Anna M. Bonner, R. EEG T., RPSGT
The Health Insurance Portability and Accountability Act (i.e., HIPAA) has grown into a more robust and regulated law since its first inception in 1996, primarily beginning when the Omnibus Rule of 2013 was introduced. The Omnibus Rule created modifications to HIPAA’s privacy and security rules, as well as created changes for enforcement and breach notification rules. Since then, the federal government has been enforcing the law more stringently, bringing in record amounts in fines and millions of dollars in settlements and judgements annually. But the law is an abstract, principle-based regulation, where A does not always equal B; rather it is based and interpreted on risk. In the current environment where the Department of Health and Human Services’ Office for Civil Rights (HHS) (OCR) just concluded 2018 with an all-time record for HIPAA enforcement, we as healthcare professionals must be proactive with our compliance and get policies in place well before something, such as a breach, happens. I recently attended a live webinar focusing on the “Upcoming Changes with HIPAA – 2019” presented by nationally renowned HIPAA Compliance Consultant, Brian L. Tuttle. Brian is a Certified Professional in Health IT, Certified HIPAA Professional and Administrator, and has over 17 years of experience in Health IT and Compliance Consulting. In this Tech Tips article, I will share key tips on privacy and security rules, which present our biggest challenges for standard compliance.
Current Administration and HIPAA
It is important to know that while deregulation may be occurring in other areas of the government, the OCR’s enforcement activities have continued under its new Director, Roger Severino. While the number of settlements has remained on average, the settlement amounts have increased substantially. In 2018 alone, OCR enforcement activity settled ten cases and secured one judgement, totaling over $28 million dollars; more than a 20 percent increase in fines since 2016.
HIPAA as a Personal Law
In other words, HIPAA is a personal responsibility. From practical mistakes, such as misplacing a USB drive, to billing mistakes, neurodiagnostic professionals face risk in their everyday practice. Violations are subject to both civil and criminal penalties, including jail time, so compliance is crucial.
Risk analysis is the first step toward compliance for any organization and laboratory. The OCR’s Security Rule does not specify how often a risk analysis should be performed, but rather states that “the risk analysis process should be ongoing.” Brian recommends that because security risk is the number one reason for noncompliance and fines, risk assessments should be conducted annually and include a full review of Policies & Procedures (P&P). As technology advances, ineffective or dated practices should be updated or removed from P&P. Computer and device passwords should be changed. Annual compliance training should be mandatory and documented for all staff.
While 100 percent perfect compliance is seemingly impossible, it is not fully expected either. Breaches may happen, but your laboratory and staff must show proof that the security of patient health information is taken seriously and that managers, supervisors and all staff are staying on top of the issue.
Ease of transmission. The number one cause of security breach is cyber, which is not new. But what is new is that there has recently been a big change in the use of ransomware. Hacking is the number one route of obtaining Protected Health Information (PHI) and loss or theft of portable, unencrypted device, such as a USB drive, laptop or cell phone, is a close second. For IT criminals today, data is worth more than gold. Often, all they are seeking is simply a single password. Be aware that your email spam filter will not catch someone seeking a password. And if your computers are networked, a single password may allow access to multiple computers.
How do you mitigate this? First, all companies and laboratories must use good, quality security, i.e., no consumer-grade technology. Second and equally important is education. Every single employee needs to be educated and education needs to be documented. Employees must understand how hackers hack.
- Educate staff and document education
- If your staff use company devices, such as cell phones or laptops:
- Investigate 3rd party text encryption apps
- Turn off instant text and email notifications that bypass password entry
- Force password complexity
- Perform annual risk assessments to identify threats and document, document, document
Ransomware changed a great deal in 2018. Typically, ransomware is delivered through email, what is called a phishing-style email. This type of software is very intelligent, seeks out databases and anything that is shared or networked. Then, it encrypts the data and holds it ransom, i.e., you cannot get your data back until you pay, usually with bit coins. Be aware, however, that paying does not guarantee the return of your data.
