If you are like me, I love to review the current stats of healthcare data breaches to look at trending or see if there is an area that is more prone to data breaches than others.  I thought I would share some new analysis of data breaches!  This information is based on healthcare data breaches where greater than 500 individuals were impacted.  

Some major highlights from the statistics:

• A total of 1,293 Data Breaches have been reported since September 2009

• Paper is still the #1 location (media type) of data breaches - 23% of total breaches involving greater than 500 individuals

• Theft and Loss make up 59% of types of data breaches

• Data hacking only makes up 10% of all data breaches where greater than 500 individuals were impacted

• Business Associates are responsible for 22% of data breaches greater than 500 individuals

• A total of 143,495,899 individuals have been impacted by data breaches greater than 500 individuals

• Data breaches involving business associates have impacted 26,399,466 individuals

• The largest data breach occurred in 2015, Anthem Data Breach, impacting 78,800,000 individuals 

If you don't have a good process in place for data breaches, now is the time to get one established!  It is better to be prepared to report a data breach than struggle when one occurs!  Breach notification is one of the major focuses of Phase 2 HIPAA audits.  

Danika

The data for this analysis is from the HHS Data Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

The Office for Civil Rights (OCR) announced recently that Phase 2 of the HIPAA audits have begun.  The first round of pre-audit surveys have been delivered to both covered entities and business associates.  If you are not in the first round of the audits, don’t breathe a sigh of relief as it is only the first round and definitely will not be the last.  Based on the recent increase in the data breaches, the OCR is definitely going to identify new risks and vulnerabilities.  The HIPAA audits are causing fear and concern among healthcare organizations.  Now is the time to evaluate your current level of compliance to ensure that you have clearly established policies and procedures, and are following them as defined.  Remember: Documentation is one of the keys to success with HIPAA! 

Take this short quiz to test your readiness for a HIPAA Audit:

1. Do you currently know and/or have a list of all systems that stores, maintains, or transmits protected health information within your organization?

2. Has your organization completed a HIPAA Risk Analysis within the last 2 years and do you have your Risk Analysis Report and Risk Mitigation Plan clearly documented?

3. Has your organization evaluated and updated your policies and procedures since the final HIPAA Omnibus Rule (HITECH) was published in 2013?

4. Do you have a clearly established process for identification of business associates and have current business associate agreements signed and on file?

5. Do you have a documented process for your breach investigation within your organization?

6. Do you have a process for maintaining burden of proof (administrative Breach Notification Requirement) for all investigated breaches (confirmed or not)?

7. Do you currently conduct Information System Activity Review and Log-in Monitoring in the exact manner defined by your policies and procedures?

8. Could you produce documentation to support the information system activity review and log-in monitoring, if requested?

9. Have you conducted HIPAA training to your workforce members within the past year? Do you have documentation to support the training that was conducted?

10. Do you have a detail process for access management (adding users, modifying users, terminating users) in all systems that store, maintain, or transmit PHI?

If you answered NO to ANY of the above questions, your organization may not be properly prepared in the event that a HIPAA audits comes your way.  The good news – you have time to fix it!  Start now – don’t wait!  HIPAA compliance doesn’t have to be a barrier to providing good patient care and customer service.  If you take the time and operationalize HIPAA to meet your organization’s needs, you can have a successful HIPAA compliance program without impacting patient care and customer service.  In fact, you may just enhance patient care and customer service with a complete HIPAA compliance program. 

If you need help getting ready for a HIPAA audit or need assistance with analyzing your current level of compliance, don’t be afraid to reach out for help!  Check out the list of TriPoint Healthcare Solutions’ Services to help you with HIPAA Compliance!!

Danika

Disclaimer: The above questions are not intended to be a complete evaluation of HIPAA compliance or to determine if completely prepared for a HIPAA audit.  It is a tool to evaluate if your organization needs to spend more time focusing on HIPAA compliance to prepare in the event of an audit.  It is recommended to be used a simple evaluation to determine if you have concerns regarding your current compliance level with HIPAA.  It is not considered legal advice or complete compliance evaluation. 

Friday the 13^th comes around on average 2-3 times per year.  In 2015, Friday the 13^th will visit us 3 different times.  Friday the 13^th is thought to be one of the most unlucky days of the year – plaguing us with many different superstitions that cause fear among people.  From the masked Jason chasing people down an empty, dark street to the crazy doll, Chucky, that comes to life and attacks, the dread of the 13th of the month has created angst and fear to society! 

Just like all the superstitions and fears we face on Friday the 13th, HIPAA is full off different myths and fears created among the healthcare community.  Healthcare organizations fear HIPAA as it is going to cause issues and destruction among their organization.  Different interpretations and analysis of the HIPAA requirements has created confusions and fears among the healthcare community. 

In honor of Friday the 13^th – Lets Demystify 13 of Today’s HIPAA-Stitions

1. HIPAA prohibits me from taking care of patients and releasing information for continuity of care.

HIPAA allows the sharing of patient information for the purpose of treatment, payment, and healthcare operations (TPO).  If a provider needs to release patient information to help in the continuity of care, that is an acceptable disclosure under the HIPAA regulations.  It is smart to check with state requirements on the protection of patient information as some states do requirement a signed authorization for any use or disclosure of patient information. 

2. The HIPAA Security Risk Analysis only needs to be completed one time.

The HIPAA regulations actually do not define what the frequency of the HIPAA risk analysis needs to be.  Built to be scalable, the HIPAA security rule allows the covered entity or business associate to define the frequency; however, do it one time and never again is not an acceptable practice and leaves the organization vulnerable to non-compliance and risks to PHI.

