TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


What is your Greatest HIPAA Threat? Employee Negligence is Top Security Threat among Healthcare Providers and Business Associates!

May 13, 2016 by Danika Brinda

We have seen a variety of different issues topping the lists of data breaches in healthcare in 2016.  Some of the issues are: cyber-attacks, ransomware, employee negligence, and loss of devices with health information.  With so many moving pieces within a healthcare organization and the increased amount of information being stored and maintained by healthcare organizations and third party vendors (Business Associates), the healthcare industry has topped the list of industries most likely to experience a data breach.

The Ponemon Institute recently published the 6th Annual Benchmark Study on Privacy and Security of Healthcare.  We often hear about the large-scale data breaches and how they impact healthcare organizations, but rarely hear of the small data breaches (under 500 individuals impacted).  The research study conducted by Ponemon Institute indicated that 90% of healthcare organizations within the study have been impacted by a data breach and that data breaches have cost the healthcare industry about $6.2 billion.  Most of the participants within the study reported that the data breaches impacting their organizations were small in nature (less than 500 individuals impacted).

Healthcare organizations and business associates have cited that the top security threat that they worry about is employee negligence, which beat out cyber-attacks and mobile device insecurity.  Inattentive and careless actions of employees create more data breaches and issues for organizations than any other threat.  While cyber-attacks are a huge risk to healthcare organizations, human faults such as clicking e-mail links, downloading infected files, and having weak passwords are common reasons for cyber-attacks.  Some recent headlines involving employee negligence and data breaches are:
  • Oneida Health Center Dental Clinic – Unencrypted flash drive stolen impacting 2,700 individuals
  • Wyoming Medical Center – Employees click on link in phishing scam email impacting 3,100 individuals
  • UnityPoint Health’s Allen Hospital – Employee snooping impacts 1,620 individuals
  • Children’s National Health System – Misconfigured File Transfer Protocol (FTP) server impacts 4,100 individuals
  • Ohio Department of Mental Health and Addiction Services – Satisfaction surveys sent on postcards impacting 59,000 individuals
  • EqualizeRCM Services – Unencrypted laptop stolen with unknown number impacted
  • Akron General Health System – Unencrypted flash drive stolen impacting 975 individuals
  • Vail Valley Medical Center – Employee copies records to bring to new employer impacting 3,100 individuals
As an organization, it is your responsibility to set your employees up for success when it comes to managing the privacy and security of your organization.  It is more than just complying with regulations and writing policies and procedures; it is about creating an environment where privacy and security are a priority for all workforce members of an organization.  Some key steps to help the workforce safeguard and protect patient information:
  • Provide regular and pertinent education and guidance on privacy and security
  • Limit workforce members’ access to only what they need to satisfy job requirements
  • Create clear communication processes for all security concerns and potential data breaches
  • Ensure your workforce knows and understands your policies and procedures for privacy and security of protected health information
  • Require strong passwords to access systems that contain protected health information and change passwords regularly
  • Implement proper safeguards such as encryption to protect data stored on laptops and other portable devices
Establish your practices within your organization and effectively train and manage your staff.  As a healthcare provider or business associate, the responsibility for your employees’ actions lies with the organization.  Not providing your workforce the tools and education for success in protecting the privacy and security of patient information is only going to have negative impacts on your organization and potentially cause a data breach that could cost the organization millions of dollars.  Be proactive, and provide your workforce with tools and processes to be successful.  Your workforce’s success is built on the organization!  Create a culture to promote privacy and security protections!

Resource: Ponemon Institute. May 2016. Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data.  https://www2.idexpertscorp.com/sixth-annual-ponemon-benchmark-study-on-privacy-security-of-healthcare-data-incidents

Filed Under: Business Associates, HIPAA, HIPAA Compliance, Workforce

Data Breach: It WILL NEVER Happen to Our Organization

June 1, 2015 by Danika Brinda

You choose your path: Be Prepared OR Be Scared.


How many times have you heard an organization say “A data breach will never happen here,” “We are too small for a data breach to happen,” or “It only happens to hospitals and insurance companies”?  The thought that a data breach will never happen to your organization can be your biggest mistake in the preparation and defense in the event that a data breach does occur.  If you asked all the organizations who have experienced a HIPAA data breach in the past 12 months, many of them would agree that they never believed that something like that could happen.

