Careless communication can get HIPAA-covered companies into a world of trouble. Nevertheless, many health care professionals fail to secure protected health information (PHI) in their communication. Unsecured messages put your organization at risk. An unauthorized user could get hold of the device, a user could copy or screen capture information, or a hacker could access unencrypted messages through public Wi-Fi. Therefore, to avoid these dangers, you must choose HIPAA-compliant communication.
But what types of communication are HIPAA compliant? There are many myths about communicating PHI that you should be aware of. Let’s look at a couple of common ones and see what HIPAA actually requires.
Myth: iMessage is encrypted, so it is okay to send PHI through iMessage.
Fact: It is not safe to use iMessage to send PHI. Although iMessage is encrypted, Apple keeps a 30-day cache of messages on its servers, and users can use iCloud Backup to save and store messages. Furthermore, HIPAA requires that messaging platforms be secured in other ways, such as a unique login and PIN for users, message monitoring, and automatic logoff. iMessage and many other instant messaging platforms fail in these areas.
Myth: You can get a patient’s permission to text or email their information.
Fact: Texting and emailing patient information is a legal grey area. Nevertheless, most health care professionals use text or email to send PHI daily. See this article to read more about texting and emailing patient information. You can make an agreement with a patient to send unsecured messages. However, it’s much safer to use a secure platform.
So, How Do I Safely Communicate PHI?
Although there are many “don’ts” when it comes to sending PHI, it’s still important to communicate quickly and efficiently. Instead of text or email, consider using a HIPAA-compliant alternative: secure messaging. A 2015 study by the Tepper School of Business at Carnegie Mellon University found that there were 27% fewer patient safety incidents and 30% fewer medication errors when secure messaging was used. Therefore, security is just as important as speed and efficiency.
Secure messaging platforms are designed to comply with HIPAA. If you feel that your team needs a secure communication tool, there are many third-party apps available. Ultimately, you must not put ease over security. Make sure you know what HIPAA requires before you make a decision for your organization.
To learn more, contact HIPAAtrek at firstname.lastname@example.org.
Read more: Myth vs. Fact: HIPAA Training Requirements
HIPAA law is a complex world of “dos,” “don’ts,” and grey areas. You know HIPAA training is required by law, but you may feel unsure exactly how and when you’re supposed to train your staff. What makes it worse is that many vendors mislead HIPAA-covered companies in order to sell a product, such as HIPAA training programs.
But you can’t rely on vendors to tell you what you need to do for your staff. Therefore, making good decisions starts with knowing truth from fiction. In fact, you may find that HIPAA allows for more flexibility than you once thought.
What Is HIPAA Training?
Let’s see what the law actually says and put to rest a couple of common myths about HIPAA training.
§ 164.530(b)(1) Training – A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
§ 164.530(b)(2)(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: (A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity; (B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and (C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section. (ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
Myth: HIPAA training must be done in person.
Fact: HIPAA does not specify how the training should be accomplished. Therefore, you can train employees in any format you believe will be most effective, whether in person or online. You can train them during employee orientation, email them a PowerPoint presentation, or even have them watch training videos at their workstation. The key is that you give them the information they need to successfully do their job and comply with HIPAA.
Myth: HIPAA privacy training must be done every year.
Fact: Although HIPAA recommends periodic privacy reminders to employees, it doesn’t set a training schedule. According to the privacy rule, you must train new employees on HIPAA privacy soon after they start their job. However, you only need to train them on a periodic or as-needed basis after that. You get to decide how this looks practically, based on your organization’s needs.
So, How Should You Do HIPAA Training?
Because HIPAA applies to a large variety of organizations, from huge hospitals to tiny clinics, it’s flexible and allows you to design a training plan that fits your organization’s workflow. You can get basic HIPAA training for free from the U.S. Department of Health and Human Services (HHS). Basic training is good for staff members who are new to the health care industry. You can also use it as a periodic reminder for experienced staff.
However, you’ll need to go beyond the basics. After initial employee training, HIPAA training efforts should be as detailed and department-specific as possible. This means you should train employees on the little-known HIPAA rules or exceptions that apply directly to their day-to-day work. See this post for examples of detailed HIPAA training.
Lastly, the security rule requires you to send periodic security reminders to your staff. However, this requirement doesn’t have to be painful. The HIPAAtrek platform sends security reminders automatically and allows you to create and send messages to all your staff members, which makes training easier. Additionally, HIPAAtrek houses all your policies and procedures, reminding employees to read them and complete other training tasks as needed.
Remember, when creating a HIPAA training plan, don’t rely on others’ interpretation of HIPAA law, and don’t fall prey to deceptive marketing tactics. Read the HIPAA rule for yourself and learn from trustworthy sources, such as HHS. For more information, contact HIPAAtrek at email@example.com.
Because healthcare organizations hold a wealth of sensitive information, they’ve been prime targets of phishing attacks for years. In a 2018 report by Merlin International, 62% of respondents (healthcare organizations) had experienced a cyberattack in the last year, half of which resulted in lost healthcare data. Furthermore, up to 91% of cyberattacks can be traced to phishing emails.
In phishing scams, hackers masquerade as legitimate sources that you’re familiar with and trust. They trick you into handing over your credit card number, bank account number, social security number, passwords, and more. Hackers may steal your information, money, and identity, or they may infect your organization’s system with malware and put your data at risk.
Phishing attacks can target both your personal email account and your work email. Furthermore, many employees access both accounts from their work computers, perhaps doubling the risk of an email phishing attack on their organization’s systems. Therefore, you must learn how to recognize phishing scams and refuse to take the bait.
How Does Phishing Work?
Hackers disguise their malicious emails as harmless communication, such as marketing emails from an online retailer. They may even pretend to be your bank or a government authority, such as the IRS or FBI. Phishing emails may have links to fake websites that look similar to trusted organizations you often visit on the web. Thus, hackers lure you into visiting the malicious site and giving up login information.
Below are some of the signs of a phishing email or website:
- A generic “hello” greeting. Phishing emails don’t use your name because they are sent en masse and not personalized.
- Asking for personal information. Most legitimate organizations won’t ask you via email to input personal information, such as a credit card number or password.
- A sense of urgency. Phishing emails often urge you to take immediate action, playing on fear or other emotions to make you act before you think.
- Attachments. Phishing emails may have infected attachments that will unleash malware onto your computer, which can destroy or copy your hard drive.
- Links. Phishing emails may have masked links to a phony website. Hover your mouse over the link to see its actual address.
- Poor spelling or grammar. Hackers come at all skill levels. However, many show signs of poor writing skills.
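As an added example (not code from the HIPAAtrek post), the script below applies the signs listed above to a constructed sample message: it flags attachments, generic greetings, requests for personal information, urgency language, and links whose displayed address does not match the real target, which is the “hover over the link” check done in code. The keyword lists and the anchor regex are simplifications chosen for this example.

```python
import re
from email import message_from_string

# Constructed sample (not a real message): shows several of the signs at once.
SAMPLE = """\
From: "Your Bank" <alerts@example.com>
Subject: Account suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>Your account will be suspended unless you verify your
password immediately: <a href="http://login.example.net/verify">https://www.example.com/login</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "hello,")
PII_WORDS = ("password", "social security", "credit card", "account number")
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended")
# Simplified anchor extraction for the sample; real mail needs a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Return the host of an http(s) URL in lower case, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_signs(raw):
    """Return the warning signs found in a raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    signs, body = [], ""
    for part in msg.walk():
        if part.get_filename():                       # sign: attachment
            signs.append("attachment: " + part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="replace")
    low = body.lower()
    if any(g in low for g in GENERIC_GREETINGS):
        signs.append("generic greeting")
    if any(w in low for w in PII_WORDS):
        signs.append("asks for personal information")
    if any(w in low for w in URGENCY_WORDS):
        signs.append("urgency language")
    for href, text in ANCHOR_RE.findall(body):        # sign: masked link
        shown, actual = host_of(text), host_of(href)
        if shown and shown != actual:
            signs.append(f"masked link: shows {shown} but goes to {actual}")
    return signs

if __name__ == "__main__":
    for sign in phishing_signs(SAMPLE):
        print("-", sign)
```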
How to Prevent a Phishing Attack
Although healthcare employees are falling prey to phishing attacks at an alarming rate, you don’t have to. The following precautions will help you avoid getting caught in a scam, both before and after a phishing email makes it to your inbox.
- Install robust spam filters that will identify malicious emails and send them to spam.
- Adopt a URL scanner that will check the authenticity of any website you visit.
- Turn on browser filters to help you discover if a website is a phishing site.
- Install a security toolbar to alert you when visiting known phishing sites.
- Don’t open suspicious emails, links, or attachments. Instead, call the organization that supposedly sent the email and see if it’s legitimate.
Touch base with your IT department to get help with protecting your email against cyberattacks. However, keep in mind that hackers are constantly refining their techniques to bypass security measures. Therefore, you must never let your guard down, even with precautions in place.
Read more: How to Secure Your Workstations
You are the ultimate defense against phishing attacks. Although humans are the ones who often give hackers what they want, they are also the ones to recognize and refuse to respond to phishing emails. Therefore, the more you and your team learn about phishing, the more likely you’ll be able to recognize an attack before it occurs.
Some organizations conduct “phishing simulations,” which show how many people fall prey to fake phishing attacks. Those who take the bait then get additional training to help them recognize the scam. Rather than punishing employees who fail the simulation, you should focus on teamwork and learning.
A Final Word on Phishing
With perhaps thousands of personal records at stake, healthcare organizations are the big fish that hackers try to hook. By far, email is the most common means of phishing and cyberattacks in general. Therefore, you must put technical safeguards in place to detect and prevent scam emails and train your staff on how to recognize them.
To help you and your team create a culture of security compliance, the HIPAAtrek platform sends automatic reminders to your entire team about login monitoring, password management, and malicious software. Request a demo or contact us to learn more.
Read more: Password Management
A little oversight can lead to a lot of trouble. Employees who aren’t prepared to securely handle patients’ protected health information (PHI) can accidentally cause breaches that leak anywhere from tens to millions of private records. Why does this happen? In many cases, managers fail to train their staff in HIPAA compliance.
HIPAA compliance training shouldn’t be a matter of checking a box and calling it a day. Training must be ongoing, detailed, and tailored for each department. With regular training, managers can address risk areas as they arise, from a lack of breach preparedness to improper use of the nurse’s station white board. Detailed and focused training goes beyond the building blocks of HIPAA by bringing to light little-known rules or exceptions to the rules.
Below are some trouble areas managers should address in HIPAA training:
Releasing Patient Information
The Release of Information Office is at high risk for disclosing patients’ PHI without the right authorization. HIPAA training should make sure employees understand the federal and state requirements for releasing PHI to requesters. How will they verify if a requester is authorized to receive PHI? When can they deny access to a requester? Ongoing HIPAA training should address how and when PHI may be released. You can use case studies to help train your staff on impermissible uses or disclosures of PHI.
Recognizing a Breach
When PHI is handled daily in all departments, a human or technical error can cause a breach at any time. Staff members should assume an impermissible disclosure of PHI is a breach until shown otherwise. However, some impermissible disclosures – by exception – are not breaches. Therefore, you should train your breach response team on these exceptions.
Using Professional Judgement
In some cases, employees may use professional judgement to do what is best for the patient. For example, a person acting on behalf of another may pick up that person’s prescriptions or X-rays. Doctors may also exercise judgement when a person needs treatment but is incapacitated. In this case, doctors may disclose PHI to family or friends so they can treat the person. Staff members should know in what cases they may use their judgement.
Using the Nurse’s Station White Board
In their HIPAA compliance training, nurses need to learn what they are allowed and not allowed to write on the nurse’s station white board. For example, HIPAA allows you to write a patient’s name, diagnosis, or other relevant information on the board. Furthermore, nurses should use shorthand to write the minimum necessary information they need. Although visitors or other patients may accidentally see the board, it is okay, as long as physical and administrative safeguards are in place.
Identifying Victims of Abuse, Neglect, or Domestic Violence
Signs of abuse, neglect, or domestic violence may be subtle. Doctors, nurses, and medical technicians must be able to not only spot the signs but also follow the proper protocol. They may need to give the patient’s information to a government authority, social service, or protective service. Therefore, you should train staff members to recognize the signs and report these cases to the proper authority.
Speaking to Law Enforcement
Additionally, you must train emergency room staff on how to talk to law enforcement officers. ER staff members may disclose PHI – such as name, address, date of birth, social security number, blood type, injury and treatment information, and physical characteristics – to help identify or locate a suspect, fugitive, witness, or missing person. However, they are not allowed to disclose someone’s DNA, DNA analysis, dental records, or body fluid/tissue analysis to law enforcement.
HIPAA training that goes beyond the basics gives your staff the knowledge they need to properly handle high-risk situations. However, ongoing and detailed HIPAA training is easier said than done. Everyone is busy with day-to-day operations, so who has the time to nail down the finer points of HIPAA?
The HIPAAtrek, Inc. software manages HIPAA policies and procedures and keeps track of each employee’s training tasks in a streamlined interface, making ongoing HIPAA training a customized – and automatic – process. HIPAAtrek, Inc. helps you reduce risk and increase compliance. Access the demo to learn how you can simplify your HIPAA training.
You know that you have to secure your Protected Health Information. You also know that you should encrypt your PHI. But, do you know how expensive not having your PHI encrypted can be? Do you know the steps you should take to encrypt your devices and systems?
The University of Texas MD Anderson Cancer Center (MD Anderson) knows exactly how expensive it is to fail to encrypt. MD Anderson experienced multiple HIPAA violations recently:
- Theft of an unencrypted laptop from a private residence of an employee
- Two losses of unencrypted USB thumb drives
Because of these violations, MD Anderson was ordered to pay $4.35 million in penalties to the Office for Civil Rights (OCR). The OCR news release on this case can be viewed here.
A History of Risk
In 2006, MD Anderson implemented written encryption policies. Even though they had a formal policy in place, MD Anderson had not put it into practice. In fact, their risk analysis found that a lack of device-level encryption posed a high-level risk. MD Anderson did not actually begin to implement encryption of ePHI until 2011. Even then, they still failed to encrypt their devices containing ePHI between March 24, 2011 and January 25, 2013.
They were penalized for each day of non-compliance and for each record breached. HIPAA allows for fines up to $1.5 million per record per calendar year when assessing penalties for breaches.
MD Anderson hoped to reduce the penalty. They argued that they were not obligated to encrypt their devices, and that because the ePHI disclosed was for research it was not subject to HIPAA. MD Anderson also maintained that the penalties were unreasonable. The judge ruling on the case determined that there is a “high risk to MD Anderson’s patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
Encrypt Your PHI
So, what can you learn from this incident? Encrypt your PHI! Encryption sounds much more difficult than it actually is. You can easily encrypt your devices using tools already built into them. If it is not easy to encrypt a device, such as a USB drive, simply disallow its use in your organization. The risk is simply too great for you not to encrypt all devices with PHI.
The HIPAA Security Rule is confusing. There are two types of steps identified in the Security Rule: Required and Addressable. The encryption rules for HIPAA are specified as “Addressable.” This confuses many organizations, just like MD Anderson. Addressable sounds like it should be optional. However, the definition of Addressable is not synonymous with optional.
If a HIPAA rule is Addressable, you must adopt a similar solution. So, if you determine that encryption is not an option for your organization, you must adopt a similar solution to secure your PHI. In addition, you must have a strong justification as to why you are not able to implement the encryption rule.
The encryption and decryption standard can be found here.
Steps You Should Take
Just knowing that you have to encrypt your devices and stored PHI is not enough. You need to take steps to implement encryption practices in your organization. The first step is conducting a risk analysis. You can’t protect what you don’t know is at risk.
Secondly, you need to take an inventory of all your assets that store or transmit PHI. Be careful not to forget personal devices that are used to access your PHI (Bring Your Own Device – BYOD). During this step, determine if you need to apply encryption on the device or system.
You also need to create a policy and procedures for encrypting your PHI. Just having a policy in place is not sufficient. You have to IMPLEMENT your encryption procedures. In addition, you need to train your employees on the proper use and security of devices and systems containing PHI.
For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact us!