Planning your HIPAA success is probably the last thing on your mind. As a busy healthcare professional, you deal with multiple roaring fires all day long every day. Because you are so busy, it is easy to put off HIPAA compliance and simply hope for the best. What you may not realize is your burning compliance ember can quickly become an uncontrollable forest fire. Hoping for the best with your HIPAA compliance program has several problems:
- The Office for Civil Rights (OCR) is conducting audits to ensure compliance
- Healthcare breaches are on the rise, resulting in costly fines
- It is no longer a question of IF you will experience a breach, but WHEN
Reactive Versus Proactive Compliance
The OCR is auditing organizations of all sizes. In HIPAA's early years the rule had no teeth. The audits have changed that. The OCR now expects organizations to be proactive in their compliance efforts. Reactive compliance is a thing of the past.
Proactive compliance is imperative to the health of your business. Fines can reach as high as $1.5 Million per incident per calendar year. The largest HIPAA fine was $4.8 Million. Failing to be proactive in your HIPAA compliance efforts will not only put you at risk if you are audited, but will also put you at increased risk for a breach with a lofty fine.
Most importantly, proactive compliance protects your patients. Patients do not always remember their own health issues. Loss of access to your patient files could result in harm to your patients. Being proactive in your compliance efforts helps to ensure your patients’ data stays healthy.
Planning HIPAA Success
To plan for the worst, you need to start by conducting a risk analysis. Be sure to assess your current policies and procedures. Ensure that you are also following them and keeping documentation of your compliance efforts. Conducting a risk analysis is not an optional task for HIPAA covered entities and their business associates; it is a required action. Your organization must determine how often a risk analysis should be conducted.
In addition to the risk analysis, you need to have a solid backup and disaster recovery plan in place. Because the healthcare industry is the most attacked industry, failure to have this step in place could cost you years of patient information on top of lofty fines.
I understand that all this can be overwhelming. However, it is necessary to remember that compliance is not a checkbox that can be marked and then forgotten. Compliance is a journey that must be taken one step at a time. Unfortunately, it is not a journey that has an end point.
Don’t just hope for the best with your HIPAA compliance! Be proactive! Contact one of our HIPAAsherpas to find out how we can help you on your HIPAA journey!
You know that you have to secure your Protected Health Information. You also know that you should encrypt your PHI. But, do you know how expensive not having your PHI encrypted can be? Do you know the steps you should take to encrypt your devices and systems?
The University of Texas MD Anderson Cancer Center (MD Anderson) knows exactly how expensive it is to fail to encrypt. MD Anderson experienced multiple HIPAA violations recently:
- Theft of an unencrypted laptop from a private residence of an employee
- Two losses of unencrypted USB thumb drives
Because of these violations, MD Anderson was ordered to pay $4.35 Million in penalties to the Office for Civil Rights (OCR). The OCR news release on this case can be viewed here.
A History of Risk
In 2006, MD Anderson implemented written encryption policies. Even though they had a formal policy in place, MD Anderson had not implemented it. In fact, their own risk analysis found that the lack of device-level encryption posed a high-level risk. MD Anderson did not actually begin to implement encryption of ePHI until 2011. Even then, they still failed to encrypt their devices containing ePHI between March 24, 2011 and January 25, 2013.
They were penalized for each day of non-compliance and for each record breached. HIPAA allows for fines up to $1.5 Million per record per calendar year when assessing penalties for breaches.
MD Anderson hoped to reduce the penalty. They argued that they were not obligated to encrypt their devices. They argued that because the ePHI disclosed was for research, it was not subject to HIPAA. MD Anderson also argued that the penalties were unreasonable. The judge ruling on the case determined that there is a “high risk to MD Anderson’s patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
Encrypt Your PHI
So, what can you learn from this incident? Encrypt your PHI! Encryption sounds much more difficult than it actually is. You can easily encrypt your devices using tools already built into them. If a device, such as a USB drive, cannot easily be encrypted, simply disallow its use in your organization. The risk is simply too great for you not to encrypt every device that holds PHI.
The HIPAA Security Rule is confusing. The Security Rule identifies two types of implementation specifications: Required and Addressable. The encryption specifications for HIPAA are “Addressable.” This confuses many organizations, just as it confused MD Anderson. Addressable sounds like it should be optional. However, Addressable is not synonymous with optional.
If a HIPAA specification is Addressable, you must either implement it or adopt an equivalent solution. So, if you determine that encryption is not an option for your organization, you must adopt a similar solution to secure your PHI. In addition, you must document a strong justification as to why you are not able to implement the encryption specification.
The encryption and decryption standard can be found here.
Steps You Should Take
Just knowing that you have to encrypt your devices and stored PHI is not enough. You need to take steps to implement encryption practices in your organization. The first step is conducting a risk analysis. You can’t protect what you don’t know is at risk.
Secondly, you need to take an inventory of all your assets that store or transmit PHI. Be careful not to forget personal devices that are used to access your PHI (Bring Your Own Device – BYOD). During this step, determine if you need to apply encryption on the device or system.
You also need to create a policy and procedures for encrypting your PHI. Just having a policy in place is not sufficient. You have to IMPLEMENT your encryption procedures. In addition, you need to train your employees on the proper use and security of devices and systems containing PHI.
For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact us!
CMS has released a memorandum, Texting of Patient Information among Healthcare Providers. The Joint Commission released a similar recommendation in December 2016.