Healthcare covered entities and business associates need to plan and be prepared in the event a potential data breach does occur.  Policies, procedures, and processes should be established that can be immediately activated in the event that a potential breach occurs and needs to be stopped, investigated, and mitigated. 

Looking over the past week, we see data breaches are occurring at all types of healthcare facilities and for a variety of reasons.

  • Buffalo Heart Group, 500 to 600 impacted – A third party working under a physician accessed information outside the scope of the work to solicit patients when the physician moved to a new practice
  • Unity Recovery Group, Inc., fewer than 1,000 impacted – Improper disclosures of patient information to unaffiliated recovery services
  • New Jersey Medical Center, 1,400 impacted – An e-mail with a spreadsheet meant for internal use was sent to an incorrect recipient
  • Beacon Health, unknown number impacted – Victim of a sophisticated phishing attack that caused unauthorized access to e-mails containing PHI
  • University of Rochester Medical Group, 3,400 impacted – A former Nurse Practitioner took patients’ personal information with her when she left for another organization
  • HHC Jacobi Medical Center, 90,000 impacted – Improper access and transmission of files containing PHI to a personal email account
  • Associated Dentists – Theft of laptops; one was encrypted and the other was not encrypted

One piece of advice to all healthcare organizations and business associates: Be Prepared.  Don’t follow the path of so many and think that a data breach will never occur within your organization. 

If you are not confident about your breach notification response plan, review and update the plan so that it makes sense for your organization.  Go through practice drills to assure the process gets practiced and is realistic in the event of a potential data breach occurring. 

If additional help is needed, reaching out to experts in the industry is always a great idea.  Having third party assistance in the creation and establishment of a process for your organization can help alleviate some of the fears and challenges that healthcare covered entities face.

Be prepared, plan accordingly, and assure your breach investigation process is ready.  You never know when your organization may be the next data breach – a good response plan can save your organization from the unwanted repercussions that data breaches bring to organizations.

“If you are failing to plan, you are planning to fail.” – Tariq Siddique

Danika

Filed Under: Breach Notification, Business Associates, Data Breach, ePHI, HIPAA, Protected Health Information Tagged With: Data Breach, HIPAA

You Are a Business Associate – Sign This: The Tangled Web Created with Business Associates

February 20, 2015 by Danika Brinda

The new complicated world of understanding Business Associates, Subcontractors, and Agents.

Scenario: A financial planner contacted me, concerned, as he had just received an e-mail that a business associate agreement needed to be signed in order to work with the company that processes applications for life insurance.  The financial planner didn’t know what a business associate under the HIPAA regulations meant and was getting ready to just sign the document and return it.  Thankfully, the financial planner reached out for clarification; I quickly advised against just signing the agreement and recommended pushing back against the company to determine why they thought he was a business associate.  While dialogue between the insurance company and financial planner is still occurring, through evaluation of the work between the financial planner and insurance company (and client), it is clear that the financial planner WOULD NOT be a business associate under the HIPAA regulations.

Since the final Omnibus Rule became effective in 2013, a new wave of confusion and challenge over who is considered a business associate and who is not has come to light.  To protect themselves, organizations (Covered Entities and Business Associates) have been requiring that all third parties that they work with in any business aspect sign a business associate agreement.  Even if the third party doesn’t meet the definition of a business associate or physically interact with protected health information, a blanket coverall approach to getting signed business associate agreements is being applied.  To create more confusion, many third party organizations are just signing business associate agreements without truly knowing or understanding what it actually means and the implications of becoming a business associate.  Is this the best approach, or is it taking the business associate agreement process to the EXTREME?

MY OPINION (Not Advice): Not everyone is a business associate and should sign a business associate agreement.  Proper review and governance over the management of business associates within covered entities and business associate organizations needs to be completed.  Additionally, the third party organizations who are just signing business associate agreements should stop and evaluate what it is they are signing.  Agreeing to terms in a business associate agreement and declaring that you are a business associate, or a subcontractor of a business associate, does have major implications.

Covered entities and business associates need to spend time really understanding who may or may not be a business associate.  It should not be a blanket process where everyone that works with a specific company automatically has to sign an agreement.  Additionally, if information is being shared to support the spectrum of patient care (provider to provider), the business associate definition may not apply.  Dedicated individuals who are knowledgeable and understand the regulations should be working with organizations to help them navigate the business associate process.

