Many small practices struggle with password security. The provider shares his login credentials with staff to make it easier for him to pull records from hospital stays in preparation for a clinic visit as well as so Medical Assistants can have the exam room computer on and ready for him when he walks in or so the nurse can chart for him. With how busy physicians are, these seem to be reasonable shortcuts to make his workflow more manageable. The problem is these practices are leaving the physician and the practice vulnerable to some pretty hefty fines.
HIPAA requires covered entities and business associates with access to electronic Protected Health Information (ePHI) to implement a few safeguards to protect unauthorized access to patient information:
Password Management: Procedures for creating, changing, and safeguarding passwords. §164.308(a)(5)(ii)(D)
Unique User ID: Assign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2)(i)
Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. §164.312(c)(1)
Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. §164.312(d)
Beyond the privacy reasons, it is important to protect passwords in order to secure the integrity of the ePHI. A rogue, or even well-intentioned, employee can change a patient’s chart causing great harm to the patient. Your HIPAA Tip on sharing passwords, is simply don’t.
If you have any questions on how to meet these requirements, contact us!
As we continue through October 2017 and National Cybersecurity Awareness Month (NCSAM), we continue to focus on going back to the basics. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information or e-PHI, and the training you provide your workforce. Last week we looked at some basic tips about patch management and how a major organization failed to patch a vulnerability leading to the exposure of financial information of 145.5 million individuals. This week’s third installment of cybersecurity tips by HIPAAtrek will focus on multi-factor authentication.
Multi-factor Authentication: Multi-factor authentication is the security procedure of using two or more independent credentials to allow someone access to your information systems and e-PHI. You may have first seen this on the big screen where a James Bond type character enters a password followed by their thumb print or scan of their eye to access a classified area. This is not just movie stuff anymore. This is an example of multi-factor authentication and it provides the most secure method of ensuring the individual attempting to access the system is the person they report to be. Here are the three credentials in multi-factor authentication you need to understand:
Something you know (Knowledge Factor). This is a password, passcode, or passphrase that only you know.
Something you have (Possession Factor). This is a special hardware token which could be a key, or smart card with a unique Personal Identification Number or (PIN) assigned only to you. When you use the token, the information system recognizes your entry through this token and you authenticate it by entering the PIN.
Something you are (Inherence Factor). This is the method of identifying yourself by one of your biological traits. Unique biological identifiers include finger prints, hand geometry, retina and iris scans, or voice recognition. No one else has your biological traits and therefore cannot use them to authenticate.
The advantage of using a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still needed to gain access. In other words, I may learn your password, but I don’t have your smart card or your thumb print. The attempted access is stalled or prevented without both credentials. These credentials can be used in any combination, smart card and password, password and thumb print, smart card and iris scan, etc. The key of multi-factor authentication is to establish a layered approach to allowing access to your information systems and thereby securing your e-PHI.
Multi-factor authentication is a basic security principle which should be considered whenever possible as it provides a more secure method for authenticating access to only those who are authorized. In addition to multi-factor authentication, HHS has provided a short list of tips to discuss with your staff during NCSAM and others as you see are appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.
Contact our Lead Account Executive, Theresa Zemcuznikov at email@example.com who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.
CMS (Centers for Medicare and Medicaid Services) inappropriately paid $729.4 million in Meaningful Use incentives to healthcare providers over a three-year period due to the providers’ errors. These errors are a result of providers not being able to support their attestations of completing the measures and objectives as decided in the 2015 EHR Incentive Programs Final Rule. A couple examples of these attestations include completing the Security Risk Assessment and protecting electronic Protected Health Information (ePHI)). MIPS is a “pay-for-performance” program and it is independent of macroeconomic factors, upon which the earlier physician payment system was based. In order to qualify for MIPS, the healthcare entity must make a switch from paper records to electronic records.
Healthcare providers can choose from the Advanced Alternative Payment Models (APM) or MIPS, but most providers will choose MIPS. You should choose APM if 20% of your patients have Medicare or if 25% of your patients are Medicare reimbursables. You are eligible for MIPS if you bill more than $30k per year, provide care to 100 or more patients, and you are a physician, physician assistant, nurse practitioner, clinical nurse specialist, or a certified registered nurse anesthetist. You must start the paperwork between 1/1/2017 – 10/2/2017 and send in performance data by 3/31/2018. There will be a ninety-day attestation period in 2017 and payment adjustments for switching from paper to electronic records go into effect on 1/1/2019. If you do not participate, the result is a negative 4% adjustment in Medicare payments.
There are two options for reporting Advancing Care Information. Option 1 is the Advancing Care Information Objectives and Measures with 22 available reportable measures (7 are required including the security risk assessment). You can report the Advancing Care Information Objectives and Measures if you have technology that is certified to the 2015 edition or if you have a combination of technologies from the 2014 and 2015 editions that support these measures. Option 2 is the 2017 Advancing Care Information Transition Objectives and Measures with 13 available reportable measures (4 are required including the security risk assessment). You can report the 2017 Advancing Care Information Transition Objectives and Measures if you have technology that is certified to the 2015 edition or if you have technology certified to the 2014 edition or if you have a combination of technologies from the 2014 and 2015 editions.
