A recent legal ruling demonstrates the importance of using encryption to protect ePHI from unauthorized viewing. A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. OCR reported that the Cancer Center had three separate data breaches in 2012 and 2013. The breaches involved the theft of an unencrypted laptop from the residence of a Cancer Center employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. The Cancer Center had written encryption policies going as far back as 2006 and had conducted a risk analysis that found that the lack of device-level encryption posed a high risk to the security of ePHI. Nonetheless, the Cancer Center did not begin to implement encryption of ePHI until 2011, and still failed to encrypt its inventory containing ePHI (data at rest) between March 24, 2011 and January 25, 2013. The Cancer Center was penalized for each day of non-compliance with HIPAA and for each record of individuals breached. This explains the high civil monetary penalty of $4,348,000.
The Cancer Center argued that they were not obligated to encrypt its devices and that the ePHI disclosed was for research and not subject to HIPAA disclosure rules. The Cancer Center further argued that HIPAA’s penalties were unreasonable. The judge rejected each of these arguments and stated that the Cancer Center’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that the Cancer Center “not only recognized, but that it restated many times.”
So, what can you learn from this incident? While the HIPAA Security Rule identifies “encryption” as an addressable implementation specification, this does not mean the specification is optional. It means that if you choose not to use encryption, you must adopt an equivalent alternative measure to secure the ePHI, or document a very strong justification for why the specification does not apply in your circumstances. The Cancer Center did neither, despite its own risk analysis identifying the lack of device-level encryption as a high risk to the security of ePHI. Furthermore, there are numerous encryption solutions available for end user and portable devices that are well within the capability of all covered entities, so it would be difficult for a covered entity (CE) to defend not employing encryption to protect PHI from unauthorized viewing. Second, if your policy states that you accomplish X, Y, and Z, make sure your actions mirror the policy. An adage among compliance professionals states that what is worse than not having a policy is having a policy and not following it. This was the case for the Cancer Center, which had encryption policies going back to 2006 that were not followed. Finally, PHI used for research purposes earns the same HIPAA protection as PHI used for Treatment, Payment, or Healthcare Operations.
Now is a very good time to inventory all your assets that maintain ePHI and determine if you need to apply encryption or another solution to secure the ePHI. Take proactive steps to protect your data at rest and protect your organization from a major civil monetary penalty. The encryption and decryption standard can be found in 45 CFR § 164.312(a)(2)(iv). The OCR news release on this case can be viewed here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html. For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact our CEO Sarah Badahman at firstname.lastname@example.org
Many small practices struggle with password security. The provider shares his login credentials with staff to make it easier for him to pull records from hospital stays in preparation for a clinic visit, so that Medical Assistants can have the exam room computer on and ready for him when he walks in, or so that the nurse can chart for him. Given how busy physicians are, these seem like reasonable shortcuts to make his workflow more manageable. The problem is that these practices leave the physician and the practice vulnerable to some pretty hefty fines.
HIPAA requires covered entities and business associates with access to electronic Protected Health Information (ePHI) to implement a few safeguards to protect against unauthorized access to patient information:
Password Management: Procedures for creating, changing, and safeguarding passwords. §164.308(a)(5)(ii)(D)
Unique User ID: Assign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2)(i)
Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. §164.312(c)(1)
Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. §164.312(d)
Beyond the privacy reasons, it is important to protect passwords in order to secure the integrity of the ePHI. A rogue, or even well-intentioned, employee can change a patient’s chart, causing great harm to the patient. When a login is shared, the audit trail points at the physician rather than at whoever actually made the change. Your HIPAA tip on sharing passwords is simple: don’t.
If you have any questions on how to meet these requirements, contact us!
As we continue through October 2017 and National Cybersecurity Awareness Month (NCSAM), we continue to focus on going back to the basics. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information or e-PHI, and the training you provide your workforce. Last week we looked at some basic tips about patch management and how a major organization failed to patch a vulnerability leading to the exposure of financial information of 145.5 million individuals. This week’s third installment of cybersecurity tips by HIPAAtrek will focus on multi-factor authentication.
Multi-factor Authentication: Multi-factor authentication is the security procedure of using two or more independent credentials to grant someone access to your information systems and e-PHI. You may have first seen this on the big screen, where a James Bond type character enters a password followed by a thumb print or eye scan to access a classified area. This is not just movie stuff anymore. It is an example of multi-factor authentication, and it provides the most secure method of ensuring that the individual attempting to access the system is the person they claim to be. Here are the three kinds of credentials (factors) in multi-factor authentication you need to understand:
Something you know (Knowledge Factor). This is a password, passcode, or passphrase that only you know.
