TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Ready, Set, HIPAA Enforcement – 2017 is Going to be a Year to Remember

March 6, 2017 by Danika Brinda

HIPAA Data Breaches and HIPAA Enforcement are definitely off to the races in the first 2 months of 2017.  While previous years have started slower and then gradually increased, 2017 is already well ahead of that pace.  2016 ended as a RECORD year in HIPAA Data Breaches (329 Data Breaches greater than 500 Individuals) as well as HIPAA Enforcement Fines ($23.5 Million), but 2017 is off to a quicker start in both of those categories.

Remember that the government only posts details about the data breaches that impact 500 individuals or more.  Here are some key facts to know about 2017 HIPAA Data Breaches through February 28, 2017:

  • 42 Data Breaches impacting greater than 500 Individuals have been reported
  • Unauthorized Access/Disclosure leads the Type of Breach Category with 17 (40%) – Hacking/IT incident comes in a close second with 13 (31%)
  • 312,827 Individuals have been impacted by the 42 data breaches
  • Unauthorized Access/Disclosure and Hacking/IT Incident account for 289,584 (93%) of the total individuals impacted
  • Paper/Films comes in #1 place for the location of data breaches with 10 (21%) with Network Server in #2 place with 8 (19%)
  • Largest Data Breach was from Emory Healthcare due to a Hacking/IT incident impacting 79,930 individuals
  • California has had the most reported data breaches with 8, followed by Ohio with 4
  • Business Associates were only involved in 3 of the reported data breaches

So comparing what we are seeing in 2017 to where we were at the end of February 2016, we are slightly up on the number of reported data breaches greater than 500 individuals.  The location of data breaches and type of data breaches remain consistent with what was seen in the beginning of 2016.

HIPAA Enforcement has been active in 2017 as well.  We continue to hear about the HIPAA Audits with on-site audits starting some time in 2017 to 2018.  You can prepare for your HIPAA audits by comparing your organization’s HIPAA policies and procedures as well as practices and safeguards with the HIPAA Audit Protocol.

HIPAA corrective action plans (CAPs) with monetary fines have made a fast and furious start in 2017.  In the first 2 months of the year, 4 HIPAA CAPs with monetary fines have been assessed, resulting in a total of $11.4 Million.  In 2016 we only saw 1 HIPAA fine in the first 2 months of the year.  Of course the monetary fines and CAPs are always concerning for organizations; however, your organization can learn from what others are being held accountable for.  Review the information on the CAPs and see where the non-compliance with HIPAA occurred.  Then, as necessary, make changes within your organization.  The main categories for the 2017 CAPs with monetary fines are:

  • Inappropriate delay in data breach reporting (reported after 60 days from the date of discovery)
  • Inappropriate implementation of information activities reviews
  • Inappropriate oversight into user set up and user management
  • Lack of implementation of encryption technology on mobile devices
  • Lack of current HIPAA Risk Analysis
  • Insufficient policies and procedures for HIPAA Compliance

Ask yourself a question – do you view HIPAA as out of sight, out of mind in your organization?  If the answer is YES – now is the time to make a change.  Implementing a strong HIPAA Compliance Program can help your organization.  A strong HIPAA Compliance program isn’t just about written policy and procedures that collect dust on the shelf.  A strong HIPAA Compliance program consists of:

  • HIPAA Policies and Procedures
  • HIPAA Requests Forms for Patient’s Rights
  • A Complete Notice Of Privacy Practices
  • Established Technical, Physical, and Administrative Safeguards
  • Conducting a regular HIPAA Risk Analysis
  • Strong Workforce Education
  • Effective User Management and Oversight into systems with Protected Health Information
  • Auditing practices for verification of compliance
  • Ongoing evaluation of current safeguards established by the organization

Let me know if you ever have any questions – anything HIPAA goes!! 

Until Next Time,

Danika

Filed Under: HIPAA, HIPAA Compliance, New Year, Policies & Procedures, Privacy, Risk Analysis, Security

Breaking Down a HIPAA Corrective Action Plan and Settlement: It’s Not All About the Money

September 14, 2015 by Danika Brinda

The headlines over the last week highlighted that an Oncology Practice in Indiana, Cancer Care Group, P.C., received a $750,000 fine for HIPAA non-compliance from the Office for Civil Rights.  After a laptop bag was stolen out of an employee’s car in 2012, the information of approximately 55,000 patients was breached, including names, addresses, dates of birth, social security numbers, clinical information, and insurance information.  The laptop didn’t have any safeguards such as encryption applied to it, creating risk for those 55,000 patients.  In the settlement, the organization must pay a hefty $750,000 fine; HOWEVER, it is only part of the corrective action settlement.  The organization must do a lot more than just pay the fine – causing additional costs and time commitments to the organization.  In addition, the corrective action plan is valid for 3 years from the effective date!!

