TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Is Windows XP Still Common in Healthcare Organizations 10 Months after Stopping Security Updates?

February 17, 2015 by Danika Brinda

On April 8, 2014, Microsoft stopped providing patches and updates to the Windows XP operating system.  While this seems like old news and a bit crazy to talk about – many healthcare organizations are still using Windows XP.  In discussing this issue with many healthcare organizations, one of the most common reasons given is that they use software that is needed for day-to-day patient care and cannot be migrated to newer versions of Windows.  The vendors that support these software systems are aware of the problem; however, they have not taken action to move the software to a newer Windows platform.

So they’re not providing updates – what does that actually mean?  With no updates being provided, there will be no new security updates, non-security hot fixes, free or paid assisted support options, or online technical content updates for the operating system.  This leaves the system vulnerable to attack from the outside.  There has been a lot of documentation and confusion about what needs to be done to protect information stored on computers that have not migrated off of Windows XP.  In addition, many articles have been published stating that if organizations didn’t migrate off of the Windows XP platform by 4/8/14, providers will not be eligible for Meaningful Use and will not be HIPAA compliant.  Fact or fiction?

Fact: You are not technically in violation of HIPAA if you use Windows XP, as HIPAA doesn’t mandate any specific software system; HOWEVER, the practice is extremely risky and you could be found out of compliance if a data breach were to occur.

The HIPAA Security Requirement 164.308(a)(5)(ii)(B) is an addressable standard that states that an organization must have “policies and procedures for guarding against, detecting, and reporting malicious software.”  Malicious software can be introduced through any program, usually in the form of a virus, Trojan horse, or worm.  Without the ability to apply security patches to the Windows XP operating system, there are risks to the organization and to the data that the organization keeps and maintains – the other safeguards that exist to protect that computer MUST be implemented and thoroughly documented if you choose to keep running on the Windows XP operating system.

It is also important to note that nowhere in the meaningful use requirements or the HIPAA requirements does it specify having to be on a specific software platform or operating system.  Here is an example FAQ from HHS for clarification regarding operating system requirements under HIPAA – no specific operating system must be used!  http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html

Still Using XP – What you should be doing now:

  • Evaluate and determine how to migrate from Windows XP to an updated operating system as soon as possible.
  • If a vendor’s software only runs on XP – work with them and continue to push them to update the software, given the risks of the old system and the lack of security patches.
  • Conduct your HIPAA risk assessment to determine if your organization’s systems are still operating on Windows XP and what risks exist.
  • Come up with a detailed risk management process if your organization is still running on Windows XP, including information on how to reduce risk until you migrate from the Windows XP system.
  • Evaluate everything – There is no ‘formal’ documentation from HHS, ONC, or the OCR regarding this measure and how to interpret it from a meaningful use and HIPAA perspective.
  • Ensure that you document Windows XP as a risk to your organization within the risk assessment/mitigation, as well as the potential impacts from malware, viruses, & hackers.
  • If questions come up, ask for clarification or assistance.

As of July 14, 2015, Microsoft will stop providing updates and support for any version of Windows Server 2003 – leaving organizations with the challenge of upgrading and/or migrating to new server software.  If you are still running on Windows Server 2003, it is time to take steps now to execute a proper migration strategy and protect your patient information.

Final note: Running any type of organization where protected health information is involved and there are not adequate and regular security patches being implemented is a risky practice and could expose an organization to a data breach.  From the eyes of a security professional – the risk isn’t worth a large scale breach of information.  It is time to take action now and get rid of old software platforms that are no longer being updated and supported.

Danika

Filed Under: HIPAA, HIPAA Compliance, Security, Windows XP

Friday the 13th HIPAA-Stitions: Demystifying the Myths

February 13, 2015 by Danika Brinda

Friday the 13th comes around on average 2-3 times per year.  In 2015, Friday the 13th will visit us 3 different times.  Friday the 13th is thought to be one of the most unlucky days of the year – plaguing us with many different superstitions that cause fear among people.  From the masked Jason chasing people down an empty, dark street to the crazy doll, Chucky, that comes to life and attacks, the dread of the 13th of the month has created angst and fear in society!

