All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved
According to HHS.gov, the use of encryption is not mandatory, it is “addressable” rather than “required”. However, a Health and Human Services administrative law judge (ALJ) recently ruled that the University of Texas M.D. Anderson Cancer Center must pay 4.3 million in fines for failure to safeguard patient information on unencrypted devices. According to Health Leaders Media, M.D. Anderson made the decision to encrypt all devices in 2008, but by 2013 had still not done so. The breaches were reported by M.D. Anderson to OCR in 2012 and 2013 and involved an unencrypted laptop, which was stolen, and two unencrypted thumb drives which were lost. The laptop contained electronic protected health information (ePHI) of more than 29,000 people while both thumb drives contained ePHI of 5,800 people combined. M.D. Anderson plans to appeal the decision.
This recent ruling is a reminder that implementing new ePHI policies in healthcare organizations and covered entities must be done expeditiously. A vital factor in securing ePHI is fully utilizing encryption. It is a crucial link in security which can thwart hackers and thieves, yet so many in healthcare have yet to adopt it. Why it is not used more extensively is not fully known. Affordable encryption technology has been available for quite some time. It can be complicated for those not well-trained in implementing it. However, it is now more apparent that an administrative law judge would not view any excuses for lack of encryption as viable for leaving ePHI vulnerable. So, putting together a plan for encryption and implementing that plan quickly is important to do before a breach can take place.
The National Institute of Standards and Technology (NIST) has published, Guide to Storage Encryption Technologies for End User Devices. This guide can give IT and security personnel at healthcare organizations, or their covered entities, excellent information on encryption. It can provide “real-world guidance for three classes of storage encryption techniques: full disk encryption, volume and virtual disk encryption, and file/folder encryption. It also discusses important security elements of a storage encryption deployment, including cryptographic key management and authentication.” While this guide only discusses the encryption of data at rest, not the encryption of data that is transmitted, it can be a good way to educate healthcare entities on how to plan, implement, and maintain storage encryption solutions.
Implementing encryption is not an easy task for small or large healthcare offices alike. Using guides like the one published by the NIST is a good start but making sure to utilize IT companies with encryption experts can make the process much easier. Those trained in encryption can make sure that if a HIPAA data breach occurs, no ePHI will be vulnerable. If M.D. Anderson would have fully implemented their decision to encrypt their devices in 2008, they would not be faced with a 4.3 million dollar fine.
From planning to implementation and on-going support, an IT company like Data Fast Solutions can make sure your encryption plan is rolled out effectively. Contact Data Fast Solutions for more information today!
This article is ©2018 Data Fast Solutions • All Rights Reserved
In February 2017, we wrote about Healthcare System Configuration and Collaboration with the help of SAFER Guides, originally published in 2014, by the Office of the National Coordinator for Health (ONC). The SAFER Guides, or Safety Assurance Factors for EHR Resilience, were updated in 2017 and put together to assist healthcare organizations with electronic healthcare record (EHR) implementation and safety.
However, a recent study shows that many healthcare organizations do not adhere to the recommended safety practices contained in the SAFER Guides. The study found that healthcare companies do tend to follow more of the technical recommendations, but just 18%, or 25 of 140 SAFER recommendations, were fully implemented.
As we stated in our previous blog, using a SAFER Guide for EHR implementation is not mandatory, but they do provide useful tools to ensure EHR’s are not left vulnerable. The SAFER Guides, used along with a HIPAA Certified I.T. company, can ensure that the technical aspects of EHR implementation are covered, but not utilizing the guidelines, fully, can result in the safety of electronic health records being at risk.
“Of the 11 recommendations most likely to be ‘not Implemented,’ most (9 of 11) were from 3 guides: Test Results Reporting, Communication and CPOE/CDS, with 4 from the CPOE/CDS guide alone,” researchers wrote. “Conversely, all System Interfaces and Contingency Planning guide recommendations were implemented by at least one site.”
