TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare

Going from 0 to HIPAA Compliant – Like Climbing Mt. Everest: Small Steps Take You a Long Way

by Leave a Comment

evening view of Everest and Nuptse from Kala PattharMoving from 0 to HIPAA Compliant can be a lot like climbing Mt. Everest.  Starting from the bottom and staring up to try and see the peak of Mt. Everest is challenging just as starting the route to HIPAA compliance can be.  When climbing Mt. Everest, nobody sets to climb to the summit in one day.  Instead, they prepare themselves for the climb, and they break it up and take it in small steps – with a dream of reaching the summit.  The usual course of the climb is:

  • Ice Fall
  • Camp 1
  • Camp 2
  • Camp 3
  • Camp 4
  • Everest Summit (YES)!

Looks easy, right?  WRONG!  At times, climbers spend 4 – 8 weeks at the different camps trying to acclimate themselves to the altitude and prepare themselves for the next hike up the mountain.  The time spent moving between camps takes hours upon hours and can be treacherous and dangerous.  But the moment that the climbers walk the last few steps and make it to the summit, all the hard work and dedication pays off.  They can finally enjoy the success of the momentous task they just accomplished.   

BREATH, EXIST, and ENJOY the moment – because then they remember that they have to climb down AND the only way down – is the way that they came up.     

When first reviewing the HIPAA Privacy and Security Regulations, it can be SCARY and OVERWHELMING, similar to climbing Mt. Everest.  Between the two regulations, writing policies and procedures and establishing practices for an organization can take weeks, even months.  The challenge that HIPAA privacy and security practitioners face is that HIPAA usually is another added task to one’s already full plate, creating an even bigger hurdle in the path to the summit of HIPAA compliance.  With all the conflicting priorities and trying to meet so many deadlines, HIPAA tasks usually gets pushed off to the side or left for ‘tomorrow’ to do.  How many times has HIPAA come up on your ‘To-Do’ list and got pushed off until tomorrow?

Looking at the requirements under HIPAA – it is easy to see how it can be overwhelming when you are starting from scratch or reviewing what you already have in place (if you are unclear about the HIPAA requirements – contact me).

Take a new philosophy on HIPAA Compliance and Commit to 3 tasks daily.  Think of the movement towards HIPAA compliance as your movement toward the different camps that the climbers make it to as they take the challenge of climbing Mt. Everest.  This may sound silly or a little ‘too easy’ but when you take a complicated task and break it down to small daily tasks, it seems a little more achievable and not so overwhelming.    

A Sample Week of HIPAA Tasks (Privacy Rule):

Monday 1.   Update Notice of Privacy Practices 

2.   Update process for Notice Signatures

3.   Update P&P on Notice of Privacy Practices
Tuesday 1.   Review P&P on Uses and Disclosures of Protected Health Information 

2.   Observe processes for releasing health information

3.   Evaluate documentation received for disclosures of health information
Wednesday 1.   Review recent Request for Amendments of Medical Record Documentation 

2.   Evaluate and Update Amendment Policy and procedure

3.   Assure Amendment Request form is adequate are being process timely
Thursday 1.   Review all accounting of disclosure (AOD) requests 

2.   Evaluate and update AOD policy and procedure

3.   Assure AOD Request form is adequate and requests are being process timely
Friday 1.   Evaluate areas that need re-training and education on practices reviewed this week 

2.   Create a training plan for workforce members

3.   Evaluate and Update HIPAA Training Policy and Procedure

The one important item to remember is – YOU CAN’T GET IT DONE IN A DAY!  To truly evaluate your level of HIPAA compliance, create and implement privacy and security practices within your organization, and effectively train your workforce – you need to dedicate time and effort to the project.  And remember, once you get it all done – it is not time to sit back, relax and never worry again.  It is the time for evaluation and assurance that what has been established for HIPAA compliance with what is being practiced within your organization – similar to climbing back down Mt. Everest.

