. This makes it extremely important for your entity to adhere to mandatory HIPAA Physical Safeguards. The HIPAA Security Rule requires entities to have a documented Facility Security Plan, which memorializes the use of physical access controls. Specifically, entities are required to “implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”[1] The entity’s designated HIPAA Security Officer should be reminding employees of the policy of not providing keys or swipe access to individuals who are not employees or staff members of the entity. Additionally, HIPAA Security Officers should review and document the use of cameras, alarm systems, keys and swipe cards to assess whether any changes need to be made to address any areas of vulnerability.

This is also particularly important for employees and staff who travel with PHI or ePHI. Whether it is paper records or a laptop, employees and staff should ensure they are not leaving these items in their vehicles in plain view. We advise our clients to have a policy that requires employees to leave any PHI or ePHI in the trunk of their vehicle where it is not visible or inviting for a would-be-thief. This can significantly reduce the entity’s risk of HIPAA breaches, as well as property loss.

Workstation Security

Many health care providers will experience an increase in patient activity as people clamber to make their end of the year appointments to take advantage of any cost savings before the new year begins. Combine that with flu-season and the prevalence of winter illnesses and all of a sudden the waiting room just became standing room only. The euphoric nature of the season, coupled with a dramatic increase in patient activity can be a recipe for HIPAA violations. While employees struggle to keep up with the demand, they are more likely to be careless about workstation security. They become less likely to lock their computers when they walk away from their station and more likely to share usernames and passwords in order to accomplish certain tasks more quickly. While these activities seem relatively harmless, these are violations that can cost the entity greatly if it leads to breaches of PHI or ePHI.

Visitors and Guests

The holidays aren’t nearly as fun without office holiday parties. These parties generally include catered meals, outside delivery services and even invited guests. Entities should ensure that they have a documented visitor/guest policy and procedure and that their employees follow that procedure. This includes a visitor/guest sign-in. Depending on the layout of the facility, these visitor/guests should be escorted to their destination so that they don’t have an opportunity to view documents or lab reports that may be left unattended in the facility.

Delivery personnel and vendors are not the only individuals subject to that policy. Family members and friends who present to the facility to visit with staff members and employees must also adhere to the entities visitation policies. Just because the person may be a relative or close friend does not earn them the right to overhear conversations about patient PHI or the right to view PHI that may be on someone’s desk or workstation.

Tone of Voice

One of the biggest complaints that our office receives regarding patient privacy is the tone of voice used by employees and staff as they discuss their health conditions. During the holiday season, many entities play festive music in their waiting areas which automatically cause employees and staff to raise their voices as they converse with patients or other providers. Entities should pay particular attention to the location of their waiting rooms and the position of their reception desk. Employees and staff should be advised of this concern and reminded of the importance of using a professional tone that would not give rise to unauthorized or inappropriate disclosures of PHI.

This is without argument “the most wonderful time of the year.” It’s a time to enjoy family, get reacquainted with friends, and provide for the health and well-being of patients. As the activity of the season builds, it is important to make every effort to ensure that your entity is in compliance with HIPAA regulations. Adhering to appropriate policies and procedures will not only ensure that you provide appropriate patient care, it will also reduce the likelihood of liability for violations which is a great way to start the New Year.

[1] § 164.310(a)(2)(ii)

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com  Read other articles from Dunson Group here.

Posted in: HIPAA

Leave a Comment (0) →

Texting and Emailing in the World of HIPAA

Texting and Emailing in the World of HIPAA

If you experience anxiety every time you consider texting and/or emailing in your health care setting, you are not alone. On one hand, the world that we live in necessitates that information is communicated in a quick and easy manner. The ability to text or email staff and patients has become a high priority for many health care entities. On the other hand, patient privacy and confidentiality is essential to meeting compliance standards. Though emailing and texting are convenient, it certainly does not come without the possibility of pitfalls. It is a complex issue that requires meeting several factors in order to be implemented properly.

But Everybody Is Doing It, Right?