One of the most important findings in the study suggests that, according to researchers, “the guides may also assist in driving culture change regarding organizational learning related to evaluation and improvement of the EHR”. However, “this has historically been seen as the sole responsibility of the IT department rather than as shared responsibility among stakeholders across the entire organization in conjunction with EHR vendor.” This is important because EHR safety does not happen solely from within the technical department or team.
The SAFER Guides specifically state that a multi-disciplinary team should complete the self-assessments and evaluate potential health IT-related patient safety risks addressed by the specific SAFER Guide within the context of a particular healthcare organization. The checklists and worksheets are designed as simple tools to make sure all aspects of EHR are considered. Utilizing the guides, as they were intended, can increase the likelihood of implementing and utilizing EHRs safely and effectively.
Data Fast Solutions is HIPAA I.T. Certified and can assist your organization in utilizing the SAFER Guides effectively to ensure a safe EHR implementation and continued EHR safety. Contact Data Fast Solutions today!
General Data Protection Regulation, or GDPR, is due to take effect next month and many in healthcare in the U.S may wonder how it affects them. Per the GDPR portal, it “was designed to harmonize data privacy laws across Europe” and relates to those residing in the EU. However, it does have far reaching effects into the United States due to how personal data is collected, used, disclosed and processed by controllers and processors. Simply put, controllers determine the “purposes, conditions and means of processing personal data”, while processors are those who process “personal data on behalf of the controller”.
American healthcare organizations may think that GDPR is already completely addressed through U.S. HIPAA regulation, however, that is not necessarily the case. An article, published in February of this year, by The National Law Review, Does GDPR Regulate Clinical Care Delivery by US Health Care Providers?, helps address the specifics of GDPR as it relates to U.S. healthcare. Per the article, the GDPR does not have direct reach to personal data processing by a U.S. controller or processor if the business is:
· Not physically located in the EU
· Not offering goods and services through advertising or direct marketing to individuals in the EU
· Not monitoring the post care of individuals treated in the U.S.
With many smaller U.S. healthcare offices, all three of the criteria may not apply. However, post care of those located in the EU may occur, so GDPR would need to be strictly enforced to avoid stiff penalties.
The key in healthcare providers having to adhere to GDPR in the U.S. pertains to the location of an individual in the EU, not their EU citizenship. So, if you’re treating an EU citizen who resides in the U.S., HIPAA laws, not GDPR, would apply. If you are providing post care to an individual who resides in the EU, HIPAA and GDPR must be followed.
It’s important to understand that HIPAA relates to the privacy of protected health information (PHI) while GDPR, according to the article above, relates broadly to personal data, health related or otherwise, which is “any information relating to an identified or identifiable natural person who is in the EU, regardless of the individual’s EU citizenship status.”
The broader terms of GDPR, as opposed to HIPAA are outlined in the HIPAA Journal article, Understanding GDPR Compliance, published last January, which states:
Any body which collects, maintains or uses an individual´s personal data but neglects to first acquire the informed consent of those persons, or does not delete destroy their record of the data concerned after an individual has withdrawn their consent – breaches the GDPR. There are numerous other rights of individuals that must be taken into account by companies or organization[s] when they review their GDPR compliance. These rights of individuals include [but are not limited to]:
In addition, the IAPP (International Association of Privacy Professionals) gives a good side-by-side comparison of HIPAA and GDPR. If you are an American healthcare entity, it’s important to be informed about GDPR as it must be strictly adhered to beginning next month. Data Fast Solutions can assist you in making sure your healthcare I.T. services meet both GDPR and HIPAA regulations. Contact us today!
Some I.T. professionals simply provide a service and rely on the technology, itself, to work as it should. This approach may be okay for some industries, but it’s especially harmful if it’s done within healthcare and it can lead to increased breaches. As trained HIPAA I.T. professionals, Data Fast Solutions not only provides secure I.T. services, but stays informed on what’s working well to provide clients with the best, knowledgeable service.
