Guest post Gene Fry, vice president of technology and compliance officer, Scrypt, Inc.
According to the 2016 Survey of America’s Physicians, around 70 percent of the nearly 800,000 physicians in active patient care in the U.S. work independently or in practices consisting of 30 physicians or fewer. For these small and medium sized practices, maintaining a robust HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance strategy is extremely difficult. In fact, one report suggests a third of small practices do not have a HIPAA compliance plan in place at all, which is a worrying statistic, given the potential repercussions of a HIPAA breach.
Only last year, HHS’ Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA Privacy and Security rules, announced an initiative to more widely investigate smaller HIPAA breaches. While this may not have been directly aimed at small practices – small breaches can just as easily occur at large organizations – it provided a stark reminder to all covered entities that no organization is exempt from the rules, and noncompliance is noncompliance, regardless of magnitude or intent.
To highlight this, back in 2012, Phoenix Cardiac Surgery — a four-physician practice based in Arizona — was fined $100,000 and required to take corrective actions, after it was revealed the company had been using a publically accessible calendar service to transmit ePHI to employees’ private email accounts. This violation would have been avoidable, had the offender known the use of such technologies by a medical practice is prohibited under HIPAA.
Small and medium practices, big responsibilities
Keeping on top of HIPAA compliance, alongside the many other regulatory constraints that come with managing a busy medical practice, is a challenge for any organization, but small and medium practices typically have fewer resources and less budget to manage and mitigate risks effectively in-house, so the challenge is larger than most.
Managing a full-time HIPAA compliance program, for example, is simply not feasible for most small organizations, as they are unlikely to have staff members who possess the necessary skills to lead a team in promoting HIPAA best practices, as well as undertaking risk assessments and so on. As such, all responsibility lands with the medical staff, who must assume dual roles; as both clinicians, and compliance experts. While it could be argued that every medical professional should be well versed in HIPAA compliance anyway, the reality is not all are, and this presents major security and privacy risks.
The good news is, there are some relatively easy steps small- and medium-sized practices can take to significantly minimize the risk of a HIPAA breach occurring, that don’t require any major financial investment. While the following points are not a definitive list of HIPAA requirements, they should provide a good starting point.
Start with the basics and build up
HIPAA is complex and often overwhelming, but there’s no point worrying about the small details if the fundamentals are not in place. Organizations must ensure that all staff are familiar with the following key areas of HIPAA:
Why HIPAA exists and who it covers
Key requirements under the HIPAA Privacy Rule, the Security Rule and the Breach Notification Rule
Protected Health Information (PHI/ePHI) and the key personal identifiers
HIPAA enforcement and the consequences of noncompliance
Their responsibilities as an individual within the organization
Many hospitals, clinics and healthcare organizations today talk about going paperless. In fact, according to a November 2016 research report from IDC, more than 40 percent of healthcare organizations report that they have a paper-reduction initiative in place.
Yet even hospitals that have achieved late-stage meaningful use status still receive and process high volumes of paper. This is especially true for important printing workflows, such as medical records, administrative files, admissions documents, prescriptions and pharmacy information. According to a recent survey by HIMSS Analytics, commissioned by Nuance, 90 percent of survey respondents reported some clinicians still use paper-based documents.
There is no escaping that healthcare organizations are committed to paper, at least for the short-term future. For instance, the IDC study found print volumes are expected to remain flat for the next two years, before beginning to decline after that time period.
When you consider that this amount of paper is expensive (both in terms of actual printing costs as well as overall document management processes), hard to track, and poses serious security and compliance risks, you may wonder why so many healthcare organizations continue to rely on paper.
To help answer the question, we’ll take a closer look at the reasons cited in the IDC report. We’ll also offer a few best practices any healthcare organization can follow now to reduce its reliance on paper to address the challenges posed by manual or paper-based workflows.
Why Paper Use Continues
According to the IDC report, the top reasons hospitals, clinics and healthcare organizations continue to use paper include incompatible document management systems or technology. This issue is most notable between the organization and outside facilities, leaving default paper processes as the best workaround.
Another reason is that many workflows still require paper documentation, most notably patient check-in/belongings forms, records requiring signatures, consent forms and more. Additionally, the majority of prescriptions and pharmacy records are still paper-based. For example, only 10 percent of responding hospitals indicated that prescriptions were electronic.
Lastly, healthcare organizations are large-scale consumers of fax technology. Hospitals report that many still receive and send up to 1,000 pages per month by fax. Interestingly, these hospitals report that while faxing may be an antiquated technology, many are behind in implementing new technology and must continue to focus on what works for them.