Remember the famous Spanish saying “Poco a Poco se va lejos” (Little by Little, One Goes a Long Way).  Small steps can make all the difference in the successful creation, evaluation, and execution of a solid and complete HIPAA Compliance Program!

Danika 

HAPPY NEW YEAR – HIPAA Style!

by Leave a Comment

Vintage Key With 2015 Year Sign2014 was an epic year for healthcare data breaches.  From hacking into systems, breaking into healthcare organizations, theft of portable media, and improper destruction of paper records, the healthcare sector saw the largest data breach increase in 2014.  With 2015 just starting out, predictions are that healthcare organizations will see another increase in the number of data breaches.  While nothing can completely eliminate the risk to a healthcare organization regarding a data breach, simple steps can be put into place to manage and oversee the privacy and security protections established by healthcare organizations.  By taking some simple steps with the new year, healthcare organizations can proactively manage their privacy and security programs, and deter the potential data breach from occurring.  Follow the Happy New Year steps and your organization will be well on its way to effective and efficient privacy and security management of protected health information! 

HHave a strong breach investigation process defined and implemented

A – Assure regular staff training and updates on privacy and security

P – Pay attention to who has access to what information (Minimum Necessary)

P – Proactive reviews of audit logs for software that maintains protected health information

Y – Yearly risk assessment and risk management  

N – Narrow access of protected health information to only get access to what is needed

E – Evaluation of privacy and security safeguards implemented to assure they are working effectively

W – Watch how people are working to determine how they are protecting health information

Y – Yearly review of business associates and the contracts that are established

E – Evaluate the use of encryption in the organization and document why, if encryption was not chosen

A – Adequate apply proper security patches and malicious software updates

R – Regular review of all HIPAA Privacy and security policies and procedures

Healthcare organizations should no longer ignore or overlook their compliance with the HIPAA regulations.  In order to prevent data breaches and protect patient information, it is important that a detailed HIPAA Governance program be established.  With the start of a fresh new year, it is time to re-write the HIPAA story and manage how patient information is protected!

Danika

2014 Data Breaches: A Review of a Monumental Year

by Leave a Comment

2014-2015Looking back at 2014, it has brought a lot of concern and fear with the effective management of protected health information managed by healthcare organizations and business associates.  It has also been a memorable year for healthcare data breaches.  In 2014, healthcare organizations and business associates reported 301 large data breaches (data breach that impacts more than 500 people) – an increase from the 226 large data breaches reported in 2013.  With a 33% increase in large data breaches in 2014, it will also be known for the year the FBI warned healthcare organizations that they are at high risk for data breaches due to the lack of security measures and oversight of the protection of the data.

2014 Data Breach Facts

  • 88 of the 301 Data Breaches had business associates involved
  • 48.6% of the breaches were caused by theft
  • 21.6% of data that was breached was stored on paper
  • 11,506,782 people were impacted by data breaches
  • 10% of data breaches were caused by Hacking/IT Incidents
  • 7 States didn’t report any data breaches (MT, ND, HI, RI, VT, WV, ME)
  • $7,940,220 was collected in HIPAA fines by the Office of Civil Rights
  • 40 – Largest number of data breaches in one state (California)
  • 4,932,154 – Largest number of people impacted in one state (Tennessee)
  • 18 Data Breaches suffered by one covered entity (Oregon Health Insurance Exchange)