Just like all the superstitions and fears we face on Friday the 13th, HIPAA is full of different myths and fears created among the healthcare community.  Healthcare organizations fear that HIPAA is going to cause issues and destruction within their organization.  Different interpretations and analyses of the HIPAA requirements have created confusion and fear among the healthcare community.

In honor of Friday the 13th – Let’s Demystify 13 of Today’s HIPAA-Stitions

  1. HIPAA prohibits me from taking care of patients and releasing information for continuity of care.

HIPAA allows the sharing of patient information for the purpose of treatment, payment, and healthcare operations (TPO).  If a provider needs to release patient information to help in the continuity of care, that is an acceptable disclosure under the HIPAA regulations.  It is smart to check state requirements on the protection of patient information, as some states do require a signed authorization for any use or disclosure of patient information.

  2. The HIPAA Security Risk Analysis only needs to be completed one time.

The HIPAA regulations actually do not define the frequency of the HIPAA risk analysis.  Built to be scalable, the HIPAA security rule allows the covered entity or business associate to define the frequency; however, doing it one time and never again is not an acceptable practice and leaves the organization vulnerable to non-compliance and risks to PHI.

  3. Texting is considered a way of communicating about patients and has no concerns with HIPAA compliance.

Normal SMS texting is not a secure means of communications with protected health information.  In fact, texting using normal SMS format is quite risky to the healthcare organization.  If a healthcare organization is going to allow texting as a means of communications regarding patients (think about this before saying yes), a secure solution for texting should be implemented as well as a policy and procedure for effective management of texting with patient information.  Think about not only how to manage the data as it is in transmission from device to device, but also how you will manage the devices and the information that may be stored on the device.  

  4. HIPAA prohibits me from sending patient reminders about appointments and leaving messages on phones.

The HIPAA privacy rule allows all providers to communicate with their patients regarding their health care, which includes reminders about appointments. This includes communicating with patients at their homes, whether through the mail or by phone. The HIPAA regulations do not prohibit a provider from leaving messages for patients on their voicemail; however, they do require that the covered entity provides adequate safeguards for the privacy of a patient, which may include getting agreement from the patient to leave a voicemail at a specific number or to send information regarding care to a specific address.

  5. Since the EHR we use is a cloud based EHR, I don’t have to worry about having a written contingency plan in place.

Using a cloud-based EHR may eliminate an organization’s need to manage the backup process for the EHR system; however, it doesn’t completely eliminate the need to create and implement a contingency plan.  The contingency plan is intended to cover much more than how the information is backed up, such as how the organization will work in emergency mode, what systems are most vital to the day-to-day operations of the organization, and how recovery of data will occur.  Another aspect to think about is that the EHR may be only one of the systems that stores and maintains patient information.  If you have other systems or are storing information regarding patients in other electronic locations, it is important to have a plan in place for how that information is being backed up and restored in the case of an emergency.

  6. As long as we have passwords in place to get into our systems with patient information, the information is considered secure.

A common misunderstanding of passwords is that they make a system secure once implemented – but they don’t.  Passwords do provide an appropriate safeguard and a layer of security for patient information; however, the protection is only as good as the password.  To better manage the use of passwords, strong passwords should be required on any system that provides access to patient information.  Strong passwords should be a minimum of 8 characters in length and use uppercase letters, lowercase letters, numbers and symbols – 3 of the 4 is the minimum recommendation.  Remember that the only true way to make information secure is to encrypt the information or destroy the information using appropriate means.

  7. My business associate states they are HIPAA compliant so there is no need to worry about the protection of the information shared with them.

