TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare

Are you prepared? The HIPAA Audits are COMING! Six Simple Steps to Create a Solid Foundation of HIPAA Compliance.

by 2 Comments 

It is that time of year – the weather in many places is all over the place.  From 80 degrees to 28 degrees in a few days in the Midwest, cool comfortable air on the east coast, from green leaves to an array of oranges, yellows, reds, and greens.  From trees full of summertime and leaves to bare branches and leave piles on the ground.  With the changing in the seasons, it’s time to prepare for the next season.  Creating a solid HIPAA compliance program can be like braving the weather and embracing the change in the seasons – but instead we focus on the change in the culture within our organization.   
There has been a lot of news regarding HIPAA over the past couple weeks.  Continued data breaches, the Office of Inspector General (OIG) stating that there has been a lack of HIPAA oversight and enforcement, and Phase 2 of the HIPAA Audits beginning in early 2016.  The stage has been set, the world has been notified – there is going to be a change in the enforcement of HIPAA and NOW is the best time to prepare your organization. 
Here are Six Simple Steps you can take to prepare your organization for success with the upcoming changes in enforcement and Phase 2 HIPAA Audits.
  • Conduct a Risk Assessment/Analysis – if you haven’t conducted a risk analysis recently, it might be a great idea to conduct one again soon. Make sure to have a risk analysis report that provides information on how the audit was conducted, what systems were evaluated and what the identified risks were.  Remember – don’t stop there.  You must create a risk management plan and mitigate and/or address all the risks identified. 
  • Review and update all policies and procedures – policies and procedures create the foundation for success with HIPAA compliance. Conduct a gap analysis on your policies and procedures.  Look for policies that you may be missing or policies that don’t meet minimum compliance.  Then ensure that your organization is following the policies you have created.  Look for evidence such as documents, logs and audit forms that can prove you are in compliance with your policies.
  • Know who your Business Associates Are – evaluate who you are paying as third party contractors and what tasks they are performing for your organization. If they are creating, receiving, transmitting or storing any protected health information on your behalf – ensure that you have an updated business associate agreement in place with them.  Consider creating an easily accessible list or spreadsheet of all your business associates within your organization. 
  • Review and become familiar with the Audit Protocol – although the new HIPAA audit protocol hasn’t been officially published, it is good practice to review and become familiar with the HIPAA audit protocol that was used on the HIPAA audits of 2011-2012. This will help an organization understand what will be looked for as far as evidence of compliance with the regulations. 
  • Conduct internal HIPAA audits – practicing audits and helping staff become comfortable with answering questions regarding HIPAA compliance should be done. If an on-site HIPAA audit is conducted, the auditors will not only be talking to the HIPAA Privacy and Security Officers, but also all workforce members that take part in providing proper protection of patient information (A.K.A. – EVERYONE)
  • Educate all staff and leaders on the importance of HIPAA Compliance – education of your entire workforce becomes an essential step in HIPAA compliance. Your workforce should know and understand what HIPAA is and the processes and procedures that are established within your organization for proper HIPAA compliance!
While this list isn’t a complete list of what an organization can do – it is a few simple steps that can definitely help create a solid HIPAA program and prepare for the increase in enforcement and Phase 2 HIPAA Audits.  Don’t be one of the healthcare organizations that states “We didn’t know that was a requirement” or “We thought we had more time to be compliant.”  Be prepared and feel confident in the way that you are protecting your patient’s information.  Your healthcare organization will benefit and your patients will be satisfied knowing that they are receiving great care and their information is properly protected and secured!
TriPoint Healthcare Solutions will be launching an online course soon that will guide healthcare organizations through preparing for a HIPAA Audit!  Want to be the first to know about this new class? Sign up here and receive the information and access to this class!

Click Here to Be the First to Know

Danika

Data Breach: It WILL NEVER Happen to Our Organization

by Leave a Comment

You choose your path: Be Prepared OR Be Scared.

Privacy security or safeguard diagram or flowchart written on a dry erase board as tips, advice or information on making your personal, sensitive data safe and secure

How many times have you heard an organization say “A data breach will never happen here,” “We are too small for a data breach to happen,” “It only happens to hospitals and insurance companies.”  The thought that a data breach will never happen to your organization can be your biggest mistake in the preparation and defense in the event that a data breach does occur.  If you asked all the organizations who have experienced a HIPAA data breach in the past 12 months, many of them would agree that they never believed that something like that could happen.