Recent data suggests that while I.T. provides the healthcare sector with many advances in patient data and care, healthcare data breaches are still increasing. In analyzing the reasons behind the breaches, Verizon’s 2018 Protected Health Information Data Breach Report found that in almost 60 percent of 1,368 security incidents, occurring in 27 countries, breaches were due to insiders or employees. Almost three-quarters of the reported incidents were in the United States.
Researchers also found that insiders being the source of breaches is unique to healthcare and they are driven by:
The study also confirmed the research published by the American Journal of Managed Care which found that paper and film were the most common locations for data breaches. In the cases studied, it occurred in 27% of incidents.
Additionally, the report found the following categories in the breaches that they studied:
It’s obvious, by the report, that a reduction in paper data, along with more secure systems in place, can result in a reduction in the amount of security breaches. The authors of the report suggest full disk encryption (FDE) and routinely monitoring record access just as Data Fast Solutions has always recommended. However, the report also points to the need for more robust policies and procedures within a healthcare organization to combat error across all categories. How policies and procedures are changed to address the issues is unique to each organization but being proactive is key.
There are hundreds of cases in the news of breaches within healthcare that are occurring with an almost knee-jerk reaction of analysis after the fact. Just as the Verizon report shows, the approach to breaches is almost always the same. Focusing on securing ePHI and increasing training for employees is recommended and should not be taken lightly, but information provided by the media suggests that these recommendations are falling on deaf ears. That is not necessarily the case.
Perhaps, more importantly, is the need for analysis on what is working right. Data provided to healthcare I.T. professionals regarding organizations who have successfully thwarted attacks as a study in success, rather than failure, may not be newsworthy, but can possibly help more. While some healthcare companies may experience a breach, many more are using HIPAA trained I.T. professionals like Data Fast Solutions who have the knowledge and expertise to assist with I.T. policies that work. Technology, like people, is never perfect, but Data Fast Solutions learns from data breach analysis and focuses on what works well to keep PHI safe.
Healthcare industry data breaches have, unfortunately, become a more frequent occurrence in recent years. This information is tracked through the Health and Human Services (HHS) online breach portal. The portal has been dubbed the “Wall of Shame” and shows a higher rate of breaches over the past three years. It was put in place in 2009 to provide data, as required by section 13402(e)(4) of the HITECH Act, to “post a list of breaches of unsecured protected health information affecting 500 or more individuals.” Although the information provided contains the type and location of the breach, the portal does not provide more specifics which could help healthcare officials and I.T. professionals learn more about why the breaches are occurring.
Tracking trends in healthcare breaches is the key and the Protenus Breach Barometer is one of the best ways to reveal those trends. It utilizes data compiled by DataBreaches.net to provide a monthly snapshot which can be used to better combat specific issues. Prior year data, month over month, reveals that hacking and issues occurring from within healthcare organizations are the two main culprits of the data breaches. Those inside Issues include mistakes made by staff as well as malicious attempts by employees to obtain secure data.
As we have mentioned in previous blog posts, technology is not always fail proof when it comes to human error, but consistent employee training and everyday awareness can reduce the rate at which errors occur. Training all staff to constantly be aware of malicious attempts by insiders to steal electronic personal health information (ePHI) can help thwart an attack before it occurs. Simple, daily, communication can help raise awareness and keep all employees on alert. In addition, with the increasing rate of breaches, increasing the rate at which healthcare data audits are performed can help limit damage should employee errors occur.
Addressing issues outside of an organization that involve hacking can be much more difficult. Hackers are increasingly more sophisticated in their attempts at obtaining highly valuable healthcare data than they have been in the past. However, just as hackers are persistent, highly reputable I.T. companies, such as Data-Fast Solutions, are just as persistent at stopping them. Through on-going education, training, and analyzing data breach trends, the healthcare I.T. industry is constantly learning new ways to progress.
With healthcare information technology, knowledge of issues after they occur is not enough. In addition to current technology, and ethical employees who understand the importance of protecting ePHI, getting to the root of data breach problems will help organizations become more proactive in their on-going approach. For assistance with your healthcare I.T. audit or to implement a more secure healthcare system for your organization, contact Data-Fast Solutions today.
