TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Are you prepared? The HIPAA Audits are COMING! Six Simple Steps to Create a Solid Foundation of HIPAA Compliance.

October 13, 2015 by Danika Brinda 2 Comments

It is that time of year – the weather in many places is all over the place.  From 80 degrees to 28 degrees in a few days in the Midwest, cool comfortable air on the east coast, from green leaves to an array of oranges, yellows, reds, and greens.  From trees full of summertime leaves to bare branches and leaf piles on the ground.  With the change in the seasons, it’s time to prepare for the next season.  Creating a solid HIPAA compliance program can be like braving the weather and embracing the change in the seasons – but instead we focus on the change in the culture within our organization.
There has been a lot of news regarding HIPAA over the past couple of weeks.  Continued data breaches, the Office of Inspector General (OIG) stating that there has been a lack of HIPAA oversight and enforcement, and Phase 2 of the HIPAA Audits beginning in early 2016.  The stage has been set, the world has been notified – there is going to be a change in the enforcement of HIPAA and NOW is the best time to prepare your organization.
Here are Six Simple Steps you can take to prepare your organization for success with the upcoming changes in enforcement and Phase 2 HIPAA Audits.
  • Conduct a Risk Assessment/Analysis – if you haven’t conducted a risk analysis recently, it might be a great idea to conduct one again soon. Make sure to have a risk analysis report that provides information on how the audit was conducted, what systems were evaluated and what the identified risks were.  Remember – don’t stop there.  You must create a risk management plan and mitigate and/or address all the risks identified. 
  • Review and update all policies and procedures – policies and procedures create the foundation for success with HIPAA compliance. Conduct a gap analysis on your policies and procedures.  Look for policies that you may be missing or policies that don’t meet minimum compliance.  Then ensure that your organization is following the policies you have created.  Look for evidence such as documents, logs and audit forms that can prove you are in compliance with your policies.
  • Know who your Business Associates Are – evaluate who you are paying as third party contractors and what tasks they are performing for your organization. If they are creating, receiving, transmitting or storing any protected health information on your behalf – ensure that you have an updated business associate agreement in place with them.  Consider creating an easily accessible list or spreadsheet of all your business associates within your organization. 
  • Review and become familiar with the Audit Protocol – although the new HIPAA audit protocol hasn’t been officially published, it is good practice to review and become familiar with the HIPAA audit protocol that was used on the HIPAA audits of 2011-2012. This will help an organization understand what will be looked for as far as evidence of compliance with the regulations. 
  • Conduct internal HIPAA audits – practice audits and help staff become comfortable with answering questions regarding HIPAA compliance. If an on-site HIPAA audit is conducted, the auditors will not only be talking to the HIPAA Privacy and Security Officers, but also to all workforce members that take part in providing proper protection of patient information (A.K.A. – EVERYONE).
  • Educate all staff and leaders on the importance of HIPAA Compliance – education of your entire workforce becomes an essential step in HIPAA compliance. Your workforce should know and understand what HIPAA is and the processes and procedures that are established within your organization for proper HIPAA compliance!
While this list isn’t a complete list of what an organization can do – it is a few simple steps that can definitely help create a solid HIPAA program and prepare for the increase in enforcement and Phase 2 HIPAA Audits.  Don’t be one of the healthcare organizations that states “We didn’t know that was a requirement” or “We thought we had more time to be compliant.”  Be prepared and feel confident in the way that you are protecting your patients’ information.  Your healthcare organization will benefit and your patients will be satisfied knowing that they are receiving great care and their information is properly protected and secured!
TriPoint Healthcare Solutions will be launching an online course soon that will guide healthcare organizations through preparing for a HIPAA Audit!  Want to be the first to know about this new class? Sign up here and receive the information and access to this class!


Danika

Filed Under: HIPAA, HIPAA Compliance, Protected Health Information, Risk Analysis, Security

Your PHI Goes in There and Out Where? Can Understanding your PHI Flow Help Support HIPAA Compliance?

March 18, 2015 by Danika Brinda Leave a Comment

How many organizations can say that they completely understand where all their protected health information exists and where the inputs and outputs of the data are?  Based on current clients, very few know exactly where all protected health information is being stored and maintained.  It is not uncommon to walk into an organization and hear that they have 2 or 3 systems that store or interact with PHI – then after discussion and analysis, it is determined that there are actually 9 or 10 different systems that interact with PHI within the organization.  Additionally, many organizations don’t fully understand all the areas where PHI may come out of electronic systems.  For example, a transcription system may automatically send a document once it is transcribed, or a lab system may send information to the billing system for proper charges.  Without properly understanding where all the data is being stored, what happens to the data, how those systems are protected, and where the ePHI outputs from the systems are, it creates a challenge in effectively managing the privacy and security of protected health information.  It is the key link from privacy and security to Information Governance in an electronic era.

Sure, everyone knows they have patient data within their electronic health record, stored in their lab system, or on the organization’s file server, right?  Those areas may be obvious and clear; however, organizations must know and understand every system and location where protected health information is being stored.  Without the knowledge of where all protected health information resides within an organization and the systems that use health information, it becomes nearly impossible to manage privacy and security of information and leaves the organization extremely vulnerable to a data breach. 

Privacy and Security Officers at healthcare organizations should start a process of identification of all systems storing, transmitting, or accessing patient information – creating a knowledge and understanding of how protected health information is being stored and used within their organization.  Creating a protected health information flow diagram or documentation is a complex and detailed process.  It is most likely not going to happen in one day or one week.  It is going to take time to understand each specific system, how it may or may not use protected health information, and what other systems it interacts with.

Some suggested steps to create this information at an organization:

  • Conduct a system inventory analysis of all systems that the organization uses
  • Understand all the hardware being used in the organization and if ePHI is being stored on the hardware
  • Evaluate each system identified to determine what the interaction is with any type of patient information
  • If the system interacts with protected health information, determine
    1. What type of PHI is being stored in the system
    2. What is the intent of the system
    3. Who is the system ‘owner’
    4. Who has access to the system and how access is managed
    5. Where the system is being stored (local server, cloud based) and backed up
    6. What are the inputs into the system with PHI
    7. What are the outputs of PHI from the system – both automatic and manual
    8. If the system interfaces and interacts with other systems
    9. Other security measures in place to protect the information
    10. Other pertinent information regarding the system that is important from a security perspective
  • Create documentation to support and understand all systems – Your Protected Health Information Flow!
  • Assure proper management of all systems that contain PHI! It is not the job of the security officer to own the systems, but it is a responsibility to ensure the systems are understood and proper security is maintained so the privacy of the data is properly secured and protected!

This is not an easy process – in some large integrated systems, they could have hundreds of different systems that interact with ePHI in some aspect!

Remember that HIPAA doesn’t just apply to an electronic health record.  Electronic protected health information is any protected health information (PHI) that is produced, saved, transferred or received in an electronic form.  ePHI can be found on computer hard drives, in databases, in e-mail, in the EHR, and many other locations – you need to evaluate and look at your entire system to truly understand and manage ePHI!!

Don’t get caught in an unwanted data breach due to not knowing or understanding how your data flows throughout your organization, what systems have protected health information, where the inputs are, what happens to the data in the system, and where the outputs from the system exist.  Work upstream, understand your PHI data flow, and properly manage and reduce risks to PHI!

Danika

Filed Under: HIPAA, HIPAA Compliance, Privacy, Protected Health Information, Security

We Have a Process…Isn’t That Good Enough? HIPAA is All About the Documentation!

March 2, 2015 by Danika Brinda Leave a Comment

Working with all different types of healthcare organizations and business associates, I frequently hear the following phrases:

“We have a process for that, it is just not documented”

“We did some items that would qualify to meet those requirements, but we didn’t know we had to document”

“We have a high level of HIPAA compliance, but just don’t have documented policies and procedures”

While all these statements may be true – the issue is that HIPAA requires documentation and proof that you are complying with the regulations.  As we enter 2015 and are looking at 1) Increased enforcement of HIPAA, 2) Next phase of HIPAA Audits, 3) Data Breaches Increasing and 4) Continued Meaningful Use Audits – organizations need to make the time to assure proper documentation exists in order to comply with the HIPAA regulations.

Policies and Procedures – They are a Requirement

If you look at the detail of the HIPAA Privacy, Security, and Breach Notification Rules – they all have a section that requires documentation to exist to support the regulations.

  • Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 164.316(b)(1) – Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment
  • Breach Notification Rule Documentation – 164.316(b)(1) – A covered entity must comply with the administrative requirements as defined under the HIPAA rule documentation. Additionally, in the event of an unauthorized use or disclosure, the covered entity or business associate shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach

In addition to supporting compliance with policies and procedures, organizations should also ensure that they are supporting what they are doing to comply with appropriate documentation.  Some examples of documentation to review to ensure it exists per your policy are:

  • Proof of Information System Activity Review – who, what, when, where, outcomes
  • Workforce Sanctions Applications – when you have applied sanctions and why
  • Workforce Training Proof – regular training documentation as well as periodic updates
  • Complaints Received and Proof of Resolution – all complaints regarding privacy and security, the investigation and outcomes
  • Breach Notification Investigations (including 4 required questions) – all information regarding the investigation as well as the outcome documentation and assurance of the burden of proof
  • Business Associate Contracts – do you have business associates contracts signed for the third party vendors you use
  • Notice of Privacy Practices Acknowledgement – are you getting proper signatures as required and defined in your policy

This is not an all-inclusive list, but rather a sample to start thinking about how to verify that documentation exists.  It is EXTREMELY important that you don’t assume proper documentation is happening – ask and look to verify that proper documentation is happening.  Each of the above sample areas should be reviewed to see if what is defined in the policy and procedure that you have is truly being followed appropriately. 

Don’t sit back and assume you are ok because you have a process – make sure you have proper documentation to support your compliance with HIPAA regulations.  You can always conduct mock audits or hire an organization to analyze this for you.  It is best to be prepared!

Final Word on HIPAA Compliance and Documentation – Take initiative, review, analyze, and verify.  Your compliance level is only as good as the documentation you have to support it.  Be diligent, dig through documentation, and feel confident with your compliance with HIPAA.

Danika


Filed Under: Documentation, HIPAA, HIPAA Compliance, Policies & Procedures

You Are a Business Associate – Sign This: The Tangled Web Created with Business Associates

February 20, 2015 by Danika Brinda Leave a Comment

The new complicated world of understanding Business Associates, Subcontractors, and Agents.

Scenario: A financial planner contacted me concerned as he had just received an e-mail stating that a business associate agreement needed to be signed in order to work with the company that processes applications for life insurance.  The financial planner didn’t know what a business associate under the HIPAA regulations meant and was getting ready to just sign the document and return it.  Thankfully, the financial planner reached out for clarification; I quickly advised against just signing the agreement and recommended pushing back against the company to determine why they thought he was a business associate.  While dialogue between the insurance company and financial planner is still occurring, through evaluation of the work between the financial planner and insurance company (and client), it is clear that the financial planner WOULD NOT be a business associate under the HIPAA regulations.

Since the final Omnibus Rule was effective in 2013, a new wave of confusion and challenge on who is considered a business associate and who is not has come to light.  To protect themselves, organizations (Covered Entities and Business Associates) have been requiring that all third parties that they work with in any business aspect sign a business associate agreement.  Even if the third party doesn’t meet the definition of a business associate or physically have interaction with protected health information, a blanket coverall approach to getting signed business associate agreements is being applied.  To create more confusion, many third party organizations are just signing business associate agreements without truly knowing or understanding what it actually means and the implications of becoming a business associate.  Is this the best approach, or is it taking the business associate agreement process to the EXTREME?

MY OPINION (Not Advice): Not everyone is a business associate and should sign a business associate agreement.  Proper review and governance over the management of business associates within covered entities and business associate organizations needs to be completed.  Additionally, the third party organizations who are just signing business associate agreements should stop and evaluate what it is they are signing.  Agreeing to terms in a business associate agreement and declaring that you are a business associate, or a subcontractor of a business associate, does have major implications.

Covered entities and business associates need to spend time really understanding who may or may not be a business associate.  It should not be a blanket process where everyone that works with a specific company automatically has to sign an agreement.  Additionally, if information is being shared to support the spectrum of patient care (provider to provider), the business associate definition may not apply.  Dedicated individuals who are knowledgeable and understand the regulations should be working with organizations to help them navigate the business associate process.    

Per the 2013 Omnibus Rule, a business associate is “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”  Per the Omnibus Rule of 2013, a “business associate” may also be considered a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.  Those are the key words to use to evaluate if an organization is a business associate – do they create, receive, maintain, or transmit data on behalf of a covered entity or business associate?

What should an organization do?

The best process for an organization is to have an established person or group of people in charge of the evaluation of business associate agreements.  Here are some recommended steps for overall governance of Business Associates within an organization.

  • Create a team or individual responsible for the management of business associates
  • Generate a list of the accounts payable reports for the past 3 months and review all third party vendors and/or individuals for your organization
  • Determine the scope of work that the third party has been doing on behalf of the organization
  • Evaluate if the third party scope of work being done qualifies the third party as a business associate
  • If it is determined that they are a business associate, establish and execute a business associate agreement
  • Keep up a log of all business associates – some recommended fields are Business Associate Name, Contact Individual, Contact Information, Tasks that qualify as a business associate, Business Associate Agreement signed, Date agreement signed
  • Create a process for a proactive review of any NEW third parties that the organization is going to establish a business relationship with

It is now time to effectively oversee and manage the business associate process within an organization – the covered entity should be aware that while business associates and subcontractors are liable for HIPAA compliance, the ultimate liability falls onto the covered entity.

Note to third parties (contractors, subcontractors) – make sure you know and understand the implications of becoming a business associate of an organization.  If you truly don’t meet the definition of a business associate or subcontractor, don’t just sign the contract – seek out advice or guidance on the proper steps!

Danika

Filed Under: BAA, Business Associates, HIPAA, HIPAA Compliance, Subcontractor

Is Windows XP Still Common in Healthcare Organizations 10 Months after Stopping Security Updates?

February 17, 2015 by Danika Brinda Leave a Comment

On April 8, 2014, Microsoft stopped providing patches and updates to the Windows XP operating system.  While this seems like old news and a bit crazy to talk about – many healthcare organizations are still using the Windows XP operating system.  In discussing this issue with many healthcare organizations – one of the most common issues is that they are using software that is unable to migrate to newer versions of Windows and is needed for day to day patient care.  The vendors that support these software systems are aware; however, they have not taken action to move the software to a newer Windows platform.

So they’re not providing updates – what does that actually mean?  With no updates being provided – there will be no new security updates, non-security hot fixes, free or paid assisted support options, or online technical content updates to the operating system.  This leaves the system vulnerable to an attack from the outside.  There has been a lot of documentation and confusion on what needs to be done in order to protect information stored on computers that have not migrated off of Windows XP.  In addition, many articles have been published stating that if organizations didn’t migrate off of the Windows XP platform by 4/8/14, providers will not be eligible for Meaningful Use and will not be HIPAA Compliant.  Fact or Truth?

Fact: You are not technically in violation of HIPAA if you use Windows XP, as HIPAA doesn’t mandate any specific software system; HOWEVER, the practice is extremely risky and you could be found out of compliance if a data breach was to occur.

The HIPAA Security Requirement 164.308(a)(5)(ii)(B) is an addressable standard that states that an organization must have “policies and procedures for guarding against, detecting, and reporting malicious software.”  Malicious software can be brought through any program usually in the form of a virus, Trojan horse, or worm.   By not having the ability to add security patches into the operating system of Windows XP, there are risks to the organization and data that the organization keeps and maintains – good documentation of other safeguards that exist to protect that computer MUST be implemented and documented if choosing to run on the Windows XP operating system.

It is also important to note nowhere in the meaningful use requirements or the HIPAA requirements does it specify having to be on a specific software platform or operating system.  Here is an example FAQ from HHS for clarification regarding operating systems requirements under HIPAA – no specific operating system must be used!  http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html

Still Using XP – What you should be doing now:

  • Evaluate and determine how to migrate from Windows XP to an updated operating system as soon as possible.
  • If a vendor’s software only runs on XP – work with them and continue to push them to update the software due to the risks of the old system and lack of security patches.
  • Conduct your HIPAA risk assessment to determine if your organization’s systems are still operating on Windows XP and what risks exist.
  • Come up with a detailed risk management process if your organization is still running on Windows XP, including information on how to reduce risk until you migrate from the Windows XP system.
  • Evaluate everything – There is no ‘formal’ documentation from HHS, ONC, or the OCR regarding this measure and how to interpret it from a meaningful use and HIPAA aspect.
  • Assure that you document Windows XP as a risk to your organization within the risk assessment/mitigation as well as potential impacts from malware, viruses, & hackers.
  • If questions come up, ask for clarification or assistance.
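One way to carry out the “determine if your organization’s systems are still operating on Windows XP” step above, as an added example that is not from the original post: a PowerShell inventory of domain computers whose reported operating system is past the end-of-support dates the post cites. It assumes an Active Directory domain, the RSAT ActiveDirectory module, and an account that can read computer objects; the output file name is a placeholder.

```powershell
# Added example (not from the original post). Flags domain-joined hosts whose
# OS no longer receives security updates, for the HIPAA risk assessment and
# risk management plan. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# End-of-support dates as stated in the post.
$Unsupported = @{
    'Windows XP'          = [datetime]'2014-04-08'
    'Windows Server 2003' = [datetime]'2015-07-14'
}

# Pull every computer object with the attributes needed for the register.
$Computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

$Findings = foreach ($Computer in $Computers) {
    foreach ($Name in $Unsupported.Keys) {
        if ($Computer.OperatingSystem -like "*$Name*") {
            [pscustomobject]@{
                ComputerName    = $Computer.Name
                OperatingSystem = $Computer.OperatingSystem
                ServicePack     = $Computer.OperatingSystemServicePack
                SupportEnded    = $Unsupported[$Name].ToString('yyyy-MM-dd')
                DaysUnpatched   = [int]((Get-Date) - $Unsupported[$Name]).TotalDays
                LastLogonDate   = $Computer.LastLogonDate
                # Columns the risk management plan must fill in per host
                # (compensating controls, migration owner, target date).
                CompensatingControls = ''
                MigrationOwner       = ''
                MigrationTargetDate  = ''
            }
        }
    }
}

# Review on screen, then export so the finding is documented in the risk register.
$Findings | Sort-Object DaysUnpatched -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path '.\unsupported-os-inventory.csv' -NoTypeInformation   # placeholder path
```

Only domain-joined machines appear here; vendor appliances and workgroup PCs (often exactly the software-locked systems the post describes) have to be added to the register by hand, and a stale LastLogonDate does not mean the box is gone.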

As of July 14, 2015, Microsoft will stop providing updates and support to any version of Windows Server 2003 – leaving organizations with the challenge of upgrading and/or migrating to new server software.  If you are still running on Windows Server 2003, it is time to take steps now to execute a proper migration strategy and protect your patient information.

Final note: Running any type of organization where protected health information is involved and there are not adequate and regular security patches being implemented is a risky practice and could expose an organization to a data breach.  From the eyes of a security professional – the risk isn’t worth a large scale breach of information.  It is time to take action now and get rid of old software platforms that are no longer being updated and supported.

Danika

Filed Under: HIPAA, HIPAA Compliance, Security, Windows XP