No organization is out there certifying healthcare organizations as “HIPAA Compliant.”  Any third party organization stating that they are HIPAA compliant most likely means that they have created an internal program to meet the requirements of the HIPAA regulations as they apply to business associates.  It is best practice for covered entities to ask business associates about the safeguards used to protect the information they are sharing and what makes them “HIPAA Compliant.”

  8. I don’t have an electronic health record; therefore, the HIPAA security rule doesn’t apply to me.

HIPAA doesn’t distinguish between the systems where information is stored when defining where the security rule does and doesn’t apply.  Rather, HIPAA focuses on the media type of the information – electronic, paper, and oral.  The security rule applies specifically to all electronic protected health information, which is PHI that is created, received, maintained or transmitted in electronic form.  An electronic health record is only one source of electronic protected health information.

  9. Meaningful use changed requirements for the HIPAA risk analysis.

The meaningful use requirements didn’t actually change any of the requirements that HIPAA mandates – it actually points directly to the HIPAA requirements for the conducting of the HIPAA risk analysis for protecting patient information.  The only ‘change’ is that if you are participating in the meaningful use program, a HIPAA risk analysis must be conducted or updated for each year that you attest for meaningful use.

  10. Every unauthorized use and disclosure of patient information is considered a data breach.

In order to determine if a breach occurred from an unauthorized use or disclosure of information, an investigation must be completed by the covered entity or business associate to determine the risk to the patient information.  Per the Omnibus Rule of 2013, an unauthorized use or disclosure of health information is not considered a breach if there is low probability that the information has been compromised. 

  11. Since the patient won’t sign my Notice of Privacy Practices, I am not allowed to treat that patient.

A patient refusing to sign the notice of privacy practices acknowledgement doesn’t prohibit the provider from taking care of the patient.  The regulations state that the covered entity should make a reasonable effort to get an acknowledgement of the notice of privacy practices signed.  By signing the acknowledgement, the patient is only documenting that they have been given or offered a copy of the notice of privacy practices, which explains how the organization will use and safeguard their protected health information.

  12. The HIPAA regulations prohibit Provider/Patient e-mail communication.

The HIPAA regulations do not prohibit providers from communicating with patients through e-mail.  The regulations actually state that if the provider is going to communicate with patients through e-mail, proper safeguards should be implemented to protect the information.  Additionally, the Omnibus Rule states that e-mail can be sent to a patient without encryption as long as the patient agrees to it and is aware of the risks to the information.

  13. Since I fully implemented a HIPAA compliance program, data breaches will not occur at my organization.

Even when an organization implements a full HIPAA compliance program and addresses all areas of potential risk, there is no guarantee that a data breach is not going to occur.  With the sophistication of recent data attacks and the human factor, there is always going to be a risk that a data breach can occur.  The best scenario is having a fully implemented HIPAA compliance program and ensuring adequate training of workforce members.  Reducing and managing potential risks is the best avenue to take – no organization is without some risk.

When evaluating HIPAA and operationalizing it to ‘fit’ a specific organization, HIPAA doesn’t have to be feared!  Overcome the common HIPAA-Stitions, and being successful with HIPAA compliance can be a goal reached by all organizations – large and small.  Don’t fear HIPAA as we fear Friday the 13th; instead take it on at full speed and don’t look back until you have met the appropriate level of compliance.

Danika

Filed Under: Other

HIPAA Makes Us Do What? Why? Understanding the Heart of HIPAA!!

February 9, 2015 by Danika Brinda

As we prepare for Valentine’s Day and the celebration of love with hearts and cupids, we are reminded that everything that we do is defined from purpose and intent.  Valentine’s Day dates back to the 5th Century as a dedicated day for people to show their love and respect for one another.

Just as with any holiday or dedicated day, HIPAA has a defined purpose and intent.  It wasn’t created to put challenges and burdens onto healthcare organizations and business associates.  It wasn’t created to block patient care and make it impossible to share protected health information.  HIPAA was created with a purpose and intent, to provide protections and rights to protected health information.  Understanding the heart of HIPAA can help an organization evaluate and successfully implement the regulations. 