The perception is that many health care entities are already taking advantage of emailing and texting capabilities.  That may be accurate.  But the bigger question is whether they are utilizing those tools in accordance with HIPAA Privacy and Security requirements.  Health care entities should consider the following:

A Risk Analysis is key.  An adequate Risk Analysis is required to be performed at the outset of the practice, prior to developing a HIPAA policy.  This Risk Analysis identifies the type of information that you maintain or access and the areas within your entity where protected health information (PHI) is vulnerable. The Risk Analysis should be reviewed, and amended if necessary, whenever there is a change in your information technology environment.  This includes adopting the use of email and text messaging. The entity will need to consider potential vulnerabilities and threats, then document their plan to ensure that health information stays secure.

Show me the policy.  The HIPAA Privacy and Security policy must document your entity’s use of these services and define how employees are to utilize them.  This includes specifying whether only business owned devices can be used or whether the entity allows employees to utilize their own personal device (BYOD). The policy should also be specific about any differences in procedure for emailing and texting internally, versus outside communication with patients and other health care providers.  The policy requirement should be followed by adequate training.

Encryption, encryption, encryption.  Many entities that utilize PHI in email communications secure the information via encryption.  Within health care entities, the information is often secured by firewalls.  Firewalls make it much easier to implement security measures, oversee procedures and secure information.  Some health care entities choose to transmit PHI via electronic health records and customized patient portals. However, using emails to properly transmit PHI outside the entity is a much more complicated process.  To properly transmit PHI via email, encryption must be utilized.  Encryption software will resolve security issues because the patient receives an email containing a link which requires a unique username and password to access the PHI. Some patients find the process of logging in and remembering required passwords to be cumbersome, but others appreciate knowing that their information is secure.

Less is moreWhen communicating with individuals outside of your entity about PHI, utilize the Minimum Necessary Rule.  The Minimum Necessary Rule requires health care entities to limit the PHI produced to the amount of information necessary for the recipient to carry out their function.  For example, if another provider requests a patient’s diabetes lab work, only provide the requested lab work and not the patient’s entire medical record.  Also, it is recommended that you not share sensitive information including, but not limited to, a patient’s mental health, communicable disease status, child or elder abuse, and substance abuse issues.  The entity’s policies/procedures should define and describe how sensitive information should be transmitted.

The patient gets their way. HIPAA requires entities to communicate with patients in the manner determined by the patient, so long as it is reasonable. An entity’s Notice of Privacy Practices will generally articulate methods of intended communication by the entity.  However, a patient may choose not to receive communications through a traditional method. An example would be a patient request not to use U.S. mail, but to use email instead.  That entity may find that they do not have encrypted email capabilities that would appropriately safeguard the information. In this scenario, the health care entity must still comply with the patient’s request; however, they should have the patient sign a form that memorializes the patient’s request to use email communication and documents the risks associated with this request.

The guidance above does not apply to patient initiated communications. Patients are not considered to be HIPAA covered entities and therefore, their actions are not HIPAA violations.  Thus, patients are free to initiate emails or text messages with health care providers at their pleasure. Health care entities should have a form on hand for the patient to sign prior to responding to an email or text message from the patient. This form documents that the patient is aware of the inherent risk of email or text message communications, but wishes to receive the communication in that form anyway. This will help to satisfy the patient’s preference while helping to shield the health care entity from liability if communications are intercepted beyond the entity’s control.

Texting Has Added Risks

Text messages are generally available to anyone who utilizes that person’s phone because there is generally not separate password security for access to the text messaging feature.  Additionally, because the text messages do not pass through the entity’s servers, it is difficult, if not impossible, for IT staff and Security Officers to audit the texts.  And if these communications are intended to be a part of the patient’s record to demonstrate communication, the patient loses the right to amend the communication if it is not readily available in the paper or electronic record. There are vendors who offer “secure texting” solutions. If a health care entity is considering a secure texting vendor, have your designated Security Officer review their system carefully and converse extensively with the vendor about whether their product is indeed secure. A BAA with the vendor is also required. Finally, the entity should revisit its written policy and retrain when necessary.