Looking deeper into the corrective action plan (CAP) between Cancer Care Group and the Department of Health and Human Services (HHS), they are also required to:

  • Conduct a HIPAA Risk Analysis within 90 days of the CAP effective date
    • Submit the Risk Analysis Report for approval to the HHS
    • If the Risk Analysis is not approved, Cancer Care Group will have 60 days to revise the Risk Analysis and submit to the HHS for approval
  • Implement an organization-wide risk management plan to address and mitigate any risks and vulnerability found during the risk analysis
    • Within 90 days of approval of the Risk Analysis from HHS, Cancer Care Group must submit the Risk Management Plan to HHS for approval.
    • If the Risk Management Plan is not approved, Cancer Care Group must update the Risk Management Plan and resubmit to HHS within 60 days.
    • Once approved, Cancer Care Group must begin the implementation of the Risk Management Plan.
  • Review and revise policies and procedures relating to the HIPAA Security Rule
    • Based on the findings from the HIPAA Risk Analysis, Cancer Care Group must review and revise all policies and procedures relating to the HIPAA Security Rule
    • All policies and procedures must be forwarded to HHS within 60 days of the approval of the Risk Management Plan
    • If policies and procedures are not approved by HHS, Cancer Care Group will have to revise and resubmit the policies and procedures within 30 days.
    • Within 30 days of approval of the policies and procedures from HHS, Cancer Care Group must implement the new policies and procedures.
  • Review and revise security rule training program based on the risk analysis findings
    • Revise and update the training program and submit for approval to HHS within 60 days of the approved Risk Analysis from HHS.
    • Within 30 days of approved training program from HHS, administer the approved training program to all Cancer Care Group workforce.
  • Any reportable events (failure of workforce member to comply with policies and procedures, security incident, potential data breach, etc.) must be promptly investigated and reported to HHS within 30 days of the awareness of the incident.
    • Notification must include: 1) a description of the event, including relevant facts, individuals involved, and policies and procedure(s) impacted, AND 2) a description of actions taken and future actions planned
  • Provide HHS Annual Reports of the following for the CAP Timeframe (3 Years)
    • Updates or changes to the approved Risk Analysis or Risk Management Plan
    • Updates or changes to Cancer Care Group’s approved HIPAA policies and procedures
    • Summary of all Reportable Privacy and Security Events
    • Attestation by the appointed officer/owner at Cancer Care Group that he/she has appropriately reviewed the annual report to HHS and verification that the information is truthful and accurate.

In the event that you find your organization in the middle of a data breach that is being submitted to HHS, the proper steps should be taken to evaluate your current level of compliance.  It is best to try and identify risks and vulnerabilities to your organization immediately rather than waiting for the HHS to come and mandate that you evaluate your compliance.  From the above information, HHS doesn’t just ‘go away’ after the fine is appropriately paid.  Being linked and connected to the HHS for 3 years post settlement is intense and challenging.  Relying on approval from HHS for all aspects of the HIPAA Security Rule can be overwhelming and stressful.  Don’t find yourself in this situation.

Remember – your organization is the one responsible for compliance with the federal privacy and security requirements.  With Phase 2 of the HIPAA Audits on the verge of starting, now is the time to get out and evaluate.  Waiting for the HHS to come in and tell you what to do, or worse, assess a fine, is something that should be avoided!

Take time to evaluate your compliance, plan your mitigation strategies and take action for compliance!

Danika

Filed Under: Breach Notification, Corrective Action Plan, Data Breach, HHS, HIPAA, OCR Fine, Policies & Procedures, Risk Analysis, Risk Management, Security, Training

Here comes Peter Cottontail – Hopping Down the HIPAA Trail!

April 1, 2015 by Danika Brinda

When we think about the Easter Holiday and the Spring that has found us, the focus shifts from existing in a dull, mundane world into a new world full of new life and new excitement.  The snow melts (if you have snow), the rivers and lakes open, the birds chirp more, and the temperature rises.  At the same time, we prepare for one of our favorite furry friends to come and visit, the Easter Bunny.  With the hope and intent of new and fresh goodies in our bag, the anticipation of the little bunny visiting creates entertainment and excitement!

It is easy for a HIPAA Compliance program to be ordinary and unexciting.  HIPAA consists of many different kinds of regulations that you must comply with just to make the government happy, and they might not really work in your organization.  Many organizations focus on writing and creating a process in order to meet compliance, but over time that process becomes outdated and doesn’t really meet the intent behind the HIPAA regulations.

It is time to head down the HIPAA Trail and focus on HIPAA in a new way.  As Peter Cottontail comes to provide treats and goodies to everyone’s baskets, it is time to provide your compliance program with a new basket of tools and tricks to make HIPAA fun and enjoyable.  Rather than focusing on HIPAA as something that is forced and mandated just to comply with regulations, change the focus to be something the organizations does to protect the patients they see and the information stored and maintained by the healthcare organization. 