The HIPAA Privacy Rule, which was mandated in 2003, has three distinct purposes.  Each of the purposes was created with the intent of adding protections and enhancements to how healthcare organizations safeguard protected health information.  The Privacy Rule doesn’t focus on a media type of protected health information – but rather focuses on all patient information regardless of medium.  The three main goals of the HIPAA Privacy Rule are:

  1. To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
  2. To improve the quality of health care in the U.S. by restoring trust in the health care system; and
  3. To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

The HIPAA Security Rule, which was mandated in 2005, took protecting information to the next level with the focus on information that is created, stored, transmitted, and maintained in an electronic format.  With the increase in the amount of electronic protected health information, the main purpose of the HIPAA Security Rule is to

  1. Establish the minimum requirements to ensure the confidentiality, integrity, and availability (CIA) of electronic protected health information.

Looking to the heart of the requirements and why the privacy and security requirements were created can help healthcare organizations overcome the frustration and concerns that are created when evaluating and implementing the regulation requirements.  Remember as we get ready to prepare for the day of love and celebration of hearts, HIPAA has a heart and looking to the basics and understanding what the intent of the heart is can be beneficial. 

Celebrate the Heart of HIPAA!

Danika

Filed Under: Other

And the Password IS….NOT so Secret. 6 Ways to Ensure Effective Use of Passwords.

February 3, 2015 by Danika Brinda

Most everybody is familiar with the famous TV show ‘Password’ and remembers the famous line “And the password is…”  A fun and exciting game show of trying to guess the secret password in order to win money.  Today’s attempts at guessing passwords have become much easier and can allow access to information and details that can dramatically impact organizations as well as individuals.  A recent review of the most ‘hacked’ passwords by SplashData has provided the top passwords that were hacked in 2014.  These passwords make it easy to get access to the information they are protecting:

Top 10 Hacked Passwords in 2014

  • 123456 (number 1 for the past 2 years)
  • Password
  • 12345
  • 12345678
  • Qwerty
  • 123456789
  • 1234
  • Baseball
  • Dragon
  • Football

The good news – these passwords are thought to only make up about 2.2% of the total password population.

Password management is the number one line of defense when it comes to protecting patient information stored on a computer, on a server, in an electronic health record, or in any system where protected health information is stored.  Effectively putting strategies and management processes in place to manage passwords in a healthcare organization or business associate is a necessity for adequate protection of patient information.  Here are 6 simple ideas to help effectively manage passwords in a healthcare organization:

  1. Enforce the Use of Strong Passwords. A strong password at a minimum consists of 3 or 4 of the different elements – Uppercase Letters, Lowercase Letters, Numbers, and Symbols.
  2. Require a Specified Length of Password. Requiring a specific length of password can help reduce the ability to ‘guess’ a password – 7 to 8 characters in length is a good practice to implement.
  3. Require that Passwords are Changed Regularly. Passwords need to be changed on a regular basis.  Best practice within healthcare is to change all passwords (Operating System, EHR, Administrative, etc.) every 120 to 180 days.
  4. Ensure that Workforce Members Do Not Write Passwords Down. Train workforce members to never, ever write passwords down.  While it is tempting, and people might not think that a password will be found if hidden in a secret spot, it is important that passwords are never written down unless the organization creates a secure process for documenting passwords.
  5. Implement Lock Out of Systems After a Specified Number of Incorrect Passwords Entered. It is important that if someone fails a login a specific number of times in a short period, the system suspends the ability to log in or requires the user to come back at a later point in time to attempt the login process again.  This will deter unwanted guessing of passwords and provides an added safeguard in the “guessing” game.
  6. Educate Workforce Members on Password Management. Educate, educate, educate, educate.  Workforce members need to understand the importance of passwords and why they need to be protected in order to prevent unauthorized access to the healthcare systems.  With proper education, workforce members will understand the need to protect passwords, and ultimately protect patient information.