3. Texting is considered a way of communicating about patients and has no concerns with HIPAA compliance.

Normal SMS texting is not a secure means of communications with protected health information.  In fact, texting using normal SMS format is quite risky to the healthcare organization.  If a healthcare organization is going to allow texting as a means of communications regarding patients (think about this before saying yes), a secure solution for texting should be implemented as well as a policy and procedure for effective management of texting with patient information.  Think about not only how to manage the data as it is in transmission from device to device, but also how you will manage the devices and the information that may be stored on the device.  

4. HIPAA prohibits me from sending patient reminders about appointments and leaving messages on phones.

The HIPAA privacy rule allow for all providers to communicate with their patients regarding their health care, which includes reminders about appointments. This includes communicating with patients at their homes, whether through the mail or by phone. The HIPAA regulations do not prohibit a provider from leaving messages for patients on their voicemail; however, it does require that the covered entity provides adequate safeguards to the privacy of a patient, which may include getting agreement from the patient to leave a voicemail at a specific number or send information regarding care to a specific address. 

5. Since the EHR we use is a cloud based EHR, I don’t have to worry about having a written contingency plan in place.

Using a cloud based, EHR may eliminate an organization’s need to manage the backup process for the EHR system; however, it doesn’t completely eliminate the need to create and implement a contingency plan.  The contingency plan is intended to cover so much more than how the information is backed up, such as how the organization will work in emergency mode, what systems are most vital to the day to day operations or the organization, and how recovery of data will occur.  Another aspect to think about is the EHR may only be one of the systems that stores and maintains patient information.  If you have other systems or are storing information regarding patients in other electronic locations, it is important to have a plan in place on how that information is being backed up and restored in the case of an emergency. 

6. As long as we have passwords in place to get into our systems with patient information, the information is considered secure.

A common misunderstanding of the application of passwords is that they make a system secure when implemented – but they don’t.  Passwords do provide an appropriate safeguard and a layer of security to patient information; however, the protection is only as good as the password.  To help better manage the use of passwords, strong passwords should be implemented on any systems that provide access to patient information.  Strong passwords should be a minimum of 8 characters in length and use uppercase letter, lowercase letters, numbers and systems – 3 of the 4 is the minimum recommendation.  Remember that the only true way to make information secure is to encryption the information or destroy the information using appropriate means.

7. My business associate states they are HIPAA compliant so there is no need to worry about the protection of the information shared with them.

No organization is out there certifying healthcare organizations as “HIPAA Compliant.”  Any third party organization that is stating that they are HIPAA complaint most likely means that they have created an internal program to meet the requirements of the HIPAA regulations as they apply to business associates.  It is best practices that covered entities as business associates about the safeguards used to protect the information they are sharing and what makes them “HIPAA Compliant.”

8. I don’t have an electronic health record; therefore, the HIPAA security rule doesn’t apply to me.

HIPAA doesn’t distinguish between systems where information is stored on where the security rule applies and doesn’t apply.  Rather HIPAA focuses on the media type of the information – electronic, paper, and oral.  The security rule applies specifically to all electronic protected health information, which is PHI that is created, received, maintained or transmitted in electronic form.  An electronic health record is only one source of electronic protected health information. 

9. Meaningful use changed requirements for the HIPAA risk analysis.

The meaningful use requirements didn’t actually change any of the requirements that HIPAA mandates – it actually points directly to the HIPAA requirements for the conducting of the HIPAA risk analysis for protecting patient information.  The only ‘change’ is that if you are participating in the meaningful use program, a HIPAA risk analysis must be conducted or updated for each year that you attest for meaningful use.

10. Every unauthorized use and disclosure of patient information is considered a data breach.

In order to determine if a breach occurred from an unauthorized use or disclosure of information, an investigation must be completed by the covered entity or business associate to determine the risk to the patient information.  Per the Omnibus Rule of 2013, an unauthorized use or disclosure of health information is not considered a breach if there is low probability that the information has been compromised. 

11. Since the patient won’t sign my Notice of Privacy Practices, I am not allowed to treat that patient.

A patient refusing to sign the notice of privacy practice acknowledgement doesn’t prohibit the provider to take care of the patient.  The regulations state that the covered entity should make reasonable effort to get an acknowledgement of the notice of privacy practices signed.  By signing the acknowledgement, the patient is only documenting that they have been given or offered a copy of the notice of privacy practice, which explains how the organization will use and safeguard their protected health information. 

12. The HIPAA regulations prohibit Provider/Patient e-mail communication

The HIPAA regulations do not prohibit provider from communicating with patients through e-mail.  The regulations actually state that if the provider is going to communicate with patients through e-mail, proper safeguards should be implemented to protect the information.  Additionally, the Omnibus Rule states that e-mail can be sent to a patient without encryption as long as the patient agrees to it and is aware of the risks to the information. 

13. Since I fully implemented a HIPAA compliance program, data breaches will not occur at my organization.

Just because an organization implements a full HIPAA compliance program and addresses all areas of potential risk to their organization, there is no guarantee that a data breach is not going to occur.  With the sophistication of recent data attacks and human interaction, there is always going to be a risk that a data breach can occur.  The best scenario is having a fully implemented HIPAA compliance program and assure adequate training to workforce members.  Reducing and managing potential risks is the best avenue to take – no organization is without some risk.  

When evaluating HIPPA and operationalizing it to ‘fit’ a specific organization, HIPAA doesn’t have to be feared!  Overcome the common HIPAA-Stitions and being successful with HIPAA compliance can be a goal reached by all organizations – large and small.  Don’t fear HIPAA as we fear Friday the 13th, instead take it on full speed and don’t look back until you met the appropriate level of compliance.

Danika