Texting and Emailing in the World of HIPAA

If you experience anxiety every time you consider texting and/or emailing in your health care setting, you are not alone. On one hand, the world we live in demands that information be communicated quickly and easily, and the ability to text or email staff and patients has become a high priority for many health care entities. On the other hand, patient privacy and confidentiality are essential to meeting compliance standards. Though emailing and texting are convenient, they certainly do not come without the possibility of pitfalls. It is a complex issue that requires satisfying several factors in order to be implemented properly.

But Everybody Is Doing It, Right?

The perception is that many health care entities are already taking advantage of emailing and texting capabilities.  That may be accurate.  But the bigger question is whether they are utilizing those tools in accordance with HIPAA Privacy and Security requirements.  Health care entities should consider the following:

A Risk Analysis is key. An adequate Risk Analysis is required to be performed at the outset of the practice, prior to developing a HIPAA policy. This Risk Analysis identifies the type of information that you maintain or access and the areas within your entity where protected health information (PHI) is vulnerable. The Risk Analysis should be reviewed, and amended if necessary, whenever there is a change in your information technology environment, and adopting the use of email and text messaging is such a change. The entity will need to consider potential vulnerabilities and threats, then document its plan to ensure that health information stays secure.

Show me the policy.  The HIPAA Privacy and Security policy must document your entity’s use of these services and define how employees are to utilize them.  This includes specifying whether only business owned devices can be used or whether the entity allows employees to utilize their own personal device (BYOD). The policy should also be specific about any differences in procedure for emailing and texting internally, versus outside communication with patients and other health care providers.  The policy requirement should be followed by adequate training.

Encryption, encryption, encryption.  Many entities that utilize PHI in email communications secure the information via encryption.  Within health care entities, the information is often secured by firewalls.  Firewalls make it much easier to implement security measures, oversee procedures and secure information.  Some health care entities choose to transmit PHI via electronic health records and customized patient portals. However, using emails to properly transmit PHI outside the entity is a much more complicated process.  To properly transmit PHI via email, encryption must be utilized.  Encryption software will resolve security issues because the patient receives an email containing a link which requires a unique username and password to access the PHI. Some patients find the process of logging in and remembering required passwords to be cumbersome, but others appreciate knowing that their information is secure.

Less is more. When communicating with individuals outside of your entity about PHI, apply the Minimum Necessary Rule. The Minimum Necessary Rule requires health care entities to limit the PHI produced to the amount of information necessary for the recipient to carry out their function. For example, if another provider requests a patient’s diabetes lab work, provide only the requested lab work and not the patient’s entire medical record. Also, it is recommended that you not share sensitive information including, but not limited to, a patient’s mental health, communicable disease status, child or elder abuse, and substance abuse issues. The entity’s policies/procedures should define and describe how sensitive information should be transmitted.

The patient gets their way. HIPAA requires entities to communicate with patients in the manner determined by the patient, so long as it is reasonable. An entity’s Notice of Privacy Practices will generally articulate the methods of communication the entity intends to use. However, a patient may choose not to receive communications through a traditional method. An example would be a patient request not to use U.S. mail, but to use email instead. The entity may find that it does not have encrypted email capabilities that would appropriately safeguard the information. In this scenario, the health care entity must still comply with the patient’s request; however, it should have the patient sign a form that memorializes the patient’s request to use email communication and documents the risks associated with this request.

The guidance above does not apply to patient-initiated communications. Patients are not considered to be HIPAA covered entities and therefore their actions are not HIPAA violations. Thus, patients are free to initiate emails or text messages with health care providers at their pleasure. Health care entities should have a form on hand for the patient to sign prior to responding to an email or text message from the patient. This form documents that the patient is aware of the inherent risk of email or text message communications, but wishes to receive the communication in that form anyway. This will help to satisfy the patient’s preference while helping to shield the health care entity from liability if communications are intercepted beyond the entity’s control.

Texting Has Added Risks

Text messages are generally available to anyone who has access to the recipient’s phone, because there is usually no separate password protecting the text messaging feature. Additionally, because text messages do not pass through the entity’s servers, it is difficult, if not impossible, for IT staff and Security Officers to audit them. And if these communications are intended to be part of the patient’s record to demonstrate communication, the patient loses the right to amend the communication if it is not readily available in the paper or electronic record. There are vendors who offer “secure texting” solutions. If a health care entity is considering a secure texting vendor, have your designated Security Officer review the system carefully and converse extensively with the vendor about whether the product is indeed secure. A BAA with the vendor is also required. Finally, the entity should revisit its written policy and retrain when necessary.

To ensure that your practice is in compliance, and for assistance with determining whether your entity should proceed with implementing text or email communications, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

What is a Business Associate Agreement, and Why Should You Care?