The handling and sharing of medical records is a critical and sensitive issue, and one that affects millions of providers, patients and payers every day. According to the Center for Disease Control and Prevention, Americans alone make more than a billion visits to doctors’ offices, clinics and hospitals annually, so one can only imagine how often medical records exchange hands between patients, physicians, specialists, healthcare organizations and their staff.
Test results, images, medical and billing history and other related information continue to be mailed, faxed and—more commonly—emailed between interested parties. Email is the most popular of these options because it combines the wide accessibility of snail mail with the immediacy of fax transmission. But email as a means of sharing sensitive healthcare data lacks in three critical areas: security, regulatory compliance and working with large files.
Security, privacy and protection
Gaps in email security should have doctors and patients sweating bullets any time they attach medical information to an email and hover their cursor over the “send” button.
The overarching problem lies in the encryption, or lack thereof. Like CDs and popular online sharing services, medical records transmitted via email are generally unencrypted. This is the case not only in transit, but also when they sit on the servers of the email providers. Thus, sensitive medical information lies vulnerable at all times.
Exchanging records by email means exposing patients’ personal information and their entire medical histories to a nefarious underworld of hackers seeking to exploit such information. It may include the most personal and private information, from social security numbers to diagnoses for chronic illnesses. Should information get in the wrong hands, there’s no predicting the extent and impact of the consequences.
A little more than a year ago the former Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Leon Rodriquez, referred to covered entities that did not realize they have business associate relationships in place. He went on to say that some business associates did not know that they were actually business associates. Rodriquez stressed it was both the responsibility of the covered entity and the business associate to understand this relationship does exist.
Regarding ramped up HIPAA enforcement and compliance, Rodriquez indicated future audits will be narrower in scope and include more organizations than ever before. Covered entities and their business associates also will be audited under the new permanent program, and audits will focus on vulnerabilities that could change year to year as new issues arise. This appeared to be the start of an intended awareness program and fair warning.
With Rodriquez’s departure to Homeland Security in June, it seemed like the task of continuing the drum beat message of ramped up HIPAA enforcement fell to Linda Sanches.
Sanches is OCR’s senior health information privacy advisor. In that position, she oversees the HIPAA security and breach notifications audit program and may know a thing or two about the direction OCR wants to take with future audits. Sanches recently spoke at the Health Information and Management Systems Society (HIMSS) Privacy and Security Forum. However, she did not provide any striking revelations or critical insights about these new audits, just more of what the industry seems to know already, that these audits are coming.
Much like Rodriquez did in the past, Sanches spoke more in generalities than specifics. She indicated OCR was looking at a broader view of the entire healthcare industry as possible criteria for selection of who would be targeted for an audit. Using the National Provider Identifier (NPI) database is a method being considered to select entities like hospitals, practices and dental providers for audits.
Guest post by Stephen Cobb, senior security researcher, ESET.
HIPAA’s privacy and security rules are often labeled as being burdensome and restrictive. The rules are increasingly criticized as ineffective and people wonder how an organization can be HIPAA compliant and still suffer a breach of protected health information.
A medical approach to answering that question might be to think about infection prevention and control. Infection control protocols exist to prevent the spread of infectious diseases. However, a patient can get infected at a hospital or clinic that has such protocols in place. The reasons for such anomalies include lapses in conformance to the protocol and inappropriate protocol relative to potential infection vectors.
Such language maps closely to the demands of healthcare data protection, which could be described as the prevention and control of unauthorized access to protected health information. Clearly there is a need for healthcare organizations and their employees to fully comply with “policies and procedures that are appropriate to the threats.” Getting people to comply requires organizational commitment from the top down, backed by the adequate equipping and educating of staff at all levels.
But what if those policies and procedures are not appropriate to the threats? What if the infection vectors are different from those you trained to defend against, or the threat agent more virulent than you supposed? That’s where a lot of health data security breaches occur, in that gap between established practices and emerging threats. The difference between being “HIPAA compliant” and “secure” often comes down to underestimating threats. Continue Reading
According to the 2014 Exclusive EHR Study conducted by the MPI Group and Medical Economics, 70 percent of clinicians said their EHR investment has not been worth the effort, resources and costs. Widespread dissatisfaction with electronic records systems is casting an unfortunate shadow over the great potential they hold for making today’s medical practices more efficient and for improving healthcare delivery. However, practices can help avoid future disappointment with their EHR decision and save time and resources by understanding how to avoid common implementation pitfalls.
1. Choosing the wrong EHR
The intuitiveness and ease of use of your EHR will affect every area of your practice. If you don’t consider yourself to be technologically savvy, finding an intuitive solution should be at the top of your list. (After all, presumably you’re a clinician, not an IT expert.) Was a clinician was involved with the development of the EHR system? If a clinician wasn’t involved, chances are your idea of “usable” won’t line up with that of the vendor’s.