Something you have (Possession Factor). This is a hardware token, such as a key fob or smart card, assigned only to you and paired with a unique Personal Identification Number (PIN). When you use the token, the information system recognizes the token itself, and you confirm possession by entering the PIN.
Something you are (Inherence Factor). This is the method of identifying yourself by one of your biological traits. Unique biological identifiers include fingerprints, hand geometry, retina and iris scans, and voice recognition. No one else has your biological traits, so no one else can use them to authenticate as you.
The advantage of a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still needed to gain access. In other words, I may learn your password, but I don’t have your smart card or your thumb print. The attempted access is stalled or prevented without both credentials. These credentials can be used in any combination: smart card and password, password and thumb print, smart card and iris scan, etc. The key to multi-factor authentication is to establish a layered approach to granting access to your information systems and thereby secure your e-PHI.
Multi-factor authentication is a basic security principle which should be considered whenever possible as it provides a more secure method for authenticating access to only those who are authorized. In addition to multi-factor authentication, HHS has provided a short list of tips to discuss with your staff during NCSAM and others as you see are appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.
Contact our Lead Account Executive, Theresa Zemcuznikov at email@example.com who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.
CMS (Centers for Medicare and Medicaid Services) inappropriately paid $729.4 million in Meaningful Use incentives to healthcare providers over a three-year period due to the providers’ errors. These errors are a result of providers not being able to support their attestations of completing the measures and objectives as decided in the 2015 EHR Incentive Programs Final Rule. A couple of examples of these attestations include completing the Security Risk Assessment and protecting electronic Protected Health Information (ePHI). MIPS is a “pay-for-performance” program and it is independent of macroeconomic factors, upon which the earlier physician payment system was based. In order to qualify for MIPS, the healthcare entity must make a switch from paper records to electronic records.
Healthcare providers can choose from the Advanced Alternative Payment Models (APM) or MIPS, but most providers will choose MIPS. You should choose APM if 20% of your patients have Medicare or if 25% of your patients are Medicare reimbursables. You are eligible for MIPS if you bill more than $30k per year, provide care to 100 or more patients, and you are a physician, physician assistant, nurse practitioner, clinical nurse specialist, or a certified registered nurse anesthetist. You must start the paperwork between 1/1/2017 – 10/2/2017 and send in performance data by 3/31/2018. There will be a ninety-day attestation period in 2017 and payment adjustments for switching from paper to electronic records go into effect on 1/1/2019. If you do not participate, the result is a negative 4% adjustment in Medicare payments.
There are two options for reporting Advancing Care Information. Option 1 is the Advancing Care Information Objectives and Measures with 22 available reportable measures (7 are required including the security risk assessment). You can report the Advancing Care Information Objectives and Measures if you have technology that is certified to the 2015 edition or if you have a combination of technologies from the 2014 and 2015 editions that support these measures. Option 2 is the 2017 Advancing Care Information Transition Objectives and Measures with 13 available reportable measures (4 are required including the security risk assessment). You can report the 2017 Advancing Care Information Transition Objectives and Measures if you have technology that is certified to the 2015 edition or if you have technology certified to the 2014 edition or if you have a combination of technologies from the 2014 and 2015 editions.
Complementing MIPS with HIPAA brings about better patient engagement. Certified Electronic Health Record Technology (CEHRT) has enabled features such as availability of secure patient portals, encrypted text messages, and email products. Because of this, patient engagement tools sent electronically by regular (encrypted) email and text messaging include features such as appointment reminders, healthcare instructions, patient satisfaction surveys, and health and wellness newsletters and recall reminders. Since these are part of the regular use of technology in healthcare, HIPAA has enacted rules by which PHI can be sent by encrypted electronic transmission. Advancing Care Information of MIPS requires a HIPAA Security Risk Assessment, similar to the Meaningful Use clause. That is the strong link between MIPS and HIPAA. What if you don’t have CEHRT? You can apply for a Hardship Exception if you do not have CEHRT. Simply lacking CEHRT does not qualify the MIPS-eligible clinician or group for reweighting though. CEHRT is required for participation in the advancing care information performance category.
If you do have CEHRT, you must now conduct or review a Security Risk Analysis in accordance with the requirements in 45 CFR 164.308 (a)(1). Doing so will lead to securing ePHI for your Covered Entity or Business Associate. You must then conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You must also address the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3). Then, you must implement security updates as necessary and correctly identify security deficiencies as part of the MIPS eligible clinician’s risk management process.