We know many of you are currently rushing to meet the November 16, 2017 deadline for developing your Emergency Preparedness Plan for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). As you do so, the Centers for Medicare & Medicaid Services (CMS) wants you to keep in mind these three key essentials for maintaining access to healthcare during disasters and emergencies;
- Safeguarding human resources
- Maintaining business continuity
- Protecting physical resources
In addition, your emergency preparedness plan will be made up of these four sections;
- Emergency Plan (including risk assessment)
- Policies and Procedures
- Communication Plan
- Training and Testing Program
In developing your emergency plan, you must first conduct a facility based risk assessment. You may already have some or most of this accomplished because you conducted the HIPAA security rule’s risk analysis and implemented a risk management plan. Nevertheless, CMS wants your risk assessment to take an all-hazards approach. An all-hazards approach looks at all possible emergencies and disasters and spells out the response procedures for each. You can’t depend on procedures for responding to one type of emergency to provide sufficient response for a different type of emergency. For instance, your procedures for an active shooter in your facility will not help you respond to a ransomware attack of your electronic health records. Makes sense, right? Your risk assessment and subsequent plan should identify and include procedures for natural, man-made, and/or facility emergencies. It should;
- Identify all business functions essential to the facility’s operations that should be continued during an emergency
- Identify all risks or emergencies that the facility may reasonably expect to confront
- Identify all contingencies for which the facility should plan
- Consider the facility’s geographic location
- Assessment of the extent to which natural or man-made emergencies may cause the facility to cease or limit operations
- Determination of what arrangements may be necessary with other health care facilities, or other entities that might be needed to ensure that essential services could be provided during an emergency
CMS uses the term “facility-based” to mean the risk assessment and emergency preparedness program is specific to your facility. This is important as this approach will more clearly identify as well as eliminate, natural disasters for your facility and area. For instance, an RHC in Florida should consider preparedness actions in the face of an approaching hurricane as opposed to an RHC in South Dakota which should consider capabilities after a three-day winter blizzard, which is more reasonable to expect. On the other hand, both RHCs should assess and develop plans to respond to a power outage which was not caused by a natural disaster, yet does require immediate response to continue operations. For instance, do you have backup generators and fuel to run the generators, thereby providing the power needed to run essential operations?
CMS allows you as an RHC to use a community-based risk assessment developed by other entities, such as public health agencies, emergency management agencies, and regional health care coalitions or you can use theirs while conducting your own facility-based assessment. If you use a community- based risk assessment and plan, you need to have a copy of it and you need to work with the organization that developed it to ensure it meets the needs of your facility’s emergency plan.
Again, you may have already addressed these emergencies and hazards while implementing your HIPAA plan and policies, so a review of your plan may only require additional considerations. We at HIPAAtrek believe that many of the CMS requirements are already addressed by the HIPAA security rule. We are currently putting together an Emergency Preparedness Plan and HIPAA security rule cross-walk so you don’t have to reinvent the wheel; so be on the lookout for it. Until then, review your current HIPAA security plan for similarities that meet the CMS Emergency Preparedness Plan requirements and/or begin to document your all-hazards risk assessment.
Soon after implementation of the HIPAA privacy rule, some staff members would conclude that a violation had occurred because a doctor and a nurse were overheard speaking about a patient’s PHI, or a technician called out a patient by their actual name in the waiting room, or a white board at a nursing station contained PHI of patients on the Intensive Care Unit. Staff had yet to learn about the “Incidental Disclosure” rule that allows for incidental uses and disclosures that occur as a by-product of a use or disclosure permitted by the privacy rule, as long as reasonable safeguards are in place.
The same can be said today about breaches. There are still some staff members and some privacy officers that conclude that a breach has occurred when in fact the incident itself falls under an exception to the breach rule. With the implementation of the Omnibus rule on January 25, 2013, significant modifications to the breach notification rule were made to include three distinct exceptions to a breach. The definition of a breach remains the same and reads as follows: “a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the privacy rule which compromises the security or privacy of the protected health information”. However, if the incident falls under one of these three exceptions, no breach has occurred. Let’s take a closer look at each of these exceptions as described by the breach notification rule.