Health care providers are primarily concerned with the treatment and wellbeing of their patients. They gather and maintain tremendous amounts of protected health information[1] (PHI) throughout the treatment process and commonly share that PHI with third parties who assist them with carrying out their work. This process of sharing PHI with a third party who is not a workforce member may create a business associate relationship. With the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, medical practices are now required to identify business associate relationships and enter into Business Associate Agreements (BAAs). Failure to comply can lead to heavy fines imposed by the Department of Health and Human Services.

A common challenge to compliance with this regulation is assessing whether an individual or entity falls within the definition of a Business Associate.  To make this determination, medical practices are required to identify third parties who create, receive, maintain, or transmit PHI on behalf of the covered entity, including subcontractors. After documenting this process, an appropriate BAA must be executed to govern the relationship and to protect any PHI.

BAAs are contracts that dictate how a Business Associate must use, disclose and safeguard PHI, as well as the covered entity’s responsibilities to the Business Associate. At a minimum, the BAA must include the following provisions:

  • Establish the permitted and required uses and disclosures of PHI by the Business Associate;
  • Provide that the Business Associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;
  • Require the Business Associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
  • Require the Business Associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  • To the extent the Business Associate is to carry out a covered entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation;
  • Require the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by the Business Associate on behalf of the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  • At termination of the contract, if feasible, require the Business Associate to return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the covered entity;
  • Require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and
  • Authorize termination of the contract by the covered entity if the Business Associate violates a material term of the contract. Contracts between Business Associates and their subcontractors are subject to these same requirements.[2] (DHHS, 2013)

Don’t Think This Applies to You? Think Again!

Business Associate relationships are voluminous in medical practices.  More often than not, the modern medical practice will have multiple relationships that require a BAA. A few examples may include:

  • Tech support for an Electronic Health Record (EHR)
  • Data storage services
  • Repair services for copiers with hard drives
  • Data destruction
  • Cloud hosting
  • CPA firms that provide accounting services
  • Independent medical transcription services
  • Claims processing

Business Associates May Face Penalties as Well

In June of 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled with HHS for $650,000 after it was discovered that it may have violated the HIPAA Security Rule. CHCS provided management and information technology services to a nursing home company, creating a Business Associate relationship. HHS alleged that the theft of a CHCS iPhone without password protection compromised the PHI of numerous nursing home residents.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

Medical practices should be eager to institute BAAs where appropriate, as they shift liability to the Business Associate for the inappropriate conduct of the Business Associate. Medical practices should not allow any relationship with contractors to exist without first analyzing the need for a Business Associate Agreement. Otherwise, the medical practice could be required to perform breach notification or pay litigation costs for the actions of the Business Associate. It is paramount that your medical practice obtain BAAs when necessary and have a system in place to track them. A proper tracking system will notify you when BAAs expire and will ensure that nothing slips through the cracks. Understand that if during an audit it is determined that your medical practice lacks the necessary BAAs, has expired BAAs, or has BAAs that lack the required provisions, your entity could be fined for non-compliance with the HITECH Act.

It is important to note that there are a number of exceptions to the Business Associate Agreement requirement that may apply. Some exceptions include conduits, workforce members and janitors. To protect your practice, you should have a qualified professional perform a risk analysis to determine if a BAA is necessary and to fashion a BAA to the specific relationship.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

[1] PHI includes many common identifiers, like a patient’s name, date of birth, address, social security number, full-face photo or any other personal identifiers.

[2] Department of Health and Human Services. (2013) Business Associate Agreement Contracts. Retrieved from https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

So, How Do I Comply with HIPAA?

Editor’s Note: This article was originally published in the 2016 Spring Issue of Alabama Medicine magazine

A physician client recently asked me a seemingly simple, straightforward question: “So, how do I comply with HIPAA?” The answer, unfortunately, is not as simple and straightforward as the question.

HIPAA (i.e., the Health Insurance Portability and Accountability Act) and its various regulations include numerous, often confusing requirements, and little in the way of practical guidance. With this in mind, this article provides the author’s attempt to give, in simple terms, an overview of HIPAA’s requirements, and a short list of practical steps physician practices may take to establish a baseline of compliance.