Data Breaches by State in 2014

State Number of Data Breaches People Impacted
Alaska 1 2,743
Alabama 3 55,466
Arkansas 3 10,713
Arizona 4 109,828
California 40 1,055,254
Colorado 6 41,096
Connecticut 3 7,390
Delaware 1 1,667
Florida 29 216,210
Georgia 10 365,793
Iowa 4 7,087
Idaho 1 6,900
Illinois 14 67,059
Indiana 11 268,208
Kansas 3 18,894
Kentucky 6 10,005
Louisiana 3 17,051
Massachusetts 12 62,189
Maryland 4 259,533
Michigan 4 11,688
Minnesota 5 25,446
Missouri 6 49,895
Mississippi 2 4,250
North Carolina 6 27,726
Nebraska 1 2,125
New Hampshire 2 1,979
New Jersey 5 76,314
New Mexico 3 4,040
Nevada 1 800
New York 19 247,268
Ohio 12 49,532
Oklahoma 1 6,000
Oregon 4 6,721
Pennsylvania 10 39,902
South Carolina 3 270,978
South Dakota 1 620
Tennessee 8 4,932,154
Texas 28 2,272,685
Utah 3 796,132
Virginia 8 22,688
Washington 6 22,771
Wisconsin 1 2,400
Wyoming 1 2,700

 

With 2015 looking to be another eventful year of HIPAA data breaches and HIPAA enforcement, healthcare organizations need to assure they are evaluating and implementing effective HIPAA oversight and governance programs.  It is essential that no matter what the size of the organization – large or small – protection of the privacy and security of patient information needs to be a front leader in the 2015 strategies.

Information Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Danika

5 Mistakes in Training the Workforce on Healthcare Privacy and Security

by Leave a Comment

Books and laptopThe privacy and security policies and procedures are in place and updated, encryption of e-mail and computers is completed, risk assessment and mitigation plan is close to done, and business associate agreements are in place, it is time to breathe a sigh of relief and feel confident in your HIPAA Compliance Program.  Right?  What else could have been missed?

WRONG!

Many healthcare organizations fail to understand and effectively prepare their workforce members to understand how privacy and security relates to their specific job.  Workforce members have proven to be one of the top underlying reasons for HIPAA data breaches – both large and small.  Many healthcare organization train staff once per year and assume that education and training is enough to provide workforce members adequate information and tools to support proper understanding of healthcare privacy and security requirements.  What they don’t know, is they might be falling into the one of the 5 top mistakes in managing education and training to workforce members when it comes to privacy and security.

  1. Timing – education is happening yearly (maybe) or upon hire with no additional education provided. Failing to adequately and consistently train workforce members on privacy and security in healthcare can set an organization up for many vulnerabilities in protecting patient information.
  2. Workforce Members – healthcare organizations misunderstand the definition of workforce members and miss training workforce members on healthcare privacy and security requirements. When people are left out of training due to misinterpretation of who is part of the workforce, gaps are created in understanding privacy and security in a healthcare organization.
  3. Methods & Information – using the same methodology and information for training year after year can prove ineffective on gaining the skills and understanding necessary for successful safeguarding of patient information. Re-using the same education materials and methods over and over again is a common practice in healthcare organizations and results in improper education and understanding by workforce members.  Many people learn in different ways and not acknowledging and building training off of many methods can cause some workforce members to never fully grasp the concept of healthcare privacy and security.
  4. Relevant Data – training focused on just the regulations and not on how the specific healthcare organization’s technology and policies and procedures interact with privacy and security compliance can cause issues. By not understanding the current practices of an organization and how the technology supports protection of patient information, an organization creates risks and inconsistencies in day to day practices to safeguard patient information.
  5. Regular Updates – many organizations do not provide regular updates and information on current compliance issues with healthcare privacy and security outside the regular scheduled HIPAA training. Out of sight, Out of mind – without regular updates and current industry concerns, workforce members will push protection of patient information to the back burner and make careless mistakes, potentially causing a data breach.

Privacy and security education should be more than looking at a computer screen, watching a video, answering a few questions, and printing a completion certificate.  Proper training should take part in a variety of ways such as e-mail reminders, staff meeting discussions, current articles, and question and answer sessions.  Successful training should be interactive, relevant, and memorable to the workforce to create understanding and knowledge in the area of healthcare privacy and security.  It is time to start effectively preparing the workforce to help safeguard and protect patient information.  Don’t find your organization making one of the top 5 mistakes when training the workforce in regards to healthcare privacy and security.  Make 2015 the year when you create a robust HIPAA Training program that will properly prepare your workforce for success in safeguarding patient information!