Per the 2013 Omnibus Rule, a business associate is “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”  Per the Omnibus Rule of 2013, a “business associate” may also be a subcontractor that “creates, receives, maintains, or transmits protected health information on behalf of another business associate.”  Those are the key words to use to evaluate whether an organization is a business associate – does it create, receive, maintain, or transmit data on behalf of a covered entity or business associate?

What should an organization do?

The best process for an organization is to have an established person or group of people in charge of the evaluation of business associate agreements.  Here are some recommended steps for overall governance of Business Associates within an organization.

  • Create a team or individual responsible for the management of business associates
  • Generate the accounts payable reports for the past 3 months and review all third party vendors and/or individuals working for your organization
  • Determine the scope of work that the third party has been doing on behalf of the organization
  • Evaluate if the third party scope of work being done qualifies the third party as a business associate
  • If it is determined that they are a business associate, establish and execute a business associate agreement
  • Keep a log of all business associates – some recommended fields are Business Associate Name, Contact Individual, Contact Information, Tasks that qualify as a business associate, Business Associate Agreement signed, and Date agreement signed
  • Create a process for a proactive review of any NEW third parties that the organization is going to establish a business relationship with

It is now time to effectively oversee and manage the business associate process within an organization – the covered entity should be aware that while business associates and subcontractors are liable for HIPAA compliance, the ultimate liability falls onto the covered entity.

Note to third parties (contractors, subcontractors) – make sure you know and understand the implications of becoming a business associate of an organization.  If you truly don’t meet the definition of a business associate or subcontractor, don’t just sign the contract – seek out advice or guidance on the proper steps!

Danika

Filed Under: BAA, Business Associates, HIPAA, HIPAA Compliance, Subcontractor

Don’t Get Run Over by the HIPAA Omnibus!

January 23, 2015 by Danika Brinda

HIPAA Compliance continues to be a HOT TOPIC in healthcare.  Every day, news and information is published about the lack of compliance, the struggles within organizations, data breaches occurring, and the HIPAA audits coming.  In 2013, the HIPAA Omnibus Rule was established, which made many changes to the HIPAA Privacy and Security Regulations.  Despite the compliance date of September 23, 2013, many healthcare organizations and business associates have not taken proper steps to climb onto the HIPAA Omnibus and assure compliance with the new regulations.

A recent study conducted by NueMD in 2014 provided insight into compliance levels with the HIPAA Regulations and the HIPAA Omnibus Rule.  Over 1,000 Medical Practices and 160 Billing Companies were surveyed in regards to their current level of compliance with HIPAA and the changes in the HIPAA Omnibus Rule.  The results were SHOCKING and EYE-OPENING!!!!  Check out some key findings:

  • 36% of respondents stated they didn’t know about the HIPAA Omnibus Rule
  • 68% of respondents stated they didn’t know of the HIPAA Audits
  • 23% of respondents stated they had no HIPAA Compliance Plan
  • 54% of respondents stated they didn’t have a Security Officer
  • 45% of respondents stated they didn’t have a Privacy Officer
  • 55% of respondents stated they had no process established for Breach Notification

Based on the findings, it is clear that healthcare organizations need to step up and establish HIPAA Compliance Programs and ensure they are updating their information to include the HIPAA Omnibus Requirements.  Jump on the HIPAA Omnibus and ensure that the organization has a joyful ride rather than being run off the road.

The major components of the HIPAA Omnibus Rule that healthcare organizations AND business associates need to evaluate and implement within their organization are:

  • Breach Notification
  • Business Associates Compliance Requirements
  • Sale of Protected Health Information
  • Marketing and Protected Health Information
  • Fundraising and Protected Health Information
  • Research Authorization Changes
  • Access to Immunization Data
  • Electronic copy of Protected Health Information
  • Access to Deceased Patient’s Records
  • Genetic Information Nondiscrimination Act (GINA)
  • Restriction of Protected Health Information to Health Plans
  • Update to the Notice of Privacy Practices

Please note this is not an “end all be all” list of requirements.  Each organization needs to assess the regulatory changes and determine how and what applies to their specific organization.

With the HIPAA delays, healthcare organizations are given the gift of time.  Use this time to get aboard the HIPAA Omnibus and assure that you have updated or established all appropriate policies and procedures for your organization.  Don’t delay any longer – the time is NOW!

