TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Archives for March 2015

Your PHI Goes in There and Out Where? Can Understanding your PHI Flow Help Support HIPAA Compliance?

March 18, 2015 by Danika Brinda

How many organizations can say that they completely understand where all of their protected health information exists and where the inputs and outputs of that data are?  Based on current clients, very few know exactly where all protected health information is being stored and maintained.  It is not uncommon to walk into an organization and hear that they have 2 or 3 systems that store or interact with PHI – then, after discussion and analysis, it is determined that there are actually 9 or 10 different systems that interact with PHI within the organization.  Additionally, many organizations don’t fully understand all the areas where PHI may come out of electronic systems.  For example, a transcription system may automatically send a document once it is transcribed, or a lab system may send information to the billing system for proper charges.  Without properly understanding where all the data is being stored, what happens to the data, how those systems are protected, and where the ePHI outputs from those systems are, it is a challenge to effectively manage the privacy and security of protected health information.  It is the key link from privacy and security to Information Governance in an electronic era.

Sure, everyone knows they have patient data within their electronic health record, stored in their lab system, or on the organization’s file server, right?  Those areas may be obvious and clear; however, organizations must know and understand every system and location where protected health information is being stored.  Without the knowledge of where all protected health information resides within an organization and the systems that use health information, it becomes nearly impossible to manage privacy and security of information and leaves the organization extremely vulnerable to a data breach. 

Privacy and Security Officers at healthcare organizations should start a process of identifying all systems storing, transmitting, or accessing patient information – building knowledge and understanding of how protected health information is stored and used within their organization.  Creating a protected health information flow diagram or documentation is a complex and detailed process.  It is most likely not going to happen in one day or one week.  It is going to take time to understand each specific system, how it may or may not use protected health information, and what other systems it interacts with.

Some suggested steps to create this information at an organization:

  • Conduct a system inventory analysis of all systems that the organization uses
  • Understand all the hardware being used in the organization and whether ePHI is being stored on that hardware
  • Evaluate each system identified to determine what its interaction is with any type of patient information
  • If the system interacts with protected health information, determine
    1. What type of PHI is being stored in the system
    2. What the intent of the system is
    3. Who the system ‘owner’ is
    4. Who has access to the system and how that access is managed
    5. Where the system is hosted (local server, cloud based) and backed up
    6. What the inputs of PHI into the system are
    7. What the outputs of PHI from the system are – both automatic and manual
    8. Whether the system interfaces and interacts with other systems
    9. Other security measures in place to protect the information
    10. Other pertinent information regarding the system that is important from a security perspective
  • Create documentation to support and understand all systems – Your Protected Health Information Flow!
  • Assure proper management of all systems that contain PHI!!!! It is not the job of the security officer to own the systems, but it is a responsibility to ensure the systems are understood and proper security is maintained so the privacy of the data is properly secured and protected!

This is not an easy process – in some large integrated systems, they could have hundreds of different systems that interact with ePHI in some aspect!
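The gap the post describes (an organization declares 2 or 3 PHI systems and the analysis turns up 9 or 10) is usually a consequence of step 8 above: PHI follows the interfaces. The script below is an added example, not code from TriPoint or from this post. It takes a constructed system inventory (the system names, the `declared_phi` flag, and the `owner`/`backup`/`encrypted_at_rest`/`sends_to` fields are all assumptions made for the example), starts from the systems the organization believes hold PHI, follows every outbound interface to find where PHI actually ends up, and then checks each of those systems against the per-system questions in the list (owner, backup, protection). It also emits a Graphviz DOT description of the flow so the result can be drawn as the "PHI flow" diagram the post asks for.

```python
"""PHI flow inventory: follow interfaces outward from declared PHI systems
and flag systems that receive PHI but were never declared or controlled.

Added example; the inventory below is constructed, not a real organization.
"""
from collections import deque

# Constructed inventory. "declared_phi" is what the organization *believes*;
# "sends_to" lists outbound interfaces (automatic and manual) to other systems.
INVENTORY = {
    "EHR":           {"declared_phi": True,  "owner": "CMIO",              "backup": "offsite nightly", "encrypted_at_rest": True,  "sends_to": ["Lab", "Billing", "Transcription"]},
    "Lab":           {"declared_phi": True,  "owner": "Lab Director",      "backup": "nightly",         "encrypted_at_rest": True,  "sends_to": ["EHR", "Billing"]},
    "Transcription": {"declared_phi": False, "owner": "",                  "backup": "",                "encrypted_at_rest": False, "sends_to": ["EHR", "Email", "Outsourced Transcription Vendor"]},
    "Billing":       {"declared_phi": False, "owner": "Revenue Cycle Mgr", "backup": "weekly",          "encrypted_at_rest": True,  "sends_to": ["Clearinghouse"]},
    "Clearinghouse": {"declared_phi": False, "owner": "",                  "backup": "vendor",          "encrypted_at_rest": True,  "sends_to": []},
    "Email":         {"declared_phi": False, "owner": "IT",                "backup": "",                "encrypted_at_rest": False, "sends_to": []},
    "Intranet":      {"declared_phi": False, "owner": "IT",                "backup": "weekly",          "encrypted_at_rest": True,  "sends_to": []},
}

# Controls every PHI-holding system must have documented (assumed field names).
REQUIRED_CONTROLS = ("owner", "backup", "encrypted_at_rest")


def phi_systems(inventory):
    """Breadth-first walk from declared PHI systems along outbound interfaces.

    Returns (reached, unknown): every inventoried system PHI can flow into,
    and interface targets that are not in the inventory at all (those are a
    finding on their own: PHI leaves to a system nobody has inventoried).
    """
    reached = {name for name, attrs in inventory.items() if attrs["declared_phi"]}
    unknown = set()
    queue = deque(reached)
    while queue:
        src = queue.popleft()
        for dst in inventory[src]["sends_to"]:
            if dst not in inventory:
                unknown.add(dst)
            elif dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return reached, unknown


def undeclared_phi_systems(inventory):
    """Systems that receive PHI through an interface but were not declared."""
    reached, _ = phi_systems(inventory)
    return sorted(n for n in reached if not inventory[n]["declared_phi"])


def control_gaps(inventory):
    """For every system PHI actually reaches, list the required controls
    that are blank or false. Systems with no gaps are omitted."""
    reached, _ = phi_systems(inventory)
    gaps = {}
    for name in sorted(reached):
        missing = [field for field in REQUIRED_CONTROLS if not inventory[name][field]]
        if missing:
            gaps[name] = missing
    return gaps


def to_dot(inventory):
    """Render the flow as Graphviz DOT; PHI-carrying systems are drawn as boxes."""
    reached, _ = phi_systems(inventory)
    lines = ["digraph phi_flow {"]
    for name in sorted(inventory):
        shape = "box" if name in reached else "ellipse"
        lines.append(f'  "{name}" [shape={shape}];')
    for src in sorted(inventory):
        for dst in inventory[src]["sends_to"]:
            lines.append(f'  "{src}" -> "{dst}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    reached, unknown = phi_systems(INVENTORY)
    declared = sorted(n for n, a in INVENTORY.items() if a["declared_phi"])
    print("Declared PHI systems:", declared)
    print("Systems PHI actually reaches:", sorted(reached))
    print("Undeclared PHI systems:", undeclared_phi_systems(INVENTORY))
    print("Interfaces to un-inventoried systems:", sorted(unknown))
    print("Control gaps:", control_gaps(INVENTORY))
    print(to_dot(INVENTORY))
```

With the constructed inventory the organization declares two PHI systems, the walk finds six, one interface points at a system that was never inventoried, and three of the six are missing an owner, a backup, or encryption. The DOT output can be fed to `dot -Tpng` to produce the flow diagram; the real work is populating the inventory, which, as the post says, takes far longer than running the script.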

Remember that HIPAA doesn’t just apply to an electronic health record.  Electronic protected health information is any protected health information (PHI) that is produced, saved, transferred or received in an electronic form.  ePHI can be found on computer hard drives, in databases, in e-mail, in the EHR, and many other locations – you need to evaluate and look at your entire system to truly understand and manage ePHI!!

Don’t get caught in an unwanted data breach due to not knowing or understanding how your data flows throughout your organization, what systems have protected health information, where the inputs are, what happens to the data in the system, and where the outputs from the system exist.  Work upstream, understand your PHI data flow, and properly manage and reduce risks to PHI!

Danika

Filed Under: HIPAA, HIPAA Compliance, Privacy, Protected Health Information, Security

We Have a Process…Isn’t That Good Enough? HIPAA is All About the Documentation!

March 2, 2015 by Danika Brinda

Working with all different types of healthcare organizations and business associates, I frequently hear the following phrases:

“We have a process for that, it is just not documented”

“We did some items that would qualify to meet those requirements, but we didn’t know we had to document”

“We have a high level of HIPAA compliance, but just don’t have documented policies and procedures”

While all these statements may be true – the issue is that HIPAA requires documentation and proof that you are complying with the regulations.  As we enter 2015 and are looking at 1) Increased enforcement of HIPAA, 2) Next phase of HIPAA Audits, 3) Data Breaches Increasing and 4) Continued Meaningful Use Audits – organizations need to make the time to assure proper documentation exists in order to comply with the HIPAA regulations.

Policies and Procedures – They are a Requirement

If you look at the detail of the HIPAA Privacy, Security, and Breach Notification Rules – they all have a section that requires documentation to exist to support the regulations.

  • Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 164.316(b)(1) – Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment
  • Breach Notification Rule Documentation – 164.316(b)(1) – A covered entity must comply with the administrative requirements as defined under the HIPAA rule documentation. Additionally, in the event of an unauthorized use or disclosure, the covered entity or business associate shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach

In addition to supporting compliance with policies and procedures, organizations should also ensure that they are supporting what they are doing to comply with appropriate documentation.  Some examples of documentation to review to ensure it exists per your policy are:

  • Proof of Information System Activity Review – who, what, when, where, outcomes
  • Workforce Sanctions Applied – when have you applied sanctions and why
  • Workforce Training Proof – regular training documentation as well as periodic updates
  • Complaints Received and Proof of Resolution – all complaints regarding privacy and security, the investigation and outcomes
  • Breach Notification Investigations (including the 4 required questions) – all information regarding the investigation as well as the outcome documentation and assurance of the burden of proof
  • Business Associate Contracts – do you have business associate contracts signed for the third party vendors you use
  • Notice of Privacy Practices Acknowledgement – are you getting proper signatures as required and defined in your policy

This is not an all-inclusive list, but rather a sample to start thinking about how to verify that documentation exists.  It is EXTREMELY important that you don’t assume proper documentation is happening – ask and look to verify that proper documentation is happening.  Each of the above sample areas should be reviewed to see if what is defined in the policy and procedure that you have is truly being followed appropriately. 

Don’t sit back and assume you are ok because you have a process – make sure you have proper documentation to support your compliance with HIPAA regulations.  You can always conduct mock audits or hire an organization to analyze this for you.  It is best to be prepared!

Final Word on HIPAA Compliance and Documentation – Take initiative, review, analyze, and verify.  Your compliance level is only as good as the documentation you have to support it.  Be diligent, dig through documentation, and feel confident with your compliance with HIPAA.

Danika


Filed Under: Documentation, HIPAA, HIPAA Compliance, Policies & Procedures
