TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


The Risk of Not Doing a Risk Analysis: Is It Worth It?

April 16, 2015 by Danika Brinda

Some of the most famous people of our past constantly encourage us to take risks to further ourselves and create more opportunities. We think about these quotes when big decisions are being made in all aspects of our lives. But then we have to stop and think: some risks may be worth taking to better a community, organization, or person; however, the risk of not doing something so vital to an organization, such as a HIPAA Risk Analysis, can be detrimental and can cause an organization to suffer a data breach or lose valuable patient information needed to support patient care. In the words of Warren Buffett, “Risk comes from not knowing what you are doing.” If you apply that concept to the management and protection of patient information, risk comes from not knowing how you are protecting patient information, not knowing the security safeguards at your organization, and not knowing where patient information is being stored or how it is being transmitted. At the HIMSS 2015 conference in Chicago, IL, many of the speakers discussed the importance of knowing where information exists and what is being done with that information in the normal course of business.

One process is meant to create the baseline understanding of the current areas of risk for a healthcare organization and is required by the HIPAA Security Rule: the HIPAA Risk Analysis. In a 2014 study conducted by NueMD of 1,100 physician practices, only 33% were confident that a HIPAA Risk Analysis had been completed for their organization. Gruessner (2015) reported that 22% of eligible providers and 5% of eligible hospitals are failing audits from the Meaningful Use program. Previous documentation shows that not properly conducting a HIPAA Risk Analysis is a top reason for failing these audits (not the only reason; many others exist). Of the 23 fines assessed to healthcare organizations for data breaches since 2009, 15 of the 23 resolution agreements clearly stated that risk assessment was one of the non-compliance areas evaluated in setting the amount of the fine. It is clear that many organizations are not doing the HIPAA Risk Analysis, but is it worth the risk? Are you willing to take your chances on non-compliance with HIPAA, a large data breach, a million-dollar fine from the Office for Civil Rights, and potential class-action lawsuits? The answer for all healthcare organizations should be NO! The risk of not doing the risk analysis is not worth it.

There are many different ways to conduct a risk analysis; there is no right or wrong way! In 2010, the Office for Civil Rights recommended the following steps for conducting a risk analysis:

  1. Define the Scope of the Analysis
  2. Define the Data Collection Process
  3. Identify and Document Potential Threats and Vulnerabilities
  4. Assess Current Security Measures
  5. Determine Likelihood of Threat Occurrence
  6. Determine Impact of Threat Occurrence
  7. Determine Level of Risk
  8. Finalize Documentation

Read the full guidance at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
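To make the eight OCR steps concrete, here is a small risk register that walks through them end to end. This is an added example written for this page, not code from the original post or from OCR: the 1 to 3 likelihood and impact scale, the 3x3 matrix that turns them into a risk level, the in-scope system names and the sample findings are all assumptions made for the illustration, since the OCR guidance prescribes the steps but not a scoring formula.

```python
"""Worked HIPAA risk analysis register following the eight OCR steps.

Added example, not from the original post. The 1-3 scale, the 3x3 risk
matrix, SCOPE and SAMPLE_ITEMS are constructed for the illustration.
"""
from dataclasses import dataclass

# Step 1: define the scope. Constructed sample: the systems this analysis covers.
SCOPE = {"EHR", "Lab system", "Billing server", "Clinic workstations"}


# Step 2: data collection. One record per threat/vulnerability pair holds
# what was gathered in steps 3 and 4 plus the ratings assigned in steps 5 and 6.
@dataclass(frozen=True)
class RiskItem:
    asset: str               # in-scope system or location holding ePHI
    threat: str              # step 3: what could happen
    vulnerability: str       # step 3: the weakness that lets it happen
    current_measures: tuple  # step 4: safeguards already in place
    likelihood: int          # step 5: 1 (rare) .. 3 (likely)
    impact: int              # step 6: 1 (minor) .. 3 (severe)


def risk_level(likelihood, impact):
    """Step 7: combine likelihood and impact into a score and a label.

    score = likelihood * impact on a 3x3 matrix is an assumed convention;
    6-9 is High, 3-4 is Medium, 1-2 is Low.
    """
    for value in (likelihood, impact):
        if value not in (1, 2, 3):
            raise ValueError("likelihood and impact ratings must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return score, "High"
    if score >= 3:
        return score, "Medium"
    return score, "Low"


def validate_scope(items):
    """Refuse findings for assets that step 1 never put in scope."""
    out_of_scope = sorted({item.asset for item in items} - SCOPE)
    if out_of_scope:
        raise ValueError(f"assets not in the defined scope: {out_of_scope}")


def build_register(items):
    """Return (score, level, item) rows, highest risk first, so that the
    mitigation work after the analysis can be prioritised."""
    validate_scope(items)
    rows = [(*risk_level(item.likelihood, item.impact), item) for item in items]
    return sorted(rows, key=lambda row: (-row[0], row[2].asset))


def finalize_documentation(items):
    """Step 8: render the register as the written record the Security Rule
    expects. Returns the lines so they can be stored, reviewed or audited."""
    lines = [f"Scope: {', '.join(sorted(SCOPE))}"]
    for score, level, item in build_register(items):
        measures = ", ".join(item.current_measures) or "none"
        lines.append(
            f"[{level:6}] {item.asset}: {item.threat} via {item.vulnerability} "
            f"(L={item.likelihood}, I={item.impact}, score={score}; "
            f"current measures: {measures})"
        )
    return lines


# Constructed sample findings for the illustration.
SAMPLE_ITEMS = [
    RiskItem("EHR", "unauthorized access", "shared logins", ("role-based access",), 3, 3),
    RiskItem("Billing server", "data loss", "backups never tested", ("nightly backup",), 2, 3),
    RiskItem("Clinic workstations", "theft", "no disk encryption", (), 2, 2),
    RiskItem("Lab system", "service outage", "single power feed", ("UPS",), 1, 2),
]

if __name__ == "__main__":
    print("\n".join(finalize_documentation(SAMPLE_ITEMS)))
```

The register deliberately keeps the current measures beside each finding: a reviewer (or an auditor) can then see not only what the risk level is, but what the organization already had in place when the rating was assigned, which is exactly the documentation step 8 asks for.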

After the risk analysis is completed, an organization should spend time evaluating and implementing security controls to mitigate the identified risks and reduce the likelihood of occurrence. It is important that as risks identified in the risk analysis process are mitigated, the healthcare organization should assure

Are you willing to take the risk of not conducting a regular risk analysis? All answers should be NO! The time is now. Follow the famous words of Warren Buffett: understand what you don’t know, mitigate the risks that you have, and protect the privacy and security of patient information!

Danika

References:

http://www.nuemd.com/hipaa/survey/index.html

https://ehrintelligence.com/2015/04/09/meaningful-use-audits-cause-undue-hardships-for-physicians/

Filed Under: HIMSS15, HIPAA, Risk Analysis, Risk Management

Here comes Peter Cottontail – Hopping Down the HIPAA Trail!

April 1, 2015 by Danika Brinda

When we think about the Easter holiday and the spring that has found us, the focus shifts from existing in a dull, mundane world to a new world full of new life and new excitement. The snow melts (if you have snow), the rivers and lakes open, the birds chirp more, and the temperature rises. At the same time, we prepare for one of our favorite furry friends to come and visit, the Easter Bunny. With the hope and intent of new and fresh goodies in our bag, the anticipation of the little bunny visiting creates entertainment and excitement!

It is easy for a HIPAA compliance program to be ordinary and unexciting. HIPAA consists of many different kinds of regulations that you must comply with just to make the government happy, and they might not really work in your organization. Many organizations focus on writing and creating a process in order to meet compliance, but over time that process becomes outdated and no longer meets the intent behind the HIPAA regulations.

It is time to head down the HIPAA Trail and focus on HIPAA in a new way. As Peter Cottontail comes to provide treats and goodies for everyone’s baskets, it is time to provide your compliance program with a new basket of tools and tricks to make HIPAA fun and enjoyable. Rather than treating HIPAA as something forced and mandated just to comply with regulations, change the focus to something the organization does to protect the patients it sees and the information it stores and maintains.

Here is a list of a few ideas to help provide your HIPAA Basket with new and fresh goodies:

  1. Conduct a HIPAA Risk Analysis – the risk analysis allows an organization to review and see potential risks so that they can be mitigated before an unauthorized use or disclosure of health information occurs. Get everyone involved and see how your entire organization can help and support the risk analysis process. Something fun is a HIPAA scavenger hunt for employees: give them a walkthrough document and send them to another department to see what they can find that might be a risk to your organization!
  2. Refresh HIPAA Training – so often organizations use the same training for HIPAA, or the same format for training, year after year. While it is important to create consistency and assure proper training is occurring, refreshing the format or content of the training can support better compliance among employees and a better understanding of the importance of protecting patient information.
  3. Review and Update Policies and Procedures – even when no regulations or processes have changed, it is always good to give the policies and procedures that help manage HIPAA compliance a review on a regular basis. While there is no mandate on how often, best practice is to review yearly or upon changes of technology, regulations, or physical space. Set a timeline for each year to review policies and procedures and commit to that timeline!
  4. Create a Culture of Privacy and Security Protections – organizations that are most successful with HIPAA compliance create a culture of privacy and security protections. While policies and procedures as well as technical and physical safeguards are a necessity for HIPAA compliance, workforce members need to buy into the philosophy and intent of protecting and securing patient information. Many times your employees become the front-line defense in the safeguarding and protection of patient information. If they don’t buy in or understand the importance, an organization will struggle to succeed with its HIPAA compliance.
  5. Create a HIPAA Governance Structure – there is that word, governance, again! Strong governance and oversight of the management of HIPAA at an organization will help transform it from a department or person who manages the privacy and security of patient information into an organization that knows the importance of protecting patient information and acts on it throughout each day and every task. Have specific leaders throughout the process and assure that roles are clearly defined!

Office for Civil Rights (OCR) HIPAA Audits are coming in 2015 – take the time that has been given to fill your HIPAA Compliance Basket with new goodies and tools to be successful.  Figure out how you can breathe new life into your HIPAA program and make it successful in protecting the valuable patient information that the organization is trusted with.  HIPAA can be fun and exciting – just like the change in the season and a full basket of goodies!  Hopefully you will bump into Peter Cottontail hopping down the HIPAA Trail!    

“Most of us feel that our health information is private and should be protected. That is why there is a federal law that sets rules for health care providers and health insurance companies about who can look at and receive our health information.”

—Office for Civil Rights

Danika

Filed Under: HIPAA, Policies & Procedures, Privacy, Protected Health Information, Security

Your PHI Goes in There and Out Where? Can Understanding your PHI Flow Help Support HIPAA Compliance?

March 18, 2015 by Danika Brinda

How many organizations can say that they completely understand where all their protected health information exists and where the inputs and outputs of the data are? Based on current clients, very few know exactly where all protected health information is being stored and maintained. It is not uncommon to walk into an organization and hear that they have 2 or 3 systems that store or interact with PHI, and then, after discussion and analysis, to determine that there are actually 9 or 10 different systems that interact with PHI within the organization. Additionally, many organizations don’t fully understand all the ways PHI may come out of electronic systems. For example, a transcription system may automatically send a document once it is transcribed, or a lab system may send information to the billing system for proper charges. Without properly understanding where all the data is being stored, what happens to the data, how those systems are protected, and where the ePHI outputs from the systems are, it is a challenge to effectively manage the privacy and security of protected health information. It is the key link from privacy and security to Information Governance in an electronic era.

Sure, everyone knows they have patient data within their electronic health record, stored in their lab system, or on the organization’s file server, right?  Those areas may be obvious and clear; however, organizations must know and understand every system and location where protected health information is being stored.  Without the knowledge of where all protected health information resides within an organization and the systems that use health information, it becomes nearly impossible to manage privacy and security of information and leaves the organization extremely vulnerable to a data breach. 

Privacy and Security Officers at healthcare organizations should start a process of identifying all systems storing, transmitting, or accessing patient information, creating knowledge and understanding of how protected health information is being stored and used within their organization. Creating a protected health information flow diagram or documentation is a complex and detailed process. It is most likely not going to happen in one day or one week. It is going to take time to understand each specific system, how it may or may not use protected health information, and what other systems it interacts with.

Some suggested steps to create this information at an organization:

  • Conduct a system inventory analysis of all systems that the organization uses
  • Understand all the hardware being used in the organization and whether ePHI is being stored on the hardware
  • Evaluate each system identified to determine what its interaction is with any type of patient information
  • If the system interacts with protected health information, determine
    1. What type of PHI is being stored in the system
    2. What the intent of the system is
    3. Who the system ‘owner’ is
    4. Who has access to the system and how access is managed
    5. Where the system is being stored (local server, cloud based) and backed up
    6. What the inputs of PHI into the system are
    7. What the outputs of PHI from the system are – both automatic and manual
    8. Whether the system interfaces and interacts with other systems
    9. Other security measures in place to protect the information
    10. Other pertinent information regarding the system that is important from a security perspective
  • Create documentation to support and understand all systems – your Protected Health Information Flow!
  • Assure proper management of all systems that contain PHI! It is not the job of the security officer to own the systems, but it is a responsibility to ensure the systems are understood and proper security is maintained so that the privacy of the data is properly secured and protected!
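The inventory questions above become much more useful when the interfaces between systems (item 8) are followed to their end, because that is how the "2 or 3 systems" turn into "9 or 10". The following is an added example written for this page, not code or a template from the original post: it records the inventory items as fields, derives each system's PHI inputs from the other systems' outputs, follows the automatic interfaces to find every system PHI actually reaches (including ones nobody reported as holding PHI, and ones missing from the inventory altogether), and flags the gaps in items 3, 5 and 9. All system names, owners and links in SAMPLE_INVENTORY are constructed for the illustration.

```python
"""PHI flow inventory: derive where PHI actually goes from per-system records.

Added example, not from the original post. SAMPLE_INVENTORY and the field
layout of SystemRecord are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemRecord:
    name: str
    purpose: str               # 2. intent of the system
    owner: str                 # 3. system owner, "" if nobody has claimed it
    phi_types: tuple           # 1. PHI reported as stored, () if none reported
    access_management: str     # 4. how access is granted and reviewed
    hosting: str               # 5. "local" or "cloud"
    backed_up: bool            # 5. whether the system is backed up
    manual_outputs: tuple      # 7. manual PHI outputs (printouts, exports)
    sends_to: tuple            # 7/8. automatic interfaces that carry PHI onward
    safeguards: tuple          # 9. security measures in place


def phi_systems(inventory):
    """Every system PHI reaches: the ones reported as storing PHI plus all
    systems downstream of them through automatic interfaces. The second
    value lists interface targets that are not in the inventory at all."""
    by_name = {s.name: s for s in inventory}
    reached, unknown = set(), set()
    frontier = [s.name for s in inventory if s.phi_types]
    while frontier:
        name = frontier.pop()
        if name in reached:
            continue
        if name not in by_name:
            unknown.add(name)        # PHI flows to a system nobody inventoried
            continue
        reached.add(name)
        frontier.extend(by_name[name].sends_to)
    return reached, unknown


def inputs_of(inventory, name):
    """6. A system's automatic PHI inputs are the systems whose outputs point at it."""
    return sorted(s.name for s in inventory if name in s.sends_to)


def security_gaps(inventory):
    """Check items 1, 3, 5 and 9 for every system PHI reaches.
    Returns {system name: [gap description, ...]} for systems with gaps."""
    reached, _ = phi_systems(inventory)
    gaps = {}
    for s in inventory:
        if s.name not in reached:
            continue
        found = []
        if not s.phi_types:
            found.append("receives PHI but was not reported as a PHI system")
        if not s.owner:
            found.append("no system owner")
        if not s.backed_up:
            found.append("not backed up")
        if not s.safeguards:
            found.append("no documented safeguards")
        if found:
            gaps[s.name] = found
    return gaps


def phi_flow_document(inventory):
    """The written PHI flow: one line per system PHI reaches, plus a line
    for each downstream system that is missing from the inventory."""
    reached, unknown = phi_systems(inventory)
    lines = []
    for s in sorted(inventory, key=lambda rec: rec.name):
        if s.name in reached:
            lines.append(f"{s.name} ({s.hosting}): inputs={inputs_of(inventory, s.name)} "
                         f"auto-outputs={list(s.sends_to)} manual-outputs={list(s.manual_outputs)}")
    for name in sorted(unknown):
        lines.append(f"{name}: receives PHI but is NOT in the inventory")
    return lines


# Constructed sample inventory. Billing and the reporting warehouse were not
# reported as PHI systems by their users, but PHI flows into them from the EHR.
SAMPLE_INVENTORY = [
    SystemRecord("EHR", "clinical documentation", "CMIO", ("demographics", "clinical notes"),
                 "role-based, quarterly review", "local", True, ("printed chart copies",),
                 ("Billing", "Reporting warehouse"), ("encryption at rest", "audit logs")),
    SystemRecord("Lab system", "orders and results", "Lab director", ("lab results",),
                 "lab staff accounts", "local", True, (), ("EHR",), ("audit logs",)),
    SystemRecord("Transcription", "dictation to documents", "HIM manager", ("dictated notes",),
                 "vendor-managed", "cloud", True, ("emailed drafts",), ("EHR",), ("TLS transfer",)),
    SystemRecord("Billing", "claims and charges", "Revenue cycle lead", (),
                 "shared billing login", "local", False, ("mailed statements",), (), ("firewall",)),
    SystemRecord("Reporting warehouse", "quality dashboards", "", (),
                 "unknown", "cloud", True, (), ("BI dashboard",), ()),
    SystemRecord("Payroll", "staff pay", "HR", (), "HR accounts", "cloud", True, (), (), ("MFA",)),
]

if __name__ == "__main__":
    print("\n".join(phi_flow_document(SAMPLE_INVENTORY)))
    for system, found in security_gaps(SAMPLE_INVENTORY).items():
        print(f"GAP {system}: {'; '.join(found)}")
```

Run against the sample, the walk starts from the three systems that reported PHI and ends with five, plus a dashboard that nobody inventoried. That mismatch between what was reported and what the interfaces show is the finding the inventory exercise is meant to surface; the gap list then tells the security officer which system owners to go and talk to first.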

This is not an easy process – in some large integrated systems, they could have hundreds of different systems that interact with ePHI in some aspect!

Remember that HIPAA doesn’t just apply to an electronic health record. Electronic protected health information is any protected health information (PHI) that is produced, saved, transferred or received in electronic form. ePHI can be found on computer hard drives, in databases, in e-mail, in the EHR, and in many other locations. You need to evaluate your entire environment to truly understand and manage ePHI!

Don’t get caught in an unwanted data breach due to not knowing or understanding how your data flows throughout your organization, what systems have protected health information, where the inputs are, what happens to the data in the system, and where the outputs from the system exist.  Work upstream, understand your PHI data flow, and properly manage and reduce risks to PHI!

Danika

Filed Under: HIPAA, HIPAA Compliance, Privacy, Protected Health Information, Security

We Have a Process…Isn’t That Good Enough? HIPAA is All About the Documentation!

March 2, 2015 by Danika Brinda

Working with all different type of healthcare organizations and business associates, I frequently hear the following phrases:

“We have a process for that, it is just not documented”

“We did some items that would qualify to meet those requirements, but we didn’t know we had to document”

“We have a high level of HIPAA compliance, but just don’t have documented policies and procedures”

While all these statements may be true, the issue is that HIPAA requires documentation and proof that you are complying with the regulations. As we enter 2015 and look at 1) increased enforcement of HIPAA, 2) the next phase of HIPAA audits, 3) increasing data breaches, and 4) continued Meaningful Use audits, organizations need to make the time to assure that proper documentation exists in order to comply with the HIPAA regulations.

Policies and Procedures – They are a Requirement

If you look at the detail of the HIPAA Privacy, Security, and Breach Notification Rules, they all have a section that requires documentation to exist to support the regulations.

  • Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 164.316(b)(1) – Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment
  • Breach Notification Rule Documentation – 164.316(b)(1) – A covered entity must comply with the administrative requirements as defined under the HIPAA rule documentation. Additionally, in the event of an unauthorized use or disclosure, the covered entity or business associate shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach

In addition to supporting compliance with policies and procedures, organizations should also ensure that they are backing up what they do to comply with appropriate documentation. Some examples of documentation to review, to ensure it exists as your policy requires, are:

  • Proof of Information System Activity Review – who, what, when, where, outcomes
  • Workforce Sanctions Applied – when you have applied sanctions and why
  • Workforce Training Proof – regular training documentation as well as periodic updates
  • Complaints Received and Proof of Resolution – all complaints regarding privacy and security, the investigation and outcomes
  • Breach Notification Investigations (including the 4 required questions) – all information regarding the investigation as well as the outcome documentation and assurance of the burden of proof
  • Business Associate Contracts – do you have business associate contracts signed for the third-party vendors you use
  • Notice of Privacy Practices Acknowledgement – are you getting proper signatures as required and defined in your policy

This is not an all-inclusive list, but rather a sample to start thinking about how to verify that documentation exists.  It is EXTREMELY important that you don’t assume proper documentation is happening – ask and look to verify that proper documentation is happening.  Each of the above sample areas should be reviewed to see if what is defined in the policy and procedure that you have is truly being followed appropriately. 

Don’t sit back and assume you are ok because you have a process – make sure you have proper documentation to support your compliance with HIPAA regulations.  You can always conduct mock audits or hire an organization to analyze this for you.  It is best to be prepared!

Final Word on HIPAA Compliance and Documentation – Take initiative, review, analyze, and verify.  Your compliance level is only as good as the documentation you have to support it.  Be diligent, dig through documentation, and feel confident with your compliance with HIPAA.

Danika


Filed Under: Documentation, HIPAA, HIPAA Compliance, Policies & Procedures

You Are a Business Associate – Sign This: The Tangled Web Created with Business Associates

February 20, 2015 by Danika Brinda

The new complicated world of understanding Business Associates, Subcontractors, and Agents.

Scenario: A financial planner contacted me, concerned, as he had just received an e-mail stating that a business associate agreement needed to be signed in order to work with the company that processes applications for life insurance. The financial planner didn’t know what a business associate under the HIPAA regulations meant and was getting ready to just sign the document and return it. Thankfully, the financial planner reached out for clarification; I quickly advised against just signing the agreement and suggested pushing back against the company to determine why they thought he was a business associate. While dialogue between the insurance company and the financial planner is still occurring, through evaluation of the work between the financial planner and the insurance company (and client), it is clear that the financial planner WOULD NOT be a business associate under the HIPAA regulations.

Since the final Omnibus Rule became effective in 2013, a new wave of confusion and challenge over who is and who is not considered a business associate has come to light. To protect themselves, organizations (Covered Entities and Business Associates) have been requiring that all third parties they work with in any business capacity sign a business associate agreement. Even if the third party doesn’t meet the definition of a business associate or physically interact with protected health information, a blanket, cover-all approach of getting a signed business associate agreement is being applied. To create more confusion, many third-party organizations are just signing business associate agreements without truly knowing or understanding what it actually means and the implications of becoming a business associate. Is this the best approach, or is it taking the business associate agreement process to the EXTREME?

MY OPINION (Not Advice): Not everyone is a business associate or should sign a business associate agreement. Proper review and governance over the management of business associates within covered entities and business associate organizations needs to be completed. Additionally, the third-party organizations that are just signing business associate agreements should stop and evaluate what it is they are signing. Agreeing to the terms in a business associate agreement and declaring that you are a business associate, or a subcontractor of a business associate, does have major implications.

Covered entities and business associates need to spend time really understanding who may or may not be a business associate.  It should not be a blanket process where everyone that works with a specific company automatically has to sign an agreement.  Additionally, if information is being shared to support the spectrum of patient care (provider to provider), the business associate definition may not apply.  Dedicated individuals who are knowledgeable and understand the regulations should be working with organizations to help them navigate the business associate process.    

Per the 2013 Omnibus Rule, a business associate is “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.” Per the same rule, a “business associate” may also be a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. Those are the key words to use to evaluate whether an organization is a business associate: does it create, receive, maintain, or transmit data on behalf of a covered entity or business associate?

What should an organization do?

The best process for an organization is to have an established person or group of people in charge of evaluating business associate agreements. Here are some recommended steps for overall governance of business associates within an organization.

  • Create a team or individual responsible for the management of business associates
  • Generate the accounts payable reports for the past 3 months and review all third-party vendors and/or individuals working for your organization
  • Determine the scope of work that the third party has been doing on behalf of the organization
  • Evaluate whether the third party’s scope of work qualifies it as a business associate
  • If it is determined that they are a business associate, establish and execute a business associate agreement
  • Keep a log of all business associates – some recommended fields are Business Associate Name, Contact Individual, Contact Information, Tasks that qualify as a business associate, Business Associate Agreement signed, Date agreement signed
  • Create a process for a proactive review of any NEW third parties that the organization is going to establish a business relationship with

It is now time to effectively oversee and manage the business associate process within an organization – the covered entity should be aware that while business associate and subcontractors are liable for HIPAA compliance, the ultimate liability falls onto the covered entity. 

Note to third parties (contractors, subcontractors): make sure you know and understand the implications of becoming a business associate of an organization. If you truly don’t meet the definition of a business associate or subcontractor, don’t just sign the contract; seek out advice or guidance on the proper steps!

Danika

Filed Under: BAA, Business Associates, HIPAA, HIPAA Compliance, Subcontractor


Connect With Us

TriPoint Healthcare Solutions
dbrinda@tripointhealthcaresolutions.com
Phone: 612.325.9742
Fax: 763.322.5027
