The First Steps to Becoming HIPAA Compliant

When we schedule an appointment to go over HIPAA compliance with a new client, we are always asked, “Where do I even start?” by the owner or practice manager. Becoming HIPAA compliant is a complex proposition that takes time, knowledge, and persistence. There are many steps involved, but the first steps are always the same: appoint a Compliance Officer and perform a full Security and Privacy Risk Assessment.

Appointing a compliance officer should be the easier of those two steps. Pick a person who has enough time to dedicate to compliance. For a smaller practice, this might be a couple of hours per week. For a larger organization, you may need someone who devotes all of their time to compliance.

Choose a compliance officer who will care about compliance. It is their job to watch for violations throughout the organization. A complacent compliance officer will likely result in violations being overlooked or no action taken when violations are found.

Your compliance officer will need to learn the laws, prioritize compliance tasks, and be able to delegate certain tasks to the proper departments. Do not pick an employee who has trouble delegating these tasks. A compliance officer will generally be unable to complete all compliance tasks on their own.

After choosing a compliance officer, the next step is possibly the most important aspect of compliance: the full security and privacy risk assessment. This assessment will take at least a day or two to complete for a smaller practice and could take many days or weeks for larger organizations.

A risk assessment is basically a full inventory of your technology, your privacy and security policies, and your employee training levels. You will start by documenting every piece of equipment that stores or has access to PHI (protected health information). You will then be tasked with deciding whether PHI is adequately protected (according to the law) against unauthorized access. Unauthorized access includes access by employees who shouldn’t be accessing a particular record and by non-employees who shouldn’t have access to any records.

Next, you will be reviewing company policies regarding patient privacy and data security. If you do not have any policies in place, you will be writing those policies from scratch. If you have some policies but are missing others, you will need to add the missing policies. For instance, if your organization doesn’t have a documented policy for handling suspected breaches, you will need to write one. Or if your organization doesn’t have a policy for employee passwords (how often they should be changed, two-factor authentication for remote access, password sharing, etc.), you will need these policies added to your employee handbook.

Now comes employee training documentation. You will need to find out the last time each employee was trained on HIPAA policies. If it’s been more than 12 months, that employee should be retrained immediately. All employees should be retrained every 12 months whether there have been changes to HIPAA policies or not.

After you finish this initial risk assessment, you begin the task of remediating all of the gaps you found. If few gaps were found, this process can be quick, perhaps a few weeks. If you find that your organization is missing lots of documentation, policies, or proper security measures, remediating these gaps can take months or years depending on the size of your organization.


HIPAA Incident Response and Reporting


Healthcare organizations must take special care of protected health information (PHI), and the HIPAA Security Rule includes requirements for how to respond to a security incident and how to report it, depending on its severity.

Make sure your organization understands the following policies and has them all in place.

The purpose of these policies is to formalize the response to, and reporting of, security incidents. This includes identification and response to suspected or known security incidents, the mitigation of the harmful effects of known or suspected security incidents to the extent possible, and the documentation of security incidents and their outcomes. It is imperative that a formal reporting and response policy be followed when responding to security incidents.

Your healthcare organization shall employ tools and techniques to monitor events, detect attacks and provide identification of unauthorized use of the systems that contain Electronic Protected Health Information (EPHI).

YOUR IT TEAM’S RESPONSIBILITY

All security incidents, threats or violations that affect or may affect the confidentiality, integrity or availability of EPHI shall be reported and responded to promptly.

Incidents that shall be reported include, but are not limited to:

  • Virus, worm or other malicious code attacks
  • Network or system intrusions
  • Persistent intrusion attempts from a particular entity
  • Unauthorized access to EPHI, an EPHI based system or an EPHI based network
  • EPHI data loss due to disaster, failure, error, theft
  • Loss of any electronic media that contains EPHI
  • Loss of the integrity of EPHI
  • Unauthorized person found in a facility

The organization’s Compliance Officers shall be notified immediately of any suspected or real security incident. If it is unclear as to whether a situation is a security incident, the Compliance Officers shall be contacted to evaluate the situation.

YOUR COMPLIANCE OFFICER’S RESPONSIBILITY

Your Compliance Officers shall track the incident. The Compliance Officers must determine whether a report of the incident shall be forwarded to the Department of Health and Human Services (HHS). The criteria for this vary depending on the particular incident, but err on the side of caution and report to HHS if you suspect a breach. Reporting to HHS does not normally result in a fine if you are being proactive.

Compliance Officers are the only employees who can fully resolve an incident. Other employees, the IT department, management, etc., should not be making the final decision about whether to classify an incident as a breach. The Compliance Officers shall evaluate the report to determine whether an investigation of the incident is necessary. The Compliance Officers shall determine whether your organization’s lawyers, law enforcement, Human Resources, or any other department should be contacted about the incident.

All HIPAA security related incidents and their outcomes need to be logged and documented by the Compliance Officers. This includes all relevant information (who, what, when, where, and why) of the incident. A timeline should be kept from the very beginning of any incident and made available to the HHS and OCR if requested.

All incidents should be reviewed and investigated, and if the breached PHI has been compromised (unauthorized individuals have received and viewed the PHI), the breach is reported to HHS at http://ocrnotifications.hhs.gov/.

Your organization and its Compliance Officers must record all incidents and retain these incident reports for six years.

TRAINING YOUR EMPLOYEES

Your organization must train personnel on how their particular job or position needs to respond to a security incident. Each employee should know how to report an incident and know to whom to report it.

Your employees must have annual training refreshers.

Also, be sure your employees know how to report an incident anonymously if they might fear retaliation for reporting it. Show employees how to use the HHS website to report an incident during their training.


Business Associate Agreements Between Covered Entities

During our mock HIPAA audit process, we always verify Business Associate Agreements (BAAs) for our clients who are either Covered Entities (CEs) or Business Associates (BAs). In the process of deciding which BAAs are required, we are often asked about what agreement needs to be in place between two CEs who are working together.

For instance, one physician may refer a patient to a specialist physician. The first physician may send over medical records to the specialist. My clients want to know if a BAA is required between these two physicians.

At first glance, it seems as though a BAA might be required. Let’s look at the law itself:

Business associate:

(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

  • (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
  • (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity may be a business associate of another covered entity.

(3) Business associate includes:

  • (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
  • (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
  • (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4) Business associate does not include:

  • (i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.

  • (ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.

  • (iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.

  • (iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

The answer, it turns out, is that two CEs both treating the same patient do not need a BAA to share Protected Health Information (PHI).

For Example:

  • A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
  • A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
  • A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.

Alternatively, there could be a situation where two Covered Entities want to work together and share PHI for patients that aren’t being treated by both CEs. In that case, a Covered Entity can also be classified as a Business Associate requiring a Business Associate Agreement between the two organizations.

It is unusual for a Covered Entity to be a BA of another Covered Entity, but it does happen. For instance, two research hospitals might be working together on a research project and share PHI in the course of their research. If both CEs aren’t treating the patient, then depending on other circumstances, the two hospitals may need a BAA on file.

If your situation doesn’t involve caring for the same patient, double check the law and see if you need a Business Associate Agreement.

If you fall into the majority by only sharing PHI with other CEs who are also treating your patient, you should not need a formal agreement drawn up and signed.


Discussing PHI With Relatives and Friends of Your Patient

I was recently asked about the following situation:

If a patient’s wife, mother, husband, father, or friend calls in to make an appointment on their behalf, what all can I discuss with them? Do I need a patient’s authorization first before I can discuss PHI with his or her relative or friend?

This is a common situation. And my clients want to be sure they are following the law when it comes to HIPAA compliance. So I set about trying to find a definitive answer to this question.

My search led me to the actual statute itself:

Code of Federal Regulations

Title 45 – Public Welfare

Volume: 1
Date: 2003-10-01
Original Date: 2003-10-01
Title: Section 164.510 – Uses and disclosures requiring an opportunity for the individual to agree or to object.
Context: Title 45 – Public Welfare. SUBTITLE A – DEPARTMENT OF HEALTH AND HUMAN SERVICES. SUBCHAPTER C – ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS. PART 164 – SECURITY AND PRIVACY. Subpart E – Privacy of Individually Identifiable Health Information.

(3) Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.

So according to the statute itself, a covered entity is allowed to speak to a family member or friend on a patient’s behalf and disclose PHI. But only if some qualifications are met:

  • The healthcare provider must be reasonably sure that the information is directly relevant to this person’s involvement with the individual’s health care. The healthcare provider should use professional judgment on a case-by-case basis.
  • The patient must not have previously requested that PHI not be shared with this specific person or with other people.
  • The patient is not a celebrity; in that case prior authorization should be sought before giving out any PHI, as this is a non-routine circumstance.


This brings us to the next question:

If my family or friends call my health care provider to ask about my condition, will they have to give my provider proof of who they are?

I found the answer to this question right on HHS.gov:

The answer is no. Healthcare providers are not required to obtain proof of identity for someone calling on your behalf.

However, the information a healthcare provider hands out should be limited as much as possible. And a healthcare provider should use professional judgement and consider the difference between a routine and non-routine request for PHI.

Finally, here’s one more similar question we get:

May healthcare providers leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? And may providers mail appointment or prescription refill reminders to patients’ homes?

Again, the answer is on HHS.gov:

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).


How to Prepare For HIPAA Breaches

There are many steps you can take to prepare your organization for a HIPAA breach. If you are proactive, you can mitigate the severity of a breach considerably. And if you have the right policies in place, you can save your practice from large fines and other financial costs. Let’s go over the things your practice should do to prepare for a HIPAA breach.

Be Prepared

The first step to handling HIPAA breaches is preparation. Do you have a written policy outlining the steps to follow if you suspect or know there is a breach? Your written policy should touch on everything else I mention below. It should be fairly comprehensive, including who is in charge of investigating the breach and how each step will be handled.

Train Your Staff

Writing a plan is not enough; your employees must be taught how to find and follow that plan. During your yearly HIPAA trainings you must review the steps an employee should take if they suspect or know about a breach.

Give Employees A Way To Anonymously Report Breaches

It’s the law that employees should not be afraid of retaliation for reporting a breach. To accomplish this, there must be a way for employees to report breaches anonymously if they feel that they would be retaliated against. You must teach them how to report a breach anonymously during their annual HIPAA trainings.

Teach Your Business Associates To Report Breaches Back To You

Make sure each outside company you do business with that has access to your patients’ data is aware that they must report suspected breaches to you. Make sure your Business Associate Agreements are updated to include who is responsible for contacting patients in the case of a breach. Generally you would want this responsibility to fall on the Business Associate if they cause the breach. This moves most of the liability and cost on to the Business Associate who causes a breach.

As Soon As A Breach Is Known About Or Suspected, Perform A Risk Assessment

After finding out about a breach situation, immediately begin an investigation. Perform a risk assessment to find out what was breached and if any Protected Health Information may have been stolen or lost. Find out what caused the breach so you can remediate any gaps you have in security or policies.

Notify All Affected Parties

You have 60 days from finding out about the breach to notify any patients whose data was breached. You will need to send notices by first-class mail (or email, if your patients have opted in to receive notices that way) to each patient affected. You will likely be required to provide credit monitoring to the affected patients. You must also notify the Office for Civil Rights (OCR) about any breach. If a breach affects fewer than 500 patients, you must notify the OCR within 60 days of the end of the calendar year in which the breach was discovered. If a breach affects 500 or more patients, you must notify the OCR within 60 days of discovery of the breach, and you must contact the media and provide them with a press release. Contacting the media allows the affected patients to find out about the potential threat of identity theft more quickly.

Log Everything

If there is a breach, start logging everything from day one: any discussions you have with employees, any information about the breach, whom you contact, what led to the breach, what you are doing to stop future breaches, etc. Log it all and keep it on hand for the OCR. They will want to see that you acted promptly and did what you could to protect your patients.


HIPAA and Minimum Necessary Disclosures

HIPAA regulations state that when using or disclosing PHI (protected health information), or when requesting PHI from another covered entity (a doctor’s office, dental practice, etc.), a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

So how do we accomplish the goal of limiting our PHI access and requests to the minimum necessary level? We look at three basic areas: levels of access to PHI, requesting PHI, and sending PHI.

Giving employees specific levels of access to PHI

Each employee should have just enough access to your medical record system to do their job. For instance, an employee who only answers the phone and sets appointments doesn’t generally need access to medical histories, x-rays, and other specific medical information. Therefore, their level of access to your practice software should be limited to seeing the schedule and creating or changing appointments. Alternatively, an employee who only treats patients and never handles billing information should not have access to credit card numbers, health insurance plan ID numbers, or other financial information in your systems.

It may seem easier to just give everyone access to everything. However, consider the consequences of taking that shortcut. If any one of your employees’ software logins were leaked or guessed by an outside individual, that person would have access to every single piece of information in your records system. A breach like that could cost hundreds of thousands of dollars in fines, patient notification costs, and credit monitoring fees for affected patients.
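As an added illustration (not code from the page or from any product it names), here is the minimum-necessary rule enforced in a record system: the roles, field groups, sample chart and user names are assumed, every read attempt lands in an audit log for the compliance officer, and blast_radius() shows what one leaked login of each role would expose.

```python
"""Minimum-necessary access enforced by role (added example, assumptions noted)."""
from dataclasses import dataclass

# Groups of fields inside a patient record.
SCHEDULE = "schedule"            # appointment time, provider, operatory
DEMOGRAPHICS = "demographics"    # name, phone, address
CLINICAL = "clinical"            # history, x-rays, chart notes
FINANCIAL = "financial"          # card numbers, plan IDs, balances
ALL_GROUPS = frozenset({SCHEDULE, DEMOGRAPHICS, CLINICAL, FINANCIAL})

# Assumed role definitions; a real practice tailors these to its own jobs.
ROLE_GRANTS = {
    "scheduler": frozenset({SCHEDULE, DEMOGRAPHICS}),            # books appointments only
    "hygienist": frozenset({SCHEDULE, DEMOGRAPHICS, CLINICAL}),  # treats, never bills
    "billing": frozenset({DEMOGRAPHICS, FINANCIAL}),             # bills, never reads charts
    "compliance_officer": ALL_GROUPS,                            # oversight role
}

# Constructed sample record; no real patient data.
SAMPLE_CHART = {
    SCHEDULE: {"next_visit": "2024-03-04T09:00", "provider": "Dr. Example"},
    DEMOGRAPHICS: {"name": "Sample Patient", "phone": "555-0100"},
    CLINICAL: {"xrays": ["bitewing-2024-01"], "notes": "constructed"},
    FINANCIAL: {"plan_id": "PLAN-000000", "card_last4": "0000"},
}


class AccessDenied(PermissionError):
    pass


@dataclass(frozen=True)
class AuditEntry:
    user: str
    role: str
    patient_id: str
    group: str
    allowed: bool


class RecordSystem:
    def __init__(self):
        self.audit_log = []

    def can_read(self, role, group):
        return group in ROLE_GRANTS.get(role, frozenset())

    def read(self, user, role, patient_id, group, chart=SAMPLE_CHART):
        """Return one group of a chart or raise; either way the attempt is logged."""
        allowed = self.can_read(role, group)
        self.audit_log.append(AuditEntry(user, role, patient_id, group, allowed))
        if not allowed:
            raise AccessDenied(f"{role} is not granted {group} for {patient_id}")
        return chart[group]

    def denied_attempts(self):
        """What the compliance officer reviews: reads that policy blocked."""
        return [e for e in self.audit_log if not e.allowed]


def blast_radius(role):
    """Groups exposed if a single login with this role is leaked or guessed."""
    return ROLE_GRANTS.get(role, frozenset())


def demo():
    """A scheduler reads the schedule, then strays into clinical data."""
    rs = RecordSystem()
    rs.read("front-desk-1", "scheduler", "P-0001", SCHEDULE)
    try:
        rs.read("front-desk-1", "scheduler", "P-0001", CLINICAL)
    except AccessDenied:
        pass                      # blocked, and the attempt is now in the audit log
    return rs
```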

Requesting specific amounts of PHI from others

Many practices depend on patient referrals from outside practices. When taking these referrals, often medical information is sent over either electronically or via mail. When working with an outside practice, you should only ever request the minimum amount of PHI to perform the care you have been tasked with. If a patient is coming to you for a specific procedure like a root canal or a surgical procedure, it may be tempting to ask for the entire history of care from the outside practice. However, you’ll likely only need the recent x-rays and other information pertinent to that patient’s current ailment. Limiting the amount of PHI you ask for limits your liability in a situation where a medical record was breached in transit. If PHI gets lost in the mail, that is considered a breach. Accordingly, the more information contained therein, the higher the possible fine from the Office for Civil Rights in the event of a breach.

Sending specific amounts of PHI to others when requested

Most practices refer patients to specialists when a patient needs a procedure outside of the practice’s area of expertise. When doing so, the outside specialist will likely request information about the patient: x-rays, medical histories, insurance information, etc. Therefore, it is important that you and your employees understand the difference between a routine request for information and a non-routine request. A routine request is the type of request you see all the time: it is for the right amount of information for the third-party specialist to perform their procedure, and it shouldn’t make you question why they are asking for that specific information.

Alternatively, there are non-routine requests for information. These requests may be for entire medical histories or a specific piece of information you’ve never been asked for. Or the request may be because of an unusual referral situation your practice doesn’t see very often. In these situations, your employees should take a moment to ensure that all of the information requested is really necessary to perform the procedure or care for the patient effectively. Furthermore, if your employee doesn’t agree with the magnitude of the request, they should communicate with the third party and ensure that a particular piece of information is really needed. Only if the third party can give you a compelling reason for needing the information should you make the exception and send it to them.

J.J. Micro’s PracticeProtect platform helps your organization understand and follow HIPAA regulations like minimum access to PHI. Give us a call today at 636-556-0009 to schedule a free risk assessment.


Rules For Sending And Receiving Protected Health Information (PHI)

HIPAA requires covered entities (organizations that provide treatment to patients, bill insurance plans, or create protected health information (PHI)) to protect their PHI. This protection extends to sending and receiving PHI. Moreover, there are specific rules for how to send PHI to outside entities like other practices, insurance companies, and patients themselves.

First, let’s define Protected Health Information.

  • Protected Health Information is medical information that contains any of the following uniquely identifying characteristics:
    • Names
    • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
    • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
    • Phone numbers
    • Fax numbers
    • Email addresses
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Web Universal Resource Locators (URLs)
    • Internet Protocol (IP) address numbers
    • Biometric identifiers, including finger and voice prints
    • Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic, or code

That’s a pretty hefty list of uniquely identifying characteristics. Basically, if a piece of information can be used to single out a person’s medical information, all of that information becomes Protected Health Information.

Sending PHI through email

The most common way to exchange information these days is via email. This will likely be the easiest way to get patient records over to other practices or to send a record to a patient who is requesting something. Consequently, it’s important to distinguish between standard email and encrypted email. Many practices assume that because their email system uses SSL or TLS encryption, it’s encrypted to HIPAA standards, and they never give it another thought. Almost all email systems (Gmail, Hotmail, Yahoo, GoDaddy, Microsoft Exchange, Outlook.com, AOL, etc.) use SSL or TLS. This protects the email from being intercepted somewhere in transit between the sender and the receiver; it does nothing once the message is sitting in a mailbox. HIPAA says this is not enough.

HIPAA requires that when sending an email containing PHI, you accomplish three things:

  • Encrypt the PHI so that it can’t be intercepted by an unintended party.
  • Verify the identity of the receiving party before they can open the encrypted email attachment.
  • Have a way to revoke access to the encrypted attachment when it is no longer needed, or if it was sent in error.

To achieve all three of these goals, your practice will generally want to employ an email encryption service like Virtru or Hushmail. These services separate the file attachment (which you use to carry the PHI) from the rest of the email so that PHI isn’t stored in non-secure ways. They make users on the receiving end of the email confirm their identity before allowing the file attachment to be viewed. And they allow access to the file attachment to be revoked at any time, either by setting an expiration date or by manually revoking access. Your practice will also need a Business Associate Agreement on file with any encryption service you decide to use: the encryption service has to prove it will protect your PHI while it is being transferred or stored on its systems.

Using a standard email account without a secure encrypted file attachment to send PHI is a violation of the HIPAA security and privacy rules. There is nothing to stop an unintended recipient from opening a sensitive attachment and there is no way to revoke access to the PHI after the email is sent.

As with all communications involving PHI, you should be logging any time you send or receive PHI. A patient has the right to know who you sent their PHI to. Your practice software likely has a place for you to log these PHI disclosures.
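The three requirements above, together with the disclosure log this paragraph asks for, as an added model that is not code from the page, Virtru or Hushmail: the email carries only a link token and the sealed bytes, the key is released only after the recipient proves control of the registered address, and the sender can revoke or expire access. A one-time XOR key stands in for a real cipher such as AES-GCM, and out-of-band delivery of the verification code is simulated with an in-memory mailbox; both are assumptions of this example.

```python
"""Encrypted-attachment pattern: seal, verify identity, revoke, log (added example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class AccessRevoked(PermissionError):
    pass


def _hash(code):
    return hashlib.sha256(code.encode()).digest()


class AttachmentService:
    def __init__(self, clock=None):
        # The clock is injectable so expiry can be exercised without waiting.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._records = {}        # token -> key material and access policy
        self._challenges = {}     # token -> hash of the outstanding one-time code
        self.mailbox = {}         # simulated out-of-band delivery: address -> code
        self.disclosure_log = []  # accounting of disclosures: when, who, which token

    def seal(self, sender, recipient, plaintext, ttl_hours=72):
        """Encrypt the attachment; the key never leaves the service."""
        key = secrets.token_bytes(len(plaintext))   # one-time key, used exactly once
        sealed = bytes(p ^ k for p, k in zip(plaintext, key))
        token = secrets.token_urlsafe(16)           # this is what the email link carries
        self._records[token] = {
            "key": key, "sender": sender, "recipient": recipient,
            "expires": self._clock() + timedelta(hours=ttl_hours),
            "revoked": False,
        }
        return token, sealed

    def request_code(self, token):
        """Identity check: a one-time code goes to the registered recipient only."""
        rec = self._records.get(token)
        if rec is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[token] = _hash(code)
        self.mailbox[rec["recipient"]] = code   # whoever controls that inbox learns it
        return True

    def open_attachment(self, token, code, sealed):
        """Release plaintext only while access is live and the code is correct."""
        rec = self._records.get(token)
        if rec is None or rec["revoked"] or self._clock() >= rec["expires"]:
            raise AccessRevoked("attachment is no longer available")
        expected = self._challenges.pop(token, None)   # each code is single-use
        if expected is None or not hmac.compare_digest(expected, _hash(code)):
            raise AccessRevoked("recipient identity not verified")
        self.disclosure_log.append((self._clock().isoformat(), rec["recipient"], token))
        return bytes(c ^ k for c, k in zip(sealed, rec["key"]))

    def revoke(self, token, by):
        """Sender withdraws access, e.g. after emailing the wrong address."""
        rec = self._records.get(token)
        if rec is None or rec["sender"] != by:
            return False
        rec["revoked"] = True
        return True


def demo():
    """Run the lifecycle on a constructed sample and report each outcome."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    svc = AttachmentService(clock=lambda: now[0])
    phi = b"constructed sample: referral x-rays for patient P-0001"
    token, sealed = svc.seal("dr.a@practice-a.example", "dr.b@practice-b.example", phi)
    out = {"sealed_differs": sealed != phi}
    svc.request_code(token)
    code = svc.mailbox["dr.b@practice-b.example"]
    out["opened"] = svc.open_attachment(token, code, sealed) == phi
    try:                                          # replaying the same code: rejected
        svc.open_attachment(token, code, sealed)
        out["reuse_blocked"] = False
    except AccessRevoked:
        out["reuse_blocked"] = True
    svc.request_code(token)
    now[0] += timedelta(hours=73)                 # past the 72-hour expiry
    try:
        svc.open_attachment(token, svc.mailbox["dr.b@practice-b.example"], sealed)
        out["expired_blocked"] = False
    except AccessRevoked:
        out["expired_blocked"] = True
    out["disclosures"] = len(svc.disclosure_log)
    return out
```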

Sending PHI through the mail

When sending PHI through the mail, you must use certified mail or a similar service that requires a signature from the recipient. This is to ensure that any PHI makes it to its destination. If you don’t have a record of when the PHI was both sent and received, you can’t be sure who has the PHI if you are audited. And if a patient wanted a complete list of all entities that have access to their PHI, you couldn’t give them an accurate list without proper record keeping. With certified mail, you will have the signature of the person who received the letter and the date and time when they received it.

Using standard mail is not allowed because of the lack of tracking inherent to standard mail.

Face to face and phone conversations

Face to face conversations and phone calls are both common ways practices disclose PHI. All PHI disclosures should be tracked. Accordingly, you must keep a log if you gave out PHI via conversation or phone call. Again, the patient has a right to know who has access to their PHI. If, for instance, you communicated PHI to another doctor and that doctor is now aware of your patient’s medical information, your patient has the right to know that.

Faxing PHI

Faxing is considered a gray area as far as HIPAA is concerned. HIPAA recognizes that fax machines are sometimes the only way for one practice to quickly send information to another entity. Conversely, HIPAA is aware that fax technology is inherently insecure. Faxes can be intercepted via phone tap, and fax machines generally just print out any fax that comes through and leave it sitting in the tray for all to see. These problems are hard to overcome for most practices, but you can make some headway in securing your fax to eliminate many of the chances of a breach occurring.

The HIPAA security rule says that fax machines should be kept behind a locked door. This way non-employees cannot easily access any faxes that may have printed out, but not been picked up yet. And if your fax machine supports it, faxes should be stored in the fax machine’s memory until an authorized user signs in to the fax machine and prints them out.

I expect that as secure encrypted email becomes more prevalent, the HIPAA security rule will be updated to remove faxing from the list of approved methods to send PHI.

You should get in the habit now of avoiding faxes that contain PHI and only use this method as a last resort.


HIPAA Compliance For Nonprofit Organizations

There are more than 1.5 million nonprofit organizations in the United States. Of those, the National Center for Charitable Statistics estimates that over 170,000 are in the health-related sector. Many of these health services nonprofits are currently unaware that HIPAA laws apply to them. This leaves nonprofits vulnerable not only to audits from the Department of Health and Human Services but to actual breaches of data that will affect your patients and clients.

The Office of Civil Rights (OCR) will not hesitate to levy a fine on a nonprofit if a data breach were to occur. And the risk of data breach is high. A stolen laptop or mobile device can easily contain hundreds of patient medical records. And the fine can be as high as $50,000 per medical record breached.

There is a simple litmus test to decide if HIPAA laws apply to your nonprofit. Do you store any of the following information for your patients, clients, members, or beneficiaries?

  • Any past or present health conditions — either physical or mental
  • Any past, present, or future planned medical treatment
  • Any past, present, or future payment information for medical care

If any of the above data is stored with any of the following unique identifiers, your nonprofit must be HIPAA compliant. There are 18 traits that HIPAA looks for to identify someone:

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voice prints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

It is rare that an organization would have health data on individuals without personally identifying those individuals. An example would be an organization that does research on the effects of a certain disease on the population of the United States. If the data was sanitized of any personal identifiers, and only showed effects on the general population in aggregate, HIPAA laws would not apply. But this is a narrow subset of data. Most data does include at least one or two personal identifiers.
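As an added illustration of the litmus test above (this is not code from the post or from J.J. Micro), here is a small Python screen that flags a stored record as PHI when health data sits beside any of the listed identifiers, and then applies the sanitizing rules the list implies: dropping geography below the state, reducing dates to the year, and capping exact ages over 89. The column names and the sample record are constructed assumptions, not a standard schema.

```python
from datetime import date

# Constructed column names mapped onto the 18 identifiers listed above;
# no real schema uses exactly these names, so adapt the set to your own database.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip",          # geography below state
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
HEALTH_FIELDS = {"diagnosis", "treatment", "payment"}   # the three kinds of health data

def find_identifiers(record: dict) -> set:
    """Identifier fields that are present and non-empty in the record."""
    return {k for k in DIRECT_IDENTIFIERS if record.get(k)}

def is_phi(record: dict) -> bool:
    """The post's litmus test: health data stored together with any identifier."""
    has_health = any(record.get(k) for k in HEALTH_FIELDS)
    return has_health and bool(find_identifiers(record))

def safe_harbor(record: dict, today_iso: str) -> dict:
    """Strip identifiers: drop direct fields, keep only the year of dates, cap age at 90."""
    today = date.fromisoformat(today_iso)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop the field entirely
        if key.endswith("_date") and value:
            out[key] = value[:4]          # "YYYY-MM-DD" -> "YYYY" (years are allowed)
        else:
            out[key] = value              # state, health data, etc. pass through
    if record.get("birth_date"):
        born = date.fromisoformat(record["birth_date"])
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        out["age"] = "90+" if age > 89 else age   # exact age over 89 is an identifier
    # Free-text fields (notes, comments) can still carry the catch-all 18th identifier
    # and need a separate review; this screen only handles structured columns.
    return out

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Pat Example", "zip": "63017", "state": "MO", "email": "pat@example.com",
    "birth_date": "1931-03-15", "admission_date": "2019-11-02", "diagnosis": "hypertension",
}

if __name__ == "__main__":
    print("PHI before:", is_phi(SAMPLE))
    cleaned = safe_harbor(SAMPLE, "2024-06-01")
    print("PHI after:", is_phi(cleaned), cleaned)
```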

So what should a nonprofit that stores health information do? HIPAA compliance is a very broad set of rules that range from administrative responsibilities and privacy training to IT-related security. There are hundreds of things to check during a security audit, and many small organizations don’t know where to start. Don’t let yourself become overwhelmed. With some help, a nonprofit can go from non-compliant to fully compliant in as little as 30 to 60 days. The first step is to perform a HIPAA risk assessment. This will help you decide where you are being compliant and where you are not. After a risk assessment, you can decide on a step-by-step plan to remediate each area of non-compliance.

J.J. Micro provides free HIPAA risk assessments to nonprofit organizations. If after we provide our no strings attached assessment you decide that your organization needs help to become compliant, we will provide you with a quote for our PracticeProtect service. PracticeProtect includes everything you need to be compliant. From encrypted email and storage/backup solutions to privacy policies and training procedures for your staff, we will walk you through each step of the process. Call us today at 636-556-0009 to schedule your free HIPAA risk assessment.


OCR Announces Fines for Breaches Affecting Fewer Than 500 Patients

As a HIPAA compliance IT consultant I work with many small dental and medical practices that are affected by HIPAA regulations. For many years, dental practitioners and boutique medical service providers have been able to fly under the radar of the OCR (Office of Civil Rights) and not worry about audits or fines resulting from breaches. However, in 2016 the OCR began to perform random audits of all covered entities and their downstream business associates. And with the new announcement that the OCR will issue fines for breaches affecting 500 or fewer patients, we will see an even bigger focus on HIPAA compliance from these small practices.

Our service offering, PracticeProtect, has seen a recent uptick in sales as more medical service providers are made aware of the dangers of non-compliance. Where practice owners were once unconcerned with the possibility of an audit and thus lax with their security policies, we are now seeing a strong focus on compliance. Many practice owners have spent so long not focusing on compliance that they aren’t aware of just how non-compliant they are. Our first visit with a new client includes an initial HIPAA risk assessment where we cover twenty topics that are usually problem areas for a small practice. We generally find that practices are initially compliant in less than five of those twenty areas.

There are considerable investments in both time and money to become compliant. Many practices have weighed the cost/benefit ratio before and found that the risks weren’t great enough to warrant the investment. But that cost/benefit ratio is changing and I believe more and more practices will be investing in compliance over the next few years.

Read here about the first case where the OCR issued a fine for a breach that affected fewer than 500 patients. A laptop containing 441 patient medical records was stolen. At the time, the organization that owned the laptop had not performed a HIPAA security risk assessment, nor did it have any policies or practices in place to prevent a breach like this one. Simply encrypting the data on the laptop and password protecting the encryption would have stopped this breach. Because the organization had no procedures in place, the OCR levied a $50,000 fine. Since the breach occurred in 2010, that organization has brought itself into compliance. But it could have avoided the breach and the fine altogether if it had been prepared for this. The likely cost of compliance would have been a fraction of the fine it paid.

If you are a small medical or dental practice, let J.J. Micro perform a free HIPAA risk assessment to find out where you stand with HIPAA compliance. There are no strings attached to this risk assessment. You are free to do what you like with the information we provide. We are not government auditors and do not report any security risks to the OCR. We are only here to help you bring your business into compliance.


The Importance of Encryption for HIPAA Compliance

Encryption... what does it mean to encrypt something? Why is it important? And why is it particularly important for covered entities and business associates in the health services industry? What can you do to make sure your data is encrypted while it is being transferred from one place to another and while it is at rest on servers and backup drives? These are all questions I am asked regularly when I do initial HIPAA risk assessments and audits. My clients tend to downplay the importance of encryption initially until they fully understand the risks of not encrypting data properly.

Encryption is defined as the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. If you were to send a file across the internet in a non-encrypted format, it could be intercepted anywhere along the way and you would have no idea that your data had been breached. Additionally, if you were to store data on a storage device in a non-encrypted format, and that device was lost or stolen, your data would be accessible to anyone. Using encryption nullifies both of those scenarios by only allowing someone with your secret encryption key to decrypt the data and read it.

For the purposes of HIPAA compliance, encryption is absolutely necessary for one particular category of data: protected health information (PHI). This includes patient medical records and personal patient information like phone numbers, addresses, and Social Security numbers. Encryption of PHI is important for a few reasons. First and foremost, you have a duty to your patients to keep their personal information safe from unauthorized access. One quick way to lose patients and your practice is to betray patient trust. Additionally, as a covered entity or business associate you are bound by federal law to protect PHI from breach or loss. The Office of Civil Rights has the authority to fine you up to $50,000 per record breached or lost if it deems that you haven’t implemented and followed a good faith HIPAA compliance plan.

What is a practice to do? How can you be sure your PHI is encrypted? There are three places you’ll want to double check for encryption. During our HIPAA audits we most commonly find that practices aren’t employing encryption when emailing patient health records to other practices or to the patients themselves. This is a fairly easy problem to fix. There are a multitude of available email encryption services such as Virtru, Office 365 Encrypted Email, and Hushmail. These services generally integrate directly into your browser or Microsoft Outlook so that it’s as easy as pressing a button to convert any email into an encrypted email that requires the user at the other end to verify their identity to receive the email.

It is more complicated to find out if the other two categories have HIPAA compliant encryption enabled. These two areas are data stored on devices like servers, desktops, laptops, and mobile phones, and, separately, data stored on backup devices and backed up to the cloud. You will want to contact a HIPAA compliant IT specialist to verify that your devices and backup storage are HIPAA compliant. An IT specialist can tell you what level of encryption you are using and whether the encryption is turned on and configured properly. Additionally, in the case of a cloud backup service, the IT specialist can make sure that the cloud provider is HIPAA compliant itself and is willing to sign a Business Associate Agreement (BAA) for your practice and share some of the liability for storing that sensitive data.

J.J. Micro IT Consulting is available for a free HIPAA risk assessment. During that assessment we will look for proper encryption methods in addition to possible HIPAA compliance issues in the categories of security, privacy, and administrative procedures. Please give us a call at 636-556-0009 to schedule an appointment today.