Danika

Source: NueMD Survey Findings: http://www.nuemd.com/hipaa/survey/practice-findings.html

Filed Under: Business Associates, HIPAA, HIPAA Compliance, Omnibus Rule, Privacy, Security

Going from 0 to HIPAA Compliant – Like Climbing Mt. Everest: Small Steps Take You a Long Way

January 15, 2015 by Danika Brinda

Moving from 0 to HIPAA Compliant can be a lot like climbing Mt. Everest.  Starting from the bottom and staring up to try and see the peak of Mt. Everest is challenging, just as starting the route to HIPAA compliance can be.  When climbing Mt. Everest, nobody sets out to climb to the summit in one day.  Instead, they prepare themselves for the climb, and they break it up and take it in small steps – with a dream of reaching the summit.  The usual course of the climb is:

  • Ice Fall
  • Camp 1
  • Camp 2
  • Camp 3
  • Camp 4
  • Everest Summit (YES)!

Looks easy, right?  WRONG!  At times, climbers spend 4 – 8 weeks at the different camps trying to acclimate themselves to the altitude and prepare themselves for the next hike up the mountain.  The time spent moving between camps takes hours upon hours and can be treacherous and dangerous.  But the moment that the climbers walk the last few steps and make it to the summit, all the hard work and dedication pays off.  They can finally enjoy the success of the momentous task they just accomplished.   

BREATHE, EXIST, and ENJOY the moment – because then they remember that they have to climb down, AND the only way down is the way that they came up.

When first reviewing the HIPAA Privacy and Security Regulations, it can be SCARY and OVERWHELMING, similar to climbing Mt. Everest.  Between the two regulations, writing policies and procedures and establishing practices for an organization can take weeks, even months.  The challenge that HIPAA privacy and security practitioners face is that HIPAA usually is another added task on one’s already full plate, creating an even bigger hurdle in the path to the summit of HIPAA compliance.  With all the conflicting priorities and trying to meet so many deadlines, HIPAA tasks usually get pushed off to the side or left for ‘tomorrow’.  How many times has HIPAA come up on your ‘To-Do’ list and been pushed off until tomorrow?

Looking at the requirements under HIPAA – it is easy to see how it can be overwhelming when you are starting from scratch or reviewing what you already have in place (if you are unclear about the HIPAA requirements – contact me).

Take a new philosophy on HIPAA Compliance and commit to 3 tasks daily.  Think of the movement towards HIPAA compliance as your movement toward the different camps that the climbers reach as they take on the challenge of climbing Mt. Everest.  This may sound silly or a little ‘too easy’, but when you take a complicated task and break it down into small daily tasks, it seems a little more achievable and not so overwhelming.

A Sample Week of HIPAA Tasks (Privacy Rule):

Monday
  1. Update Notice of Privacy Practices
  2. Update process for Notice Signatures
  3. Update P&P on Notice of Privacy Practices

Tuesday
  1. Review P&P on Uses and Disclosures of Protected Health Information
  2. Observe processes for releasing health information
  3. Evaluate documentation received for disclosures of health information

Wednesday
  1. Review recent Requests for Amendment of Medical Record Documentation
  2. Evaluate and update Amendment Policy and Procedure
  3. Assure the Amendment Request form is adequate and requests are being processed timely

Thursday
  1. Review all Accounting of Disclosures (AOD) requests
  2. Evaluate and update AOD Policy and Procedure
  3. Assure the AOD Request form is adequate and requests are being processed timely

Friday
  1. Evaluate areas that need re-training and education on practices reviewed this week
  2. Create a training plan for workforce members
  3. Evaluate and update HIPAA Training Policy and Procedure

The one important item to remember is – YOU CAN’T GET IT DONE IN A DAY!  To truly evaluate your level of HIPAA compliance, create and implement privacy and security practices within your organization, and effectively train your workforce, you need to dedicate time and effort to the project.  And remember, once you get it all done, it is not time to sit back, relax, and never worry again.  It is the time for evaluation and assurance that what has been established for HIPAA compliance matches what is being practiced within your organization – similar to climbing back down Mt. Everest.

Remember the famous Spanish saying “Poco a poco se va lejos” (Little by little, one goes a long way).  Small steps can make all the difference in the successful creation, evaluation, and execution of a solid and complete HIPAA Compliance Program!

Danika

Filed Under: Business Associates, HIPAA, HIPAA Compliance, Other, Privacy, Protected Health Information, Security