The first exception to a breach involves any unintentional acquisition, access, or use of PHI by a workforce member or other person acting under the authority of the CE or BA, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the privacy rule. For this exception to apply, the access must be unintentional and in good faith which can occur when a workforce member accessess the wrong patient’s chart. This exception would not apply if a technician is purposely “snooping” through electronic health records as this is not unintentional and certainly not in good faith. Additionally, the unintentional access would have to occur while the technician is conducting her duties for which she is authorized to do. Finally, after the unintentional access, the PHI cannot be further disclosed in a manner not allowed by the privacy rule. For instance, if the information is further disclosed for a treatment activity, this exception would apply. However, if the information garnered through the unintentional access is shared for “gossip” purposes, this first exception to a breach would not apply. In summary, the unintentional acquisition, access, or use must have been done in good faith, as part of the workforce member’s official duties, and not further disclosed in a manner not allowed by the privacy rule.
The second exception to a breach involves any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized healthcare arrangement in which the CE participates, and information received as a result of such a disclosure is not further used or disclosed in a manner not permitted by the privacy rule. For this exception to apply, the disclosure must be inadvertent. For example, a nurse on the B Ward inadvertently e-mails Dr. Serrano the wrong lab results. Dr. Serrano views the results noting that they belong to another patient and notifies the nurse who then sends him the correct lab results. Dr. Serrano deletes the e-mail and does not further disclose the lab results to anyone else in a manner not allowed by the privacy rule. Both the nurse and the doctor are authorized to access PHI, they both work at the same CE, and Dr. Serrano did not further disclose the PHI in a manner not allowed by the rule, thus this exception applies.
The third and final exception involves a disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information. The preamble to the HIPAA rule uses the example of a CE, due to lack of reasonable safeguards, sends a number explanations of benefits (EOBs) to the wrong individuals and a few of the EOBs are returned by the post office, unopened, as undeliverable, therefore the CE can conclude that the improper addressees could not reasonably have retained the information. However, the EOBs that were not returned as undeliverable, and that the CE knows were sent to the wrong individuals, should be treated as potential breaches. The key for this exception to apply is whether the unauthorized person is able to retain the information. For example, sometimes pharmacies handout a wrong prescription bag to a patient. If the patient walks to the exit, discovers it is the wrong medication, and quickly returns it to the pharmacy, the pharmacy can make an on the spot assessment as to whether the patient (unauthorized person) was able to retain any of the demographic information belonging to the wrong prescription, i.e., name, DOB, etc. If the patient has not retained any of the information, this exception to a breach will apply.
In conclusion, the framers of the HIPAA privacy rule were aware of instances where unintentional or inadvertent uses or disclosures within a CE or BA, or disclosures to unauthorized individuals that could not reasonably retain the PHI, would pose little to no threat of compromise to a patient’s PHI. As a result, these three exceptions were created. When your next potential breach surfaces at your organization, don’t jump to conclusions. First gather all the facts and then determine if an exception applies. If so, document the incident and the exception you applied, and retain in your appropriate log or files. If none of the exceptions apply, proceed with the four-factor breach assessment to determine if there is a low risk of compromise to the PHI. The steps for the assessment are provided here: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Phishing is the name of a method which entices you to give up your personal or financial information to people or organizations masquerading as a legitimate source. The bait is the request from a source you are familiar with, but is in fact, a replication or a phony. Phishing attacks may occur to your personal account, or they may involve your medical organization. In any event, knowing how to recognize them and not take the bait is the key to preventing a successful phishing attack.
Phishing attacks try to obtain valuable information from you such as your:
- Credit card number
- Bank account number
- Social security number
- Online account logins and passwords
The pilfered information is used to steal your money or in the case of your organization, carry out identity theft or introduce malware into your information systems.