While these are very simple processes, more detailed and secure methods of authentication exist that can remove some of the risks to healthcare organizations; however, they don’t come without time and cost to manage.  With simple steps, healthcare organizations can more effectively oversee how passwords are created, managed, and safeguarded within a healthcare organization.  Don’t get caught having someone guessing passwords, take the proper steps to manage passwords within an organization.

Danika

Source: http://blogs.wsj.com/digits/2015/01/20/123456-again-the-most-popular-passwords-arent-changing/

Filed Under: Other

Are You Prepared to Report a Data Breach? Assuring Collection of the Right Data Elements

January 28, 2015 by Danika Brinda

As of today, there have been 1170 data breaches reported to the Department of Health and Human Services, which have impacted over 40 million individuals.  The numbers continue to increase at a rapid pace, with a clear concern for data breaches in 2015.  The final breach notification rule requires that healthcare organizations conduct a data breach investigation on each and every unauthorized use and disclosure of protected health information to determine if there is a “low probability that the information is compromised.”  Four objective questions must be asked and answered EVERY TIME an investigation is completed:

  1. The nature and extent of the PHI involved in the data breach, including the types of identifiers and likelihood of the re-identification
  2. The unauthorized person (people) who used the PHI or whom it was disclosed to
  3. Whether the PHI was viewed, acquired, or re-disclosed
  4. The extent to which the risk to the PHI has been mitigated

With the answers to these questions complete, healthcare organizations can feel confident they have the documentation and burden of proof in place to submit a data breach to the Secretary of the Department of Health and Human Services (DHHS) – WRONG!!! Many more data elements must be collected during the investigation in the event that a data breach needs to be reported to DHHS.  The notification submission method for reporting a data breach to the Secretary of DHHS has recently been updated – it now has clearer data elements and requirements for reporting.  Understanding the data elements that must be reported is the foundation of creating a proper method for investigating and documenting a data breach.  With the updated reporting form, covered entities and business associates must be ready to report all of these data elements:

  • Breach Start Date
  • Breach End Date
  • Discovery Start Date
  • Discovery End Date
  • Approximate Number of People Impacted
  • Type of Breach (Hacking/IT Incident, Improper Disposal, Loss, Theft, Unauthorized Access/Disclosure)
  • Location of Breach (Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other Portable Electronic Device, Paper/Films, Other - must enter a location)
  • Type of Protected Health Information Involved (Clinical, Demographic, Financial, Other - must enter details)
  • Brief Description of the Breach
  • Safeguards in Place Prior to Breach (None, Privacy Rule Safeguards, Security Rule Administrative Safeguards, Security Rule Technical Safeguards, Security Rule Physical Safeguards)
  • Individual Notice Provided Start Date
  • Individual Notice Provided End Date
  • If Substitute Notice was required
  • If Media was notified
  • Actions taken in response to breach

If you are not collecting all these data points each time you complete an investigation, you run the risk of not having all the accurate data and potentially having to repeat the investigation.  Create a process that ensures collection of all the data elements required for breach reporting up front, so you don’t have to repeat work and run the risk of extending past the 60 day investigation and notification timeline!  Don’t get in the habit of doing duplicate work – collect all the data elements up front.  If you need a tool – contact TriPoint!

And don’t forget to check out the new and improved Data Breaches Impacting Greater than 500 Individuals website – https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Data Breach Fun Facts – Since September 1, 2009!

  • The breakdown of the organizations reporting data breaches
    • 733 from Healthcare Providers
    • 328 from Business Associates
    • 104 from Health Plans
    • 5 from Healthcare Clearing Houses
  • Theft and Loss account for 63.5% of Data Breaches
  • Paper is the top media source for data breaches making up 22.3%
  • Laptops are the second top medium source making up 21.7%
  • Largest data breach was in 2011 – 4.9 Million Individuals Impacted

Prepare, Document, and Take Action!

Danika

Filed Under: Other