In a previous blog, we discussed appointing a HIPAA Privacy and Security Officer and all of the duties that the officer may perform as set forth by the American Health Information Management Association (AHIMA).
In addition to those duties, an important task is to regularly audit your healthcare company to ensure overall HIPAA compliance. Part of your company’s audit should be to make sure Business Associate Agreements are up-to-date and include revisions, required under the Omnibus Final Rule, that the business associate will stay HIPAA compliant.
The HIPAA Omnibus rule (section 164.103) states that a covered entity may be a business associate of another covered entity and a business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance Issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
To ensure your business associates remain HIPAA compliant, Data-Fast Solutions recommends that your HIPAA Privacy and Security Officer audit your business associates on a regular basis. This is extremely important because the duties they carry out, as a covered entity, make you liable for any penalties occurred for violations committed by them.
Some ways to audit a business associate include asking about their security systems in place and:
As HIPAA Certified I.T. professionals, Data-Fast Solutions can assist you with an I.T. audit to ensure your company, and your business associates, are HIPAA I.T. compliant. Contact us at (817)380-3188 for more information.
In a previous article, Small Healthcare Providers and HIPAA Compliance, it was noted that many small to mid-sized healthcare offices are less likely to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. Part of the challenge is that privacy and security officers are hard to find across many sectors. The healthcare industry, requiring candidates with in-depth knowledge of HIPAA and HITECH, can make filling the position even more difficult. However, as HIPAA rules and technology continue to evolve, this is one area where adhering to the HIPAA mandate can keep smaller offices from experiencing a privacy breach.
Understanding the responsibilities of each officer can help smaller organizations find existing or new employees who may fit the requirements with little or no additional training.
According to the American Health Information Management Association (AHIMA), a privacy officer’s responsibilities include:
AHIMA describes the responsibility of a HIPAA Security Officer as one who:
It’s important to note that if one individual meets the requirements of both officers it is acceptable for one person to perform both roles. However, many smaller offices tend to appoint an existing office or billing manager to the privacy and security position. In doing that, one or more privacy and security duties may not be performed adequately. So, it is okay for some work to be delegated to others if the privacy and security officer makes sure that the work is carried out properly.
For assistance from an I. T. security standpoint, a HIPAA knowledgeable I.T. professional can help. Data Fast Solutions has been providing HIPAA I.T. services in the Dallas Fort Worth area for many years. If you have any questions about your information technology and HIPAA compliance, contact Data Fast Solutions today!
This article is ©2017 Data Fast Solutions • All Rights Reserved
The HIPAA Security Rule was established to provide national standards regarding electronic personal health information (ePHI). In relation to the security rule, administrative security standards were created to address different areas of concern in relation to ePHI. One important piece is password management which states “the covered entity must implement procedures for creating, changing, and safeguarding passwords.” The following information provides some guidelines in relation to the security standards for passwords.
To create a strong password, use the criteria below.
A password is only strong if:
Having a system that prompts users to update their passwords every three months or so seemed like a good idea in the past. However, current data suggests that changing passwords too frequently can make them less secure. A blog written for the Federal Trade Commission, by Chief Technologist, Lorrie Cranor, “Time to rethink mandatory password changes” states that when users are required to change their passwords frequently, they often select weaker passwords leaving them more open to attackers. A good rule of thumb is to review passwords and storage of passwords on a yearly basis and create new ones based on complex password creation criteria at that time.
With increasingly complicated passwords and different passwords for every site, storing passwords is almost always necessary to be able to remember them. However, the storage must be secure. Writing passwords on a piece of paper when it’s accessible to others is like storing passwords in your computer, or smartphone, without using encryption and both leave your passwords vulnerable to misuse.
After reviewing and updating less secure storage methods, it’s important to securely delete any current passwords stored elsewhere. This can be done using a shredding software to safely erase existing files.