Overview

In the simplest terms, to comply with HIPAA, a physician practice needs to address and satisfy the obligations of a “covered entity” under the regulations set forth in the HIPAA security regulations, 45 CFR § 164.300 et seq. (the “Security Rule”); the HIPAA breach notification regulations, 45 CFR § 164.400 et seq. (the “Breach Notification Rule”); and the HIPAA privacy regulations, 45 CFR § 164.500 et seq. (the “Privacy Rule”), in respect to “protected health information” (“PHI”) received and maintained by the practice on behalf of its patients. HIPAA compliance has garnered significant attention recently, due to increasing public awareness in regard to data breaches and privacy and information security matters, generally, as well as increased enforcement efforts by the U.S. Department of Health and Human Services Office of Civil Rights (“HHS,” and “OCR”)[1] and other government agencies,[2] not to mention the looming specter of potential class action and other litigation involving affected patients.[3] In addition, OCR recently commenced a new, expanded HIPAA audit program that will select physician practices and other HIPAA-covered entities and business associates for random compliance audits.[4]

Privacy Rule

To comply with the Privacy Rule, a physician practice must not access, use or disclose PHI, in paper or electronic form, other than as required or permitted by the Rule. For example, the Privacy Rule requires that a physician practice not disclose a patient’s PHI to a third party without an appropriate written authorization from the patient, except in certain circumstances, such as in connection with the patient’s treatment, or payment for such treatment, or the practice’s health care operations. The Privacy Rule also specifies that, in general, even if a particular disclosure is required or permitted, the practice must ensure that the disclosure is limited to the minimum necessary information. In addition to these foundational issues, the Privacy Rule requires that physician practices take certain administrative steps to facilitate compliance, including identifying a privacy officer, implementing written policies and procedures to formalize privacy practices, and entering into business associate agreements (that include specific provisions outlined in the Rule) with vendors and other third parties that create, receive, transmit or maintain PHI on behalf of the practice (“business associates,” in HIPAA terms). Physician practices must also regularly evaluate and update their privacy policies and practices, provide regular privacy training to their workforce members, and impose appropriate sanctions when workforce members fail to comply with established privacy practices.

Security Rule

Under the Security Rule, physician practices must implement reasonable and appropriate administrative, physical and technical safeguards to protect electronic PHI (“ePHI”). Technical safeguards include, for example, encryption, access controls, audit logs, authentication controls, and other safeguards directed toward securing ePHI. Physical safeguards include locking doors, screening computers, and other safeguards to protect access to workstations and other physical facilities where workforce members access ePHI and protocols to safeguard ePHI during disposal. Administrative safeguards include security risk analysis (discussed further below) and risk management plans, contingency/disaster recovery plans, and security incident reporting procedures, as well as written policies and procedures addressing security practices, regular evaluation of security safeguards, and workforce training and sanctions, similar to the Privacy Rule.

Breach Notification Rule

The Breach Notification Rule requires that, in the event a physician practice discovers an unauthorized access, use or disclosure of unsecured PHI (for example, a breach of unencrypted ePHI), in paper or electronic form, the practice must notify each patient affected by the breach, as well as OCR,[5] unless the practice can demonstrate, based on a risk assessment conducted in accordance with the Rule,[6] that there is not more than a low probability that PHI was compromised. Like the Privacy Rule and the Security Rule, the Breach Notification Rule also requires that physician practices implement written policies and procedures to document their breach notification responsibilities and practices, train workforce members regarding their responsibilities in the event of a breach, and hold workforce members accountable for non-compliance.

Practical Steps

In view of the various rules and requirements discussed above, physician practices may take the following steps toward establishing a baseline of compliance with HIPAA.

Perform a security risk analysis in compliance with the Security Rule. It is essential that every physician practice perform (and regularly update, as appropriate) a security risk analysis, in compliance with the Security Rule, as noted above. Done properly, the security risk analysis highlights specific risks and vulnerabilities in the practice’s security practices and recommends specific steps to address them – thereby providing a road map, of sorts, to compliance with the Security Rule. From an enforcement standpoint, OCR has repeatedly zeroed in on covered entities that fail to perform an appropriate risk analysis. As a practical matter, most physician practices utilize third-party consultants, with appropriate information technology expertise and resources, to conduct the risk analysis. In any case, the risk analysis should be coordinated through legal counsel to, among other things, ensure applicable HIPAA requirements are addressed and preserve attorney-client privilege, to the extent possible, as to communications with the consultant (i.e., in regard to security risks and vulnerabilities identified in the analysis). Physician practices should be sure, also, to routinely update their risk analysis, to ensure that new and evolving legal requirements and risks are timely addressed.

Implement appropriate written policies and procedures for compliance with the Privacy Rule, Security Rule and Breach Notification Rule. It is also essential that every physician practice implement written policies and procedures to facilitate compliance with the Privacy Rule, the Security Rule and the Breach Notification Rule. “Template” policies and procedures may be obtained from various sources, and may be sufficient for compliance, at least temporarily; ultimately, however, practices should tailor their policies and procedures to their particular circumstances – including, for example, the specific risks and vulnerabilities identified, from time to time, in the practice’s (ongoing) security risk analysis, as well as the practice’s history and experience with (actual) privacy, security and breach matters. As noted above, it is also critical that the practice regularly review and update its policies and procedures to ensure compliance with applicable laws and regulations, and to take into account, again, any recent privacy, security or breach related matters at the practice.

