You know that you have to secure your Protected Health Information. You also know that you should encrypt your PHI. But do you know how expensive not having your PHI encrypted can be? Do you know the steps you should take to encrypt your devices and systems?
The University of Texas MD Anderson Cancer Center (MD Anderson) knows exactly how expensive it is to fail to encrypt. MD Anderson experienced multiple HIPAA violations recently:
- Theft of an unencrypted laptop from a private residence of an employee
- Two losses of unencrypted USB thumb drives
Because of these violations, MD Anderson was ordered to pay $4.35 Million in penalties to the Office for Civil Rights (OCR). The OCR news release on this case can be viewed here.
A History of Risk
In 2006, MD Anderson implemented written encryption policies. Even though they had a formal policy in place, MD Anderson had not implemented it. In fact, their risk analysis found that a lack of device-level encryption posed a high-level risk. MD Anderson did not actually begin to implement encryption of ePHI until 2011. Even then, they still failed to encrypt their devices containing ePHI between March 24, 2011 and January 25, 2013.
They were penalized for each day of non-compliance and for each record breached. HIPAA allows for fines up to $1.5 Million per record per calendar year when assessing penalties for breaches.
MD Anderson was hoping to reduce the penalty. They argued that they were not obligated to encrypt their devices. They argued that because the ePHI disclosed was for research it was not subject to HIPAA. MD Anderson also believes that the penalties were unreasonable. The judge ruling on the case determined that there is a “high risk to MD Anderson’s patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
Encrypt Your PHI
So, what can you learn from this incident? Encrypt your PHI! Encryption sounds much more difficult than it actually is. You can easily encrypt your devices using tools already built into them. If a device, such as a USB drive, is not easy to encrypt, simply disallow its use in your organization. The risk is simply too great for you not to encrypt all devices with PHI.
The HIPAA Security Rule is confusing. There are two types of steps identified in the Security Rule: Required and Addressable. The encryption rules for HIPAA are specified as “Addressable.” This confuses many organizations, just like MD Anderson. Addressable sounds like it should be optional. However, the definition of Addressable is not synonymous with optional.
If a HIPAA rule is Addressable and you do not implement it as written, you must adopt a similar solution. So, if you determine that encryption is not an option for your organization, you must adopt a similar solution to secure your PHI. In addition, you must have a strong justification as to why you are not able to implement the encryption rule.
The encryption and decryption standard can be found here.
Steps You Should Take
Just knowing that you have to encrypt your devices and stored PHI is not enough. You need to take steps to implement encryption practices in your organization. The first step is conducting a risk analysis. You can’t protect what you don’t know is at risk.
Secondly, you need to take an inventory of all your assets that store or transmit PHI. Be careful not to forget personal devices that are used to access your PHI (Bring Your Own Device – BYOD). During this step, determine if you need to apply encryption on the device or system.
You also need to create a policy and procedures for encrypting your PHI. Just having a policy in place is not sufficient. You have to IMPLEMENT your encryption procedures. In addition, you need to train your employees on the proper use and security of devices and systems containing PHI.
For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact us!
Secure your Workstations! Not surprisingly, workstation security is an important step in the overall health of your HIPAA Security program. In order for you to protect your patients’ data, you must protect the tools you use to access, transmit, and store their information.
Secure Your Workstations
You can secure workstations through a few simple steps:
- Enable access controls on each workstation to restrict unauthorized users and programs from accessing ePHI
- Workstations should have automatic logoff or screensavers at low intervals (less than 15 minutes)
- Software is patched and managed to ensure the highest level of security. This also helps to prevent breaches due to gaps in security updates
- Position your workstations to protect from public view
- Make sure you have physical security safeguards in place
- Workstations should be secured at their stations
- Laptops can be attached to a desk or otherwise secured when possible
- Disable the ability for your employees to turn off your anti-virus software
- Use enterprise-level (not home version) anti-malware software
- Remove access to your network and software after an employee resigns or is terminated (within 24 hours)
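Three of these checklist items (device encryption from the earlier section, auto-lock in under 15 minutes, and employees being unable to turn off anti-virus) can be spot-checked on a Windows workstation with built-in cmdlets. This audit script is an added example, not code from the HIPAAtrek post; it assumes BitLocker and Microsoft Defender are the tools in use and reads only the current user's screen-saver settings.

```powershell
# Added example (not from the HIPAAtrek post): read-only audit of three
# workstation checklist items. Run in an elevated PowerShell session on
# Windows 10/11 or Server, where the BitLocker and Defender modules ship.
$findings = @()

# 1. Device encryption: every OS and fixed data volume should be fully
#    encrypted with BitLocker protection turned on.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -in @('OperatingSystem', 'Data')) {
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Volume $($vol.MountPoint): protection $($vol.ProtectionStatus), status $($vol.VolumeStatus)"
        }
    }
}

# 2. Automatic lock: screen saver active, password required on resume,
#    timeout under 15 minutes (900 seconds) per the checklist.
#    (Assumption: checks HKCU only, i.e. the currently logged-on user; in a
#    domain this is normally enforced centrally by Group Policy instead.)
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desktop.ScreenSaveTimeOut
if ($desktop.ScreenSaveActive -ne '1' -or $desktop.ScreenSaverIsSecure -ne '1' -or
    $timeout -le 0 -or $timeout -ge 900) {
    $findings += "Screen lock: active=$($desktop.ScreenSaveActive) secure=$($desktop.ScreenSaverIsSecure) timeout=${timeout}s (need <900s)"
}

# 3. Anti-virus cannot be switched off by the user: Defender tamper
#    protection must be on and real-time protection running.
$mp = Get-MpComputerStatus
if (-not $mp.IsTamperProtected) {
    $findings += 'Microsoft Defender: tamper protection is off'
}
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'Microsoft Defender: real-time protection is disabled'
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: encryption, auto-lock and anti-virus settings meet the checklist'
} else {
    Write-Output 'FAIL:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A non-empty FAIL list is a finding to record in the risk analysis described above, not a fix by itself; the settings are corrected through BitLocker, Group Policy and Defender management.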
In addition to these easy steps, you are required to review the audit logs of connected workstations. Using automated tools to aid in the audit log process will ensure your organization stays on top of workstation security.
Train Your Employees
Employees are responsible for more than half of all healthcare breaches. It is important to train your staff on their role in securing their workstations.
Most employees cringe at the thought of compliance training. When employees are not engaged in the training process or they are simply bored, your training programs are not effective. Therefore, STOP the long BORING training sessions! Incorporate training in ways that are easy for your employees to digest. Security reminders are not only required by HIPAA, but they are also incredibly effective training tools.
What is a security reminder? I am glad you asked! A security reminder is any communication, in any media, used to communicate important security information to your staff. Examples of security reminders include:
- A poster or flyer in common areas such as an employee break room
- Short emails or memos
- Staff meetings to impart vital security information
- Screensaver messages
Training your staff in a meaningful way increases learning retention and improves staff productivity and engagement. Your employees won’t remember an hour long training seminar; however, they will remember a note taped to the employee fridge or on the back of the bathroom stall!
Wrapping it Up
Workstation use is a standard in the security rule because it is the main avenue to your organization’s ePHI. Without appropriate workstation procedures and proper staff education, the workstation can become a risk to the confidentiality, integrity, and availability of your ePHI.
For more on how HIPAAtrek can help you with your HIPAA program, contact us! Happy HIPAAtrekking!
Many small practices struggle with password security. The provider shares his login credentials with staff: to make it easier to pull records from hospital stays in preparation for a clinic visit, so Medical Assistants can have the exam room computer on and ready for him when he walks in, or so the nurse can chart for him. With how busy physicians are, these seem to be reasonable shortcuts to make his workflow more manageable. The problem is that these practices leave the physician and the practice vulnerable to some pretty hefty fines.
HIPAA requires covered entities and business associates with access to electronic Protected Health Information (ePHI) to implement a few safeguards to protect against unauthorized access to patient information:
Password Management: Procedures for creating, changing, and safeguarding passwords. §164.308(a)(5)(ii)(D)
Unique User ID: Assign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2)(i)
Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. §164.312(c)(1)
Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. §164.312(d)
Beyond the privacy reasons, it is important to protect passwords in order to secure the integrity of the ePHI. A rogue, or even well-intentioned, employee can change a patient’s chart, causing great harm to the patient. Your HIPAA Tip on sharing passwords is simple: don’t.
If you have any questions on how to meet these requirements, contact us!
CMS has released a memorandum, Texting of Patient Information among Healthcare Providers. The Joint Commission released a similar recommendation in December 2016.
CMS’s recent memo states that texting of physician orders is out of compliance with several Conditions of Participation and Conditions of Coverage, mainly the retention of record and content of record requirements.
Entities are required to maintain the record in its original or legally reproduced form. Texts are not able to accomplish this, and some messaging platforms struggle with this requirement as well. If you are using a messaging platform to communicate orders, check with your messaging application provider to see if they are able to integrate with your EMR’s Computerized Physician Order Entry (CPOE) function. If yes, you may be able to continue to use your messaging application and remain in compliance with the CMS conditions of participation/coverage. You will also need to ensure that your messaging platform is able to authenticate the author of the message for it to be in compliance.
CMS states that Computerized Physician Order Entry (CPOE), not text messaging, is the preferred means of communicating and documenting orders. If you have a messaging platform, or if you are planning on adopting one, do your homework to make sure you have selected or are selecting one that keeps you in compliance with CMS as well as HIPAA.
Things to look for with your messaging platform provider:
- Does it meet HIPAA security guidelines? Minimally, it must meet:
  - Unique user login
- Do they have the ability to retain the records for at least 5 years (CMS requirement) in their original form or legally reproduced form?
- Do they have the ability to protect from unauthorized deletion or modification of records created? (This is a CMS and a HIPAA requirement)
- How do they prevent unauthorized access to the records? (This is both a CMS and a HIPAA requirement)
This memo does not remove the ability to use secure messaging for other healthcare operations. CMS and the Joint Commission recognize the importance of electronic messaging; however, the safety of patients regarding patient orders, including discharge orders, means that text messaging is not approved.
If you are using text messaging or a messaging application, other than your EMR’s CPOE, please contact us for guidance.