Another aspect to consider is cost, which can vary across a wide spectrum from free to several thousand dollars a month. Decide on the maximum price that you are willing to pay. This will reduce the list of vendors for consideration. Oh by the way, beware of the word “free.” Your biggest hidden cost is not the dollars spent on software, but the hours of lost productivity from a system that impedes you with banner ads and other annoying distractions.
To be certain that the EHR you choose is the right one for your practice, do everything in your power to expose yourself to the software prior to purchasing. It is worth asking the vendor whether they offer free trials. If not, consider watching video tutorials, attending webinars and shadowing another clinician using the EHR.
2. Underestimating the importance of an implementation plan
To ensure the smoothest transition possible, develop an implementation plan that will introduce you to your new EHR and also help you identify specific questions to ask the vendor. Your EHR vendor will likely have one to give you – just ask.
At a minimum, a useful implementation guide should tell you how to do the following:
Guest post by Scott Walters, client services, INetU.
Whether they are cloud providers, EHR services firms or SaaS providers, technology companies that market to healthcare organizations are considered “business associates” under HIPAA. In the past, that meant customers often asked them to sign agreements assuring that they were employing best practices and would provide breach notifications to help customers maintain compliance.
As of September 13, 2013. however, changes to the guidelines were implemented that mean technology providers are now directly liable to the U.S. Department of Health & Human Services (HHS) for securing any PHI that they’re entrusted with. In addition to the increase in accountability, this first-hand responsibility also brings technology providers under the threat of fines that can now reach well into the millions of dollars.
The Cost of a Breach
The HHS Office for Civil Rights (OCR), the main enforcement body for HIPAA, has been gradually increasing fines for organizations that violate HIPAA compliance. The penalties have totaled well into the millions, with several organizations in the past few years receiving fines in excess of $1.5 million from OCR. In fact, according to data from the Department of Health and Human Services, HIPAA-covered entities and now business associates have paid more than $18.6 million to date to settle alleged federal HIPAA violations with $3.7 million of that coming from organizations in the last year alone. On top of this, there are often state and private legal settlements involved.
The Massachusetts Eye and Ear Infirmary (MEEI) is among the organizations that have experienced dramatic penalties firsthand, incurring fines of $1.5 million in 2012 after the theft of a laptop from an MEEI doctor who was traveling to Asia ended up exposing PHI. Blue Cross Blue Shield of Tennessee also paid $1.5 million in the same year following a breach of 1 million patient records stemming from the theft of 57 unencrypted hard drives from a leased training facility.
These two examples not only show the potential cost of a breach, they also demonstrate another quality that reaches across many of the violations to date – the fact that many of the biggest healthcare and HIPAA breaches are caused by unencrypted data and local storage of PHI. As technology providers offer services to manage this type of data, the onus to meet HIPAA regulations is more frequently falling on their shoulders. The upside to this is that, with some forethought, SaaS and EHR providers have the opportunity to make their cloud services even more HIPAA ready than their customers’ on-premise solutions.
For physicians’ practices in the 21st century, connectivity is the buzzword. Getting doctors connected to data, patients connected to healthcare providers, and practices connected to networks are just a few of the web-fueled scenarios coming down the pike.
The Health Information Technology for Economic and Clinical Health (HITECH) Act is a game changer and affects just about every aspect of modern medical care. HITECH, part of the American Recovery and Reinvestment Act of 2009, promotes the adoption and meaningful use of health information technology.
As is often the case with a shift this monumental, there are both benefits and challenges of connected healthcare that practice groups will have to address. First, let’s take a look at some of the benefits.
1. Join the Digital Revolution. Just as other industries that went digital years ago, healthcare benefits from the streamlining offered by a networked environment. Clinical interoperability of healthcare IT lowers costs and enhances efficiency by facilitating the comprehensive exchange of health information between care providers, hospitals and patients. The trend is toward innovation in healthcare as the industry as a whole responds to consumer demands and government reforms.
2. Safety in Numbers. As of 2013, more than 323,000 American medical practices and hospitals adopted EHRs and attested as meaningful users, indicating a 266 percent increase over 2012, according to CMS statistics. However, even with this upsurge in participation, those numbers represent only a small percentage of US hospitals that currently keep electronic records and contribute to the health information exchange. So, while the risk of being an early adopter is largely gone, your practice group could still be near the front of the adoption wave.
3. It’s easier. As you can see from the statistics in the previous point, healthcare IT adoption is in an early phase, and for most practices, there is a lack of centralization. To help elucidate the complexity of the system, look no further than the state of Florida, where there are at least 672 EHR vendors. Connecting health information digitally creates a central database that greatly simplifies the process of storing and retrieving all patient data. It’s like finding the needle in the haystack every time.