Address encryption. Technically, encryption is not required to comply with the Security Rule. Like risk analysis, however, encryption (specifically, lack of encryption) is a favorite target of OCR, in its enforcement efforts, especially in regard to (unencrypted) mobile devices, such as laptops and tablet computers, smartphones, and the like.[7] Moreover, encrypted ePHI (i.e., “secure” ePHI)[8] is not subject to the Breach Notification Rule; that is, even if the information is somehow breached, the practice need not notify patients or OCR regarding the incident.

Vet vendors and vendor contracts. Physician practices should routinely vet any vendors (i.e., business associates) that have access to PHI, in paper or electronic form, to ensure the vendor has appropriate safeguards in place, similar to those required of the practice. In addition, as noted above, physician practices should ensure that they have written, HIPAA compliant, business associate agreements in place with such vendors. Practices should also confirm that business associate agreements and/or related vendor service contracts include adequate protections (in the form of indemnification, and other remedies) for the practice, in the event of a data breach or similar incident. Moreover, due to the significant risk management and legal implications now associated with ePHI, practices are advised to coordinate review of their vendor arrangements and contracts with appropriate legal counsel.

Implement appropriate back-up and contingency plans. The Security Rule requires that physician practices have in place secure procedures for backing up PHI and safeguards to protect PHI and to recover lost PHI, in the event of a natural disaster or other, similar contingency. Some practices utilize their own servers or resources to back up data; others utilize “cloud” or similar third-party services. As a practical matter, similar to risk analysis, contingency plans are often developed and implemented in coordination with a third-party consultant with appropriate expertise.

Confirm appropriate insurance coverage is in place. Many insurance carriers now offer some form of “cyber” insurance coverage to protect against losses related to data breaches and other information security matters. Cyber insurance typically addresses the insured’s overall information technology security practices; it may or may not address specific HIPAA compliance issues. In lieu of (or in addition to) cyber coverage, physician practices may look to other insurance (directors and officers, errors and omissions, professional liability, general liability, etc.) for coverage. In any case, particularly in view of the significant enforcement and litigation risks now associated with HIPAA and related privacy and security matters, physician practices must be sure they have adequate insurance coverage in place in the event of a data breach or similar privacy or security incident – and, in the event coverage is available from multiple sources, that they understand the interplay between the various policies.

Sources

  1. OCR enforcement efforts include a number of high dollar settlements (known as “resolution agreements”) entered into between OCR and HIPAA covered entities, including physician practices. For additional information pertaining to OCR resolution agreements and other enforcement efforts, please see the HHS website, at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html. (To view OCR resolution agreements involving physician practices, visit the above link, and select “Private Practices.”)
  2. Besides OCR, data breaches (whether or not HIPAA is implicated) may trigger enforcement efforts by state attorneys general, the Federal Trade Commission and other state or federal agencies.
  3. See, e.g., Class Action Lawsuit for Flowers Hospital Data Breach Moves to Discovery Phase, HIPAA Journal (Oct. 5, 2015), accessible at http://www.hipaajournal.com/flowers-hospital-class-action-data-breach-lawsuit-moves-to-discovery-8133/ (last visited March 24, 2016).
  4. See OCR Launches Phase 2 of HIPAA Audit Program, available at http://www.hhs.gov/hipaa/forprofessionals/compliance-enforcement/audit/phase2announcement/index.html.
  5. Notification to OCR is delivered using an online portal on the HHS website, accessible at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.
  6. The Breach Notification Rule includes specific factors the physician practice must take into account in conducting the risk assessment. These factors are set forth at 45 CFR §164.402.
  7. OCR data indicates that a significant portion of reported breaches of unsecured PHI, perhaps more than half, involve theft or loss of an unencrypted mobile device.
  8. To avoid the notification requirements of the Breach Notification Rule, ePHI must be encrypted according to specific, National Institute of Standards and Technology (“NIST”) protocols. For information regarding specific encryption protocols, see Guidance to Render Unsecured Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals, on the HHS website, at http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.

The information in this article reflects the thoughts and opinions of the author, and does not, and is not intended to, constitute legal advice. If you have specific questions pertaining to HIPAA or other legal matters addressed herein, please consult appropriate legal counsel.

Contributed by D. Brent Wills, Esq., a partner at Gilpin Givhan P.C., a Bronze Partner with the Association.