CMS’s recent memo states that texting of physician orders is out of compliance with several Conditions of Participation and Conditions of Coverage, mainly the retention of record and content of record requirements.
Entities are required to maintain the record in its original or legally reproduced form. Text messages are not able to accomplish this, and some messaging platforms struggle with this requirement as well. If you are using a messaging platform to communicate orders, check with your messaging application provider to see if they are able to integrate with your EMR’s Computerized Physician Order Entry (CPOE) function. If yes, you may be able to continue to use your messaging application and remain in compliance with the CMS conditions of participation/coverage. You will also need to ensure that your messaging platform is able to authenticate the author of the message for it to be in compliance.
CMS is stating that Computerized Physician Order Entry (CPOE), not text messaging, is the preferred means of communicating and documenting orders. If you have a messaging platform, or if you are planning on adopting one, do your homework to make sure you have selected or are selecting one that keeps you in compliance with CMS as well as HIPAA.
Things to look for with your messaging platform provider:
- Does it meet HIPAA security guidelines? Minimally, it must support:
  - Unique user login
- Do they have the ability to retain the records for at least 5 years (CMS requirement) in their original form or legally reproduced form?
- Do they have the ability to protect records from unauthorized deletion or modification? (This is both a CMS and a HIPAA requirement)
- How do they prevent unauthorized access to the records? (This is both a CMS and a HIPAA requirement)
This memo does not remove the ability to use secure messaging for other healthcare operations. CMS and the Joint Commission recognize the importance of electronic messaging; however, the safety of patients regarding patient orders, including discharge orders, means that text messaging is not approved.
If you are using text messaging or a messaging application, other than your EMR’s CPOE, please contact us for guidance.
As a Covered Entity (CE) you disclose protected health information (PHI) throughout the day for treatment, payment, and health care operations (TPO). These TPO disclosures do not require you to obtain an authorization from the patient. Examples of treatment disclosures include when you draw a patient’s blood work at your clinic or practice, but you send the specimen to a reference lab to obtain the results. Similarly, you see a patient who needs to see a specialist, so you refer the patient to another provider. This is also viewed as a treatment disclosure. Payment disclosures occur when you bill an insurance provider for care rendered. This includes when payment for care is obtained by billing Medicare, Humana, TRICARE, or any other healthcare insurance provider. Healthcare operations disclosures are those management actions you take to administer your overall healthcare program. Examples of healthcare operations disclosures include reviewing the competence or qualifications of your health care professionals, licensing or credentialing activities, conducting or arranging for medical review or legal services, as well as customer support to name a few. Bottom line, you are permitted to use and disclose PHI for TPO without the patient’s authorization.
You are also permitted to disclose PHI without a patient’s authorization, or opportunity to agree or object, to avert a serious threat to health or safety. As a CE, you may, consistent with your state law or other applicable laws, disclose PHI if you believe the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the person you notify is reasonably able to prevent or lessen the threat. The following two examples demonstrate how this provision in the rule can be used.
A clinic learns that a child has tested positive for tuberculosis. Upon learning that the child attends a local day care center, the clinic contacts the center immediately to have the child removed from the other children and isolated until the child can be picked up by his parents. The threat to the health of the other children is the contagious disease the child has, and the person(s) notified of this PHI have the ability to lessen the threat by isolating the child from the other children. In another example, a post-partum mother contacts the clinic and tells the front desk clerk that she feels depressed and is having thoughts of harming her newborns. After the mother ends the phone call, the clerk contacts the neonatal ward where the newborns are located, notifies the staff of the mother’s psychological condition, and contacts the police. When the mother arrives at the hospital where her newborns are, the police and a doctor are there to meet her at the door and assist the mother through her temporary crisis. The threat to the safety of the newborns is the mother’s ideation about harming them, and the PHI is the mother’s post-partum depressed condition.
In both examples above, the threat to the children and newborns is imminent, and the individuals contacted were reasonably able to prevent or lessen the threat. To make a disclosure under this part of the HIPAA rule, the threat must be imminent, not just a probability or an “it could happen” situation. In addition, the individual(s) contacted must be able to lessen or eliminate the threat. It is important to understand that when you make this type of disclosure, the rule recognizes you are doing so in “good faith” based on your reasonable belief at the time that an imminent threat to health and safety exists. As explained in the HIPAA rule preamble, this approach is consistent with the “duty to warn” third persons at risk, which had been established through case law. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist’s patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the danger. In the Tarasoff case, the patient told the doctor of his desire to kill Tarasoff, but the victim was never warned and was subsequently murdered. To be clear, the HIPAA rule is not intended to create a duty to warn or disclose; rather, it permits the CE to make a disclosure to avert a serious and imminent threat to health and safety.
As a CE, it is important to understand how this part of the HIPAA rule works and to ensure your staff have been trained to recognize this type of situation. The specific citation that addresses this type of disclosure can be found at 45 CFR 164.512(j)(i), Uses and disclosures for which an authorization or opportunity to agree or object is not required: Standard: Uses and disclosures to avert a serious threat to health or safety. This type of disclosure is also accountable and should be added to the Accounting of Disclosures list. For further questions on this subject or how HIPAAtrek can help you with your HIPAA compliance program, please contact our Account Executive Theresa Zemcuznikov at firstname.lastname@example.org.