A recent legal ruling demonstrates the importance of using encryption to protect ePHI from unauthorized viewing. A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. OCR reported that the Cancer Center had three separate data breaches in 2012 and 2013. The breaches involved the theft of an unencrypted laptop from the residence of a Cancer Center employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. The Cancer Center had written encryption policies going as far back as 2006 and had conducted a risk analysis that found that the lack of device-level encryption posed a high risk to the security of ePHI. Nonetheless, the Cancer Center did not begin to implement encryption of ePHI until 2011, and still failed to encrypt its inventory containing ePHI (data at rest) between March 24, 2011 and January 25, 2013. The Cancer Center was penalized for each day of non-compliance with HIPAA and for each record of individuals breached. This explains the high civil monetary penalty of $4,348,000.
The Cancer Center argued that they were not obligated to encrypt its devices and that the ePHI disclosed was for research and not subject to HIPAA disclosure rules. The Cancer Center further argued that HIPAA’s penalties were unreasonable. The judge rejected each of these arguments and stated that the Cancer Center’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that the Cancer Center “not only recognized, but that it restated many times.”
So, what can you learn from this incident? While the HIPAA Security Rule identifies “encryption” as an addressable implementation specification, this does not mean the specification is optional. It means that if you choose not to use encryption, you must adopt an equivalent alternative measure to secure the ePHI, or have a very strong justification for why the standard does not apply in your circumstance. The Cancer Center did neither, despite its own risk analysis identifying the lack of device-level encryption as a high risk to the security of its ePHI. Furthermore, there are numerous encryption solutions available for end-user and portable devices that are well within the capability of all covered entities, so it would be difficult for a CE to defend not employing encryption to protect PHI from unauthorized viewing. Second, if you have a policy that says you accomplish X, Y, and Z, make sure your actions mirror the policy. An adage among compliance professionals states that what is worse than not having a policy is having a policy and not following it. This was the case for the Cancer Center, which had encryption policies going back to 2006 that were not followed. Finally, PHI used for research purposes earns the same HIPAA protection as PHI used for Treatment, Payment, or Healthcare Operations.
Now is a very good time to inventory all your assets that maintain ePHI and determine whether you need to apply encryption or another solution to secure the ePHI. Take proactive steps to protect your data at rest and protect your organization from a major civil monetary penalty. The encryption and decryption standard can be found in 45 CFR § 164.312(a)(2)(iv). The OCR news release on this case can be viewed here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html. For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact our CEO Sarah Badahman at email@example.com.
The HIPAA Security Rule is full of requirements to help you protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). One of those rules addresses how you manage the workstation, which is important because it is the most direct route to your PHI. With that in mind, let’s review some steps you should take today regarding your workstations and protecting your ePHI.
- Ensure that each workstation has the necessary access controls to restrict unauthorized users and programs from accessing ePHI
- Ensure that software on each workstation and on the network is compatible and will not lead to the degradation of the system.
- Ensure workstations are turned away from public view
- Provide physical access controls to the workstations and laptops
  - Workstations should be secured at their stations
  - Laptops can be tethered to their desks when necessary
- Ensure workstations have virus protection that cannot be disabled by users
- Ensure operating systems receive critical updates and patches
- Remove network access promptly after an individual is terminated
While these are actions that can be performed by your IT department or security officer, end users also need to be educated about their responsibilities when working at the workstation.
- Do not leave passwords on sticky notes on the computer
- Do not share passwords with fellow employees
- Engage the screensaver when leaving the workstation unattended
- Lock the screen with Ctrl+Alt+Delete, or by holding the Windows key and pressing L
- Do not remove the plastic privacy screen from the monitor
Workstation use is a standard in the Security Rule because the workstation is the main avenue to your organization’s ePHI. Without appropriate workstation procedures and proper staff education, the workstation can become a risk to the confidentiality, integrity, and availability of your ePHI. For more on how HIPAAtrek can help you with your HIPAA program, contact our CEO, Sarah Badahman, at firstname.lastname@example.org. Happy HIPAAtrekking!
Many small practices struggle with password security. The provider shares his login credentials with staff to make it easier to pull records from hospital stays in preparation for a clinic visit, so that Medical Assistants can have the exam room computer on and ready when he walks in, or so the nurse can chart for him. With how busy physicians are, these seem like reasonable shortcuts to make the workflow more manageable. The problem is that these practices leave the physician and the practice vulnerable to some pretty hefty fines.
HIPAA requires covered entities and business associates with access to electronic Protected Health Information (ePHI) to implement several safeguards to protect against unauthorized access to patient information:
Password Management: Procedures for creating, changing, and safeguarding passwords. §164.308(a)(5)(ii)(D)
Unique User ID: Assign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2)(i)
Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. §164.312(c)(1)
Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. §164.312(d)
Beyond the privacy reasons, it is important to protect passwords in order to secure the integrity of the ePHI. A rogue, or even well-intentioned, employee using someone else’s login can change a patient’s chart, causing great harm to the patient, and the audit trail will point at the wrong person. Your HIPAA tip on sharing passwords is simple: don’t.
If you have any questions on how to meet these requirements, contact us!
CMS has released a memorandum, Texting of Patient Information among Healthcare Providers. The Joint Commission released a similar recommendation in December 2016.
CMS’s recent memo states that texting of physician orders is out of compliance with several Conditions of Participation and Conditions of Coverage, mainly the retention of record and content of record requirements.
Entities are required to maintain the record in its original or legally reproduced form. Text messages are not able to accomplish this, and some messaging platforms struggle with this requirement as well. If you are using a messaging platform to communicate orders, check with your messaging application provider to see whether it can integrate with your EMR’s Computerized Physician Order Entry (CPOE) function. If so, you may be able to continue using your messaging application and remain in compliance with the CMS conditions of participation/coverage. You will also need to ensure that your messaging platform can authenticate the author of each message for it to be in compliance.
CMS is stating that Computerized Physician Order Entry (CPOE), and not text messaging, is the preferred means of communicating and documenting orders. If you have a messaging platform, or if you are planning to adopt one, do your homework to make sure you have selected, or are selecting, one that keeps you in compliance with CMS as well as HIPAA.
Things to look for with your messaging platform provider:
- Does it meet HIPAA security guidelines? Minimally, it must meet:
  - Unique user login
- Does the provider have the ability to retain the records for at least 5 years (CMS requirement) in their original or legally reproduced form?
- Does the provider have the ability to protect against unauthorized deletion or modification of the records created? (This is a CMS and a HIPAA requirement)
- How does the provider prevent unauthorized access to the records? (This is both a CMS and a HIPAA requirement)
This memo does not remove the ability to use secure messaging for other healthcare operations. CMS and the Joint Commission recognize the importance of electronic messaging; however, the safety of patients regarding patient orders, including discharge orders, means that text messaging is not approved.
If you are using text messaging or a messaging application, other than your EMR’s CPOE, please contact us for guidance.
As a Covered Entity (CE) or a Business Associate, you will likely have ePHI located on mobile devices and media. ePHI is no longer confined to your desktop computer; it lives on many portable devices throughout your organization. Examples include laptops, external hard drives, thumb drives, tablets, smartphones, backup disks or tapes, and digital memory cards. What they all have in common is that they are mobile and may leave your organization by design or by accident. Managing your mobile media is paramount to maintaining the confidentiality, integrity, and availability of your ePHI as required by the HIPAA Security Rule. To do so, you need policies and procedures to account for your mobile media, as well as procedures for reuse and disposal.
Accountability: The Security Rule requires you to account for all mobile devices and media that maintain ePHI. This includes controlling where your media moves within your organization as well as outside of it. Imagine a scenario where mobile media cannot be found or accounted for in your large facility. Does that mean it is still in your facility, or has an employee taken it home? Is it lost? Worse yet, imagine the mobile device leaving your organization without your knowledge, placing your organization at risk of a privacy breach. To establish an accountability program, you must first have a full and correct inventory of all your mobile assets (laptops, tablets, smartphones, etc.). The next step is to establish a check-out/check-in log for the mobile media. Anyone who wants to remove mobile media from the organization must check it out first and sign it back in upon return. There must be a business justification to remove the device or media. Those few individuals who have been approved to use mobile media outside the facility on a routine basis should also sign the media out initially as a long-term checkout, so a record of its whereabouts is documented. Staff should be trained on this policy, and it should be followed every time. Periodic review of the sign-out log will help prevent further concerns about missing mobile devices and media.
Reuse: Mobile devices and media are sometimes reused within an organization. Additionally, many organizations provide their used or outdated hardware/software to local charities, such as churches or elementary schools. Whether the media stays in house or is donated, you need to ensure the media is sanitized of all ePHI.
There are several different software cleaning solutions on the market. These tools overwrite the entire storage device to eliminate all the data, and they are sometimes called “disk wipe” software. Look closely at the software instructions, which will direct you to run the software three times or up to seven times; each run is commonly known as a “pass”. The Department of Defense (DoD) 5220.22-M data sanitization method overwrites the existing information on the storage device. The wipe sequence writes zeros on the first pass, writes ones on the second pass, and writes random characters over the data on the third pass, making any previous information unrecognizable and unretrievable. When cleaning smartphones, review the manufacturer’s instructions for wiping the memory clean or restoring the phone to factory settings. The objective is to clean your mobile media so that it is free of all ePHI and the device can be reused internally or externally. Finally, document and tag the item as sanitized, and make a record of who it is signed out to.
Disposal: Not all mobile devices and media are reused. More often they are slated for disposal at the end of their life cycle. Disposal requires you to permanently remove all ePHI AND permanently destroy the device so that it cannot be used again. A common method to destroy the memory of a hard drive is to use a degausser (this will not work with flash memory-based devices). This method removes all ePHI and makes the memory unusable. If you don’t have a degausser, you can wipe the media clean (see the reuse method above) and then physically destroy the hard drive platter with a hammer. You can also use the options for mobile media listed in NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization: shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. Afterwards, document the destruction in your inventory so that it includes:
- Name of media destroyed
- Method of destruction
- Date of destruction
- Person or organization destroying media
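As an added example (not code from the original post or from HIPAAtrek), here is a Python script that performs the three-pass overwrite sequence described in the reuse section (zeros, ones, then random bytes) on a file, checks that the sample content can no longer be read back, and builds the inventory record with the four fields listed above. The file name, its contents and the person named are constructed placeholders, not real data.

```python
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # overwrite in 64 KiB blocks so large files are not read into memory
# The three overwrite patterns of the DoD 5220.22-M sequence described above:
# all zero bits, all one bits (a byte of eight 1s is 0xFF), then random bytes.
PASSES = (("zeros", lambda n: b"\x00" * n),
          ("ones", lambda n: b"\xff" * n),
          ("random", secrets.token_bytes))

def three_pass_overwrite(path):
    """Overwrite every byte of `path` three times in place, fsync'ing each pass; returns pass names."""
    size = os.path.getsize(path)
    done = []
    with open(path, "r+b") as fh:
        for name, fill in PASSES:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(fill(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force this pass onto the device before the next one starts
            done.append(name)
    return done

def still_contains(path, marker):
    """True if `marker` can still be read back from the file after the wipe."""
    with open(path, "rb") as fh:
        return marker in fh.read()

def sanitization_record(media_name, method, person):
    """The inventory entry to keep once media is sanitized or destroyed (the four fields above)."""
    return {"media": media_name, "method": method,
            "date": datetime.now(timezone.utc).date().isoformat(), "by": person}

def demo():
    """Wipe a constructed sample file (fake ePHI, not real data) and return (clean, passes, record)."""
    marker = b"MRN 000000 DOE, JANE\n"  # constructed placeholder content
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 5000)  # ~100 KB, so more than one CHUNK is exercised per pass
    passes = three_pass_overwrite(path)
    clean = not still_contains(path, marker)
    record = sanitization_record("backup.dat", "3-pass overwrite: " + ", ".join(passes), "security officer")
    os.remove(path)
    return clean, passes, record
```

Overwriting only sanitizes media whose every sector the host can address: NIST SP 800-88 Rev. 1 treats a single pass as sufficient for modern magnetic drives but does not rely on overwriting for flash-based devices (thumb drives, SSDs, phones), where wear levelling can keep copies the host cannot reach.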
As a Covered Entity (CE) or a Business Associate, you will undoubtedly have mobile devices and media to manage. Today, mobile media is ubiquitous. To ensure you protect ePHI from unauthorized access and prevent a data breach, implement device and mobile media accountability, reuse, and disposal procedures. Staff should understand that they must bring questions and concerns about mobile media to you (the security officer/office), including the use of their own mobile media if your policy allows it. The HIPAA Security Rule addresses the requirements for device and media control at 45 CFR §164.310(d)(1), Physical Safeguards; Device and media controls. For further questions on this topic or assistance with your HIPAA compliance program, please contact our Chief Executive Officer, Sarah Badahman, at email@example.com. Until then, happy HIPAA trekking!