One tip that came to me from ASET’s Director of Education, Faye McNall, is to take the following short training quiz on how to recognize phishing. It was a real eye-opener (Note: You do not have to use a real email address to take this quiz): Phishing Quiz. Another tip that Brian recommends for larger groups and laboratories is to consider hiring an IT expert to perform a controlled phishing expedition to determine who clicks or opens the phishing-style emails and therefore, who needs additional training.
The Big Change
The federal government made it official that a ransomware attack which attaches to non encrypted health information is now a reportable security breach. In other words, a virus which attaches to your database constitutes a security breach on your behalf because an unauthorized individual took control of your data. If your data is encrypted and unreadable using good, quality security software, then the same scenario would not constitute a security breach because you had good processes in place. This is a good example where A does not always equal B; rather compliance is based and interpreted on risk. While HIPAA does not require encryption of your PHI in your database, it serves as a good measure to do so.
Use of Personal Devices
The use of personal devices in the workplace has increased exponentially; they are effective in streamlining communication, easy and cheap to use, but are also very high risk and difficult to manage. A full risk assessment should always include personal devices if they are being used in the workplace for work-related purposes.
Tip: Under HIPAA, a lost or stolen device that is properly encrypted is not a reportable security breach. Do you know how and where PHI is stored on your device? Could a child, playing with your phone, access this information? Or could a person seated next to you read your email/text notification if your cell phone is placed between you? Is your passcode easily by-passable? You need to ensure that security updates are done and not delayed. You also need to ensure the device is encrypted using ‘whole disk encryption’.
Another Hot Topic: Texting
Texting PHI between healthcare providers and workers is very different. These messages are generally not secure because they lack encryption, and the sender does not know with certainty the message was received by the intended recipient or someone else. Also, it is important to remember that the vendor/wireless carrier may automatically store the text messages that can be viewed by another party on the account.
There are many pros and cons with the use of texting in a healthcare environment, as there are for other personal devices. However, it is important to note (and new in 2019) that patient orders cannot be texted, even through an encrypted device. The government wants to ensure that patient orders will be entered appropriately into the patient’s electronic health record and therefore does not allow the use of texting to send patient orders.
If your facility allows for the use of texting as a way of communicating PHI, ensure the following topics are addressed in your policies:
- Staff training on the use of texting
- Specifies the appropriate use for texting and the appropriate secure application to text
- Ensure complex password protection and encryption
- Ensure you maintain a device inventory, such as log in/log out if shared
- Address a retention period, which Brian recommends you require immediate deletion of PHI in texts
Tips and Resources
- “Poor man’s” encryption: – If you do not have encryption software and you need to send secure information, use Winzip to encrypt the zip file. Microsoft Word also has encryption available. File-order encryption (protects a document) or folder-order (protects all documents in the folder) encryption is free.
- USB: While you can share patient information that has been requested by patient using a USB, you should not use or place the patient’s USB in your computer. Patient information to share among providers or for your own use/review should never go on a USB without encryption.
- Lawsuits: No one can sue under HIPAA as a violation in and of itself, as it is not a private right of action. However, in the 2013 Omnibus Rule, Congress gave state Attorney Generals the ability to implement right of action per state. In 2017, 2018 and today, this is becoming a big problem even though it is an uphill battle in the courts. A prosecutor has to prove financial loss, defamation, etc., but people still file a complaint and trial attorneys will represent in the hopes of settlement. This is a problem, especially for larger institutions.
- Always verify and fact check through HHS: hhs.gov. HHS also has a very good FAQ section.
- For a downloadable Security Risk Assessment tool to help guide you through the process, go to: SRA 3.0
- For a list of all implementations of rules, go to HIPAA Administrative Simplification
- Always check your state laws!
- For a comprehensive audit protocol (this is a very long webpage but goes through every implementation step for privacy and security), and the questions to expect during an audit.
- To create your own Cyber-Planning Guidelines documents: https://www.fcc.gov/cyberplanner