HIPAA Compliance Efforts: Planning for the Worst and Hoping for the Best


Planning your HIPAA success is probably the last thing on your mind. As a busy healthcare professional, you deal with multiple roaring fires all day long every day. Because you are so busy, it is easy to put off HIPAA compliance and simply hope for the best. What you may not realize is your burning compliance ember can quickly become an uncontrollable forest fire. Hoping for the best with your HIPAA compliance program has several problems:

  • The Office of Civil Rights (OCR) is conducting audits to ensure compliance
  • Healthcare breaches are on the rise resulting in costly fines
  • It is no longer IF you will experience a breach, but WHEN

Reactive Versus Proactive Compliance

The OCR is auditing organizations of all sizes. In HIPAA's early years the law had no teeth. The audits have changed that. The OCR now expects organizations to be proactive in their compliance efforts. Reactive compliance is a thing of the past.

Proactive compliance is imperative to the health of your business. Fines can reach as high as $1.5 Million per incident per calendar year. The largest HIPAA fine was $4.8 Million. Failing to be proactive in your HIPAA compliance efforts will not only put you at risk if you are audited, but will also put you at increased risk for a breach with a lofty fine.

Most importantly, proactive compliance protects your patients. Patients do not always remember their own health issues. Loss of access to your patient files could result in harm to your patients. Being proactive in your compliance efforts helps to ensure your patients’ data stays healthy.

Planning HIPAA Success

To plan for the worst, you need to start by conducting a risk analysis. Be sure to assess your current policies and procedures. Ensure that you are also following them and keeping documentation of your compliance efforts. Conducting a risk analysis is not an optional task for HIPAA covered entities and their business associates; it is a required action. Your organization must determine how often a risk analysis should be conducted.

In addition to the risk analysis, you need to have a solid backup and disaster recovery plan in place. Because the healthcare industry is the most attacked industry, failure to have this step in place could cost you years of patient information on top of lofty fines.

I understand that all this can be overwhelming. However, it is necessary to remember that compliance is not a checkbox that can be marked and then forgotten. Compliance is a journey that must be taken one step at a time. Unfortunately, it is not a journey that has an end point.

Don’t just hope for the best with your HIPAA compliance! Be proactive! Contact one of our HIPAAsherpas to find out how we can help you on your HIPAA journey!

Is Your ePHI Encrypted?

You know that you have to secure your Protected Health Information. You also know that you should encrypt your PHI. But, do you know how expensive not having your PHI encrypted can be? Do you know the steps you should take to encrypt your devices and systems?

The University of Texas MD Anderson Cancer Center (MD Anderson) knows exactly how expensive it is to fail to encrypt. MD Anderson experienced multiple HIPAA violations recently:

  • Theft of an unencrypted laptop from a private residence of an employee
  • Two losses of unencrypted USB thumb drives

Because of these violations, MD Anderson was ordered to pay $4.35 Million in penalties to the Office for Civil Rights (OCR). The OCR news release on this case can be viewed here.

A History of Risk

In 2006, MD Anderson implemented written encryption policies. Even though they had a formal policy in place, MD Anderson had not implemented it. In fact, their own risk analysis found that the lack of device-level encryption posed a high-level risk. MD Anderson did not actually begin to implement encryption of ePHI until 2011. Even then, they still failed to encrypt their devices containing ePHI between March 24, 2011 and January 25, 2013.

They were penalized for each day of non-compliance and for each record breached. HIPAA allows for fines up to $1.5 Million per record per calendar year when assessing penalties for breaches.

MD Anderson hoped to reduce the penalty. They argued that they were not obligated to encrypt their devices. They argued that because the ePHI disclosed was for research it was not subject to HIPAA. MD Anderson also believed that the penalties were unreasonable. The judge ruling on the case determined that there is a “high risk to MD Anderson’s patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

Encrypt Your PHI

So, what can you learn from this incident? Encrypt your PHI! Encryption sounds much more difficult than it actually is. You can easily encrypt your devices using tools already built into them. If a device cannot easily be encrypted, such as a USB drive, simply disallow its use in your organization. The risk is simply too great for you not to encrypt all devices with PHI.

The HIPAA Security Rule is confusing. There are two types of implementation specifications in the Security Rule: Required and Addressable. The encryption specifications in HIPAA are designated “Addressable.” This confuses many organizations, just as it confused MD Anderson. Addressable sounds like it should be optional. However, Addressable is not synonymous with optional.

If a HIPAA specification is Addressable, you must implement it or adopt an equivalent alternative measure. So, if you determine that encryption is not an option for your organization, you must adopt an equivalent solution to secure your PHI. In addition, you must document a strong justification as to why you are not able to implement the encryption specification.

The encryption and decryption standard can be found here.

Steps You Should Take

Just knowing that you have to encrypt your devices and stored PHI is not enough. You need to take steps to implement encryption practices in your organization. The first step is conducting a risk analysis. You can’t protect what you don’t know is at risk.

Secondly, you need to take an inventory of all your assets that store or transmit PHI. Be careful not to forget personal devices that are used to access your PHI (Bring Your Own Device – BYOD). During this step, determine if you need to apply encryption on the device or system.

You also need to create a policy and procedures for encrypting your PHI. Just having a policy in place is not sufficient. You have to IMPLEMENT your encryption procedures. In addition, you need to train your employees on the proper use and security of devices and systems containing PHI.

For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact us!

Workstation Do’s and Don’ts

Secure your Workstations! Workstation security is an important step in the overall health of your HIPAA Security program. You want to protect your patients’ sensitive information, so you must secure the tools you use to access, transmit, and store their information.

Secure Your Workstations

Secure workstations through a few simple steps.

  1. Ensure each workstation has access controls enabled. This restricts unauthorized users and programs from accessing ePHI.
  2. Ensure workstations have automatic logoff or locking screensavers at short intervals (less than 15 minutes).
  3. Patch and manage software regularly to ensure the highest level of security. This also helps to prevent breaches due to gaps in security updates.
  4. Position your workstations to protect them from public view.
  5. Ensure you have physical security safeguards in place:
    • Workstations should be secured at their stations.
    • Laptops can be attached to a desk or otherwise secured when possible.
  6. Disable the ability for your employees to turn off your anti-virus software.
  7. Use enterprise-level (not home version) anti-malware software.
  8. Remove access to your network and software after an employee resigns or is terminated (within 24 hours).

In addition to these easy steps, you are required to review the audit logs of connected workstations. Using automated tools to aid in audit log review will help ensure your organization stays on top of workstation security.

Train Your Employees

Employees are responsible for more than half of all healthcare breaches. It is important to train your staff on their role in securing their workstations.

Most employees cringe at the thought of compliance training. When employees are not engaged in the training process or they are simply bored, your training programs are not effective. Therefore, STOP the long BORING training sessions! Incorporate training in ways that are easy for your employees to digest. Security reminders are not only required by HIPAA, but they are also incredibly effective training tools.

What is a security reminder? I am glad you asked! A security reminder is any communication, in any media, used to communicate important security information to your staff. Examples of security reminders include:

  • Placing a poster or flyer in common areas such as an employee break room
  • Sending short emails or memos
  • Conducting staff meetings to impart vital security information
  • Implementing screensaver messages

Training your staff in a meaningful way increases learning retention and improves staff productivity and engagement. Your employees won’t remember an hour long training seminar. However, they will remember a note taped to the employee fridge or on the back of the bathroom stall!

Wrapping it Up

Workstation use is a standard in the Security Rule because the workstation is the main avenue to your organization’s ePHI. Without appropriate workstation procedures and proper staff education, the workstation can become a risk to the confidentiality, integrity, and availability of your ePHI.

For more on how HIPAAtrek can help you with your HIPAA program, contact us! Happy HIPAAtrekking!

Password Security – HIPAA Tip

Password security is the bane of most healthcare organizations’ existence! Employees and providers groan every time they are required to change their passwords. Remembering complex passwords is also difficult, especially when you have multiple passwords to remember for all the programs and networks required to manage patient care. Writing passwords down and sharing passwords are common temptations to ease the pain of password management. However, not taking password security seriously is leaving your patients’ information vulnerable.

The Password Security Conundrum

Many organizations struggle with password security. Providers and nurses often share login credentials with staff to make their workflows easier. However, sharing passwords IS a real security threat.

If you share your password, you are responsible for ALL activity under your login credentials! It is difficult, if not impossible, to monitor someone else’s activity on your login. This is particularly true if you are not closely watching them as they are logged in as you. The person you share your password with can purposefully or accidentally change patient data. As a result, you can face serious disciplinary actions, including fines or termination.

In addition to password sharing, how passwords are stored is another major concern. If you write your passwords down on a sticky note or in a notebook, STOP! This leaves passwords extremely vulnerable. Passwords that are written down can be lost or stolen. Also, it is impossible to determine who has accessed passwords that are written down on paper. If you must write down your passwords, consider the use of a password vault.

You and your staff are busy! As a result, these seem to be reasonable shortcuts to make their workflow more manageable. However, due to the possible monetary penalties or even loss of employment, they are really dangerous practices.

HIPAA Requirements

Not only is password security important for your security program, HIPAA actually REQUIRES it!

  • Password Management: Procedures for creating, changing, and safeguarding passwords.
  • Unique User ID: Assign a unique name and/or number for identifying and tracking user identity.

First, establish unique user IDs. This means that every user should have their own user name or identifier to log into sensitive programs or your network. Using generic user IDs such as “Nurse Station 1” to log in does not meet the requirement.

Second, make sure that every user ID has its own secure and complex password. This might, and probably does, mean that each employee will have multiple passwords that match up with each account.

Most importantly, TRAIN your staff on your security practices around securing and managing their passwords!
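The workstation checklist above calls for reviewing the audit logs of connected workstations (ideally with automated tools), and the password tips call for unique user IDs and no credential sharing. The following is an added example, not HIPAAtrek's code, that shows what such an automated review can look like. It assumes a constructed logon/logoff audit export in a simple CSV layout (timestamp, event, user, workstation), a constructed list of HR termination dates, and a hypothetical naming pattern for generic accounts; all sample data is made up. It flags three things: logons by terminated users more than 24 hours after termination, generic or shared user IDs, and one user ID active on two workstations at the same time, which is a common sign of password sharing.

```python
"""Automated review of workstation logon audit records (added example, not
HIPAAtrek's code). Assumes a constructed CSV export of logon/logoff events."""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample audit export (not real data).
AUDIT_CSV = """timestamp,event,user,workstation
2024-03-04T07:58:00,logon,jsmith,WS-RN-01
2024-03-04T08:02:00,logon,nursestation1,WS-RN-02
2024-03-04T08:10:00,logon,jsmith,WS-RN-03
2024-03-04T08:30:00,logoff,jsmith,WS-RN-01
2024-03-04T09:00:00,logoff,jsmith,WS-RN-03
2024-03-04T09:15:00,logon,bjones,WS-ADM-01
2024-03-04T10:00:00,logoff,bjones,WS-ADM-01
2024-03-04T11:00:00,logon,mlee,WS-RN-02
2024-03-04T11:45:00,logoff,mlee,WS-RN-02
2024-03-04T12:00:00,logoff,nursestation1,WS-RN-02
"""

# Constructed HR termination dates (user -> termination timestamp).
TERMINATED = {
    "bjones": datetime(2024, 3, 1, 17, 0),  # left three days earlier
    "mlee": datetime(2024, 3, 4, 9, 0),     # left this morning, still inside the 24h window
}

# The checklist's "remove access within 24 hours" rule.
ACCESS_REMOVAL_WINDOW = timedelta(hours=24)

# Hypothetical patterns for generic/shared accounts; tailor to your own naming.
GENERIC_ID_PATTERN = re.compile(r"^(nurse|station|front ?desk|reception|shared|generic)", re.I)


def parse_events(text):
    """Parse the CSV export into dicts with datetime timestamps, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def build_sessions(events):
    """Pair each logon with the matching logoff for the same user and workstation.
    Sessions without a logoff are still open and get end=None."""
    open_sessions, sessions = {}, []
    for ev in events:
        key = (ev["user"], ev["workstation"])
        if ev["event"] == "logon":
            open_sessions[key] = ev["timestamp"]
        elif ev["event"] == "logoff" and key in open_sessions:
            sessions.append((ev["user"], ev["workstation"], open_sessions.pop(key), ev["timestamp"]))
    for (user, ws), start in open_sessions.items():
        sessions.append((user, ws, start, None))
    return sessions


def find_terminated_logons(events, terminated):
    """Logons by terminated users more than 24 hours after their termination."""
    return [
        (ev["user"], ev["workstation"], ev["timestamp"])
        for ev in events
        if ev["event"] == "logon"
        and ev["user"] in terminated
        and ev["timestamp"] - terminated[ev["user"]] > ACCESS_REMOVAL_WINDOW
    ]


def find_generic_ids(events):
    """Distinct user IDs that look like shared or generic accounts."""
    return sorted({ev["user"] for ev in events if GENERIC_ID_PATTERN.match(ev["user"])})


def find_concurrent_sessions(sessions):
    """One user ID logged on to two different workstations at overlapping times."""
    findings, by_user = [], {}
    for s in sessions:
        by_user.setdefault(s[0], []).append(s)
    for user, items in by_user.items():
        for i in range(len(items)):
            for j in range(i + 1, len(items)):
                a, b = items[i], items[j]
                if a[1] == b[1]:
                    continue  # same workstation, not a sharing indicator
                a_end, b_end = a[3] or datetime.max, b[3] or datetime.max
                if a[2] < b_end and b[2] < a_end:  # intervals overlap
                    findings.append((user, a[1], b[1]))
    return findings


def review(audit_csv, terminated):
    """Run all three checks and return the findings by category."""
    events = parse_events(audit_csv)
    return {
        "terminated_logons": find_terminated_logons(events, terminated),
        "generic_ids": find_generic_ids(events),
        "concurrent_sessions": find_concurrent_sessions(build_sessions(events)),
    }


if __name__ == "__main__":
    for kind, items in review(AUDIT_CSV, TERMINATED).items():
        print(kind, items)
```

On the sample data this reports bjones (terminated days earlier, still logging on), the generic nursestation1 account, and jsmith signed on to WS-RN-01 and WS-RN-03 at the same time. Each finding points at a different control from the text: timely access removal, unique user IDs, and not sharing passwords. Feed it your real audit export and HR roster and treat the output as the starting point of the documented review.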

Security Beyond HIPAA

Just meeting the HIPAA requirements may not be enough to protect your patients’ information. Beyond HIPAA, it is important to protect passwords in order to secure your network and all of its data. A rogue, or even well-intentioned, employee can change a patient’s chart causing great harm to the patient.

Your HIPAA Tip on sharing passwords is simple: don’t.

If you have any questions on how to meet these requirements, contact us!

Happy HIPAAtrekking!

Texting Patient Orders

Texting patient orders is easy. However, due to patient safety, security and privacy concerns, CMS and the Joint Commission prohibit it! Not only is texting patient information a gray area of the HIPAA law, it also does not meet Medicare requirements.

Texting and HIPAA

Despite how tempting and convenient texting patient information may seem, it is a legal gray area. Therefore, if you want to go down this path, consult with an attorney who is well versed in HIPAA.

HIPAA is pretty serious about how Electronic Protected Health Information (ePHI) must be transmitted and stored. The transmission must be secure. This can be a tedious and expensive undertaking. Text messages need to be securely transmitted and archived. This becomes even more difficult with the Bring Your Own Device (BYOD) situation that naturally comes with texting. As most organizations do not provide cell phones to their staff, texting will be done on their personal devices.

HIPAA Considerations

All transmissions of ePHI, including texts, must be taken into account when an organization conducts its risk analysis. In the risk analysis process, the organization must consider:

  • WHAT ePHI is being transmitted
  • HOW the ePHI is being transmitted
  • WHICH devices are permitted to send ePHI
  • IF the organization has a BYOD policy, whether those devices are included in the risk analysis

In addition, the impact to the organization in the event of a breach must also be calculated. Events such as theft, loss, improper disposal of the device, as well as the likelihood of the ePHI being intercepted by an unauthorized individual, must all be considered in the risk analysis.

So How Do I Communicate?

You may be tempted to stop all electronic transmissions. However, eliminating electronic transmissions is not reasonable. Consider that 73% of all health care professionals are already texting ePHI, whether it is permissible or not. Also consider that 98% of all health care professionals rely on routine email messages to communicate between internal staff and referring providers as well as business associates. Eliminating electronic transmissions altogether could, and probably will, place an immense burden on the efficiency of your organization.

Because of the need for electronic communication, the idea of mutual consent comes into play. Mutual consent is where the HIPAA covered entity or business associate enters into an agreement with the patient whose data is being transmitted. HIPAA seemingly allows for insecure transmissions IF:

  • The individual is clearly informed of the security risks of insecure transmission and a secure option is recommended.
  • The individual indicates in writing that it is OK to send them ePHI via insecure email.
  • The Covered Entity keeps explicit records of all of these “mutual consent” cases, including the content of the risk warnings and the written approval from the individual.

Be very careful when using this loophole in the HIPAA law. Seek the advice of an attorney well versed in HIPAA BEFORE sending any insecure transmissions. With such a legal gray area, and with many secure options for securely transmitting ePHI on the market that are quite affordable, it is my recommendation that you still seek the secure transmissions.

Texting Patient Orders and CMS

The reason CMS and The Joint Commission prohibit texting patient orders goes far beyond just HIPAA. In fact, texting patient orders is considered out of compliance with several Conditions of Participation and Conditions of Coverage for CMS, most importantly the record retention and record content requirements.

If you participate in Medicare, you are required to maintain records in their original or legally reproduced form. Texts are not able to accomplish this. Additionally, some messaging platforms struggle with this requirement. Check with your messaging provider to see if they are able to integrate with your EMR’s Computerized Physician Order Entry (CPOE) function. If so, you may be able to continue to use your messaging application and remain in compliance with CMS.

Happy HIPAAtrekking!