Here is a list of a few ideas to help provide your HIPAA Basket with new and fresh goodies:

  1. Conduct a HIPAA Risk Analysis – the risk analysis allows an organization to review and see potential risks so that they can be mitigated before an unauthorized use or disclosure of health information exists. Get everyone involved – see how your entire organization can help and support the risk analysis process.  Something fun is to go on a HIPAA scavenger hunt for employees – give them a walk through document and send them to another department to see what they can find that might be risks to your organization! 
  2. Refresh HIPAA Training – so often organizations use the same training for HIPAA or the same format for training year after year. While it is important to create consistency and assure proper training is occurring, providing a refresh on the format or content of the training can support a better compliance among employees and a better understanding of the importance of protecting patient information.
  3. Review and Update Policies and Procedures – even when no regulations or processes have changed, it is always good to give the policies and procedures that help manage HIPAA compliance a review on a regular basis. While there is no mandate on how often, best practice is to review yearly or upon changes of technology, regulations, or physical space.  Set a timeline for each year to review policies and procedures and commit to that timeline!
  4. Create a Culture of Privacy and Security Protections – organizations that are most successful with HIPAA compliance create a culture of privacy and security protections. While policies and procedures as well as technical and physical safeguards are a necessity for HIPAA Compliance, workforce members need to buy into the philosophy and intent of protecting and securing patient information.  Many times your employees become the front line defense to the safeguard and protection of patient information.  If they don’t buy in or understand the importance, an organization will struggle for success with their HIPAA compliance. 
  5. Create a HIPAA Governance Structure – there is that word – governance – again! Strong governance and oversight of the management of HIPAA at an organization will help transform it from a department or person who manages privacy and security of patient information to an organization that knows the importance of protecting patient information and acts upon it throughout each day and every task.  Have specific leaders throughout the process and assure that roles are clearly defined!

Office for Civil Rights (OCR) HIPAA Audits are coming in 2015 – take the time that has been given to fill your HIPAA Compliance Basket with new goodies and tools to be successful.  Figure out how you can breathe new life into your HIPAA program and make it successful in protecting the valuable patient information that the organization is trusted with.  HIPAA can be fun and exciting – just like the change in the season and a full basket of goodies!  Hopefully you will bump into Peter Cottontail hopping down the HIPAA Trail!    

“Most of us feel that our health information is private and should be protected. That is why there is a federal law that sets rules for health care providers and health insurance companies about who can look at and receive our health information.”

—Office for Civil Rights

Danika

Filed Under: HIPAA, Policies & Procedures, Privacy, Protected Health Information, Security

We Have a Process…Isn’t That Good Enough? HIPAA is All About the Documentation!

March 2, 2015 by Danika Brinda

Working with all different types of healthcare organizations and business associates, I frequently hear the following phrases:

“We have a process for that, it is just not documented”

“We did some items that would qualify to meet those requirements, but we didn’t know we had to document”

“We have a high level of HIPAA compliance, but just don’t have documented policies and procedures”

While all these statements may be true – the issue is that HIPAA requires documentation and proof that you are complying with the regulations.  As we enter 2015 and are looking at 1) Increased enforcement of HIPAA, 2) the Next phase of HIPAA Audits, 3) Data Breaches Increasing and 4) Continued Meaningful Use Audits – organizations need to make the time to assure proper documentation exists in order to comply with the HIPAA regulations.

Policies and Procedures – They are a Requirement

If you look at the detail of the HIPAA Privacy, Security, and Breach Notification Rules – they all have a section that requires documentation to exist to support the regulations.

  • Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 164.316(b)(1) – Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment
  • Breach Notification Rule Documentation – 164.316(b)(1) – A covered entity must comply with the administrative requirements as defined under the HIPAA rule documentation. Additionally, in the event of an unauthorized use or disclosure, the covered entity or business associate shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach

In addition to supporting compliance with policies and procedures, organizations should also ensure that they are supporting what they are doing to comply with appropriate documentation.  Some examples of documentation to review to ensure it exists per your policy are:

  • Proof of Information System Activity Review – who, what, when, where, outcomes
  • Workforce Sanctions Applications – when have you applied sanctions and why
  • Workforce Training Proof – regular training documentation as well as periodic updates
  • Complaints Received and Proof of Resolution – all complaints regarding privacy and security, the investigation and outcomes
  • Breach Notification Investigations (including 4 required questions) – all information regarding the investigation as well as the outcome documentation and assurance of the burden of proof
  • Business Associate Contracts – do you have business associates contracts signed for the third party vendors you use
  • Notice of Privacy Practices Acknowledgement – are you getting proper signatures as required and defined in your policy

This is not an all-inclusive list, but rather a sample to start thinking about how to verify that documentation exists.  It is EXTREMELY important that you don’t assume proper documentation is happening – ask and look to verify that proper documentation is happening.  Each of the above sample areas should be reviewed to see if what is defined in the policy and procedure that you have is truly being followed appropriately. 

Don’t sit back and assume you are ok because you have a process – make sure you have proper documentation to support your compliance with HIPAA regulations.  You can always conduct mock audits or hire an organization to analyze this for you.  It is best to be prepared!

Final Word on HIPAA Compliance and Documentation – Take initiative, review, analyze, and verify.  Your compliance level is only as good as the documentation you have to support it.  Be diligent, dig through documentation, and feel confident with your compliance with HIPAA.

Danika


Filed Under: Documentation, HIPAA, HIPAA Compliance, Policies & Procedures
