TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Your PHI Goes in There and Out Where? Can Understanding your PHI Flow Help Support HIPAA Compliance?

March 18, 2015 by Danika Brinda

How many organizations can say that they completely understand where all their protected health information exists and where the inputs and outputs of that data are?  Based on current clients, very few know exactly where all protected health information is being stored and maintained.  It is not uncommon to walk into an organization and hear that they have 2 or 3 systems that store or interact with PHI – then, after discussion and analysis, it is determined that there are actually 9 or 10 different systems that interact with PHI within the organization.  Additionally, many organizations don’t fully understand all the ways PHI may come out of electronic systems.  For example, a transcription system may automatically send a document once it is transcribed, or a lab system may send information to the billing system for proper charges.  Without properly understanding where all the data is being stored, what happens to the data, how those systems are protected, and where the ePHI outputs from the systems are, effectively managing the privacy and security of protected health information becomes a challenge.  It is the key link from privacy and security to Information Governance in an electronic era.

Sure, everyone knows they have patient data within their electronic health record, stored in their lab system, or on the organization’s file server, right?  Those areas may be obvious and clear; however, organizations must know and understand every system and location where protected health information is being stored.  Without the knowledge of where all protected health information resides within an organization and the systems that use health information, it becomes nearly impossible to manage privacy and security of information and leaves the organization extremely vulnerable to a data breach. 

Privacy and Security Officers at healthcare organizations should start a process of identifying all systems storing, transmitting, or accessing patient information – building knowledge and understanding of how protected health information is stored and used within their organization.  Creating a protected health information flow diagram or documentation is a complex and detailed process.  It is most likely not going to happen in one day or one week.  It is going to take time to understand each specific system, how it may or may not use protected health information, and what other systems it interacts with.

Some suggested steps to create this information at an organization:

  • Conduct a system inventory analysis of all systems that the organization uses
  • Understand all the hardware being used in the organization and if ePHI is being stored on the hardware
  • Evaluate each system identified to determine what the interaction is with any type of patient information
  • If the system interacts with protected health information, determine
    1. What type of PHI is being stored in the system
    2. What is the intent of the system
    3. Who is the system ‘owner’
    4. Who has access to the system and how access is managed
    5. Where the system is being stored (local server, cloud based) and backed up
    6. What are the inputs into the system with PHI
    7. What the outputs of PHI from the system are – both automatic and manual
    8. If the system interfaces and interacts with other systems
    9. Other security measures in place to protect the information
    10. Other pertinent information regarding the system that is important from a security perspective
  • Create documentation to support and understand all systems – Your Protected Health Information Flow!
  • Assure proper management of all systems that contain PHI! It is not the job of the security officer to own the systems, but it is a responsibility to ensure the systems are understood and proper security is maintained so the privacy of the data is properly secured and protected!

This is not an easy process – in some large integrated systems, they could have hundreds of different systems that interact with ePHI in some aspect!
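To make the inventory steps concrete, here is an added example (not code from this post or from TriPoint) that models each system as a record with the fields from the evaluation questions above and then follows the automatic interfaces outward from the systems reported to hold PHI. The walk is what turns the "2 or 3 systems" an organization reports into the full list, and the gap check lists the questions the inventory still cannot answer for systems in the flow. The system names, owners, interfaces and safeguards in the sample inventory are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemRecord:
    """One row of the system inventory; fields mirror the evaluation questions."""
    name: str
    owner: str          # named system 'owner' (empty string if nobody is named)
    hosting: str        # "local server" or "cloud"
    stores_phi: bool    # what the system owner reported during the inventory
    phi_types: tuple    # e.g. ("demographics", "lab results")
    sends_to: tuple     # automatic outputs (interfaces) to other systems, by name
    safeguards: tuple   # documented security measures


# Constructed sample inventory for illustration, not data from any real organization.
# Only three systems were reported as storing PHI; the rest were "not PHI systems".
SAMPLE_INVENTORY = (
    SystemRecord("EHR", "Clinical Informatics", "local server", True,
                 ("demographics", "clinical notes"), ("File Server", "Billing"),
                 ("role-based access", "audit logging")),
    SystemRecord("Lab System", "Laboratory", "local server", True,
                 ("lab results",), ("EHR", "Billing"), ("role-based access",)),
    SystemRecord("Transcription", "HIM", "cloud", True,
                 ("dictated notes",), ("Document Management",), ("TLS in transit",)),
    SystemRecord("Billing", "Revenue Cycle", "local server", False, (), ("Data Warehouse",), ()),
    SystemRecord("Document Management", "", "local server", False, (), (), ()),
    SystemRecord("File Server", "IT", "local server", False, (), (), ("nightly backup",)),
    SystemRecord("Data Warehouse", "Analytics", "cloud", False, (), (), ()),
    SystemRecord("Time Clock", "HR", "cloud", False, (), (), ()),
)


def phi_reachable(inventory, seeds):
    """Breadth-first walk along automatic interfaces, starting from the systems
    reported to hold PHI. Every system reached receives PHI as an input, whether
    or not its owner reported storing it."""
    by_name = {s.name: s for s in inventory}
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        current = by_name[queue.popleft()]
        for target in current.sends_to:
            if target in by_name and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def flow_report(inventory):
    """Compare the declared PHI systems with those actually in the PHI flow."""
    declared = {s.name for s in inventory if s.stores_phi}
    in_scope = phi_reachable(inventory, sorted(declared))
    # Edges of the PHI flow diagram: (source, destination) for every in-scope system.
    edges = sorted((s.name, t) for s in inventory if s.name in in_scope for t in s.sends_to)
    return {
        "declared": declared,
        "in_scope": in_scope,
        "undocumented": in_scope - declared,
        "out_of_scope": {s.name for s in inventory} - in_scope,
        "edges": edges,
    }


def documentation_gaps(inventory):
    """Questions from the list above that the inventory cannot yet answer for an
    in-scope system; each gap is a (system, issue) pair for the flow documentation."""
    in_scope = flow_report(inventory)["in_scope"]
    gaps = []
    for s in inventory:
        if s.name not in in_scope:
            continue
        if not s.owner:
            gaps.append((s.name, "no system owner named"))
        if not s.stores_phi:
            gaps.append((s.name, "receives PHI over an interface but was reported as not storing PHI; re-evaluate"))
        if not s.safeguards:
            gaps.append((s.name, "no security measures documented"))
    return gaps


if __name__ == "__main__":
    report = flow_report(SAMPLE_INVENTORY)
    print("Declared PHI systems:", sorted(report["declared"]))
    print("Systems actually in the PHI flow:", sorted(report["in_scope"]))
    print("Found only by following interfaces:", sorted(report["undocumented"]))
    for source, dest in report["edges"]:
        print(f"  {source} -> {dest}")
    for system, issue in documentation_gaps(SAMPLE_INVENTORY):
        print(f"GAP {system}: {issue}")
```

With the sample data, three declared systems become seven systems in the PHI flow; the billing system, document management, file server and data warehouse enter scope only because something upstream sends them PHI automatically, which is exactly the case the inventory interview tends to miss. Manual outputs (exports, printed reports) are not captured by the interface edges and still have to be documented by hand.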

Remember that HIPAA doesn’t just apply to an electronic health record.  Electronic protected health information is any protected health information (PHI) that is produced, saved, transferred or received in an electronic form.  ePHI can be found on computer hard drives, in databases, in e-mail, in the EHR, and many other locations – you need to evaluate and look at your entire system to truly understand and manage ePHI!!

Don’t get caught in an unwanted data breach due to not knowing or understanding how your data flows throughout your organization, what systems have protected health information, where the inputs are, what happens to the data in the system, and where the outputs from the system exist.  Work upstream, understand your PHI data flow, and properly manage and reduce risks to PHI!

Danika

Filed Under: HIPAA, HIPAA Compliance, Privacy, Protected Health Information, Security

We Have a Process…Isn’t That Good Enough? HIPAA is All About the Documentation!

March 2, 2015 by Danika Brinda

Working with all different types of healthcare organizations and business associates, I frequently hear the following phrases:

“We have a process for that, it is just not documented”

“We did some items that would qualify to meet those requirements, but we didn’t know we had to document”

“We have a high level of HIPAA compliance, but just don’t have documented policies and procedures”

While all these statements may be true – the issue is that HIPAA requires documentation and proof that you are complying with the regulations.  As we enter 2015 and are looking at 1) increased enforcement of HIPAA, 2) the next phase of HIPAA audits, 3) data breaches increasing, and 4) continued Meaningful Use audits – organizations need to make the time to assure proper documentation exists in order to comply with the HIPAA regulations.

Policies and Procedures – They are a Requirement

If you look at the detail of the HIPAA Privacy, Security, and Breach Notification Rules – they all have a section that requires documentation to exist to support the regulations.

  • Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 164.316(b)(1) – (i) Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment
  • Breach Notification Rule Documentation – 164.316(b)(1) – A covered entity must comply with the administrative requirements as defined under the HIPAA rule documentation. Additionally, in the event of an unauthorized use or disclosure, the covered entity or business associate shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach

In addition to supporting compliance with policies and procedures, organizations should also ensure that they are supporting what they are doing to comply with appropriate documentation.  Some examples of documentation to review to ensure it exists per your policy are:

  • Proof of Information System Activity Review – who, what, when, where, outcomes
  • Workforce Sanctions Applications – when have you applied sanctions and why
  • Workforce Training Proof – regular training documentation as well as periodic updates
  • Complaints Received and Proof of Resolution – all complaints regarding privacy and security, the investigation and outcomes
  • Breach Notification Investigations (including 4 required questions) – all information regarding the investigation as well as the outcome documentation and assurance of the burden of proof
  • Business Associate Contracts – do you have business associate contracts signed for the third party vendors you use
  • Notice of Privacy Practices Acknowledgement – are you getting proper signatures as required and defined in your policy

This is not an all-inclusive list, but rather a sample to start thinking about how to verify that documentation exists.  It is EXTREMELY important that you don’t assume proper documentation is happening – ask and look to verify that proper documentation is happening.  Each of the above sample areas should be reviewed to see if what is defined in the policy and procedure that you have is truly being followed appropriately. 

Don’t sit back and assume you are ok because you have a process – make sure you have proper documentation to support your compliance with HIPAA regulations.  You can always conduct mock audits or hire an organization to analyze this for you.  It is best to be prepared!

Final Word on HIPAA Compliance and Documentation – Take initiative, review, analyze, and verify.  Your compliance level is only as good as the documentation you have to support it.  Be diligent, dig through documentation, and feel confident with your compliance with HIPAA.

Danika

 

Filed Under: Documentation, HIPAA, HIPAA Compliance, Policies & Procedures

You Are a Business Associate – Sign This: The Tangled Web Created with Business Associates

February 20, 2015 by Danika Brinda

The new complicated world of understanding Business Associates, Subcontractors, and Agents.

Scenario: A financial planner contacted me, concerned, as he had just received an e-mail that a business associate agreement needed to be signed in order to work with the company that processes applications for life insurance.  The financial planner didn’t know what a business associate under the HIPAA regulations meant and was getting ready to just sign the document and return it.  Thankfully, the financial planner reached out for clarification; I quickly advised against just signing the agreement and recommended pushing back on the company to determine why they thought he was a business associate.  While dialogue between the insurance company and financial planner is still occurring, through evaluation of the work between the financial planner and insurance company (and client), it is clear that the financial planner WOULD NOT be a business associate under the HIPAA regulations.

Since the final Omnibus Rule took effect in 2013, a new wave of confusion and challenge on who is and is not considered a business associate has come to light.  To protect themselves, organizations (Covered Entities and Business Associates) have been requiring that all third parties they work with in any business aspect sign a business associate agreement.  Even if the third party doesn’t meet the definition of a business associate or physically interact with protected health information, a blanket approach of getting a signed business associate agreement is being applied.  To create more confusion, many third party organizations are just signing business associate agreements without truly knowing or understanding what it actually means and the implications of becoming a business associate.  Is this the best approach, or is it taking the business associate agreement process to the EXTREME?

MY OPINION (Not Advice): Not everyone is a business associate, and not everyone should sign a business associate agreement.  Proper review and governance over the management of business associates within covered entities and business associate organizations needs to be completed.  Additionally, the third party organizations who are just signing business associate agreements should stop and evaluate what it is they are signing.  Agreeing to terms in a business associate agreement and declaring that you are a business associate, or a subcontractor of a business associate, does have major implications.

Covered entities and business associates need to spend time really understanding who may or may not be a business associate.  It should not be a blanket process where everyone that works with a specific company automatically has to sign an agreement.  Additionally, if information is being shared to support the spectrum of patient care (provider to provider), the business associate definition may not apply.  Dedicated individuals who are knowledgeable and understand the regulations should be working with organizations to help them navigate the business associate process.    

Per the 2013 Omnibus Rule, a business associate is “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”  Per the Omnibus Rule of 2013, a “business associate” may also be a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.  Those are the key words to use to evaluate if an organization is a business associate – does it create, receive, maintain, or transmit data on behalf of a covered entity or business associate?

What should an organization do?

The best process for an organization is to have an established person or group of people in charge of the evaluation of business associate agreements.  Here are some recommended steps for overall governance of Business Associates within an organization.

  • Create a team or individual responsible for the management of business associates
  • Generate a list of the accounts payable reports for the past 3 months and review all third party vendors and/or individuals for your organization
  • Determine the scope of work that the third party has been doing on behalf of the organization
  • Evaluate if the third party scope of work being done qualifies the third party as a business associate
  • If it is determined that they are a business associate, establish and execute a business associate agreement
  • Keep up a log of all business associates – some recommended fields are Business Associate Name, Contact Individual, Contact Information, Tasks that qualify as a business associate, Business Associate Agreement signed, Date agreement signed
  • Create a process for a proactive review of any NEW third parties that the organization is going to establish a business relationship with

It is now time to effectively oversee and manage the business associate process within an organization – the covered entity should be aware that while business associate and subcontractors are liable for HIPAA compliance, the ultimate liability falls onto the covered entity. 

Note to third parties (contractors, subcontractors) – make sure you know and understand the implications of becoming a business associate of an organization.  If you truly don’t meet the definition of a business associate or subcontractor, don’t just sign the contract – seek out advice or guidance on the proper steps!

Danika

Filed Under: BAA, Business Associates, HIPAA, HIPAA Compliance, Subcontractor

Is Windows XP Still Common in Healthcare Organizations 10 Months after Stopping Security Updates?

February 17, 2015 by Danika Brinda

On April 8, 2014, Microsoft stopped providing patches and updates to the Windows XP operating system.  While this seems like old news and a bit crazy to talk about – many healthcare organizations are still using the Windows XP operating system.  In discussing this issue with many healthcare organizations – one of the most common issues is that they are using software that is unable to migrate to newer versions of Windows and is needed for day to day patient care.  The vendors that support these software systems are aware; however, they have not taken action to move the software to a newer Windows platform.

So they’re not providing updates – what does that actually mean?  With no updates being provided – there will be no new security updates, non-security hot fixes, free or paid assisted support options, or online technical content updates to the operating system.  This leaves the system vulnerable to an attack from the outside.  There has been a lot of documentation and confusion on what needs to be done in order to protect information stored on computers that have not migrated off of Windows XP.  In addition, many articles have been published stating that if organizations didn’t migrate off of the Windows XP platform by 4/8/14, providers will not be eligible for Meaningful Use and will not be HIPAA compliant.  Fact or Truth?

Fact: You are not technically in violation of HIPAA if you use Windows XP, as HIPAA doesn’t mandate any specific software system; HOWEVER, the practice is extremely risky and you could be found out of compliance if a data breach were to occur.

The HIPAA Security Requirement 164.308(a)(5)(ii)(B) is an addressable standard that states that an organization must have “policies and procedures for guarding against, detecting, and reporting malicious software.”  Malicious software can be introduced through any program, usually in the form of a virus, Trojan horse, or worm.  Without the ability to add security patches to the Windows XP operating system, there are risks to the organization and the data that the organization keeps and maintains – other safeguards that protect that computer MUST be implemented and well documented if choosing to run on the Windows XP operating system.

It is also important to note that nowhere in the meaningful use requirements or the HIPAA requirements does it specify having to be on a specific software platform or operating system.  Here is an example FAQ from HHS for clarification regarding operating system requirements under HIPAA – no specific operating system must be used!  http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html

Still Using XP – What you should be doing now:

  • Evaluate and determine how to migrate from Windows XP to an updated operating system as soon as possible.
  • If the vendor’s software only runs on XP – work with them and continue to push them to update the software due to the risks of the old system and lack of security patches.
  • Conduct your HIPAA risk assessment to determine if your organization’s systems are still operating on Windows XP and what risks exist.
  • Come up with a detailed risk management process if your organization is still running on Windows XP, including information on how to reduce risk until you migrate from the Windows XP system.
  • Evaluate everything – There is no ‘formal’ documentation from HHS, ONC, or the OCR regarding this measure and how to interpret it from a meaningful use and HIPAA aspect.
  • Assure that you document Windows XP as a risk to your organization within the risk assessment/mitigation as well as potential impacts from malware, viruses, & hackers.
  • If questions come up, ask for clarification or assistance.

As of July 14, 2015, Microsoft will stop providing updates and support to any version of Windows Server 2003 – leaving organizations with the challenge of upgrading and/or migrating to new server software.  If you are still running on Windows Server 2003, it is time to take steps now to execute a proper migration strategy and protect your patient information.
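Putting the list above into practice, here is an added example (not code from this post or from TriPoint) of the asset check a security officer can run over a host inventory for both the Windows XP and the Windows Server 2003 deadlines: it uses the two end-of-support dates the post gives, flags every host whose operating system is out of support or about to leave it, and writes the risk-register row the risk assessment needs, rated by whether the host holds ePHI and whether compensating safeguards are documented. The host list, the 180-day warning window and the rating scheme are assumptions made for illustration.

```python
from datetime import date

# End-of-support dates stated in the post (Windows XP on April 8, 2014;
# Windows Server 2003 on July 14, 2015).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Flag systems whose support ends within this many days, so migration planning
# starts before the last patch ships (assumed threshold, not from the post).
WARNING_WINDOW_DAYS = 180

# Assessment date used below: the date of this post.
AS_OF = date(2015, 2, 17)

# Constructed sample asset inventory for illustration only.
SAMPLE_HOSTS = (
    {"host": "LAB-WS-01", "os": "Windows XP", "stores_ephi": True,
     "compensating_controls": ["network segmentation", "antivirus"],
     "reason": "lab analyzer vendor software only certified on XP"},
    {"host": "FRONTDESK-02", "os": "Windows XP", "stores_ephi": True,
     "compensating_controls": [], "reason": "never migrated"},
    {"host": "KIOSK-01", "os": "Windows XP", "stores_ephi": False,
     "compensating_controls": [], "reason": "waiting room kiosk"},
    {"host": "FILESRV-01", "os": "Windows Server 2003", "stores_ephi": True,
     "compensating_controls": ["nightly backup"], "reason": "department file shares"},
    {"host": "EHR-APP-01", "os": "Windows Server 2012 R2", "stores_ephi": True,
     "compensating_controls": ["patched monthly"], "reason": "EHR application server"},
)


def eol_status(os_name, as_of):
    """Classify an operating system relative to its vendor end-of-support date."""
    eol = END_OF_SUPPORT.get(os_name)
    if eol is None:
        return "supported"          # no end-of-support date on file
    if as_of >= eol:
        return "unsupported"        # no more security patches are coming
    if (eol - as_of).days <= WARNING_WINDOW_DAYS:
        return "support ending"
    return "supported"


def risk_rating(host):
    """Rating for an unsupported or soon-unsupported host: unpatched systems that
    hold ePHI with no documented safeguards are the highest risk."""
    if host["stores_ephi"] and not host["compensating_controls"]:
        return "high"
    if host["stores_ephi"]:
        return "medium"
    return "low"


def risk_register(hosts, as_of):
    """Build risk-register rows for every host that must appear in the risk
    assessment because its operating system is out of (or leaving) support."""
    rows = []
    for host in hosts:
        status = eol_status(host["os"], as_of)
        if status == "supported":
            continue
        rows.append({
            "host": host["host"],
            "os": host["os"],
            "status": status,
            "end_of_support": END_OF_SUPPORT[host["os"]].isoformat(),
            "rating": risk_rating(host),
            "compensating_controls": list(host["compensating_controls"]),
            "action": ("migrate; document interim safeguards in the risk assessment"
                       if host["stores_ephi"] else "migrate or decommission"),
        })
    return rows


if __name__ == "__main__":
    for row in risk_register(SAMPLE_HOSTS, AS_OF):
        print(row)
```

Run against the sample inventory on the date of this post, the three XP hosts come back "unsupported" and the Server 2003 file server "support ending", while the patched application server is left out of the register. The rows then carry exactly what the risk assessment needs to document: the end-of-support date, the safeguards currently in place, and the migration action.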

Final note: Running any type of organization where protected health information is involved and there are not adequate and regular security patches being implemented is a risky practice and could expose an organization to a data breach.  From the eyes of a security professional – the risk isn’t worth a large scale breach of information.  It is time to take action now and get rid of old software platforms that are no longer being updated and supported.

Danika

Filed Under: HIPAA, HIPAA Compliance, Security, Windows XP

Don’t Get Run Over by the HIPAA Omnibus!

January 23, 2015 by Danika Brinda

HIPAA Compliance continues to be a HOT TOPIC in healthcare.  Every day, news and information is published about the lack of compliance, the struggles within organizations, data breaches occurring, and the HIPAA audits coming.  In 2013, the HIPAA Omnibus Rule was established, which had many provisions affecting the HIPAA Privacy and Security Regulations.  Even with the compliance date of September 23, 2013, many healthcare organizations and business associates have not taken proper steps to climb onto the HIPAA Omnibus and assure compliance with the new regulations.

A recent study conducted by NueMD in 2014 provided insight into compliance levels with the HIPAA Regulations and the HIPAA Omnibus Rule.  Over 1,000 Medical Practices and 160 Billing Companies were surveyed in regards to their current level of compliance with HIPAA and the changes with the HIPAA Omnibus Rule.  The results were SHOCKING and EYE-OPENING!  Check out some key findings:

  • 36% of respondents stated they didn’t know about the HIPAA Omnibus Rule
  • 68% of respondents stated they didn’t know of the HIPAA Audits
  • 23% of respondents stated they had no HIPAA Compliance Plan
  • 54% of respondents stated they didn’t have a Security Officer
  • 45% of respondents stated they didn’t have a Privacy Officer
  • 55% of respondents stated they had no process established for Breach Notification

Based on the findings, it is clear that healthcare organizations need to step up and establish HIPAA Compliance Programs and ensure they are updating their information to include the HIPAA Omnibus Requirements.  Jump on the HIPAA Omnibus and ensure that the organization has a joyful ride rather than being run off the road.

The major components of the HIPAA Omnibus Rule that healthcare organizations AND business associates need to evaluate and implement within their organization are:

  • Breach Notification
  • Business Associates Compliance Requirements
  • Sale of Protected Health Information
  • Marketing and Protected Health Information
  • Fundraising and Protected Health Information
  • Research Authorization Changes
  • Access to Immunization Data
  • Electronic copy of Protected Health Information
  • Access to Deceased Patient’s Records
  • Genetic Information Nondisclosure Act (ACT)
  • Restriction of Protected Health Information to Health Plans
  • Update to the Notice of Privacy Practices

Please note this is not an “end all be all” list of requirements.  Each organization needs to assess the regulatory changes and determine how and what applies to their specific organization.

With the HIPAA Delays – healthcare organizations are given the gift of time.  Use this time to get aboard the HIPAA Omnibus and assure that you have updated or established all appropriate policies and procedures for your organization.  Don’t delay any longer – the time is NOW! 

Danika

Source: NueMD Survey Findings: http://www.nuemd.com/hipaa/survey/practice-findings.html

Filed Under: Business Associates, HIPAA, HIPAA Compliance, Omnibus Rule, Privacy, Security
