Planning your HIPAA success is probably the last thing on your mind. As a busy healthcare professional, you deal with multiple roaring fires all day long every day. Because you are so busy, it is easy to put off HIPAA compliance and simply hope for the best. What you may not realize is your burning compliance ember can quickly become an uncontrollable forest fire. Hoping for the best with your HIPAA compliance program has several problems:
- The Office of Civil Rights (OCR) is conducting audits to ensure compliance
- Healthcare breaches are on the rise resulting in costly fines
- It is no longer IF you will experience a breach, but WHEN
Reactive Versus Proactive Compliance
The OCR is auditing organizations of all sizes. In the beginning years of HIPAA it had no teeth. The audits have changed that. The OCR now expects organizations to be proactive in their compliance efforts. Reactive compliance is a thing of the past.
Proactive compliance is imperative to the health of your business. Fines can reach as high as $1.5 Million per incident per calendar year. The largest HIPAA fine was $4.8 Million. Failing to be proactive in your HIPAA compliance efforts will not only put you at risk if you are audited; but, will also put you at increased risk for a breach with a lofty fine.
Most importantly, proactive compliance protects your patients. Patients do not always remember their own health issues. Loss of access to your patient files could result in harm to your patients. Being proactive in your compliance efforts helps to ensure your patients’ data stays healthy.
Planning HIPAA Success
To plan for the worst, you need to start by conducting an a risk analysis. Be sure to assess your current policies and procedures. Ensure that you are also following them and keeping documentation of your compliance efforts. Conducting a risk analysis is not an optional task for HIPAA covered entities and their business associates, it is a required action. Your organization must determine how often a risk analysis should be conducted.
In addition to the risk analysis, you need to have a solid back-up and disaster recovery plan in place. Because the healthcare industry is the most attacked industry, failure to have this step in place could cost you years of patient information on top of lofty fines.
I understand that all this can be overwhelming. However, it is necessary to remember that compliance is not a checkbox that can be marked and then forgotten. Compliance is a journey that must be taken one step at a time. Unfortunately, it is not a journey that has an end point.
Don’t just hope for the best with your HIPAA compliance! Be proactive! Contact one of our HIPAAsherpas to find out how we can help you on your HIPAA journey!
Password security is the bane of most healthcare organizations’ existence! Employees and providers groan every time they are required to change their passwords. Remembering complex passwords is also difficult, especially when you have multiple passwords to remember for all the programs and networks required to manage patient care. Writing passwords down and sharing passwords are common temptations to ease the pain of password management. However, not taking password security seriously is leaving your patients’ information vulnerable.
The Password Security Conundrum
Many organizations struggle with password security. Providers and nurses often share login credentials with staff to make it their workflows easier. However, sharing passwords IS a real security threat.
If you share your password, you are responsible for ALL activity under your login credentials! It is difficult, if not impossible, to monitor someone else’s activity on your login. This is particularly true if you are not closely watching them as they are logged in as you. The person you share your password with can purposefully or accidentally change patient data. As a result, you can face serious disciplinary actions, including fines or termination.
In addition, to password sharing, password security is another major concern. If you write your passwords down on a sticky note or notebook, STOP! Because, this leaves passwords extremely vulnerable. Passwords that are written down can be lost or stolen. Also, it is impossible to determine who has accessed passwords that are written down on paper. If you must write down your passwords, consider the use of a password vault.
You and your staff are busy! As a result, these seem to be reasonable shortcuts to make his workflow more manageable. However, due to the possible monetary penalties or even loss of employment, they are really dangerous practices.
Not only is password security important for your security program, HIPAA actually REQUIRES it!
- Password Management: Procedures for creating, changing, and safeguarding passwords.
- Unique User ID: Assign a unique name and/or number for identifying and tracking user identity.
First, establish unique user IDs. This means, that every user should have their own user name or identifier to log into sensitive programs or your network. Because, having generic user IDs such as “Nurse Station 1” to login does not meet the requirement.
Second, make sure that every user ID has its own secure and complex password. This might, and probably does, mean that each employee will have multiple passwords that match up with each account.
Most importantly, TRAIN your staff on your security practices around securing and managing their passwords!
Security Beyond HIPAA
Just meeting the HIPAA requirements may not be enough to protect your patients’ information. Beyond HIPAA, it is important to protect passwords in order to secure your network and all of its data. A rogue, or even well-intentioned, employee can change a patient’s chart causing great harm to the patient.
Your HIPAA Tip on sharing passwords, is simply don’t.
If you have any questions on how to meet these requirements, contact us!
Texting patient orders is easy. However, due to patient safety, security and privacy concerns, CMS and the Joint Commission prohibit it! Not only is texting patient information a gray area of the HIPAA law, it is also does not meet Medicare requirements.
Texting and HIPAA
Despite how tempting and convenient texting patient information may seem, it is a legal gray area. Therefore, if you are wanting to go down this path, consult with an attorney that is well versed in HIPAA.
HIPAA is pretty serious about how Electronic Protected Health Information (ePHI) must be transmitted and stored. The transmission must be secure. This can be a tedious and expensive undertaking. Text messaging needs to be securely transmitted and archived. This becomes increasingly difficult with Bring Your Own Device (BYOD) that naturally comes when texting. As most organizations do not provide cell phones to their staff, texting will be done on their personal devices.