Healthcare covered entities and business associates need to plan and be prepared in the event a potential data breach does occur.  Policies, procedures, and processes should be established that can be immediately activated in the event that a potential breach occurs and needs to be stopped, investigated, and mitigated. 

Looking over the past week, we see data breaches are occurring at all types of healthcare facilities and for a variety of reasons.

  • Buffalo Heart Group, 500 to 600 impacted – Third Party working under a physician access information outside of the scope of the work to solicit patients with the movement of a physician to a new practice
  • Unity Recovery Group, Inc., Fewer than 1,000 impacted – improper disclosures of patient information to unaffiliated recovery services
  • New Jersey Medical Center, 1,400 Impacted – An e-mail with an spreadsheet meant for internal use was sent to an incorrect recipient
  • Beacon Health, unknown impacted – Victim to a sophisticated phishing attached that caused unauthorized access to e-mails with PHI
  • University of Rochester Medical Group, 3,400 Impacted – Former Nurse Practitioner took patient’s personal information with her when she left for another organization
  • HHC Jacobi Medical Center, 90,000 impacted – Improper access and transmission of files containing PHI to personal email account
  • Associated Dentists– theft of a laptop – one was encrypted and the other was not encrypted

One piece of advice to all healthcare organizations and business associates: Be Prepared.  Don’t follow the path of so many and think that a data breach will never occur within your organization. 

If you are not confident about your breach notification response plan, review and update the plan so that it makes sense for your organization.  Go through practice drills to assure the process gets practiced and is realistic in the event of a potential data breach occurring. 

If additional help is needed, reaching out to experts in the industry is always a great idea.  Having third party assistance in the creation and establishment of a process for your organization can help elevate some of the fears and challenges that healthcare covered entities face.

Be prepared, plan accordingly, and assure your breach investigation process is ready.  You never know when your organization maybe the next data breach – a good response plan can save your organization from unwanted reproductions that data breaches bring to organizations. 

“If you are failing to plan, you are planning to fail.” – Tariq Siddique

Danika

Here comes Peter Cottontail – Hopping Down the HIPAA Trail!

by Leave a Comment

Easter BunnyWhen we think about the Easter Holiday and Spring that has found us, the focus shifts from existing in a dull, mundane world into a new world full of new life and new excitement.  The snow melts (if you have snow), the rivers and lakes open, the birds chirp more, and the temperature rises.  At the same time, we prepare for one of our favorite furry friends to come and visit, the Easter Bunny.  With the hope and intent of new and fresh goodies in our bag, the anticipation of the little bunny visiting creates entertainment and excitement!

It is easy for a HIPAA Compliance program to be ordinary and unexciting.  HIPAA consists of many different kinds of regulations that you must comply with just to make the government happy and that might not really work in your organization.  Many organizations focus on writing and creating a process for in order to meet compliance, but over time that process becomes outdated and doesn’t really meet the intent behind the HIPAA regulations. 

It is time to head down the HIPAA Trail and focus on HIPAA in a new way.  As Peter Cottontail comes to provide treats and goodies to everyone’s baskets, it is time to provide your compliance program with a new basket of tools and tricks to make HIPAA fun and enjoyable.  Rather than focusing on HIPAA as something that is forced and mandated just to comply with regulations, change the focus to be something the organizations does to protect the patients they see and the information stored and maintained by the healthcare organization. 

Here is a list of a few ideas to help provide your HIPAA Basket with new and fresh goodies:

  1. Conduct a HIPAA Risk Analysis – the risk analysis allows an organization to review and see potential risks so that they can be mitigated before an unauthorized use or disclosure of health information exists. Get everyone involved – see how your entire organization can help and support the risk analysis process.  Something fun is to go on a HIPAA scavenger hunt for employees – give them a walk through document and send them to another department to see what they can find that might be risks to your organization! 
  2. Refresh HIPAA Training – so often organizations use the same training for HIPAA or the same format for training year after year. While it is important to create consistency and assure proper training is occurring, providing a refresh on the format or content of the training can support a better compliance among employees and a better understanding of the importance of protecting patient information.
  3. Review and Update Policies and Procedures – while no regulations or processes have changed, it is always good to give the policies and procedures that help manage HIPAA compliance a review on a regular basis. While there is not mandate on how often, best practice is to review yearly or upon changes of technology, regulations, or physical space.  Set a timeline for each year to review policies and procedures and commit to that timeline! 
  4. Create a Culture of Privacy and Security Protections – organizations that are most successful with HIPAA compliance create a culture of privacy and security protections. While policies and procedures as well as technical and physical safeguards are a necessity for HIPAA Compliance, workforce members need to buy into the philosophy and intent of protecting and securing patient information.  Many times your employees become the front line defense to the safeguard and protection of patient information.  If they don’t buy in or understand the importance, an organization will struggle for success with their HIPAA compliance. 
  5. Create a HIPAA Governance Structure – there is that word – governance – again! A strong governance and oversight into the management of HIPAA at an organization will help transform from a department or person who manages privacy and security of patient information to an organization who knows the importance of protecting patient information and acts upon it throughout each day and every task.  Have specific leaders through the process and assure that roles are clearly defined!   

