TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


HIPAA Makes Us Do What? Why? Understanding the Heart of HIPAA!!

February 9, 2015 by Danika Brinda

As we prepare for Valentine’s Day and the celebration of love with hearts and cupids, we are reminded that everything that we do is defined from purpose and intent.  Valentine’s Day dates back to the 5th Century as a dedicated day for people to show their love and respect for one another.

Just as with any holiday or dedicated day, HIPAA has a defined purpose and intent.  It wasn’t created to put challenges and burdens onto healthcare organizations and business associates.  It wasn’t created to block patient care and make it impossible to share protected health information.  HIPAA was created with a purpose and intent: to provide protections and rights for protected health information.  Understanding the heart of HIPAA can help an organization evaluate and successfully implement the regulations.

The HIPAA Privacy Rule, which was mandated in 2003, has three distinct purposes.  Each of the purposes was created with the intent of adding protections and enhancements to how healthcare organizations safeguard protected health information.  The Privacy Rule doesn’t focus on one media type of protected health information – it focuses on all patient information regardless of medium.  The three main goals of the HIPAA Privacy Rule are:

  1. Protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
  2. Improve the quality of health care in the U.S. by restoring trust in the health care system; and
  3. Improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, individual organizations, and individuals.

The HIPAA Security Rule, which was mandated in 2005, took protecting information to the next level with a focus on information that is created, stored, transmitted, and maintained in an electronic format.  With the increase in the amount of electronic protected health information, the main purpose of the HIPAA Security Rule is to establish the minimum requirements to ensure the confidentiality, integrity, and availability (CIA) of electronic protected health information.

Looking to the heart of the requirements, and why the privacy and security requirements were created, can help healthcare organizations overcome the frustration and concerns that arise when evaluating and implementing the regulation requirements.  Remember, as we get ready for the day of love and the celebration of hearts, that HIPAA has a heart too, and going back to the basics to understand its intent can be beneficial.

Celebrate the Heart of HIPAA!

Danika

Filed Under: Other

And the Password IS….NOT so Secret. 6 Ways to Ensure Effective Use of Passwords.

February 3, 2015 by Danika Brinda

Most everybody is familiar with the famous TV show ‘Password’ and remembers the famous line “And the password is…”  It was a fun and exciting game show of trying to guess the secret password in order to win money.  Today, guessing passwords has become much easier, and a correct guess can allow access to information that dramatically impacts organizations as well as individuals.  A recent review of the most ‘hacked’ passwords by SplashData has provided the top passwords that were hacked in 2014.  These passwords make it easy to get access to the information they are protecting:

Top 10 Hacked Passwords in 2014

  • 123456 (number 1 for the past 2 years)
  • Password
  • 12345
  • 12345678
  • Qwerty
  • 123456789
  • 1234
  • Baseball
  • Dragon
  • Football

The good news – these passwords are thought to make up only about 2.2% of the total password population.

Password management is the number one line of defense when it comes to protecting patient information stored on a computer, on a server, in an electronic health record, or in any system where protected health information is stored.  Putting effective strategies and management processes in place to manage passwords in a healthcare organization or business associate is a necessity for adequate protection of patient information.  Here are 6 simple ideas to help effectively manage passwords in a healthcare organization:

  1. Enforce the Use of Strong Passwords. A strong password at a minimum consists of 3 or 4 of the different character types – Uppercase Letters, Lowercase Letters, Numbers, and Symbols.
  2. Require a Minimum Password Length. Requiring a minimum password length can help reduce the ability to ‘guess’ a password – 7 to 8 characters in length is a good practice to implement.
  3. Require that Passwords are Changed Regularly. Passwords need to be changed on a regular basis.  Best practice within healthcare is to change all passwords (Operating System, EHR, Administrative, etc.) every 120 to 180 days.
  4. Ensure that Workforce Members Do Not Write Passwords Down. Train workforce members to never, ever write passwords down.  While it is tempting, and people might not think that a password will be found if hidden in a secret spot, passwords must never be written down unless the organization creates a secure process for documenting them.
  5. Implement Lock Out of Systems After a Specified Number of Incorrect Passwords Entered. If someone fails a login a specific number of times in a short period, the system should suspend the ability to log in or require the user to come back at a later point in time to attempt the login process again.  This deters unwanted guessing of passwords and provides an added safeguard in the “guessing” game.
  6. Educate Workforce Members on Password Management. Educate, educate, educate, educate.  Workforce members need to understand the importance of passwords and why they need to be protected in order to prevent unauthorized access to healthcare systems.  With proper education, workforce members will understand the need to protect passwords, and ultimately to protect patient information.
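Practices 1, 2 and 5 above (character types, minimum length, and lockout after repeated failures) can be enforced in code. The following is an added example written for this page, not code from the original post or from TriPoint. It uses the post's 3-of-4 character-type rule, an 8-character minimum (the post says 7 to 8), rejects the top-10 list quoted above, and locks an account after a configurable number of failed attempts inside a short window; the specific thresholds (5 attempts in 15 minutes, 30-minute lockout) are assumptions chosen for illustration, since the post gives no numbers for them.

```python
"""Password-policy and lockout checks for the practices described above.

Added example (not TriPoint's code). Thresholds below are assumptions:
the post recommends 7-8 characters and 3 of 4 character types but gives
no numbers for the lockout rule.
"""
import string
from dataclasses import dataclass, field

# The 2014 top-10 list quoted in the post, lower-cased for comparison.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}

MIN_LENGTH = 8      # assumption: upper end of the post's "7 to 8 characters"
MIN_CLASSES = 3     # "3 or 4 of the different elements"


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.isupper() for c in pw),               # uppercase letters
        any(c.islower() for c in pw),               # lowercase letters
        any(c.isdigit() for c in pw),               # numbers
        any(c in string.punctuation for c in pw),   # symbols
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses only {sum(classes)} of 4 character types")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is on the commonly guessed list")
    return problems


@dataclass
class LockoutPolicy:
    """Suspend logins after `max_failures` bad attempts within `window_seconds`."""
    max_failures: int = 5           # assumption
    window_seconds: int = 900       # assumption: 15 minutes
    lockout_seconds: int = 1800     # assumption: 30 minutes
    failures: dict = field(default_factory=dict)      # user -> recent failure times
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if this failure triggers a lockout."""
        # Only failures inside the window count, so old mistakes age out.
        recent = [t for t in self.failures.get(user, []) if now - t <= self.window_seconds]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = []    # fresh count once the lockout expires
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def attempt_login(policy: LockoutPolicy, user: str, password_ok: bool, now: float) -> str:
    """Simulate one login attempt (timestamps in seconds, supplied by the caller).

    Returns 'locked' (attempt refused, account already suspended), 'ok',
    'failed', or 'locked-out' (this failure triggered the suspension).
    """
    if policy.is_locked(user, now):
        return "locked"
    if password_ok:
        policy.record_success(user)
        return "ok"
    return "locked-out" if policy.record_failure(user, now) else "failed"


if __name__ == "__main__":
    for candidate in ("123456", "Password", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "passes")
    policy = LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=600)
    for t, ok in ((0, False), (10, False), (20, False), (30, True), (700, True)):
        print(t, attempt_login(policy, "alice", ok, t))
```

The lockout check runs before the password is even compared, so a suspended account cannot be tested by a caller; and because `record_success` clears the failure history, a legitimate user who mistypes once does not carry that failure forward indefinitely.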

While these are very simple processes, more detailed and secure methods of authentication exist that can remove some of the risks to healthcare organizations; however, they don’t come without time and cost to manage.  With simple steps, healthcare organizations can more effectively oversee how passwords are created, managed, and safeguarded.  Don’t get caught having someone guess your passwords; take the proper steps to manage passwords within your organization.

Danika

Source: http://blogs.wsj.com/digits/2015/01/20/123456-again-the-most-popular-passwords-arent-changing/

Filed Under: Other

Are You Prepared to Report a Data Breach? Assuring Collection of the Right Data Elements

January 28, 2015 by Danika Brinda

As of today, there have been 1,170 data breaches reported to the Department of Health and Human Services, which have impacted over 40 million individuals.  The numbers continue to increase at a rapid pace, with clear concern for data breaches in 2015.  The final breach notification rule requires that healthcare organizations conduct a data breach investigation on each and every unauthorized use and disclosure of protected health information to determine if there is a “low probability that the information is compromised.”  Four objective questions must be asked and answered EVERY TIME an investigation is completed:

  1. The nature and extent of the PHI involved in the data breach, including the types of identifiers and likelihood of the re-identification
  2. The unauthorized person (people) who used the PHI or whom it was disclosed to
  3. Whether the PHI was viewed, acquired, or re-disclosed
  4. The extent to which the risk to the PHI has been mitigated

With the answers to these questions complete, healthcare organizations can feel confident they have the documentation and burden of proof in place to submit a data breach to the Secretary of the Department of Health and Human Services (DHHS) – WRONG!!! Many more data elements must be collected during the investigation in the event that a data breach needs to be reported to DHHS.  The notification submission method for a data breach to the Secretary of DHHS has recently been updated, with clearer data elements and requirements for reporting.  Understanding the data elements that must be reported is the foundation of creating a proper method for investigating and documenting a data breach.  With the updated reporting form, covered entities and business associates must be ready to report all of these data elements:

  • Breach Start Date
  • Breach End Date
  • Discovery Start Date
  • Discovery End Date
  • Approximate Number of People Impacted
  • Type of Breach (Hacking/IT Incident, Improper Disposal, Loss, Theft, Unauthorized Access/Disclosure)
  • Location of Breach (Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other Portable Electronic Device, Paper/Films, Other-Must enter a location)
  • Type of Protected Health Information Involved (Clinical, Demographic, Financial, Other-Must enter details)
  • Brief Description of the Breach
  • Safeguards in Place Prior to Breach (None, Privacy Rule Safeguards, Security Rule Administrative Safeguards, Security Rule Technical Safeguards, Security Rule Physical Safeguards)
  • Individual Notice Provided Start Date
  • Individual Notice Provided End Date
  • If Substitute Notice was required
  • If Media was notified
  • Actions taken in response to breach

If you are not collecting all of these data points each time you complete an investigation, you run the risk of not having all the accurate data and potentially having to repeat the investigation.  Create a process that assures collection of all required data elements needed for breach reporting up front, so you don’t have to repeat work and run the risk of extending past the 60 day investigation and notification timeline!  Don’t get in the habit of doing duplicate work – collect all the data elements up front.  If you need a tool – contact TriPoint!

And don’t forget to check out the new and improved Data Breaches Impacting Greater than 500 Individuals website – https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Data Breach Fun Facts – Since September 1, 2009!

  • Breakdown of Organizations Reporting Data Breaches
    • 733 from Healthcare Providers
    • 328 from Business Associates
    • 104 from Health Plans
    • 5 from Healthcare Clearing Houses
  • Theft and Loss account for 63.5% of Data Breaches
  • Paper is the top breach location, making up 22.3% of data breaches
  • Laptops are the second most common breach location, making up 21.7%
  • Largest data breach was in 2011 – 4.9 Million Individuals Impacted

Prepare, Document, and Take Action!

Danika

Filed Under: Other

Going from 0 to HIPAA Compliant – Like Climbing Mt. Everest: Small Steps Take You a Long Way

January 15, 2015 by Danika Brinda

Moving from 0 to HIPAA Compliant can be a lot like climbing Mt. Everest.  Starting from the bottom and staring up to try and see the peak of Mt. Everest is challenging, just as starting the route to HIPAA compliance can be.  When climbing Mt. Everest, nobody sets out to climb to the summit in one day.  Instead, they prepare themselves for the climb, and they break it up and take it in small steps – with a dream of reaching the summit.  The usual course of the climb is:

  • Ice Fall
  • Camp 1
  • Camp 2
  • Camp 3
  • Camp 4
  • Everest Summit (YES)!

Looks easy, right?  WRONG!  At times, climbers spend 4 – 8 weeks at the different camps trying to acclimate themselves to the altitude and prepare themselves for the next hike up the mountain.  The time spent moving between camps takes hours upon hours and can be treacherous and dangerous.  But the moment that the climbers walk the last few steps and make it to the summit, all the hard work and dedication pays off.  They can finally enjoy the success of the momentous task they just accomplished.

BREATHE, EXIST, and ENJOY the moment – because then they remember that they have to climb down, AND the only way down is the way that they came up.

When first reviewing the HIPAA Privacy and Security Regulations, it can be SCARY and OVERWHELMING, similar to climbing Mt. Everest.  Between the two regulations, writing policies and procedures and establishing practices for an organization can take weeks, even months.  The challenge that HIPAA privacy and security practitioners face is that HIPAA is usually another added task on one’s already full plate, creating an even bigger hurdle on the path to the summit of HIPAA compliance.  With all the conflicting priorities and so many deadlines to meet, HIPAA tasks usually get pushed off to the side or left for ‘tomorrow’.  How many times has HIPAA come up on your ‘To-Do’ list and been pushed off until tomorrow?

Looking at the requirements under HIPAA – it is easy to see how it can be overwhelming when you are starting from scratch or reviewing what you already have in place (if you are unclear about the HIPAA requirements – contact me).

Take a new philosophy on HIPAA Compliance and commit to 3 tasks daily.  Think of the movement towards HIPAA compliance as your movement toward the different camps that the climbers reach as they take on the challenge of climbing Mt. Everest.  This may sound silly or a little ‘too easy’, but when you take a complicated task and break it down into small daily tasks, it seems a little more achievable and not so overwhelming.

A Sample Week of HIPAA Tasks (Privacy Rule):

Monday
  1. Update Notice of Privacy Practices
  2. Update process for Notice Signatures
  3. Update P&P on Notice of Privacy Practices

Tuesday
  1. Review P&P on Uses and Disclosures of Protected Health Information
  2. Observe processes for releasing health information
  3. Evaluate documentation received for disclosures of health information

Wednesday
  1. Review recent Requests for Amendment of Medical Record Documentation
  2. Evaluate and Update Amendment Policy and Procedure
  3. Assure Amendment Request form is adequate and requests are being processed in a timely manner

Thursday
  1. Review all accounting of disclosure (AOD) requests
  2. Evaluate and update AOD policy and procedure
  3. Assure AOD Request form is adequate and requests are being processed in a timely manner

Friday
  1. Evaluate areas that need re-training and education on practices reviewed this week
  2. Create a training plan for workforce members
  3. Evaluate and Update HIPAA Training Policy and Procedure

The one important item to remember is – YOU CAN’T GET IT DONE IN A DAY!  To truly evaluate your level of HIPAA compliance, create and implement privacy and security practices within your organization, and effectively train your workforce, you need to dedicate time and effort to the project.  And remember, once you get it all done, it is not time to sit back, relax, and never worry again.  It is time to evaluate and assure that what has been established for HIPAA compliance matches what is actually being practiced within your organization – similar to climbing back down Mt. Everest.

Remember the famous Spanish saying “Poco a Poco se va lejos” (Little by Little, One Goes a Long Way).  Small steps can make all the difference in the successful creation, evaluation, and execution of a solid and complete HIPAA Compliance Program!

Danika

Filed Under: Business Associates, HIPAA, HIPAA Compliance, Other, Privacy, Protected Health Information, Security
