When thinking about your information system asset inventory, it is easy to focus solely on the compliance elements. Doing so, many smaller healthcare organizations opt not to keep an inventory at all, since one is not explicitly required by HIPAA. Although the HIPAA Security Rule does not name an asset inventory as a requirement, an accurate and up-to-date inventory of information systems directly supports several requirements that the Rule does impose, such as Risk Analysis, Risk Management, Information System Activity Review, Device and Media Controls, and Audit Controls.
An information system asset inventory is more than just tracking your hardware. According to the HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework, managing assets enables “the organization to achieve business purposes that are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.”
There are many benefits of creating and maintaining an accurate and up-to-date inventory. The three broad categories of benefit are: Risk Management, Business Operations, and Financial.
You can’t protect what you don’t know you have. Arguably the most important requirement of the HIPAA Security Rule is the Risk Analysis. Organizations that must comply with HIPAA are required to identify reasonably anticipated threats and vulnerabilities to their electronic PHI. An information system asset inventory gives the organization a starting place for this process: every system on the list that creates, receives, maintains, or transmits ePHI is in scope for the analysis.
Conducting audits and reviewing your system activity is also drastically simplified when there is an inventory in place. The inventory serves as a checklist to ensure you have reviewed/audited all the systems in your organization where PHI is stored, accessed, transmitted, or created.
Healthcare entities are notoriously short staffed and as such are constantly looking for ways to improve productivity with their existing workforce. The irony is that the healthcare industry as a whole has a reliance on older and legacy systems, which are costly from a productivity standpoint (and that translates into lost dollars). An information system asset inventory helps to identify these technology gaps. Systems that are no longer supported by the manufacturer receive no security patches and are a major risk factor, so an inventory that records the age and vendor support status of each system can tell you when that system should be replaced. This not only improves productivity, but also reduces the risk of a technical breach in your organization.
Reducing risk and improving productivity have a direct and positive impact on your organization. Understanding the percentage of your budget spent on technology is also important. The healthcare industry has historically not invested heavily in its IT infrastructure and supporting systems. The majority of the healthcare IT budget is spent on software such as EMR and telehealth. This can increase the cost of productivity, operations, and compliance, because not enough attention is paid to the infrastructure itself. As noted above, an information system asset inventory gives a broad picture that helps identify these gaps so that your organization’s budget can be allotted appropriately.
Beyond managing risk and operations, having a detailed list of your organization’s information systems (particularly hardware) can have an added tax benefit, as these systems can be depreciated over time. Technology loses value over time faster than most other assets in your organization.
Creating and managing an information system asset inventory is good for your business and ultimately for your patients. Start simple: create a spreadsheet that lists all your hardware and software systems. Remember to include personal devices that are used within your network (so-called Bring Your Own Device, or BYOD). Consider recording the cost and age of each information system as well, along with whether it handles PHI. As this process matures, or if you are a larger healthcare entity, you may want to use a software system that helps you track these systems.
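As an added example (not HIPAAtrek’s code or any real organization’s inventory), the Python script below shows the kind of checks a spreadsheet inventory makes possible once it carries the columns suggested above. It flags PHI-handling systems whose vendor support has ended, systems past a replacement-age threshold, PHI systems that the last risk analysis or activity review did not cover, and personal (BYOD) devices that handle PHI. The column names, the sample rows, the 5-year threshold and the list of reviewed assets are all constructed assumptions.

```python
"""Checks over a spreadsheet-style asset inventory (added example).

Assumes a flat CSV with the columns in SAMPLE_INVENTORY. The column names,
the rows and the thresholds are constructed for this example and are not
from HIPAAtrek or any real organization.
"""
import csv
import io
from datetime import date

# Constructed sample inventory. handles_phi: the system stores, accesses,
# transmits or creates ePHI. support_ends: vendor end-of-support date,
# blank if still supported. byod: personally owned device.
SAMPLE_INVENTORY = """\
asset_id,name,type,owner,handles_phi,os_or_version,support_ends,acquired,cost_usd,byod
WS-001,Front desk PC,workstation,Office manager,yes,Windows 7,2020-01-14,2012-06-01,900,no
WS-002,Exam room 1 PC,workstation,Nurse lead,yes,Windows 10,,2019-03-15,1100,no
SRV-001,EMR database server,server,IT vendor,yes,Windows Server 2008 R2,2020-01-14,2011-09-30,6500,no
MFP-001,Leased copier with hard drive,copier,Office manager,yes,firmware 4.2,,2018-02-01,0,no
PHN-017,Dr. Lee personal phone,mobile,Dr. Lee,yes,iOS 12,,2018-10-01,0,yes
LAP-004,Billing laptop,laptop,Billing,yes,Windows 10,,2017-05-20,1300,no
NET-001,Office Wi-Fi access point,network,IT vendor,no,firmware 2.1,,2015-01-10,250,no
"""


def load_inventory(csv_text):
    """Parse the CSV into dicts, converting flags, dates and cost."""
    inventory = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["handles_phi"] = row["handles_phi"].strip().lower() == "yes"
        row["byod"] = row["byod"].strip().lower() == "yes"
        row["support_ends"] = (date.fromisoformat(row["support_ends"])
                               if row["support_ends"] else None)
        row["acquired"] = date.fromisoformat(row["acquired"])
        row["cost_usd"] = float(row["cost_usd"])
        inventory.append(row)
    return inventory


def unsupported_phi_systems(inventory, today):
    """PHI-handling systems whose vendor support ended on or before today.
    These no longer receive security patches and belong at the top of the
    replacement list."""
    return sorted(a["asset_id"] for a in inventory
                  if a["handles_phi"] and a["support_ends"] and a["support_ends"] <= today)


def aging_systems(inventory, today, max_age_years):
    """Systems older than the organization's own replacement threshold."""
    return sorted(a["asset_id"] for a in inventory
                  if (today - a["acquired"]).days > max_age_years * 365.25)


def phi_systems_missing_from_review(inventory, reviewed_ids):
    """Checklist use: PHI systems the last risk analysis or information
    system activity review did not cover."""
    reviewed = set(reviewed_ids)
    return sorted(a["asset_id"] for a in inventory
                  if a["handles_phi"] and a["asset_id"] not in reviewed)


def byod_phi_devices(inventory):
    """Personally owned devices that touch PHI; they belong in the inventory too."""
    return sorted(a["asset_id"] for a in inventory if a["byod"] and a["handles_phi"])


def inventory_report(csv_text, today_iso, reviewed_ids, max_age_years=5):
    """Run every check and return one dict so the results can be reviewed or tested."""
    inventory = load_inventory(csv_text)
    today = date.fromisoformat(today_iso)
    return {
        "unsupported_phi": unsupported_phi_systems(inventory, today),
        "aging": aging_systems(inventory, today, max_age_years),
        "phi_not_reviewed": phi_systems_missing_from_review(inventory, reviewed_ids),
        "byod_phi": byod_phi_devices(inventory),
        "phi_hardware_cost_usd": sum(a["cost_usd"] for a in inventory if a["handles_phi"]),
    }


if __name__ == "__main__":
    # Assumption: the last review covered only these four asset IDs.
    report = inventory_report(SAMPLE_INVENTORY, "2021-01-01",
                              ["WS-001", "WS-002", "SRV-001", "LAP-004"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

The leased copier and the physician’s personal phone are the two PHI systems the sample review missed, which is exactly the kind of gap the inventory-as-checklist is meant to expose; the Wi-Fi access point shows up as aging but not as a PHI risk, because it does not handle PHI.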
A healthy organization is one that manages its risks and creates a culture of security. Having an information system asset inventory list is an important step in the health of your organization!
If you have any questions, please don’t hesitate to reach out! Happy HIPAA trekking!
The need for Business Associate Agreements (BAAs) is not new; they have been required since the inception of HIPAA. As the HHS Office for Civil Rights (OCR) has increased its enforcement of HIPAA compliance, organizations that must comply with HIPAA should review their business associate lists to verify that every business associate has a BAA in place.
Yesterday (April 20, 2017), the OCR announced a settlement of $31,000 with a non-profit located in Illinois. The non-profit had failed to enter into a BAA with one of its vendors that stores records containing PHI.
Settlement cases cost far more than the amount paid to the OCR for the compliance deficiency. When an organization settles with the OCR over a HIPAA violation, the organization is placed on a Corrective Action Plan (CAP). CAPs can be extensive, particularly for small organizations.
In the case of the Illinois non-profit, they have to create policies and procedures within 60 days and train their staff within 30 days of finalizing the policies. This will be a costly and time consuming endeavor for the organization. In addition to creating policies and training their staff, the organization also is required to make annual reports to the OCR on their compliance status.
Not only does this organization have to pay the OCR $31,000 and pay to create policies and train its staff, it also faces a potential reputational impact that could cost it further.
Some organizations struggle with identifying their business associates. Examples of potential business associates include (but are not limited to):
- EMR/Practice Management (billing) software companies
- Consultants that have access to PHI
- Outside IT vendors
- Outside Billing Company
- Leased Copier/Printer/Scanner (if the device has a hard drive)
- Record Storage companies
- Any other software, consultant, or vendor that accesses, stores, or transmits PHI
For more information on BAAs, visit: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
Happy HIPAA trekking!
Medical record requests from attorneys, insurance companies, and everyone in between can be challenging to keep up with. You are trying to balance patient care with operations and getting paid for treatment. At HIPAAtrek, we frequently get asked how clinics and hospitals can charge for certain records requests.
In May 2016, HHS issued a clarification of permissible fees: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/clarification-flat-rate-copy-fee/index.html
HIPAA sets no fixed dollar maximum for copies of medical records; the fee must be reasonable and cost-based. The flat rate not to exceed $6.50 is an option for organizations that do not wish to calculate the actual or average cost of fulfilling a request, not a cap. There are three options for charging patients for copies of their health records:
- calculate the actual allowable costs to fulfill each request;
- use a schedule of costs based on average allowable labor costs to fulfill standard requests; or
- for requests for electronic copies, if the entity does not wish to calculate the actual or average cost, charge a flat rate of up to $6.50.
Link to the guidance from HHS: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee
That guidance also lists everything that may be included in the charge to a patient who has requested access to their PHI.
In addition to the federal regulations, most states have regulations regarding charges for medical records, and these can become quite sticky. Where a state law permits charges that the federal rule does not, the federal rule controls:
“The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.”
Here are some useful websites that detail the permissible charges by state:
As with all online resources, it is good practice to double check the guidance with the individual state’s website.
Happy HIPAA trekking!
Patients are looking for easy ways to communicate with their providers that don’t require a phone call. Long hold times and limited office hours for making an appointment, requesting records, paying a bill, and other routine contacts are frustrations your patients often cite. To resolve this, you look to technology to streamline patient communications.
Technology is a perfect solution to solve many of these more tedious communications. Technology can make your patients and your staff a lot happier. Patients can send communication requests at their convenience and your staff isn’t tied up on the phone to respond to them.
How we use technology to make our patients’ lives, and our own, easier is where it can get really sticky. The temptation is to create a communication page on our website. This is perfectly acceptable, so long as we keep HIPAA in mind when doing so. We have to ensure that the page where the patient makes these requests is SECURE. That means enabling encryption on that communication page so that the request reaches us without being readable by an unauthorized party in transit.
There are several ways we can handle this problem. The first method is through our Electronic Health Record’s patient portal. Patient portals were designed to allow patients to communicate with their providers in a number of ways. By creating a link to your patient portal on your website, your patients now have the option to communicate with your staff at their convenience.
The patient portal option only works if you have a patient portal and your patients are registered for it. Many practices solve this by putting a communication form directly on their website to take requests from potential new patients as well as from patients who are not yet registered for the portal. Making this communication form secure is a bit trickier, but still doable.
To secure your website communication forms, you have a few options. The simplest is to obtain a TLS certificate (still commonly sold as an “SSL certificate”) for your website and serve the whole site over HTTPS. The form page will then display as secure for your web visitors, and the submission cannot be read while it travels from the patient’s browser to your web server. Keep in mind that HTTPS protects the data only in transit; what happens to the submission after it reaches your server is covered below. If encrypting your entire site is not an option, you can purchase a secure web communication tool to embed on your website. A quick Google search for HIPAA compliant web communication forms will give you several options to choose from; because such a vendor receives PHI on your behalf, it is a business associate, and you will need a BAA with it before going live.
Apart from the website, we also have to ensure the submission reaches us securely. The most common way web communication forms are delivered is by email. Mail from the form to that account must be encrypted in transit, and the mailbox itself must be on an email service that encrypts stored messages and, if it is hosted by an outside provider, is covered by a BAA. You will also need to limit access to that email account to only the necessary staff within your clinic, and the account will need to follow your practice’s security policies regarding backup as well.
If you are using your website as a communication tool for your patients, make sure that the website and its supporting systems (including the content management system and the hosting) are included in your risk analysis, information system activity review, and the other security evaluations you have in place to meet the Security Rule requirements.
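To make the website checks above concrete, here is an added Python example (not from HIPAAtrek or any vendor) that audits a contact page’s HTML for the mistakes that undo HTTPS: the page itself not served over HTTPS, a form whose action posts to an http:// URL, a form that submits with GET (so patient-entered fields end up in the URL, the web server logs and browser history), and a form that posts to a third-party host, which is the embedded-vendor option and therefore needs a BAA. The clinic and vendor hostnames and the sample HTML are constructed.

```python
"""Audit a patient-communication page for insecure form delivery (added example).

Given the page URL and its HTML, flag the mistakes that undo HTTPS: the page
not served over HTTPS, a form posting to an http:// action, a form submitting
with GET, and a form posting to a third-party host (an embedded vendor tool,
which needs a BAA). Hostnames and HTML below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: the last form is clean, the other three each
# show one problem.
SAMPLE_PAGE_URL = "https://www.example-clinic.test/contact"
SAMPLE_HTML = """
<h1>Contact the clinic</h1>
<form action="http://www.example-clinic.test/cgi-bin/contact.php" method="post">
  <input name="patient_name"><textarea name="message"></textarea>
</form>
<form action="https://forms.vendor.test/submit/abc123" method="post">
  <input name="patient_name"><input name="dob">
</form>
<form method="get">
  <input name="patient_name"><input name="request">
</form>
<form action="/request-records" method="post">
  <input name="patient_name"><input name="request">
</form>
"""


class _FormCollector(HTMLParser):
    """Collect the action and method of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attrs = {k.lower(): (v or "") for k, v in attrs}
            self.forms.append({"action": attrs.get("action", ""),
                               "method": attrs.get("method", "get").strip().lower()})


def audit_page(page_url, html):
    """Return a list of (form_index, finding) tuples in page order.
    form_index is None for findings about the page itself."""
    findings = []
    page = urlparse(page_url)
    if page.scheme != "https":
        findings.append((None, "page is not served over HTTPS"))

    collector = _FormCollector()
    collector.feed(html)
    for index, form in enumerate(collector.forms):
        # An empty action submits back to the page itself, so resolve
        # relative actions against the page URL before checking them.
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append((index, f"form submits over plain HTTP: {target.geturl()}"))
        if form["method"] != "post":
            findings.append((index, "form submits with GET; field values end up in "
                                    "the URL, web server logs and browser history"))
        if target.hostname and target.hostname != page.hostname:
            findings.append((index, f"form posts to third-party host {target.hostname}; "
                                    "that vendor handles PHI and needs a BAA"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        where = "page" if index is None else f"form #{index}"
        print(f"{where}: {finding}")
```

Run it against the real contact page by fetching the HTML and passing the page URL; a clean result only means the form leaves the browser safely, so the mail-delivery and mailbox controls described above still need to be checked separately.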
Taking these few steps will help your practice avoid a costly breach due to insecure web communication.
For more information, contact us! Happy HIPAA Trekking!