Danika

The HIPAA Holiday List

by Leave a Comment

The HIPAA Holiday List 

Colorful red gifts with Christmas balls isolated on white

Everyone is frantically searching the shelves of the stores, trying to find that perfect gift for their loved ones to make them smile and cheer during the holiday season.  Kids are scrambling to put their perfect list together of the must have toys and gadgets that they need.  Holiday music is on the radio.  It is the perfect season for fun, laughter, and joy.  Excitement looms for the close of another year and the fresh start of the upcoming year.

HIPAA is also putting together a list as we near the end of the year – the list of “must haves” and “should do’s” regarding privacy and security in healthcare.  HIPAA is wondering how many data breaches will occur in the next year and if new regulations will be published regarding privacy and security in healthcare.  One thing is for certain, the HIPAA Holiday List is a MUST review for all healthcare organization to be prepared and successful as 2014 closes down and 2015 starts fresh and new.

The HIPAA Holiday List

  • Risk Assessment & Risk Management
    • Complete a thorough and accurate risk assessment for your organization, clearly identifying potential threats and vulnerabilities to protected health information. With the risks to your organization identified, come up with clear and concise processes to mitigate and reduce the risks. Consider new controls, policies and procedures, and/or technology for your organization.  Healthcare organizations should assure that both the risk assessment outcomes and risk management processes are clearly written out in a format best suitable for the organization.
  • Policy and Procedure Evaluation
    • Evaluating of policy and procedures is a top need for HIPAA this year. Not only is it important to review your policies and procedures to assure that they are up to date and accurate with current practices within your organization, it is equally important to assure that the practices and processes defined are being followed within an organization.  As necessary and appropriate, update policies and procedures and assure that they are available for the appropriate people of the workforce.
  • Workforce Education
    • When was the last time that you educated your workforce on privacy and security within your organization? Not only is it important for your workforce members to understand what regulations exist for privacy and security on a state and federal basis, it is also important that they understand the policies and procedures created by your organization to assure they are meeting the expectations for privacy and security compliance.  Don’t forget to document the education that happened and any updates that you send out!
  • Notice of Privacy Practices and Access Rights
    • Have you taken the time to update your Notice of Privacy Practices to include all the information from the Omnibus Rule of 2013? Does is clearly define the access rights of your patients and how their information will be used and disclosed?  If you are not confident that your Notice of Privacy Practices meet the requirements of the regulations, it is time to review and update the information and content.  Don’t forget to replace all the old Notice of Privacy Practices with the new one – including posting it to your website, if applicable.  Additionally, healthcare organizations should assure there are clearly written policies and procedures for the management and oversight of the patient’s access rights to their protected health information.
  • Breach Notification Timeliness & Notification Content
    • The 60 day countdown begins on the date of discovery. Sure, it seems like a lot of time, but in reality 60 days flies by in the blink of an eye.  Healthcare organizations should review the current breach notification processes to assure investigations are being completed and notifications are timely and prompt within the 60 day window defined by the regulations.  When a breach happens, healthcare organizations need to assure they are providing written notification to the affected parties and that the content includes the required information for notification.  Healthcare organizations should assure that they are keeping a copy of the notification letter, a list of who was notified, and when they were notified for burden of proof documentation.

Help make dreams come true for HIPAA and your organization this year!  Review the HIPAA Holiday List and check it twice.  Going into 2015 feeling confident about your organization’s HIPAA compliance program will make EVERYONE cheer with joy!

Happy Holiday Season!

Danika

Recent Posts

Connect With Us

TriPoint Healthcare Solutions
dbrinda@tripointhealthcaresolutions.com
Phone: 612.325.9742
Fax: 763.322.5027