Complementing MIPS with HIPAA brings about better patient engagement. Certified Electronic Health Record Technology (CEHRT) has enabled features such as availability of secure patient portals, encrypted text messages, and email products. Because of this, patient engagement tools sent electronically by regular (encrypted) email and text messaging include features such as appointment reminders, healthcare instructions, patient satisfaction surveys, and health and wellness newsletters and recall reminders. Since these are part of the regular use of technology in healthcare, HIPAA has enacted rules by which PHI can be sent by encrypted electronic transmission. Advancing Care Information of MIPS requires a HIPAA Security Risk Assessment, similar to the Meaningful Use clause. That is the strong link between MIPS and HIPAA. What if you don’t have CEHRT? You can apply for a Hardship Exception if you do not have CEHRT. Simply lacking CEHRT does not qualify the MIPS-eligible clinician or group for reweighting though. CEHRT is required for participation in the advancing care information performance category.
If you do have CEHRT, you must now conduct or review a Security Risk Analysis in accordance with the requirements in 45 CFR 164.308 (a)(1). Doing so will lead to securing ePHI for your Covered Entity or Business Associate. You must then conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You must also address the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3). Then, you must implement security updates as necessary and correctly identify security deficiencies as part of the MIPS eligible clinician’s risk management process.
By now you are well into developing your Emergency Preparedness Plan for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). You conducted an all-hazards approach to your risk assessment. That is, you identified all probable hazards and developed response procedures for each type of hazard which include natural, man-made, and/or facility emergencies. Additionally, as you conducted your risk assessment, you took a facility-based approach. You concentrated on risks specific to your facility and your region; for instance, you developed plans for a blizzard in Colorado or a tidal wave in Hawaii. You may have also decided to use a community-based risk assessment where you use plans developed by other entities such as public health and emergency management agencies, or regional health care coalitions. All the while, you reviewed your current HIPAA policies to look for overlaps or areas of commonality so you can use what you have already developed and have in place. Your next step for your Emergency Preparedness is to implement your plan in policies and procedures.
Centers for Medicare and Medicaid Services (CMS) requires you to develop policies and procedures and review and update them if needed at least annually. The policies and procedures must align with the risk assessment and hazards identified during the risk assessment. You can choose to make them part of your facility’s Standard Operating Procedures or Operating Manual, however, CMS recommends you have a central place to house your emergency preparedness program documents. This will make it easy for CMS to review them should they conduct a survey.
There are four key issues CMS asks you address in your policy and procedures:
1. Safe evacuation
2. Shelter in place
3. Preserve Medical Documentation
4. Using Volunteers
1. Safe Evacuation: CMS wants you to develop an evacuation plan which considers the care and treatment needs of evacuees. The plan should also spell out staff responsibilities, transportation needs, and identify locations that will be used for evacuation. The evacuation protocols should address where the evacuees will go but also where the staff members go as many times the evacuation location for the two are different. What will your transportation needs look like? How many vehicles do you have? Will you use vehicles of opportunity to evacuate your patients and staff? If you are an RHC or FQHC, you must also place exit signs to guide patients and staff in the event of an evacuation from your facility.
2. Shelter in Place: CMS wants you to develop a plan to shelter in place for your patients, staff, and volunteers. Not every emergency allows you to evacuate your facility. The most common threat that requires a shelter in place decision is probably a tornado. Your policy and procedures should identify the criteria for determining which staff and patients will shelter in place before an evacuation. When developing your plan, don’t forget to consider the ability of your building to survive a disaster as well as what proactive steps you can take prior to a situation that requires you to shelter in place. These are critical decisions that need to be well thought out before an actual emergency occurs.
3. Preserve Medical Documentation: CMS requires that you establish a system of medical documentation that preserves patient information, ensure patient records are secure and kept confidential, and readily available to support continuity of care during and after an emergency. Your policy and procedures should explain how you will accomplish this as well as stay in compliance with the HIPAA privacy and security rule. That is to say, your procedures must show how you will protect the privacy and security of individual’s personal health records whether you have electronic or paper medical records.
4. Using Volunteers: CMS wants you to develop policy and procedures to use volunteers in an emergency and other staffing strategies. Your procedures should explain how you will use volunteers with different skill levels. For instance, you may have healthcare professionals who volunteer during an emergency. How will you provide privileging and credentialing process in an emergency that ensures the volunteers can perform services within their scope of practice and training? You will have to look at your state laws and regulations for guidance. You also have federal teams that may volunteer in an emergency and are federally designated health care professionals such as the Public Health Service (PHS) staff, National Disaster Medical System (NDMS) medical teams, Department of Defense (DOD) Nurse Corps, or the Medical Reserve Corps (MRC). Your policy and procedures should also spell out how you will use non-medical volunteers. These individuals will perform non-medical tasks during your emergency.
CMS requires you to develop policies and procedures and review them annually. This allows you to update them if needed. The policies and procedures must align with the risk assessment and hazards identified during your risk assessment and address safe evacuation of your patients and staff, sheltering in place, preserving medical documentation, and how you will use both medical professional and non-professional volunteers. CMS recommends you have a central place to house your emergency preparedness program documents. And remember to review your current HIPAA policies for areas where there is commonality or where you have already addressed some of the requirements of the Emergency Preparedness Plan.