HIPAA Tip – Sharing Passwords

Categories: Tags:

Many small practices struggle with password security. The provider shares his login credentials with staff to make it easier for him to pull records from hospital stays in preparation for a clinic visit as well as so Medical Assistants can have the exam room computer on and ready for him when he walks in or so the nurse can chart for him. With how busy physicians are, these seem to be reasonable shortcuts to make his workflow more manageable. The problem is these practices are leaving the physician and the practice vulnerable to some pretty hefty fines.

HIPAA requires covered entities and business associates with access to electronic Protected Health Information (ePHI) to implement a few safeguards to protect unauthorized access to patient information:

Password Management: Procedures for creating, changing, and safeguarding passwords. §164.308(a)(5)(ii)(D) 

Unique User ID: Assign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2)(i)  

Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. §164.312(c)(1)

Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. §164.312(d)

Beyond the privacy reasons, it is important to protect passwords in order to secure the integrity of the ePHI. A rogue, or even well-intentioned, employee can change a patient’s chart causing great harm to the patient. Your HIPAA Tip on sharing passwords, is simply don’t.

If you have any questions on how to meet these requirements, contact us!

Happy HIPAAtrekking!

HIPAA and Personal Devices

Categories: Tags:

Celebrate Cybersecurity Awareness: Multi-Factor Authentication

Categories: Tags:

As we continue through October 2017 and National Cybersecurity Awareness Month (NCSAM), we continue to focus on going back to the basics.  Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information or e-PHI, and the training you provide your workforce.  Last week we looked at some basic tips about patch management and how a major organization failed to patch a vulnerability leading to the exposure of financial information of 145.5 million individuals.  This week’s third installment of cybersecurity tips by HIPAAtrek will focus on multi-factor authentication.

Multi-factor Authentication:  Multi-factor authentication is the security procedure of using two or more independent credentials to allow someone access to your information systems and e-PHI.  You may have first seen this on the big screen where a James Bond type character enters a password followed by their thumb print or scan of their eye to access a classified area. This is not just movie stuff anymore. This is an example of multi-factor authentication and it provides the most secure method of ensuring the individual attempting to access the system is the person they report to be.  Here are the three credentials in multi-factor authentication you need to understand:

Something you know (Knowledge Factor).  This is a password, passcode, or passphrase that only you know.

Something you have (Possession Factor).  This is a special hardware token which could be a key, or smart card with a unique Personal Identification Number or (PIN) assigned only to you.  When you use the token, the information system recognizes your entry through this token and you authenticate it by entering the PIN.

Something you are (Inherence Factor).   This is the method of identifying yourself by one of your biological traits.  Unique biological identifiers include finger prints, hand geometry, retina and iris scans, or voice recognition.  No one else has your biological traits and therefore cannot use them to authenticate.

The advantage of using a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still needed to gain access. In other words, I may learn your password, but I don’t have your smart card or your thumb print. The attempted access is stalled or prevented without both credentials.  These credentials can be used in any combination, smart card and password, password and thumb print, smart card and iris scan, etc.  The key of multi-factor authentication is to establish a layered approach to allowing access to your information systems and thereby securing your e-PHI.

Multi-factor authentication is a basic security principle which should be considered whenever possible as it provides a more secure method for authenticating access to only those who are authorized.  In addition to multi-factor authentication, HHS has provided a short list of tips to discuss with your staff during NCSAM and others as you see are appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.

Contact our Lead Account Executive, Theresa Zemcuznikov at theresa@hipaatrek.com who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location.  In the meantime, happy HIPAA trekking.

The Connection Between MIPS (Medicare and Medicaid Incentive Programs) and HIPAA

Categories: Tags:

CMS (Centers for Medicare and Medicaid Services) inappropriately paid $729.4 million in Meaningful Use incentives to healthcare providers over a three-year period due to the providers’ errors. These errors are a result of providers not being able to support their attestations of completing the measures and objectives as decided in the 2015 EHR Incentive Programs Final Rule. A couple examples of these attestations include completing the Security Risk Assessment and protecting electronic Protected Health Information (ePHI)). MIPS is a “pay-for-performance” program and it is independent of macroeconomic factors, upon which the earlier physician payment system was based. In order to qualify for MIPS, the healthcare entity must make a switch from paper records to electronic records.

Healthcare providers can choose from the Advanced Alternative Payment Models (APM) or MIPS, but most providers will choose MIPS. You should choose APM if 20% of your patients have Medicare or if 25% of your patients are Medicare reimbursables. You are eligible for MIPS if you bill more than $30k per year, provide care to 100 or more patients, and you are a physician, physician assistant, nurse practitioner, clinical nurse specialist, or a certified registered nurse anesthetist. You must start the paperwork between 1/1/2017 – 10/2/2017 and send in performance data by 3/31/2018. There will be a ninety-day attestation period in 2017 and payment adjustments for switching from paper to electronic records go into effect on 1/1/2019. If you do not participate, the result is a negative 4% adjustment in Medicare payments.

There are two options for reporting Advancing Care Information. Option 1 is the Advancing Care Information Objectives and Measures with 22 available reportable measures (7 are required including the security risk assessment). You can report the Advancing Care Information Objectives and Measures if you have technology that is certified to the 2015 edition or if you have a combination of technologies from the 2014 and 2015 editions that support these measures. Option 2 is the 2017 Advancing Care Information Transition Objectives and Measures with 13 available reportable measures (4 are required including the security risk assessment). You can report the 2017 Advancing Care Information Transition Objectives and Measures if you have technology that is certified to the 2015 edition or if you have technology certified to the 2014 edition or if you have a combination of technologies from the 2014 and 2015 editions.

Complementing MIPS with HIPAA brings about better patient engagement. Certified Electronic Health Record Technology (CEHRT) has enabled features such as availability of secure patient portals, encrypted text messages, and email products. Because of this, patient engagement tools sent electronically by regular (encrypted) email and text messaging include features such as appointment reminders, healthcare instructions, patient satisfaction surveys, and health and wellness newsletters and recall reminders. Since these are part of the regular use of technology in healthcare, HIPAA has enacted rules by which PHI can be sent by encrypted electronic transmission. Advancing Care Information of MIPS requires a HIPAA Security Risk Assessment, similar to the Meaningful Use clause. That is the strong link between MIPS and HIPAA. What if you don’t have CEHRT? You can apply for a Hardship Exception if you do not have CEHRT. Simply lacking CEHRT does not qualify the MIPS-eligible clinician or group for reweighting though. CEHRT is required for participation in the advancing care information performance category.

If you do have CEHRT, you must now conduct or review a Security Risk Analysis in accordance with the requirements in 45 CFR 164.308 (a)(1). Doing so will lead to securing ePHI for your Covered Entity or Business Associate. You must then conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You must also address the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3). Then, you must implement security updates as necessary and correctly identify security deficiencies as part of the MIPS eligible clinician’s risk management process.