To ensure that your practice is in compliance, and for assistance with determining whether your entity should proceed with implementing text or email communications, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: Legal Watch, Liability

Leave a Comment (0) →

What is a Business Associate Agreement, and Why Should You Care?

What is a Business Associate Agreement, and Why Should You Care?

Health care providers are primarily concerned with the treatment and wellbeing of their patients. They gather and maintain tremendous amounts of protected health information[1]  (PHI) throughout the treatment process and commonly share that PHI with third parties who assist them with carrying out their work. This process of sharing PHI with a third party, non-workforce member, may create a business associate relationship. With the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, medical practices are now required to identify business associate relationships and enter into Business Associate Agreements (BAAs). Failure to comply can led to heavy fines imposed by the Department of Health and Human Services.

A common challenge to compliance with this regulation is assessing whether an individual or entity falls within the definition of a Business Associate.  To make this determination, medical practices are required to identify third parties who create, receive, maintain, or transmit PHI on behalf of the covered entity, including subcontractors. After documenting this process, an appropriate BAA must be executed to govern the relationship and to protect any PHI.

BAAs are contracts that dictate how a Business Associate must use, disclose and safeguard PHI, as well as the covered entity’s responsibilities to the Business Associate. At a minimum, the BAA must include the following provisions:

  • Establish the permitted and required uses and disclosures of PHI by the Business Associate;
  • Provide that the Business Associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;
  • Require the Business Associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
  • Require the Business Associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  • To the extent the Business Associate is to carry out a covered entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation;
  • Require the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by the Business Associate on behalf of the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  • At termination of the contract, if feasible, require the Business Associate to return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the covered entity;
  • Require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and
  • Authorize termination of the contract by the covered entity if the Business Associate violates a material term of the contract. Contracts between Business Associates and their subcontractors are subject to these same requirements.[2] (DHHS, 2013)

Don’t Think This Applies to You? Think Again!

Business Associate relationships are voluminous in medical practices.  More often than not, the modern medical practice will have multiple relationships that require a BAA. A few examples may include:

  • Tech support for an Electronic Health Record (EHR)
  • Data storage services
  • Repair services for copiers with hard drives
  • Data destruction
  • Cloud hosting
  • CPA firms that provide accounting services
  • Independent medical transcription services
  • Claims processing

Business Associates May Face Penalties as Well

In June of 2016, Catholic Health Services of the Archdiocese of Philadelphia settled with HHS for $650,000 when it was discovered that they may have violated the HIPAA Security Rule. CHCS provided management and information technology services to the nursing home company creating a Business Associate relationship. HHS alleged that the theft of a CHCS iPhone without password protection compromised the PHI of numerous nursing home residents.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

Medical practices should be eager to institute BAAs where appropriate as they shift liability to the Business Associate for the inappropriate conduct of the Business Associate. Medical practices should not allow any relationship with contractors to exist without first analyzing the need for a Business Associate Agreement. If not, the medical practice could be required to perform breach notification or pay litigation costs for the actions of the Business Associate. It is paramount that your medical practice attain BAAs when necessary and have a system in place to track them. A proper tracking system will notify you when BAAs expire. Additionally, a proper tracking system will ensure that nothing slips through the cracks.  Understand that if during an audit it is determined that your medical practice lacks the necessary BAAs, has expired BAAs or that they don’t have the required provisions, your entity could be fined for non-compliance with the HITECH Act.

It is important to note that there are a number of exceptions to the Business Associate Agreement requirement that may apply. Some exceptions include conduits, workforce members and janitors. To protect your practice, you should have a qualified professional perform a risk analysis to determine if a BAA is necessary and to fashion a BAA to the specific relationship.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

[1] PHI includes many common identifiers, like a patient’s name, date of birth, address, social security number, full-face photo or any other personal identifiers.

[2] Department of Health and Human Services. (2013) Business Associate Agreement Contracts. Retrieved from https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Posted in: Liability

Leave a Comment (0) →
Page 1 of 2 12