All transmissions of ePHI, including texts, must be taken into account when an organization conducts its risk analysis. In the risk analysis process, the organization must consider:
- WHAT ePHI is being transmitted
- HOW the ePHI is being transmitted
- WHICH devices are permitted to send ePHI
- IF the organization has a BYOD policy, that it is calculating those devices in the risk analysis
In addition, the impact to the organization in the event of a breach must also be calculated. Events such as theft, loss, improper disposal of the device, as well as the likelihood of the ePHI being intercepted by an unauthorized individual, must all be considered in the risk analysis.
So How Do I Communicate?
You may be tempted to stop all electronic transmissions. However, eliminating electronic transmissions is not reasonable. Consider that 73% of all health care professionals are already texting ePHI, whether it is permissible or not. Also consider, 98% of all health care professionals rely on routine email messages to communicate between internal staff and referring providers as well as business associates. Eliminating electronic transmissions altogether could, and probably will, have an immense burden on the efficiency in your organization.
Because of the need for electronic communication, the idea of mutual consent comes into play. Mutual consent is where both the HIPAA covered entity or business associate enter into an agreement with the patient whose data is being transmitted. HIPAA seemingly allows for insecure transmissions IF:
- The individual is clearly informed of the security risks of that and a secure option is recommended.
- The individual indicates in writing that it is OK to send them ePHI via insecure email.
- The Covered Entity keeps explicit records of all of these “mutual consent” cases, including the content of the risk warnings and the written approval from the individual.
Be very careful when using this loophole in the HIPAA law. Seek the advice of an attorney well versed in HIPAA BEFORE sending any insecure transmissions. With such a legal gray area, and with many secure options for securely transmitting ePHI on the market that are quite affordable, it is my recommendation that you still seek the secure transmissions.
Texting Patient Orders and CMS
The reason CMS and The Joint Commission prohibit texting patient orders goes far beyond just HIPAA. In fact, texting patient orders is considered out of compliance with several Conditions of Participation and Conditions of Coverage for CMS. Most importantly, the retention of record and content of record requirements.
If you participate in Medicare, you are required to main records in their original or legally reproduced form. Texts are not able to accomplish this. Additionally, some messaging platforms struggle with this requirement. Check with your messaging provider to see if they are able to integrate with your EMR’s Computerized Physician Order Entry (CPOE) function. If so, you may be able to continue to use your messaging application and remain in compliance with CMS.
When thinking about your information system asset inventory, it is easy to focus solely on the compliance elements. When doing so, many smaller healthcare organizations will opt not to keep an inventory, as it is not explicitly required in HIPAA. Although not specifically required in the HIPAA Security Rule, there are indicators in the Security Rule that an accurate and up-to-date information systems asset inventory will support several of the requirements within the Rule such as Risk Analysis, Risk Management, Information Systems Activity Review, Device and Media Management, and Audit Controls.
An information system asset inventory is more than just tracking your hardware. According to the HIPAA Security Rule Crosswalk to NIST, managing assets enables “the organization to achieve business purposes that are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.”
There are many benefits of creating and maintaining an accurate and up-to-date inventory. The three broad categories of benefit are: Risk Management, Business Operations, and Financial.
You can’t protect what you don’t know you have. Arguably one of the most important requirements of the HIPAA Security Rule is the Risk Analysis. Organizations that have to comply with HIPAA, are required to identify reasonable threats and vulnerabilities to their electronic PHI. Having an information system asset inventory will give the organization a starting place for this process.
Conducting audits and reviewing your system activity is also drastically simplified when there is an inventory in place. The inventory serves as a checklist to ensure you have reviewed/audited all the systems in your organization where PHI is stored, accessed, transmitted, or created.
Healthcare entities are notoriously short staffed and as such are constantly looking for ways to improve their productivity with their existing workforce. The irony is that the healthcare industry as a whole as a reliance on older and legacy systems which are costly from a productivity standpoint (which translate into lost dollars). Having an information system asset inventory helps to identify technology gaps. Since we know that older systems that are not supported by the manufacturer are a major risk factor, having an inventory that reflects the age of a system can identify when that system should be replaced. This not only will help improve productivity, but will also reduce the risk of a technical breach to your organization.
Reducing risk and improving productivity will have a direct and positive impact on your organization. Understanding the percentage of your budget spent on technology is also important. The healthcare industry has historically not invested heavily on their IT infrastructure and supporting systems. The majority of the healthcare IT budget is spent on softwares such as EMR and telehealth. This can cause an increased cost to productivity, operations, and compliance as not enough attention is being spent on the infrastructure itself. As detailed in Business Operations, an information systems asset inventory can give a broad picture to help identify these gaps in order to allot appropriately in your organization’s budget.
More than just managing risk and operations, having a detailed list of your organizations information systems (particularly hardware) can have an added tax benefit as these systems can be depreciated over time. Unlike other assets in your organization, technology becomes less valuable over time.
Creating and managing an information system asset inventory is good for your business and ultimately for your patients. Start simple, create a spreadsheet to list all your hardware and software systems. Remember to include personal devices that are used within your network (so-called Bring Your Own Device). Consider including the cost and age of the information systems as well. As you continue this process, or if you are a larger healthcare entity, you may want to use a software system that can help you track these systems.
A healthy organization is one that manages its risks and creates a culture of security. Having an information system asset inventory list is an important step in the health of your organization!
If you have any questions, please don’t hesitate to reach out! Happy HIPAA trekking!