Phishing attacks are carried out primarily in two main ways. First, attackers use phishing emails which look very similar to what you normally see in your daily e-mails. Second, attackers use links to websites that look similar to other organizations, companies, and/or banks that you visit frequently. Phishing e-mails and websites have the following characteristics:
- They all ask for you to provide personal information. Most legitimate organizations, and including all banks, will not ask you to provide personal information whether it be your credit card number or your login password.
- There is usually a sense of urgency. The phishing emails request immediate action and they use this technique to get you to bite quickly. This is the same technique you see on TV ads for a product whereby your quick response for “acting right now”, will get you a discount or a second item at half price. Or the e-mail will be emotional and pull at your “heart strings” in order to entice you to act.
- Most phishing emails have a generic “hello” for the greeting. The e-mail does not use your name since it is the same phishing e-mail sent to millions.
- The e-mails may contain attachments which are most likely malware and the moment you click on it, you invite malware (malicious code) into your system which will begin to destroy or copy your hard drive and its contents.
- The e-mails may also contain a phony link to a phony website. The link is masked so what you see looks correct, but the actual hyperlink is set up to go to the phony site. Hover your mouse over the link to see what is truly behind it.
- Many times, the e-mails contain poor grammar. Remember, hackers come at all levels with some that are very good at what they do, and others with poor writing skills.
- Legitimate websites use Secure Sockets Layer (SSL) for protecting the information you enter into the site; look for https:// instead of http:// in the URL. The added “s” means the site is secured.
Phishing attacks have increased over the years as hackers have gotten smarter and more clever. However, there are preventive steps you or your staff can take to survive the attacks with little to no damage. Consider the following:
- Your IT department should consider installing robust spam filters which can identify these e-mails and send them to the spam folder instead.
- If the e-mail looks suspicious, don’t trust it. Instead, pick up the phone and call the organization to determine if they sent the e-mail in question.
- If the link looks suspicious, don’t click on it. Instead, manually type the organizations real URL into your browser and provide the information after you have confirmed it was the organization that contacted you.
- Your IT department should consider adopting a URL scanner which will check the authenticity of any website you visit.
- If your organization uses Internet Explorer, ask your IT department to turn on the SmartScreen filter which will help you discover if a website is a phishing site.
- Unlike your browser at home, your organization determines what browser you will use at work, and it is most likely a newer browser which is supported with patches by the manufacturer. Nonetheless, your IT department could consider installing a security toolbar to alert you when visiting known phishing sites.
While the above technical steps will help minimize the effects of a phishing attack or help avoid them altogether, the ultimate defense lies with the user or employees themselves. It is the human factor that contributes to the large cases of successful phishing attacks since employees are ultimately tricked to open the link and/or respond to the e-mail. However, the more your workforce is educated regarding phishing, the more likely they will recognize an attack when it occurs. Some organizations have conducted “phishing simulations” to determine how many individuals will fall prey to the fake phishing attack. Afterwards, those individuals are provided additional training. This can be a great way to provide training and practice recognizing phishing attacks, but organizations need to make sure no punitive action is taken. Instead, consider an organization wide contest such that the department with the lowest number of tricked employees wins some prize or recognition.
Phishing attacks will continue and become more elaborate. The best defense is to employ technical safeguards to help detect them as well as to train your staff how to recognize them and not take the bait.
Happy HIPAA trekking!
When thinking about your information system asset inventory, it is easy to focus solely on the compliance elements. When doing so, many smaller healthcare organizations will opt not to keep an inventory, as it is not explicitly required in HIPAA. Although not specifically required in the HIPAA Security Rule, there are indicators in the Security Rule that an accurate and up-to-date information systems asset inventory will support several of the requirements within the Rule such as Risk Analysis, Risk Management, Information Systems Activity Review, Device and Media Management, and Audit Controls.
An information system asset inventory is more than just tracking your hardware. According to the HIPAA Security Rule Crosswalk to NIST, managing assets enables “the organization to achieve business purposes that are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.”
