All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved
As busy healthcare professionals focus on their core business of patient care, smaller offices tend to be more vulnerable to HIPAA violations. A recent survey by NUEMD revealed that only 40% of 927 respondents were aware that OCR HIPAA Audits were even planned to take place. The majority of respondents to the survey had 1 to 10 providers.
Although HIPAA requires that a HIPAA Security Officer and a HIPAA Privacy Officer be appointed, smaller offices are less likely to do so. In fact, even though the officers are required, the NUEMD survey found that only 53% of offices had a security officer and only 54% had a privacy officer. As the survey points out, a compliance plan is the first step in making sure that HIPAA guidelines are followed, and 70% of respondents claimed to have such a plan. However, simply having a plan is not beneficial unless thorough training on the compliance plan is also done.
In addition to compliance plans, the NUEMD survey also found that although HIPAA requires electronic devices containing personal health information (PHI) to be cataloged, a majority of small healthcare offices were not adhering to this requirement. Yet patient and staff communication via mobile, email, texting and social media is taking place. Training new and existing employees on overall compliance, and ongoing training on the use of all technology in a HIPAA-compliant manner, is important.
Larger healthcare offices are not immune. Although larger healthcare providers usually have robust I.T. departments, this doesn’t always prevent them from having some of the same issues found in smaller offices. Often, smaller healthcare practices may not realize that their healthcare I.T. does not have to consume a great deal of time and money. In fact, small I.T. companies may be their best option for assistance with HIPAA compliance. Companies like Data-Fast Solutions have the same technology as large I.T. firms but are much more agile in their responsiveness and can monitor HIPAA-related I.T. issues more cost effectively.
In summary, for small healthcare practices, having a HIPAA compliance plan in place and working the plan through training and follow-up communication can help a smaller practice avoid time-consuming and costly HIPAA related issues later. Having a HIPAA certified I.T. professional company like Data-Fast Solutions to assist with I.T. compliance and provide on-going I.T. support is key. This can leave smaller healthcare practices the time to focus on patient care.
Business Associate (BA) data breaches are a constant threat in healthcare. No healthcare organization operates completely on its own and having a signed business associate agreement (BAA) in place does not guarantee that a BA breach will not occur. However, there are steps that can be taken to minimize risk and lessen the overall effect of a breach.
Security Risk Assessment
Health and Human Services has guidelines on security risk assessment which can be found at:
As stated in their guidance, it is intended to provide clarification, but is not intended to be a “one-size-fits-all blueprint”. Each organization is unique and a risk assessment should be approached as thoroughly as possible based on the specific needs of the business. The risk assessment must be documented each time it is conducted and an assessment should be made anytime the policies or procedures within the healthcare organization or a business associate’s organization are updated.
Policies and Procedures for Protection of ePHI
Clear, concise policies and procedures for the protection of ePHI should be well documented to provide employees and business associates with instruction on how to protect ePHI. They should be easily accessible and, ideally, should be presented in a training environment to ensure ePHI is well protected by anyone in the business who utilizes ePHI.
Training on the use of ePHI with all parties involved should be conducted on a regular basis for new employees and business associates. Training for all employees and business associates should occur as the needs of the business change in any aspect such as the implementation of new software or with regard to any new HIPAA compliance rules and regulations.
When a Breach Occurs
If a business associate experiences a breach in data, it is imperative that a procedure for notification is in place and used as quickly as possible once a breach is recognized. Health and Human Services provides thorough guidelines on the reporting of a breach by a healthcare organization, or their business associates, which can be found here:
This is a high-level view of how to manage a business associate breach, both before and after one occurs. Basically, a healthcare organization should address an ePHI breach at a business associate the same way it would address one in its own facility. If a business associate cannot meet the requirements of the healthcare entity’s ePHI policies and procedures, a BAA should not be executed with that company.
This article is ©2017 Data Fast Solutions • All Rights Reserved
The role of information technology in healthcare has had a major impact on patient care. Healthcare technology has allowed innovative, instant collaboration among healthcare professionals throughout the world. Important health-related data can be shared within seconds and has led to life-saving procedures. It has also brought about telehealth, or telemedicine, which is a way to reach patients who may not otherwise have access to quality care, or a convenient alternative to traditional face-to-face check-ups in a doctor’s office. Many large corporations have implemented telehealth for their employees, and their families, who may be suffering from minor ailments.
As defined by the U.S. Department of Health and Human Services, telehealth is "the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient, and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications." As with all other forms of electronic personal health information (ePHI), telehealth technology should be HIPAA compliant.
The HIPAA guidelines for telehealth apply to any healthcare professional or organization that provides remote services to patients and require that:
- Only authorized users should have access to ePHI
- A system of secure communication should be implemented to protect the integrity of ePHI
- A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches
It’s important that SMS, Skype, or email not be used to conduct telehealth activities. As has been noted in previous Data-Fast Solutions blogs, when electronic personal health information (ePHI) involves other parties, there must be a Business Associate Agreement (BAA) on file. The BAA must outline the ways in which ePHI is protected and allow audits of the system used to store ePHI.
When using SMS, Skype, or email, copies of information sent via these methods are kept on the service providers’ servers. The companies providing these services would not enter into a BAA, so using them would be a breach of HIPAA regulations and therefore is not an option.
In order to conduct telehealth and be HIPAA compliant, only secure, encrypted messaging should be used. In addition to messages, encrypted data such as images, documents, and videos can be viewed through user-friendly apps. Only healthcare professionals, their patients, and other covered entities would have access to them through secure, authorized logins. Since the data is encrypted it is rendered unreadable or unusable outside of the private network.
As technology continues to evolve, telehealth can become a more viable option for larger parts of the population. With the ability to utilize a technologically safe, secure environment to receive medical attention, it is possible to increase wellness while decreasing the spread of illnesses that can occur in hospitals and doctor’s offices.
Safeguarding electronic Personal Health Information (ePHI) can be done in many ways technologically. However, it's often human error that causes a breach to occur. If a device containing ePHI is lost or stolen and it doesn't have proper encryption or access protection, all of the data on the device is in jeopardy. A recent $2.2 million settlement between the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and MAPFRE Life Insurance Company of Puerto Rico was due to human error. According to a breach report filed with OCR by MAPFRE, a USB data storage device was stolen from their I.T. department and there were no safeguards in place to keep the names, dates, and social security numbers of over 2,200 individuals from being compromised. MAPFRE implemented a corrective action plan in addition to the settlement.
A thorough monthly risk analysis of HIPAA-related data can help prevent a corrective action plan from having to be implemented. In an article, How to Reduce Human Error and Prevent HIPAA Breaches, published in the "HIPAA Journal", OCR spokesperson Rachel Seeger stated that "Human error increases risk when there are already vulnerabilities in place." No technological advance made to date has been able to compensate for human mistakes when it comes to sensitive data.
In conjunction with risk analysis, training new employees and conducting ongoing training of existing employees can help thwart a data breach. According to the HIPAA Journal, training should include:
Additional, more specific training based on the needs of your particular healthcare organization can help ensure that a data breach from human error will not occur. For example, in offices that use marketing via social media and other types of advertising, patient privacy should always come first. Only the photos or other personal data of patients who have given consent may be used.
As was the case with MAPFRE Life Insurance Company, even data that is never transferred out of a facility is still vulnerable to theft. Having physical safeguards in place within an organization, such as keeping sensitive data under lock and key, is one way to keep it contained. Technology such as a remote wipe of a stolen device isn't always effective if the theft is not reported immediately.
Technology is only as good as the person utilizing it. There will always be human error in technology but through continual risk analysis and training, the mistakes can be kept to a minimum and contained.
The task of migrating paper charts to electronic health records (EHRs) may seem overwhelming for a busy physician’s office. Less than optimal results may occur if a specified plan for migration is not followed. In fact, it’s estimated that one-fifth of doctors across the U.S. are still using paper records in their practices despite incentives for electronic conversion. However, once the decision to migrate is made, a move to EHR does not have to be cumbersome. According to HealthIT.gov, following the steps outlined below can make the transition easier.
When preparing for EHR implementation, you should develop a plan for migration of patient data from the paper chart to the EHR. You should make sure to conduct chart migration before your go-live date. You should work with your vendor to populate electronic charts with clinical data from existing paper charts, so that providers do not have to start with a clean slate during their first electronic visit with the patient.
Consider the following questions when developing a plan for chart migration.
In addition to these steps, using a HIPAA-certified I.T. professional can help ease the transition further and ensure your migration goals are met effectively. I.T. experts like Data Fast Solutions can help your organization make the best, informed decisions regarding EHRs based on the platform used.
A healthcare provider, or other health care entity, may be well-versed in HIPAA policies and procedures, but some are not as aware of the need to comply with the Federal Trade Commission (FTC) Act. If you share health-related information, your disclosures must adhere to the FTC Act. As many are aware, the FTC Act was designed to protect consumers from deceptive practices or unfair acts in commerce.
About two months ago, the Health and Human Services’ (HHS) Office for Civil Rights (OCR) put together some good guidelines that can help healthcare organizations make sure they are in compliance with the FTC Act. They recommend the following:
In addition to the above guidelines, there is a thorough FTC Disclosures report, called “.com Disclosures - How to Make Effective Disclosures in Digital Advertising”. It gives straightforward advice about online disclosures, from making sure hyperlinks that lead to a disclosure are obvious, to using plain language. It goes on to provide detailed information not only on the actual placement and proximity of disclosures, but the technical limitations on how a disclosure may, or may not be, displayed in certain browsers.
As healthcare technology evolves, it’s always important to stay abreast of updated HIPAA and FTC rules and regulations to ensure your organization remains compliant. Data Fast Solutions has the experts and technology you need to be certain that you and your organization are always covered in the quickly changing healthcare I.T. environment.
This article is ©2016 Data Fast Solutions • All Rights Reserved
Phishing, the attempt to fraudulently gather personal and financial data, is an ongoing threat to hospitals and other health care facilities. One of the most recent cases of phishing, as reported by the HIPAA Journal in June of this year, was Verity Health Systems in Oregon. The phishing email was not in relation to patient data, but was requesting information on Verity employees themselves. The email appeared to come from within the company, so the unsuspecting receiver of the email complied with the request, sending employee names, addresses, social security numbers, and even the earnings and withholdings of Verity employees to the attacker.
Some feel certain that they would never fall victim to such an attack, but phishing has become much more sophisticated, with the IRS and other organizations issuing warnings to the public to stay alert. The HIPAA Journal article states that business email compromises have been highly effective because the fraudulent emails appear to come from a CEO or other executive.
Microsoft lists some ways to recognize phishing emails, which may include:
- Bad spelling and grammar: Cyber attackers are generally not good spellers and their grammar is often bad.
- Links in an email: If a link in an email seems suspicious, do not click on it. Microsoft advises resting your mouse over the link, without clicking it, to see whether the address behind the link matches the address that is displayed.
- Threats: Phishing emails often contain threats of account closure or other urgent-sounding wording stating that the request for information must be completed or consequences will follow.
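The link check and the urgency check above can be automated for a mail gateway or a training exercise. The following Python script is an added example, not code from the original article, from Microsoft, or from Data Fast Solutions: it parses the HTML body of a message, flags any link whose displayed text looks like a web address but points at a different host than the real `href`, and lists urgent-sounding phrases. The sample email, the phrase list, and the function names are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of urgent-sounding phrases; a real deployment would tune this.
URGENCY_PHRASES = ("account will be closed", "immediately", "within 24 hours", "suspended")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare hosts like example.org are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(html):
    """Links whose displayed text is a web address on a different host than the real target.

    Text such as 'click here' carries no address, so it is not compared.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        looks_like_address = "." in text and " " not in text
        shown_host = _host(text) if looks_like_address else ""
        if shown_host and shown_host != _host(href):
            findings.append({"displayed": text, "actual": href})
    return findings


def urgency_hits(html):
    """Urgent-sounding phrases present in the message, in list order."""
    lowered = html.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in lowered]


# Constructed sample: a payroll-themed message with one deceptive link and one honest link.
SAMPLE_EMAIL = """
<p>Dear employee,</p>
<p>Your payroll account will be closed unless you verify your W-2 details immediately.</p>
<p>Sign in at <a href="http://login.payroll-verify.example.net/w2">https://hr.example-health.org/payroll</a>.</p>
<p>Questions? Visit <a href="https://hr.example-health.org/help">https://hr.example-health.org/help</a>.</p>
"""

if __name__ == "__main__":
    for finding in mismatched_links(SAMPLE_EMAIL):
        print("link mismatch: shows", finding["displayed"], "but goes to", finding["actual"])
    print("urgency phrases:", urgency_hits(SAMPLE_EMAIL))
```

On the sample message the script reports the one link whose visible `hr.example-health.org` address hides a `payroll-verify.example.net` target, and leaves the help link alone because its text and target agree; the urgency check picks up "account will be closed" and "immediately". Either signal alone is only a hint, which is why the article's point about training still stands: a reviewer who knows what a mismatch looks like is the last line of defense.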
But how would this have helped the Verity employees? Many people are already aware of certain ways to recognize phishing, so attackers are constantly attempting new ways to phish, as was seen in the Verity case. Therefore, thorough training and continued communication are key. In fact, prior to the Verity Health Systems attack, two other large healthcare companies, Magnolia Health Corporation of California and St. Joseph’s Healthcare in New Jersey, were hit by almost identical scams, which resulted in data breaches in February of this year.
Training employees on the ways in which new attacks are occurring and then following up with employees on recent reported cases can help thwart future attacks. When cyber attackers see that their fraudulent efforts are working, they tend to continue in the same manner. If the Verity employees had been aware of the attacks on Magnolia and St. Joseph’s earlier in the year, they may have questioned the validity of the email they received.
Staying informed is one of the best defenses against phishing. Data Fast Solutions is your best I.T. partner to make sure that you stay informed about phishing and other cyber attacks. Data Fast Solutions has seasoned, skilled, professionals who are highly knowledgeable in cyber security as it relates to HIPAA and keeping your health care organization safe from cyber attacks.
In a prior article, in August of this year, the conveniences of cloud computing in healthcare, as well as the security risks of using the cloud, were highlighted. Recently, Health and Human Services (HHS) updated their guidelines on cloud computing in relation to HIPAA, addressing how to protect the privacy of electronic protected health information (ePHI) and keep it secure. These new guidelines include cloud service providers (CSPs) and their role in HIPAA compliance.
Specifically, the guidelines state:
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
The HHS guidelines go on to answer questions such as:
“If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?”
“Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?”
Answers to these, and other questions, can be found on the HHS.gov website as:
As a result of changing guidelines, it’s important that current Service Level Agreements (SLAs) between a CSP and their customer be updated to make sure that the SLA is consistent with updated HIPAA rules.
Just as cloud computing allows easier collaboration between healthcare professionals, it’s also important to collaborate with a good I.T. company like Data-Fast Solutions that is well-versed in HIPAA compliance. This will ensure updated HHS HIPAA guidelines are continually being met.
Mobile devices such as laptops, smartphones, and tablets are used now, more than ever, in healthcare because of their convenience, ease of use, and ability to transmit data efficiently. In addition, apps on mobile devices have made previously arduous tasks more manageable by giving healthcare workers the ability to complete their work in less time.
Time management apps and other apps, such as those used for maintenance of health records, patient monitoring, and medical training, have given health care professionals the ability to make informed, sometimes life-saving, medical decisions much more quickly than in the past.
However, the convenience of using a mobile device can leave those in the healthcare industry vulnerable to cyber attacks if certain guidelines for protecting and securing information are not followed properly.
The Department of Health and Human Services (HHS) has put together a fact sheet to ensure your organization knows how to protect private health information on mobile devices. Its recommendations include:
- Installing and enabling encryption
- Using a password (to lock a mobile device and to lock apps within a mobile device)
- Installing and activating remote wiping and/or remote disabling, to be able to erase data on a mobile device if it’s lost or stolen
- Disabling file-sharing applications if they are installed
- Installing and enabling a firewall
- Installing and enabling security software and keeping it up-to-date
- Researching mobile apps thoroughly before downloading them (to ensure privacy and prevent hacking)
- Maintaining physical control of your mobile device
- Using adequate security, such as secure Wi-Fi, to send or receive health information
- Properly deleting all stored health information on a mobile device prior to discarding it
A healthcare organization should have policies and procedures in place for the use of personal mobile devices versus those provided by the company for work use.
In addition to these guidelines, HHS has a web page dedicated to health information privacy and security on mobile devices. It includes helpful documentation as well as videos to watch to help train staff on the use of mobile devices and HIPAA compliance. It also includes downloadable training materials for healthcare staff with postcards such as "10 Tips to Protect and Secure Health Information When Using a Mobile Device".
Technology safeguards can be put in place for mobile devices, but some of the biggest breaches have occurred when a person using a device is not well informed about how to prevent access to private information. Recent research by Arxan Technologies found that 84 percent of health related apps were open to hacking through code tampering and reverse-engineering. In addition, most app users are not fully aware of the privacy policies for apps and how the private information is used once the app is activated on their mobile device.
Continually reviewing and updating technology and training is imperative to keeping mobile devices HIPAA compliant. Utilizing a certified and knowledgeable HIPAA I.T. professional such as Data Fast Solutions can ensure your mobile technology is well protected and your staff is up-to-date on how to prevent a cyber attack via a mobile device.
Healthcare professionals are now well-versed in HIPAA policies and procedures and are well aware of the importance of HIPAA and the ramifications for non-compliance. However, some healthcare workers may not be as familiar with the HITECH Act. Per HHS.gov, “the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.”
HITECH was put in place to meet certain goals of the existing regulatory aspects of HIPAA, which included improving quality of care through reduced costs and efficiency. Patient personal health information (PHI) in electronic health records (EHRs) is of utmost importance in meeting HIPAA guidelines. Having a good information technology company that is well trained and certified in HIPAA/HITECH analysis and assessment can save your health care organization valuable time and money.
A thorough HIPAA/HITECH analysis should include a review of your PHI/ePHI policies and procedures as well as an examination of your network layout and infrastructure. The analysis can identify whether encrypted or unencrypted PHI is being used on portable devices such as laptops, phones, or thumb drives, to lessen the risk of cyber attacks. Other areas of the analysis should include a review of the way fax machines are used, if any, and their potential for leaving PHI vulnerable; a knowledgeable I.T. company can offer more convenient, secure modes of transmitting PHI than a fax machine, lessening your organization’s risk of exposing sensitive information. In addition, the use of email, and the possibility of breaches in unsecured webmail systems such as those used outside the office to send and receive email from home, should be reviewed. And, finally, an area that is surprisingly often overlooked should be analyzed: the way in which PHI is stored, purged or destroyed.
If breaches are found in an analysis, a HIPAA/HITECH assessment can determine the severity of the breach, and an I.T. professional can take the steps necessary to secure your network as quickly as possible. As with the analysis, an assessment should be done by a HIPAA/HITECH-certified, trained and knowledgeable I.T. expert to avoid costly mistakes.
In April 2014, the FBI issued a warning to health care organizations that the highest volume of cyber threats is in the healthcare industry. “Data analysis revealed multiple devices (e.g., radiology imaging software, digital video systems, faxes, printers) and security application systems (e.g., Virtual Private Networks (VPN), firewalls, and routers) were compromised.” This is why a HIPAA/HITECH analysis and assessment is vitally important.
Also, the FBI reports that according to a Ponemon Institute report dated March 2013, “63% of the health care organizations surveyed reported a data breach in the past two years with an average monetary loss of $2.4 million per data breach. The majority of each data breach resulted in the theft of information assets. Lastly, 45% reported that their organizations have not implemented security measures to protect patient information.”
Patient information can be much more sensitive than data in other industries, making it more appealing for cyber attacks. Yet, according to the FBI, “the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”
Treating information technology in your healthcare practice as importantly as you do your patients, by relying on HIPAA/HITECH trained and certified professionals, will ensure your organization is not part of the FBI statistics.