Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.
Myth: All email is HIPAA-compliant
This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.
Myth: My business is too small to worry about HIPAA
Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.
Myth: Any email with PHI must have encryption
If emails are sent in-office over a secure network, encryption over e-mail is not necessary. But once that email is sent out of the office over a wide area network, or through the internet, encryption is a must.
Myth: The recipient must have encrypted email
The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.
Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.
The need for ongoing reviews of business associate agreements stems from an increased focus on compliance, and audits from the Office of Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPAA-compliant providers like healthcare fax companies to transmit protected data on their encrypted servers has been the best way for health care professionals to avoid audit issues.
However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.
Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.
The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.
Considerations for Review
Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.
Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.
When reviewing your business associate agreements, there are a few key points to pay close attention to:
Today’s physicians face an increasing array of non-clinical demands on their time, from filling out paperwork to sorting through insurance denials. As a result, the amount of time doctors have to actually see patients has been reduced.
The combination of decreasing number of physicians, increasing demand for quality care, and rising costs of healthcare has created a challenging environment for both patients and healthcare professionals.
Nearly all of us have experienced long wait times at a physician’s office, often for minor ailments or routine follow-ups. These lengthy wait times are causing more and more patients to skip follow-up visits or turn to unreliable online medical services and websites for information. This not only erodes the doctor-patient relationship, but it puts patient health at risk. Furthermore, the information is not properly shared with the patient’s actual physician.
Today’s ultra-connected world has a solution that can bring the doctor-patient relationship into the 21st century: telemedicine.
Telemedicine is a suite of technology solutions that enables doctors to communicate with and treat patients via text, video and audio – and it can be used by physicians, nurses, office staff, any healthcare professional and, of course, patients. Telemedicine allows physicians to provide more convenient, real-time interactions with their own patients, for triaging acute issues and for quick follow up visits that can save the entire health system time and money.
And it’s far from the latest medical fad. Telemedicine is already one of the fastest growing segments in healthcare. According to the American Telemedicine Association, half of all U.S. hospitals now use some form of telemedicine. Similarly, Health Affairs has predicted an increase in domestic telehealth revenue by almost 20 percent per year, to $1.9 billion by 2018.
Connecting to patients, anywhere and anytime
Clearly, these solutions have ushered in a new age of medicine. Technology can also provide real-time data on patient vital signs, blood sugars and other information to improve the monitoring of chronic conditions, reducing readmission rates and keeping our patients healthier outside of the hospital.
Factors fueling the growth of telemedicine are as follows: a shortage of physicians in rural and remote areas, the high prevalence of chronic diseases, growing elderly populations, increasing numbers of smartphone users and the need for improved quality of care.
Telemedicine solutions fall into two broad categories: remote patient monitoring and online/digital communications. Remote patient monitoring links home healthcare equipment (heart monitors, dialysis equipment, etc.) to the internet and then securely reports patient data back to a healthcare provider.
Guest post by Ali Din, senior vice president, dinCloud.
With support having ended for Windows Server 2003, many organizations are left asking how to proceed with the soon-to-be obsolete server operating system. For organizations held to regulatory compliance standards, this question holds additional complexity. One of the industries undoubtedly scratching its proverbial head this week as support ends is healthcare.
Over the past few years, HIPAA, the Health Insurance Portability and Accountability Act of 1996, and HITECH, The Health Information Technology for Economic and Clinical Health Act, have largely determined the trajectory of IT and operations in healthcare. Perhaps most notably, HIPAA has helped govern patient security as healthcare institutions were incentivized to migrate health records to an electronic format through meaningful use. As EHRs, cloud and mobility solutions abounded, HIPAA guidelines dictated privacy and security standards for the industry. Today, many healthcare organizations are faced with a similar transition. Like all organizations, healthcare institutions have the option to migrate their servers to a supported operating system, which typically includes a corresponding hardware upgrade. Alternatively, they can migrate these workloads to the cloud. However, as reported by the Wall Street Journal, “analysts say that the technology [Windows Server 2003] is more prevalent in healthcare, utilities and government,” demonstrating that inaction seems to be more prevalent in the healthcare sector than one would think.
Those who have not yet migrated from Windows Server 2003 will be exposed to significant security risk and may compromise HIPAA compliance, as it is unlikely the operating system will remain a HIPAA supported platform.
The implications of not migrating extend beyond just the affected server. One unpatched vulnerability can compromise an organization’s entire infrastructure.
End of support means that Microsoft will no longer issue patches and security updates for Windows Server 2003, and the resulting security risk is so severe that US-CERT, a branch of the Department of Homeland Security, issued a security alert warning of the “impact” of end of support. The alert states, “organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.”
Like the security risk, cost for extended support will also compound for healthcare organizations. Microsoft is charging $600 per server for the service, which will quickly add up.
With the risk and cost associated with not migrating, why are so many healthcare organizations approaching the deadline with no foreseeable migration plan? Like many goings-on in the industry, it’s complicated.
One factor is that some mission critical applications may not transition to a supported platform. That leaves IT administrators choosing between migration and applications that, in some cases, may be in daily use by their workforce.
And, finally, if it ain’t broke (yet), don’t fix it. Like many industries, healthcare organizations are often seeing heightened demand placed on smaller teams, which doesn’t leave ample time for proactivity. In these scenarios, migration planning may not have been prioritized with budget or resource allocation.
However, with end of support approaching in just a few days, regardless of the reason why these organizations didn’t migrate, they will soon be faced with the consequences.
Guest post by Amit Cohen, co-founder and CEO, FortyCloud.
Remote access is changing the practice of medicine – from data collected remotely from newly developed telemedicine devices, to surgery conducted by a surgeon in an offsite location. A smartphone application, currently in development, is set to monitor a user’s voice to detect mood changes for individuals with bipolar disorder. Devices and applications such as these not only improve the quality of care available to patients across the globe, their use also results in exponential growth in the sources and volumes of data. These cutting-edge technologies present new challenges for IT professionals who are responsible for ensuring high availability (always-accessible data), scalability and flexibility for their healthcare organizations.
To enable scalable, high performance at lower costs, even from remote locations, healthcare and pharmaceutical IT have adopted the cloud. Since cloud data centers can be diversified across the globe, cloud computing provides quick access to globally diverse users.
The cloud also offers the scalability to handle the massive influx of new data generated by new health care applications expected from the implementation of the U.S. Patient Protection and Affordable Care Act (PPACA). The U.S. Department of Health and Human Services (HHS) Stage 3 Proposed Rule is also likely to result in additional volumes of digital data. This Rule seeks to align the EHR Incentive Programs with other CMS quality reporting programs that use certified EHR technology to promote improved patient outcomes and health.
Therefore, it is not surprising that healthcare cloud computing is forecasted to grow to $9.48 billion by 2020, according to a recent study; an impressive increase from the current, 2015 market value of $3.73 billion.
Technology and healthcare have never been more dependent on each other, and ensuring your data is stored on HIPAA-compliant storage systems can be a challenge. InfoTech Healthcare attempts to take this burden off healthcare facilities and provides customers with a mobile storage platform to store data from X-rays to office documents. How many times do users email documents back and forth to share information without encrypting them? InfoTech Healthcare’s goal is to provide healthcare customers with a worry-free solution that requires zero administrative action from the customer while providing information quickly to users no matter their location.
InfoTech Healthcare makes it easy for healthcare organizations to share and store information on a highly secure HIPAA-compliant system that requires no administrative effort by the customer. InfoTech Healthcare provides the tools for users to operate with unlimited storage and share information with other authorized staff quickly. The InfoTech Healthcare storage app is available for Windows, Mac, iPhone, iPad and Android to keep users connected from any location.
Healthcare providers count on storing their office and patient information in a safe and easy-to-use location. InfoTech Healthcare ensures that healthcare providers have an easy-to-use system that meets all the security requirements of the industry. Our team manages all the backend requirements so healthcare providers can focus on using the system rather than managing it. Highly detailed auditing is automatically turned on so that data access can be reviewed by management if ever needed. Our systems can be configured so that our support staff can retrieve information deleted from the system by any user. This prevents unauthorized data destruction and ensures your organization stays compliant with record management requirements. Providing multiple layers of granular security, information can be restricted to seven levels of access ranging from ownership to denied access.
John Penland is the CEO and founder of InfoTech Healthcare. John’s passion for cloud solutions started out of college when working with other healthcare software companies. To be successful, John realized that customers needed a safe and reliable service backed by outstanding customer support and education. John developed key partnerships with other vendors in the market to deliver customers a great set of services for healthcare providers that met all compliance regulations for HIPAA storage. InfoTech Healthcare storage systems are designed to lead the way in cloud storage for healthcare and other business organizations.
In January of this year, Anthem, Inc., a managed care provider, learned of a cyber attack on its IT system. This attack, which occurred over several weeks beginning in December 2014, compromised the identities of over 80 million customers. The breach, in which the healthcare information of millions was compromised, constitutes a serious HIPAA violation, exposing the provider to potentially devastating legal liability.
Unfortunately, this sort of breach perpetrated against healthcare providers is becoming ever more common. The Ponemon Institute, along with ID Experts, issued a report in May this year that showcased healthcare data breaches. The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data calculates a 125 percent growth in healthcare cyber attacks over the past five years. Although employee negligence and lost or stolen devices still result in many data breaches, a shift is occurring from accidental loss to intentional targeting of data that reveals individuals’ names, Social Security numbers, and other personal information.
The reason that healthcare providers are being targeted is that the information they maintain to provide care for their patients is often substantial enough that cyber criminals can use the data from a single healthcare provider to engage in identity theft. Moreover, cyber criminals target healthcare data because they recognize that many healthcare facilities, including insurance companies, don’t have the resources or technologies to prevent or to detect attacks.
Anthem is a large corporate entity that can afford and use the technology required to protect HIPAA sensitive data, and yet the breach still occurred. What can other healthcare businesses do to prevent or detect a cyber attack on HIPAA sensitive data?
Meeting Standards, Avoiding Fines
The growing use of electronic health records and electronic protected health information (ePHI) accounts for the need to protect information contained in these records. But while these records are often well secured, an often overlooked vulnerability point is credit card processing. The Payment Card Industry Data Security Standard (PCI DSS) and HIPAA rules require entities to maintain reasonable and appropriate safeguards for protecting credit card payments. How this translates into actionable steps, however, is less clear. To that end, here are four rules to follow when accepting credit card payments to ensure that you’re meeting HIPAA/PCI mandated or suggested compliance guidelines:
At HIMSS this year, multiple speakers laid out visions for a future where parents could consult with a pediatrician via a telemedicine encounter during the middle of the night, take their children to receive immunization shots at a retail clinic, and have all of this information aggregated in their primary care provider’s record so that providing an up to date immunization record at the start of the next school year is as simple as logging into the PCP’s patient portal and printing out the immunization record. In short, multiple speakers presented visions of a truly interoperable future where patient information is exchanged seamlessly between providers, healthcare applications on smartphones, and insurers.
While initiatives such as the CommonWell Health Alliance, Epic’s Care Everywhere, and regional health information exchanges attempt to address the interoperability challenge, these fall short of fully supporting the future vision described above. Today’s solutions do not address smartphone applications and still require manual intervention to ensure that suggested record matches truly belong to the same patient before the records are linked. This process is costly but manageable in an environment where a low volume of patient records are matched between large provider organizations. In a future world where patient data is available from a multitude of websites, smartphone applications and traditional healthcare organizations, it would be cost prohibitive to manually review and verify all potential record matches.
Of course, one solution to this dilemma would be to improve patient matching algorithms and no longer require manual review of records before they are linked. However, for this to be possible, a standard set of data attributes would need to be captured by any application that would use or generate patient data. In a 2014 industry report to the Office of the National Coordinator for Health Information Technology, first name, last name, middle name, suffix, date of birth, current address, historical address, current phone number, historical phone number, and gender were identified as data attributes that should be standardized. Many of the suggestions in this report were incorporated into the Shared Nationwide Interoperability Roadmap that the ONC released in January 2015.
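The paragraph above argues that automated linking becomes possible once every application captures the same standardized attributes. The following Python is an added example, not code from the article or from the ONC report it cites: it normalizes the ten attributes named in the report, scores a candidate pair, and only auto-links above a high threshold while sending the gray zone to manual review. The weights, thresholds, abbreviation table, record names and patient data are all constructed assumptions for illustration.

```python
"""Added example: scored patient matching on standardized attributes.
Weights, thresholds and sample records are assumptions, not from the page."""
import re
from datetime import datetime

# Attribute set named in the 2014 ONC report cited in the text.
ATTRIBUTES = ("first_name", "last_name", "middle_name", "suffix", "date_of_birth",
              "current_address", "historical_address", "current_phone",
              "historical_phone", "gender")

# Assumed weights: date of birth is the strongest single discriminator here.
WEIGHTS = {"first_name": 1.0, "last_name": 1.0, "middle_name": 0.5, "suffix": 0.25,
           "date_of_birth": 3.0, "address": 1.5, "phone": 1.5, "gender": 0.5}
AUTO_LINK = 7.0   # assumed: link without human review at or above this score
REVIEW = 4.0      # assumed: queue for manual review between REVIEW and AUTO_LINK

_ABBREV = {"street": "st", "avenue": "ave", "apartment": "apt", "road": "rd"}
_GENDER = {"f": "f", "female": "f", "m": "m", "male": "m"}
_DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y")  # ISO and US month/day/year


def _text(value):
    """Lowercase, replace punctuation with spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", (value or "").lower()).split())


def _address(value):
    return " ".join(_ABBREV.get(tok, tok) for tok in _text(value).split())


def _phone(value):
    return re.sub(r"\D", "", value or "")  # digits only


def _dob(value):
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date().isoformat()
        except (ValueError, TypeError):
            continue
    return ""


def normalize(record):
    """Map a raw record (missing keys allowed) onto canonical attribute values."""
    return {
        "first_name": _text(record.get("first_name")),
        "last_name": _text(record.get("last_name")),
        "middle_name": _text(record.get("middle_name")),
        "suffix": _text(record.get("suffix")),
        "date_of_birth": _dob(record.get("date_of_birth")),
        "current_address": _address(record.get("current_address")),
        "historical_address": _address(record.get("historical_address")),
        "current_phone": _phone(record.get("current_phone")),
        "historical_phone": _phone(record.get("historical_phone")),
        "gender": _GENDER.get(_text(record.get("gender")), ""),
    }


def match_score(a, b):
    na, nb = normalize(a), normalize(b)
    score = 0.0
    for field in ("first_name", "last_name", "middle_name", "suffix",
                  "date_of_birth", "gender"):
        if na[field] and na[field] == nb[field]:   # empty values never match
            score += WEIGHTS[field]
    # Current and historical values cross-match: a patient who moved may be
    # filed under the old address in one system and the new one in another.
    addrs_a = {na["current_address"], na["historical_address"]} - {""}
    addrs_b = {nb["current_address"], nb["historical_address"]} - {""}
    if addrs_a & addrs_b:
        score += WEIGHTS["address"]
    phones_a = {na["current_phone"], na["historical_phone"]} - {""}
    phones_b = {nb["current_phone"], nb["historical_phone"]} - {""}
    if phones_a & phones_b:
        score += WEIGHTS["phone"]
    return score


def classify(a, b):
    """Return ('link' | 'review' | 'no_match', score) for a candidate pair."""
    score = match_score(a, b)
    if score >= AUTO_LINK:
        return "link", score
    if score >= REVIEW:
        return "review", score
    return "no_match", score


# Constructed sample records: a clinic EHR entry, a retail-app entry for the
# same person, and a different patient sharing name and birth date.
CLINIC_RECORD = {"first_name": "Maria", "last_name": "Garcia-Lopez", "middle_name": "Elena",
                 "date_of_birth": "1985-03-12", "current_address": "123 Main St. Apt 4",
                 "current_phone": "(555) 010-1234", "gender": "F"}
APP_RECORD = {"first_name": "maria", "last_name": "GARCIA LOPEZ", "date_of_birth": "03/12/1985",
              "historical_address": "123 main street apt 4", "current_phone": "5550101234",
              "gender": "female"}
OTHER_RECORD = {"first_name": "Maria", "last_name": "Garcia Lopez", "date_of_birth": "1985-03-12",
                "current_address": "9 Elm Ave", "current_phone": "(555) 010-9999", "gender": "F"}

if __name__ == "__main__":
    print(classify(CLINIC_RECORD, APP_RECORD))    # expected: ('link', 8.5)
    print(classify(CLINIC_RECORD, OTHER_RECORD))  # expected: ('review', 5.5)
```

The second pair is the case the text describes: same name and birth date but nothing else agrees, so it lands in the review band rather than being linked automatically. Raising the reliability of auto-linking in practice means tuning the weights on a labelled sample of known matches, not lowering the review threshold.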
According to a 2014 Identity Theft Resource Center Report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As the number of patient medical records transitions to a digital sharing model, the potential cost of data breaches is now substantially higher than for those less regulated, like retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as social security numbers and past medical records. With limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to implement stronger security levels. Despite these constraints, with the right technology and best practices in place healthcare organizations can position themselves for success.
The costs associated with “damage control” for many healthcare providers are steep, with the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009 up from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.
Unfortunately, many healthcare organizations are still facing challenges when it comes to effectively communicating and collaborating on security. In many of these healthcare organizations, there is a department for privacy and compliance and then a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the other’s data.
The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate but, when correlated against other activity, could indicate that malicious activity is occurring. A workstation that has always previously accessed clinical data or some other patient information doesn’t raise suspicion. But a subtle, steady increase in traffic, say of five or ten percent, correlated with communication to an unauthorized or new IP address, likely indicates a breach. The same example could apply to an external threat with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware can replicate the very same scenario. Either way, a breach has occurred. The IT security department may discover the situation, investigate and handle it and move on to the next task. But without visibility into this type of data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
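The scenario above (a small, steady rise in a workstation's outbound traffic that only becomes suspicious when correlated with contact to a destination the workstation never used before) is easy to miss if volume and destinations are reviewed separately. The Python below is an added example, not code from the article: it learns a per-host baseline from the first few days of constructed egress summaries, then alerts only when a sustained rise above the five percent threshold the text mentions coincides with a new destination. The log format, host names, addresses, baseline length and minimum run length are all assumptions for illustration.

```python
"""Added example: correlate steady egress growth with new destinations.
Log format, hosts, addresses and thresholds are constructed assumptions."""
from collections import defaultdict

# Constructed daily egress summaries (one line per host, day and destination).
# ws-clinic-07 drifts upward while talking to a never-before-seen address;
# ws-clinic-12 has a single large transfer but no trend and no new peer.
SAMPLE_LOG = """\
day=1 host=ws-clinic-07 dst=10.20.0.5 bytes=1000000
day=2 host=ws-clinic-07 dst=10.20.0.5 bytes=1010000
day=3 host=ws-clinic-07 dst=10.20.0.5 bytes=990000
day=4 host=ws-clinic-07 dst=10.20.0.5 bytes=1000000
day=5 host=ws-clinic-07 dst=10.20.0.5 bytes=1050000
day=6 host=ws-clinic-07 dst=203.0.113.9 bytes=1100000
day=7 host=ws-clinic-07 dst=203.0.113.9 bytes=1160000
day=8 host=ws-clinic-07 dst=203.0.113.9 bytes=1220000
day=1 host=ws-clinic-12 dst=10.20.0.5 bytes=800000
day=2 host=ws-clinic-12 dst=10.20.0.5 bytes=810000
day=3 host=ws-clinic-12 dst=10.20.0.5 bytes=790000
day=4 host=ws-clinic-12 dst=10.20.0.5 bytes=805000
day=5 host=ws-clinic-12 dst=10.20.0.5 bytes=800000
day=6 host=ws-clinic-12 dst=10.20.0.5 bytes=1500000
day=7 host=ws-clinic-12 dst=10.20.0.5 bytes=790000
day=8 host=ws-clinic-12 dst=10.20.0.5 bytes=800000
"""

BASELINE_DAYS = 4        # assumed: days used to learn "normal" for a host
GROWTH_THRESHOLD = 0.05  # the five percent rise mentioned in the text
MIN_RUN = 3              # assumed: consecutive rising days before a trend counts


def parse(log_text):
    """Parse key=value lines into dicts; blank lines are skipped."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kv = dict(token.split("=", 1) for token in line.split())
        records.append({"day": int(kv["day"]), "host": kv["host"],
                        "dst": kv["dst"], "bytes": int(kv["bytes"])})
    return records


def is_steady_rise(volumes, baseline, growth=GROWTH_THRESHOLD, min_run=MIN_RUN):
    """True when the last min_run daily volumes each exceed the previous one
    and the latest is at least `growth` above the baseline. A one-day spike
    that falls back does not qualify."""
    if len(volumes) < min_run:
        return False
    tail = volumes[-min_run:]
    rising = all(later > earlier for earlier, later in zip(tail, tail[1:]))
    return rising and tail[-1] >= baseline * (1 + growth)


def detect(records, baseline_days=BASELINE_DAYS):
    """Return one alert per host whose post-baseline traffic rises steadily
    AND reaches a destination absent from its baseline period."""
    # Aggregate to one entry per host and day: total bytes plus destinations.
    days = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dsts": set()}))
    for r in records:
        entry = days[r["host"]][r["day"]]
        entry["bytes"] += r["bytes"]
        entry["dsts"].add(r["dst"])
    alerts = []
    for host, per_day in days.items():
        ordered = [per_day[d] for d in sorted(per_day)]
        base, later = ordered[:baseline_days], ordered[baseline_days:]
        if len(base) < baseline_days or not later:
            continue  # not enough history to judge this host
        baseline = sum(e["bytes"] for e in base) / len(base)
        known = set().union(*(e["dsts"] for e in base))
        new_dsts = sorted(set().union(*(e["dsts"] for e in later)) - known)
        volumes = [e["bytes"] for e in later]
        # Either signal alone is noise; the correlation is the finding.
        if is_steady_rise(volumes, baseline) and new_dsts:
            alerts.append({"host": host, "baseline": baseline,
                           "latest": volumes[-1],
                           "growth": volumes[-1] / baseline - 1,
                           "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(f"{alert['host']}: +{alert['growth']:.0%} over baseline, "
              f"new destinations {alert['new_destinations']}")
```

On the sample data only ws-clinic-07 alerts; ws-clinic-12's one-day spike is ignored because it neither persists nor involves a new peer. The alert record carries the baseline, latest volume and new destinations so that the same evidence can be handed to the compliance side for the data-leakage assessment the text says they otherwise never see.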
What follows is a nice, yet concise, infographic developed by Clearwater Compliance — an organization that helps health systems ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI) – that provides a nice overview of the current state of healthcare breaches.
Clearwater Compliance states that according to Breach Level Index, there were 336 healthcare data breaches reported in the U.S. last year; “the Office for Civil Rights portal on the HHS website cited 165 breaches affecting 500 or more individuals in 2014.”
Interestingly, the organization points out that non-digital breaches remain an issue. “Paper data breaches accounted for 9 percent of compromised records in the first half of 2014 – and a surprising 31 percent in the second half. In total, nearly 200,000 paper records were compromised last year, along with nearly 60,000 pieces of individually identifiable health information ranging from lab specimens to radiology film,” wrote the Clearwater Compliance team.
Additionally, insider mistakes and malice can be costly. In breaches examined, there were 45 incidents involving insider actions that resulted in the compromise of more than 478,000 records. “That means that about half of all the incidents we studied involved either mistakes or malice by an organization’s own employees and business associates.”
Clearwater Compliance makes the case that, despite an organization’s best efforts, “it’s almost impossible to eliminate all workforce-related data breaches. But organizations can take steps to foster an atmosphere of compliance and prevention.”
Lindy Benton, CEO of MEA|NEA, recently wrote in a piece for MultiBriefs: “According to the Wall Street Journal, Forrester Research recently conducted a survey of more than 2,100 healthcare IT pros and found that only about 60 percent of them said they encrypt devices like laptops, smartphones or tablets. Also according to the research, 39 percent of healthcare security incidents since 2005 have included a lost or stolen device.
“For some additional perspective, since federal reporting requirements started, the U.S. Department of Health and Human Services has tracked major breaches (those affecting 500 people or more) and has identified more than 945 incidents affecting patients’ personal information, affecting more than 30 million people.
“A majority of these breaches are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access of accounts (1.9 million people), according to The Washington Post. And these numbers do not even include the Community Health Systems numbers.