Passwords are meant to safeguard data and the user from unscrupulous attacks. Following the guidelines above can help your healthcare organization implement, or update, password procedures to ensure your ePHI is secure. Data Fast Solutions is always available to help your company with any of your HIPAA compliant technology needs. As certified HIPAA technology experts, we specialize in all aspects of keeping your ePHI safe.
Recent natural disasters, such as Hurricane Harvey in Texas and Hurricane Irma in Florida have, once again, put the spotlight on the importance of healthcare contingency planning. When a catastrophic event takes place, it's imperative for any business to have a back-up plan and be up and working again as soon as possible. This is especially true in healthcare. Many in the healthcare industry have contingency plans in place as required. However, testing and updating the plan as the needs of the business, and those employed by the business, change is imperative to the plan working properly should the need arise to use it.
Electronic Personal Health Information (ePHI) is an integral part of any healthcare contingency plan and the HIPAA Final Security Rule, Section §164.308(a) (7), “requires the establishment and implementation of procedures for responding to events that damage systems containing electronic protected health information”. This requirement is outlined in the Health and Human Services’ Information Technology Contingency Plan template. The template, designed for HHS, can be a useful tool for any company. It’s a comprehensive plan for all the I.T. systems in an organization should a natural disaster or other catastrophic event take place.
As with any good contingency plan, the HHS plan establishes procedures to restore ePHI through notification, recovery, and reconstitution. The template also provides a sample contact list which is formulated to provide a line of succession for individuals with decision making authority. It also identifies the team who is responsible for enacting the contingency plan and the team’s responsibilities. In addition, and an integral part of the plan, is to establish criteria for validation and testing of the plan between the business owner and the system developer at least once a year.
The HHS I.T. contingency plan can be found with a simple Google search as can other, similar, back-up plans for HIPAA related data. However, some smaller health care organizations may not have an in-house system developer on staff. When it comes to HIPAA related data and keeping electronic protected health information (ePHI) safe, it’s important to have a knowledgeable and experienced I.T. company. An I.T. professional who can help with constructing a workable plan custom designed for the specific needs of the business will help save time and money.
Data Fast Solutions can assist with testing and continued maintenance of a contingency plan through modification, or the creation of a new plan, to make sure it coincides with any new systems put in place. As HIPAA Certified I.T. Professionals, Data Fast specializes in ePHI and restoring it quickly, so lifesaving data is readily available should a catastrophic event take place.
While medical record retention requirements are not governed by the HIPAA Privacy Rule, state laws generally do provide direction on how long medical records should be kept. However, per Health and Human Services, the HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. (See 45 CFR).
Many healthcare providers today are utilizing electronic medical records in their day-to-day practice even if older charts have not yet been migrated completely. With technology rapidly advancing, it can be a challenge for medium and small healthcare facilities to navigate the rules and regulations of HIPAA and state laws as well as the technology needed to retain electronic protected health information (ePHI) safely.
However, there are some helpful guidelines by Health and Human Services to help ensure ePHI is being managed and retained securely.
The Privacy and Security Guide provides a specific section on working with electronic health records (EHR) and health I.T. developers to help understand the privacy and security practices put in place. It reads as follows:
“When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?
o ePHI encryption
o Auditing functions
o Backup and recovery routines
o Unique user IDs and strong passwords
o Role- or user-based access controls
o Auto time-out
o Emergency access
o Amendments and accounting of disclosures
• Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?
• How much of my health IT developer’s training covers privacy and security awareness, requirements, and functions?
• How does my backup and recovery system work?
o Where is the documentation?
o Where are the backups stored?
o How often do I test this recovery system?
• When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?
• How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?
• If I want to securely email with my patients, will this system enable me to do that as required by the Security Rule?”
The additional section on cybersecurity is especially helpful as cloud based storage of ePHI is more prevalent. This section has a link to the HHS Security Risk Assessment Tool at:
This can be useful for small to medium-sized health care practices and their I.T. professionals.
As technology changes and improves quickly, it may be helpful for healthcare professionals to know that there are HIPAA trained I.T. professionals such as Data Fast Solutions who can assist them effectively.