There are many benefits of creating and maintaining an accurate and up-to-date inventory. The three broad categories of benefit are: Risk Management, Business Operations, and Financial.
You can’t protect what you don’t know you have. Arguably one of the most important requirements of the HIPAA Security Rule is the Risk Analysis. Organizations that have to comply with HIPAA, are required to identify reasonable threats and vulnerabilities to their electronic PHI. Having an information system asset inventory will give the organization a starting place for this process.
Conducting audits and reviewing your system activity is also drastically simplified when there is an inventory in place. The inventory serves as a checklist to ensure you have reviewed/audited all the systems in your organization where PHI is stored, accessed, transmitted, or created.
Healthcare entities are notoriously short staffed and as such are constantly looking for ways to improve their productivity with their existing workforce. The irony is that the healthcare industry as a whole as a reliance on older and legacy systems which are costly from a productivity standpoint (which translate into lost dollars). Having an information system asset inventory helps to identify technology gaps. Since we know that older systems that are not supported by the manufacturer are a major risk factor, having an inventory that reflects the age of a system can identify when that system should be replaced. This not only will help improve productivity, but will also reduce the risk of a technical breach to your organization.
Reducing risk and improving productivity will have a direct and positive impact on your organization. Understanding the percentage of your budget spent on technology is also important. The healthcare industry has historically not invested heavily on their IT infrastructure and supporting systems. The majority of the healthcare IT budget is spent on softwares such as EMR and telehealth. This can cause an increased cost to productivity, operations, and compliance as not enough attention is being spent on the infrastructure itself. As detailed in Business Operations, an information systems asset inventory can give a broad picture to help identify these gaps in order to allot appropriately in your organization’s budget.
More than just managing risk and operations, having a detailed list of your organizations information systems (particularly hardware) can have an added tax benefit as these systems can be depreciated over time. Unlike other assets in your organization, technology becomes less valuable over time.
Creating and managing an information system asset inventory is good for your business and ultimately for your patients. Start simple, create a spreadsheet to list all your hardware and software systems. Remember to include personal devices that are used within your network (so-called Bring Your Own Device). Consider including the cost and age of the information systems as well. As you continue this process, or if you are a larger healthcare entity, you may want to use a software system that can help you track these systems.
A healthy organization is one that manages its risks and creates a culture of security. Having an information system asset inventory list is an important step in the health of your organization!
If you have any questions, please don’t hesitate to reach out! Happy HIPAA trekking!
The need for Business Associate Agreements (BAAs) is not a new one. They have been required since the inception of HIPAA. As the HHS Office for Civil Rights (OCR) has increased its enforcement efforts of HIPAA compliance, organizations that are required to be compliant with HIPAA, should review their business associate lists to verify that every business associate has a BAA in place.
Yesterday (April 20, 2017), the OCR announced a settlement of $31,000 with a non-profit located in Illinois. The non-profit had failed to enter into a BAA with one of its vendors that stores records containing PHI.
Settlement cases cost far greater than the amount owed to the OCR as a result of the compliance deficiency. When an organization settles with the OCR for a HIPAA violation, the organization is placed on a Corrective Action Plan (CAP). CAPs can be extensive, particularly for small organizations.
In the case of the Illinois non-profit, they have to create policies and procedures within 60 days and train their staff within 30 days of finalizing the policies. This will be a costly and time consuming endeavor for the organization. In addition to creating policies and training their staff, the organization also is required to make annual reports to the OCR on their compliance status.
Not only does this organization have to pay the OCR $31,000 and pay to create policies and train their staff, the organization also faces potential a reputation impact which could cost the organization further.
Some organizations struggle with identifying their business associates. Examples of potential business associates include (but is not limited to):
- EMR/Practice Management (billing) software companies
- Consultants that have access to PHI
- Outside IT vendors
- Outside Billing Company
- Leased Copier/Printer/Scanner (if the device has a hard drive)
- Record Storage companies
- Any other software, consultant, or vendor that accesses, stores, or transmits PHI
For more information on BAAs, visit: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
Happy HIPAA trekking!