Office for Civil Rights (OCR) HIPAA Audits are coming in 2015 – take the time that has been given to fill your HIPAA Compliance Basket with new goodies and tools to be successful.  Figure out how you can breathe new life into your HIPAA program and make it successful in protecting the valuable patient information that the organization is trusted with.  HIPAA can be fun and exciting – just like the change in the season and a full basket of goodies!  Hopefully you will bump into Peter Cottontail hopping down the HIPAA Trail!    

“Most of us feel that our health information is private and should be protected. That is why there is a federal law that sets rules for health care providers and health insurance companies about who can look at and receive our health information.”

—Office for Civil Rights

Danika

Your PHI Goes in There and Out Where? Can Understanding your PHI Flow Help Support HIPAA Compliance?

by Leave a Comment

How many organizations can say that they completely understand where all their protected health information exists and where are the inputs and outputs of the data are?  Based on current clients, very few know exactly where all protected health information is being stored and maintained.  It is not uncommon to walk into an organization and hear that they have 2 or 3 systems that store or interact with PHI – then after discussion and analysis, it is determined that there are actually 9 or 10 different systems that interact with PHI within the organization.  Additionally, many organizations don’t fully understand all the areas where PHI may come out of electronic systems.  Example, a transcription system may automatically send a document once it is transcribed or a lab system may send information to the billing system for proper charges.  Without properly understanding where all the data is being stored, what happens to the data, how those systems are protected, and where is the ePHI outputs from the systems are, it creates a challenge on effectively managing the privacy and security of protected health information.  It is the key link from privacy and security to Information Governance in an electronic era.

Sure, everyone knows they have patient data within their electronic health record, stored in their lab system, or on the organization’s file server, right?  Those areas may be obvious and clear; however, organizations must know and understand every system and location where protected health information is being stored.  Without the knowledge of where all protected health information resides within an organization and the systems that use health information, it becomes nearly impossible to manage privacy and security of information and leaves the organization extremely vulnerable to a data breach. 

Privacy and Security Officers at healthcare organizations should start a process of identification of all systems storing, transmitting, or accessing patient information – creating a knowledge and understanding of how protected health information is being stored and used within their organization.  Creating a protected health information flow diagram or documentation is a complex and detailed process.  It is most likely not going to happen in one day or one week.  It is going to take time to understand each specific system, how it may or may not use protected health information, and what other systems it interacts with.

Some suggested steps to create this information at an organization:

  • Conduct a system inventory analysis of all systems that the organizations uses
  • Understand all the hardware being used in the organization and if ePHI is being stored on the hardware
  • Evaluate each system identified to determine what the interaction is with any type of patient information
  • If the system interacts with protected health information, determine
    1. What type of PHI is being stored in the system
    2. What is the intent of the system
    3. Who is the system ‘owner’
    4. Who has access to the system and how is access management managed
    5. Where the system is being stored (local server, cloud based) and backed up
    6. What are the inputs into the system with PHI
    7. What are the outputs from of PHI from the system – both automatic and manual
    8. If the system interfaces and interacts with other systems
    9. Other security measures in place to protect the information
    10. Other pertinent information regarding the system that is important from a security perspective
  • Create documentation to support and understand all systems – Your Protected Health Information Flow!
  • Assure proper management of all systems that contain PHI!!!! It is not the job on the security officer to own the systems, but it is a responsibility to ensure the systems are understood and proper security is maintained so the privacy of the data is properly secured and protected!

This is not an easy process – in some large integrated systems, they could have hundreds of different systems that interact with ePHI in some aspect!

Remember that HIPAA doesn’t just apply to an electronic health record.  Electronic protected health information is any protected health information (PHI) that is produced, saved, transferred or received in an electronic form.  ePHI can be found on computer hard drives, in databases, in e-mail, in the EHR, and many other locations – you need to evaluate and look at your entire system to truly understand and manage ePHI!!

