A recent legal ruling demonstrates the importance of using encryption to protect ePHI from unauthorized viewing. A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. OCR reported that the Cancer Center had three separate data breaches in 2012 and 2013. The breaches involved the theft of an unencrypted laptop from the residence of a Cancer Center employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. The Cancer Center had written encryption policies going as far back as 2006 and had conducted a risk analysis that found that the lack of device-level encryption posed a high risk to the security of ePHI. Nonetheless, the Cancer Center did not begin to implement encryption of ePHI until 2011, and still failed to encrypt its inventory containing ePHI (data at rest) between March 24, 2011 and January 25, 2013. The Cancer Center was penalized for each day of non-compliance with HIPAA and for each record of individuals breached. This explains the high civil monetary penalty of $4,348,000.
The Cancer Center argued that they were not obligated to encrypt its devices and that the ePHI disclosed was for research and not subject to HIPAA disclosure rules. The Cancer Center further argued that HIPAA’s penalties were unreasonable. The judge rejected each of these arguments and stated that the Cancer Center’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that the Cancer Center “not only recognized, but that it restated many times.”
So, what can you learn from this incident? While the HIPAA Security Rule identifies encryption as an “addressable” implementation specification, that does not make it optional. It means that if you choose not to encrypt, you must adopt an equivalent alternative measure to secure the ePHI, or document a very strong justification for why the specification does not apply in your circumstances. The Cancer Center did neither, despite its own risk analysis identifying the lack of device-level encryption as a high risk to the security of ePHI. Furthermore, numerous encryption solutions for end-user and portable devices are available and well within the capability of every covered entity, so it would be difficult for a CE to defend not using encryption to protect PHI from unauthorized viewing. Secondly, if you have a policy that says you accomplish X, Y, and Z, make sure your actions mirror the policy. An adage among compliance professionals is that what is worse than not having a policy is having a policy and not following it. That was the case for the Cancer Center, which had encryption policies going back to 2006 that were not followed. Finally, PHI used for research purposes receives the same HIPAA protection as PHI used for treatment, payment, or healthcare operations.
Now is a very good time to inventory all your assets that maintain ePHI and determine whether you need to apply encryption or another solution to secure the ePHI. Take proactive steps to protect your data at rest and protect your organization from a major civil monetary penalty. The encryption and decryption standard can be found at 45 CFR § 164.312(a)(2)(iv). The OCR news release on this case can be viewed here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html. For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact our CEO Sarah Badahman at firstname.lastname@example.org.
The HIPAA Security Rule is full of requirements to help you protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). One of those requirements addresses how you manage workstations, which is important because the workstation is the most direct route to your PHI. With that in mind, let’s review some steps you should take today regarding your workstations and protecting your ePHI.
- Ensure that each workstation has the necessary access controls to restrict unauthorized users and programs from accessing ePHI
- Ensure that software on each workstation and on the network is compatible and will not lead to the degradation of the system.
- Ensure workstations are turned away from public view
- Provide physical access controls to the workstations and laptops
- Workstations should be secured at their stations
- Laptops can be tethered to their desks when necessary
- Ensure workstations have virus protection that cannot be disabled by users
- Ensure operating systems receive critical updates and patches
- Remove network access soon after an individual is terminated
While these are actions that can be performed by your IT department or security officer, end users also need to be educated regarding their responsibilities when working at the workstation.
- Do not leave passwords on sticky notes on the computer
- Do not share passwords with fellow employees
- Engage the screensaver when leaving the workstation unattended
- Lock the screen with Ctrl+Alt+Delete, or by holding the Windows key and pressing L
- Do not remove the plastic privacy screen from the monitor
Workstation use is a standard in the Security Rule because the workstation is the main avenue to your organization’s ePHI. Without appropriate workstation procedures and proper staff education, the workstation can become a risk to the confidentiality, integrity, and availability of your ePHI. For more on how HIPAAtrek can help you with your HIPAA program, contact our CEO, Sarah Badahman, at email@example.com. Happy HIPAAtrekking!
As a Covered Entity (CE) or a Business Associate, you will likely have ePHI located on mobile devices and media. ePHI is no longer confined to your desktop computer; it lives on many portable devices throughout your organization. Examples include laptops, external hard drives, thumb drives, tablets, smartphones, backup disks or tapes, and digital memory cards. What they all have in common is that they are mobile and may leave your organization by design or by accident. Managing your mobile media is paramount to maintaining the confidentiality, integrity, and availability of your ePHI as required by the HIPAA Security Rule. To do so, you need policies and procedures to account for your mobile media, as well as procedures for reuse and disposal.
Accountability: The Security Rule requires you to account for all mobile devices and media that maintain ePHI. This includes controlling where your media moves within your organization as well as outside of it. Imagine a scenario where mobile media cannot be found or accounted for in your large facility. Is it still in your facility, or has an employee taken it home? Is it lost? Worse yet, imagine the mobile device leaving your organization without your knowledge, placing your organization at risk of a privacy breach. To establish an accountability program, you must first have a full and correct inventory of all your mobile assets (laptops, tablets, smartphones, etc.). The next step is to establish a check-out/check-in log for the mobile media. Anyone who wants to remove mobile media from the organization must check it out first and sign it back in upon return, and there must be a business justification for removing the device or media. Those few individuals who have been approved to use mobile media outside the facility on a routine basis should also sign the media out initially as a long-term checkout, so that a record of its whereabouts is documented. Staff should be trained on this policy, and it should be followed every time. Periodic review of the sign-out log will help prevent further concerns about missing mobile devices and media.
Reuse: Mobile devices and media are sometimes reused within an organization. Additionally, many organizations provide their used or outdated hardware/software to local charities, such as churches or elementary schools. Whether the media stays in house or is donated, you need to ensure the media is sanitized of all ePHI.
There are several software cleaning solutions on the market, often called “disk wipe” software. They work by writing over the entire storage drive to eliminate all the data. Look closely at the software instructions, which will direct you to run the overwrite three times or up to seven times; each run is commonly known as a “pass.” The Department of Defense (DoD) 5220.22-M data sanitization method overwrites the existing information on the storage device: the wipe sequence writes zeros on the first pass, writes ones on the second pass, and writes random characters over the data on the third pass, making any previous information unrecognizable and unretrievable. When cleaning smartphones, review the manufacturer’s instructions for wiping the memory or restoring the phone to factory settings. The objective is to clean your mobile media so that it is free of all ePHI and the device can be reused internally or externally. Finally, document and tag the item as sanitized and record who it is signed out to.
Disposal: Not all mobile devices and media are reused. More often a device is slated for disposal at the end of its life cycle. Disposal requires you to permanently remove all ePHI and to permanently destroy the device so that it cannot be used again. A common method of destroying the memory of a hard drive is a degausser (which will not work on flash-memory-based devices). This method removes all ePHI and makes the memory unusable. If you don’t have a degausser, you can wipe the media clean (see the reuse method above) and then physically destroy the hard drive platter with a hammer. You can also use the options for mobile media listed in NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization: shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. Afterwards, document the destruction in your inventory so that it includes:
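The three-pass overwrite sequence described above (zeros, then ones, then random data), applied to a file and verified after each pass. This is an added example, not HIPAAtrek's code or any particular disk-wipe product; the sample file and its contents are constructed for the demonstration. It overwrites a single file on a local filesystem, which is enough to show the pattern but, like the degausser caveat above, does not reach remapped sectors, wear-levelled flash, or other filesystem copies, so a whole-device wipe tool or the NIST SP 800-88 methods still govern real media.

```python
"""Three-pass overwrite of a file (zeros, ones, random), verifying each pass.

Added example; not the article's own tooling. Assumes a regular file on a
local filesystem. A file-level overwrite demonstrates the pass pattern but
is not a substitute for a whole-device sanitization procedure.
"""
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB write granularity

# The three passes the article lists. None means "fresh random bytes".
DOD_5220_22_M_PASSES = (b"\x00", b"\xff", None)


def _pattern_block(pattern, size):
    """Return `size` bytes of a fixed pattern, or random bytes for a random pass."""
    return os.urandom(size) if pattern is None else pattern * size


def overwrite_pass(path, pattern):
    """Overwrite every byte of `path` in place with one pass, then fsync."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(_pattern_block(pattern, n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push the writes through the OS cache to the device
    return size


def verify_pass(path, pattern):
    """Read the file back; a fixed pattern must match byte-for-byte.
    A random pass cannot be compared, so only its length is checked."""
    with open(path, "rb") as fh:
        data = fh.read()
    if pattern is None:
        return len(data) == os.path.getsize(path)
    return data == pattern * len(data)


def wipe_file(path, passes=DOD_5220_22_M_PASSES, remove=True):
    """Run each pass in order, verifying after each one.
    Returns a list of (pass number, pattern label, verified) tuples."""
    results = []
    for idx, pattern in enumerate(passes, start=1):
        overwrite_pass(path, pattern)
        ok = verify_pass(path, pattern)
        results.append((idx, "random" if pattern is None else pattern.hex(), ok))
        if not ok:
            raise RuntimeError(f"pass {idx} did not verify; do not reuse this media")
    if remove:
        os.remove(path)
    return results


def sample_file():
    """Create a constructed sample file with fake ePHI-like lines; returns (path, size)."""
    line = b"patient: Jane Doe (constructed sample), MRN 000000\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(line * 2000)
    return path, len(line) * 2000


def read_back(path):
    """Read a file's bytes and delete it (used to inspect a non-removing wipe)."""
    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)
    return data


def demo():
    """Wipe a constructed sample file with the three-pass sequence."""
    path, _ = sample_file()
    results = wipe_file(path)
    return results, os.path.exists(path)


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

The verification step is the part worth copying into any sanitization procedure: a wipe that is not read back and recorded is an assumption, not evidence.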
- Name of media destroyed
- Method of destruction
- Date of destruction
- Person or organization destroying media
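A small accountability register that ties the three procedures above together: an inventory of mobile assets, a check-out/check-in log that requires a business justification and supports long-term checkouts, a periodic review that reports overdue items and anything in the inventory that was not physically found, and sanitization and destruction records carrying the four destruction fields just listed. This is an added example, not HIPAAtrek's software; the asset tags, names, and dates are constructed.

```python
"""Mobile media accountability register (added example, not the article's tool).

Dates are ISO strings ("2018-07-10"). Asset tags, people and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    tag: str
    kind: str
    status: str = "in-house"            # in-house | checked-out | sanitized | destroyed
    holder: Optional[str] = None
    due: Optional[date] = None          # None while checked out == long-term checkout
    justification: Optional[str] = None
    history: list = field(default_factory=list)   # audit trail: (event, date, who, detail)


class MediaRegistry:
    def __init__(self):
        self.assets = {}

    def add(self, tag, kind):
        if tag in self.assets:
            raise ValueError(f"duplicate asset tag {tag}")
        self.assets[tag] = Asset(tag, kind)

    def check_out(self, tag, holder, justification, on, days=7, long_term=False):
        """Sign media out; a business justification is mandatory."""
        a = self.assets[tag]
        if a.status != "in-house":
            raise ValueError(f"{tag} is {a.status}; it cannot be checked out")
        if not justification.strip():
            raise ValueError("a business justification is required")
        start = date.fromisoformat(on)
        a.status, a.holder, a.justification = "checked-out", holder, justification
        a.due = None if long_term else start + timedelta(days=days)
        a.history.append(("out", on, holder, "long-term" if long_term else f"due {a.due}"))

    def check_in(self, tag, on):
        a = self.assets[tag]
        if a.status != "checked-out":
            raise ValueError(f"{tag} is not checked out")
        a.history.append(("in", on, a.holder, ""))
        a.status, a.holder, a.due, a.justification = "in-house", None, None, None

    def record_sanitized(self, tag, on, by, method):
        """Tag an item as wiped; it must be physically back in house first."""
        a = self.assets[tag]
        if a.status != "in-house":
            raise ValueError(f"{tag} must be checked in before it is sanitized")
        a.status = "sanitized"
        a.history.append(("sanitized", on, by, method))

    def record_destroyed(self, tag, on, by, method):
        """Destruction record with the four fields the article requires."""
        a = self.assets[tag]
        if a.status == "checked-out":
            raise ValueError(f"{tag} must be checked in before destruction")
        a.status = "destroyed"
        a.history.append(("destroyed", on, by, method))
        return {"media": f"{a.kind} {a.tag}", "method": method, "date": on, "by": by}

    def review(self, today, seen_in_house=None):
        """Periodic log review. `seen_in_house` is the set of tags found during a
        physical walk-through; in-house items not in it are unaccounted for."""
        today = date.fromisoformat(today)
        out = [a for a in self.assets.values() if a.status == "checked-out"]
        overdue = sorted(a.tag for a in out if a.due is not None and a.due < today)
        long_term = sorted(a.tag for a in out if a.due is None)
        unaccounted = []
        if seen_in_house is not None:
            unaccounted = sorted(a.tag for a in self.assets.values()
                                 if a.status == "in-house" and a.tag not in seen_in_house)
        return {"overdue": overdue, "long_term": long_term, "unaccounted": unaccounted}


def demo():
    """Constructed scenario: one long-term laptop, one overdue thumb drive,
    one drive wiped and shredded, one tablet that should be on the shelf."""
    reg = MediaRegistry()
    reg.add("LT-0001", "laptop")
    reg.add("USB-0042", "thumb drive")
    reg.add("HD-0007", "external drive")
    reg.add("TAB-0003", "tablet")
    reg.check_out("LT-0001", "Dr. Example", "covers the remote clinic weekly", on="2018-07-02", long_term=True)
    reg.check_out("USB-0042", "A. Clerk", "transport imaging to partner site", on="2018-07-03", days=3)
    reg.record_sanitized("HD-0007", "2018-07-05", "IT", "3-pass overwrite")
    record = reg.record_destroyed("HD-0007", "2018-07-06", "Shred Vendor (constructed)", "shred")
    return reg, record


if __name__ == "__main__":
    registry, destruction = demo()
    print(destruction)
    print(registry.review("2018-07-10", seen_in_house=set()))
```

The review output is what the periodic sign-out-log check in the accountability section produces: overdue checkouts to chase, long-term checkouts to reconfirm, and in-house items that were not found.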
As a Covered Entity (CE) or a Business Associate, you will undoubtedly have mobile devices and media to manage. Today, mobile media seems to be ubiquitous. To protect ePHI from unauthorized access and prevent a data breach, implement device and mobile media accountability, reuse, and disposal procedures. Staff should understand that they must bring questions and concerns about mobile media to you (the security officer or office), including the use of their own mobile media if your policy allows it. The HIPAA Security Rule addresses the requirements for device and media control at 45 CFR §164.310(d)(1), Physical Safeguards; Device and media controls. For further questions on this topic or assistance with your HIPAA compliance program, please contact our Chief Executive Officer, Sarah Badahman, at firstname.lastname@example.org. Until then, happy HIPAA trekking!
As a Covered Entity (CE) you disclose protected health information (PHI) throughout the day for treatment, payment, and health care operations (TPO). These TPO disclosures do not require you to obtain an authorization from the patient. Examples of treatment disclosures include when you draw a patient’s blood work at your clinic or practice, but you send the specimen to a reference lab to obtain the results. Similarly, you see a patient who needs to see a specialist, so you refer the patient to another provider. This is also viewed as a treatment disclosure. Payment disclosures occur when you bill an insurance provider for care rendered. This includes when payment for care is obtained by billing Medicare, Humana, TRICARE, or any other healthcare insurance provider. Healthcare operations disclosures are those management actions you take to administer your overall healthcare program. Examples of healthcare operations disclosures include reviewing the competence or qualifications of your health care professionals, licensing or credentialing activities, conducting or arranging for medical review or legal services, as well as customer support to name a few. Bottom line, you are permitted to use and disclose PHI for TPO without the patient’s authorization.
You are also permitted to disclose PHI without a patient’s authorization, or opportunity to agree or object, to avert a serious threat to health or safety. As a CE, you may, consistent with your state law or other applicable laws, disclose PHI if you believe the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the person you notify is reasonably able to prevent or lessen the threat. The following two examples demonstrate how this provision of the rule can be used.
A clinic learns that a child has tested positive for tuberculosis. Upon learning that the child attends a local day care center, the clinic contacts the center immediately to have the child removed from the other children and isolated until the child can be picked up by his parents. The threat to health of the other children is the contagious disease the child had, and the person(s) notified of this PHI have the ability to lessen the threat by isolating the child from the other children. In another example, a post-partum mother contacts the clinic and tells the front desk clerk that she feels depressed and is having thoughts of harming her newborns. After the mother ends the phone call, the clerk contacts the neo-natal ward where the newborns are located, notifies them of their mother’s psychological condition, and contacts the police. When the mother arrives at the hospital where her newborns are, the police and a doctor are there to meet her at the door and assist the mother through her temporary crisis. The threat to the safety of the newborns is the mother’s ideation about harming them and the PHI is the mother’s post-partum depressed condition.
In both examples above, the threat to the children and newborns is imminent, and the individuals contacted were reasonably able to prevent or lessen the threat. To make a disclosure under this part of the HIPAA rule, the threat must be imminent, not merely a probability or a “could happen” situation. In addition, the individual(s) contacted must be able to lessen or eliminate the threat. It is important to understand that when you make this type of disclosure, the rule recognizes you are doing so in “good faith” based on your reasonable belief at the time that an imminent threat to health and safety exists. As explained in the HIPAA rule preamble, this approach is consistent with the “duty to warn” third persons at risk, which had been established through case law. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist’s patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the danger. In the Tarasoff case, the patient told the doctor of his desire to kill Tarasoff, but the victim was never warned and was subsequently murdered. To be clear, the HIPAA rule is not intended to create a duty to warn or disclose; rather, it permits the CE to make a disclosure to avert a serious and imminent threat to health and safety.
As a CE, it is important to understand how this part of the HIPAA rule works and to ensure your staff have been trained to recognize this type of situation. The specific citation that addresses this type of disclosure can be found at 45 CFR 164.512 (j)(i). Uses and disclosures for which an authorization or opportunity to agree or object is not required: Standard: Uses and disclosures to avert a serious threat to health or safety. This type of disclosure is also accountable and should be added to the Accounting of Disclosure list. For further questions on this subject or how HIPAAtrek can help you with your HIPAA compliance program, please contact our Account Executive Theresa Zemcuznikov at email@example.com.
As we continue through October 2017 and National Cybersecurity Awareness Month (NCSAM), we continue to focus on going back to the basics. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information or e-PHI, and the training you provide your workforce. Last week we looked at some basic tips about patch management and how a major organization failed to patch a vulnerability leading to the exposure of financial information of 145.5 million individuals. This week’s third installment of cybersecurity tips by HIPAAtrek will focus on multi-factor authentication.
Multi-factor Authentication: Multi-factor authentication is the security procedure of using two or more independent credentials to allow someone access to your information systems and e-PHI. You may have first seen this on the big screen, where a James Bond type character enters a password followed by a thumbprint or eye scan to access a classified area. This is not just movie stuff anymore. It is an example of multi-factor authentication, and it provides the most secure method of ensuring that the individual attempting to access the system is the person they claim to be. Here are the three types of credentials (factors) in multi-factor authentication you need to understand:
Something you know (Knowledge Factor). This is a password, passcode, or passphrase that only you know.
Something you have (Possession Factor). This is a special hardware token, which could be a key fob or a smart card, with a unique Personal Identification Number (PIN) assigned only to you. When you use the token, the information system recognizes your entry through the token, and you confirm it by entering the PIN.
Something you are (Inherence Factor). This is the method of identifying yourself by one of your biological traits. Unique biological identifiers include fingerprints, hand geometry, retina and iris scans, and voice recognition. No one else has your biological traits and therefore cannot use them to authenticate as you.
The advantage of a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still needed to gain access. In other words, I may learn your password, but I don’t have your smart card or your thumbprint. The attempted access is stalled or prevented without both credentials. These credentials can be used in any combination: smart card and password, password and thumbprint, smart card and iris scan, and so on. The key to multi-factor authentication is a layered approach to allowing access to your information systems, thereby securing your e-PHI.
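A concrete login check combining two of the factors above: a knowledge factor (a salted, hashed password) and a possession factor (a time-based one-time password, per RFC 6238, generated by a device or authenticator app that holds a shared secret). This is an added example, not HIPAAtrek's software; the user record, secret, and timestamps are constructed, and a production system would add rate limiting and lockout on top of this logic. It shows the property the paragraph describes: a stolen password alone is refused, and a code without the password is refused too.

```python
"""Password + TOTP two-factor check (added example, not the article's tool).

Knowledge factor: PBKDF2-HMAC-SHA256 password hash.
Possession factor: RFC 4226 HOTP / RFC 6238 TOTP over a shared 160-bit secret.
User record, secret and timestamps below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30      # seconds per code
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # also accept the previous/next step to absorb clock skew
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(stored, password):
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None):
    """RFC 6238: HOTP with the counter derived from Unix time / 30 s."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // TOTP_STEP))


def verify_totp(secret, code, at=None, window=TOTP_WINDOW):
    """Constant-time compare against the current step and +/- `window` steps."""
    at = time.time() if at is None else at
    step = int(at // TOTP_STEP)
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


def enroll(username, password):
    """Constructed user record: hashed password plus a fresh TOTP secret.
    The base32 form is what the user's authenticator app would be given once."""
    secret = secrets.token_bytes(20)
    return {"name": username, "pw": hash_password(password), "totp_secret": secret,
            "provisioning_secret": base64.b32encode(secret).decode()}


def authenticate(user, password, code, at=None):
    """Both factors must pass. Returns an audit reason; the password is
    checked first so a caller cannot probe the OTP without knowing it."""
    if not verify_password(user["pw"], password):
        return "denied: password"
    if not verify_totp(user["totp_secret"], code, at):
        return "denied: second factor"
    return "granted"


if __name__ == "__main__":
    u = enroll("jdoe", "correct horse battery staple")
    now = time.time()
    print(authenticate(u, "correct horse battery staple", totp(u["totp_secret"], now), now))
    print(authenticate(u, "correct horse battery staple", "000000", now))
```

The `hotp` and `totp` functions reproduce the RFC 4226 and RFC 6238 reference test vectors for the ASCII secret `12345678901234567890` (counter 0 gives 755224; time 59 gives the 6-digit code 287082), which is the check to run before trusting any one-time-password implementation.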
Multi-factor authentication is a basic security principle which should be considered whenever possible as it provides a more secure method for authenticating access to only those who are authorized. In addition to multi-factor authentication, HHS has provided a short list of tips to discuss with your staff during NCSAM and others as you see are appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.
Contact our Lead Account Executive, Theresa Zemcuznikov at firstname.lastname@example.org who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.