Don’t get caught in an unwanted data breach due to not knowing or understanding how your data flows throughout your organization, what systems have protected health information, where the inputs are, what happens to the data in the system, and where the outputs from the system exist.  Work upstream, understand your PHI data flow, and properly manage and reduce risks to PHI!

Danika

Going from 0 to HIPAA Compliant – Like Climbing Mt. Everest: Small Steps Take You a Long Way

by Leave a Comment

evening view of Everest and Nuptse from Kala PattharMoving from 0 to HIPAA Compliant can be a lot like climbing Mt. Everest.  Starting from the bottom and staring up to try and see the peak of Mt. Everest is challenging just as starting the route to HIPAA compliance can be.  When climbing Mt. Everest, nobody sets to climb to the summit in one day.  Instead, they prepare themselves for the climb, and they break it up and take it in small steps – with a dream of reaching the summit.  The usual course of the climb is:

  • Ice Fall
  • Camp 1
  • Camp 2
  • Camp 3
  • Camp 4
  • Everest Summit (YES)!

Looks easy, right?  WRONG!  At times, climbers spend 4 – 8 weeks at the different camps trying to acclimate themselves to the altitude and prepare themselves for the next hike up the mountain.  The time spent moving between camps takes hours upon hours and can be treacherous and dangerous.  But the moment that the climbers walk the last few steps and make it to the summit, all the hard work and dedication pays off.  They can finally enjoy the success of the momentous task they just accomplished.   

BREATH, EXIST, and ENJOY the moment – because then they remember that they have to climb down AND the only way down – is the way that they came up.     

When first reviewing the HIPAA Privacy and Security Regulations, it can be SCARY and OVERWHELMING, similar to climbing Mt. Everest.  Between the two regulations, writing policies and procedures and establishing practices for an organization can take weeks, even months.  The challenge that HIPAA privacy and security practitioners face is that HIPAA usually is another added task to one’s already full plate, creating an even bigger hurdle in the path to the summit of HIPAA compliance.  With all the conflicting priorities and trying to meet so many deadlines, HIPAA tasks usually gets pushed off to the side or left for ‘tomorrow’ to do.  How many times has HIPAA come up on your ‘To-Do’ list and got pushed off until tomorrow?

Looking at the requirements under HIPAA – it is easy to see how it can be overwhelming when you are starting from scratch or reviewing what you already have in place (if you are unclear about the HIPAA requirements – contact me).

Take a new philosophy on HIPAA Compliance and Commit to 3 tasks daily.  Think of the movement towards HIPAA compliance as your movement toward the different camps that the climbers make it to as they take the challenge of climbing Mt. Everest.  This may sound silly or a little ‘too easy’ but when you take a complicated task and break it down to small daily tasks, it seems a little more achievable and not so overwhelming.    

A Sample Week of HIPAA Tasks (Privacy Rule):

Monday 1.   Update Notice of Privacy Practices 

2.   Update process for Notice Signatures

3.   Update P&P on Notice of Privacy Practices
Tuesday 1.   Review P&P on Uses and Disclosures of Protected Health Information 

2.   Observe processes for releasing health information

3.   Evaluate documentation received for disclosures of health information
Wednesday 1.   Review recent Request for Amendments of Medical Record Documentation 

2.   Evaluate and Update Amendment Policy and procedure

3.   Assure Amendment Request form is adequate are being process timely
Thursday 1.   Review all accounting of disclosure (AOD) requests 

2.   Evaluate and update AOD policy and procedure

3.   Assure AOD Request form is adequate and requests are being process timely
Friday 1.   Evaluate areas that need re-training and education on practices reviewed this week 

2.   Create a training plan for workforce members

3.   Evaluate and Update HIPAA Training Policy and Procedure

The one important item to remember is – YOU CAN’T GET IT DONE IN A DAY!  To truly evaluate your level of HIPAA compliance, create and implement privacy and security practices within your organization, and effectively train your workforce – you need to dedicate time and effort to the project.  And remember, once you get it all done – it is not time to sit back, relax and never worry again.  It is the time for evaluation and assurance that what has been established for HIPAA compliance with what is being practiced within your organization – similar to climbing back down Mt. Everest.

Remember the famous Spanish saying “Poco a Poco se va lejos” (Little by Little, One Goes a Long Way).  Small steps can make all the difference in the successful creation, evaluation, and execution of a solid and complete HIPAA Compliance Program!

Danika 

Recent Posts

Connect With Us

TriPoint Healthcare Solutions
dbrinda@tripointhealthcaresolutions.com
Phone: 612.325.9742
Fax: 763.322.5027