If your organization handles protected health information (PHI) or electronic Protected Health Information (ePHI), you should be well aware of the Healthcare Insurance Portability and Accountability Act known commonly as HIPAA. The HIPAA compliance is regulated by the federal government and failure to comply with it can attract penalties. Additionally, non-compliance may have severe consequences!
What are the penalties for HIPAA non-compliance?
Congress enacted HIPAA in 1996 with the primary intention of safeguarding sensitive information as people switched jobs. Additionally, the United States’ Department of Health and Human Services (HSS) established HIPAA Privacy Rule in 2003.
The privacy rule defines PHI as any information handled by a covered entity that concerns the health, treatment, or payment information associated with an individual. As technology related crimes increased, HIPAA focused on ePHI where they created three safeguards in 2005. They include:
Administrative safeguards concentrate on all the policies and procedures that demonstrate protection of ePHI by a given entity
Physical safeguards which revolve around controls instituted to limit access to ePHI storage devices
Technical safeguards which focused on safeguarding all the communication channels used to transmit ePHI over open networks
Definition of covered entities and business associates
According to HIPAA, covered entities are all the bodies that are involved in the handling of a patient’s data. They include healthcare providers such as clinicians, doctors, nurses, pharmacists, dentists, and chiropractors as well as all healthcare plans providers such as the HMOs, health assurance entities, and government programs.
HIPAA also considers all healthcare clearinghouses as covered entities that should comply with its regulations. These bodies process nonstandard health-data that they obtain from the covered entities to transform it into standard data.
Business associates are all the institutions that can access the PHI or ePHI since they are contracted by the covered entities to execute specific activities on their behalf. HIPAA demands that your organization have a written contract that elaborates the responsibility of the business associates in upholding the integrity and confidentiality of the PHI that they handle.
Governing of HIPAA
The privacy and security regulations by HIPAA are enforced by the Office for Civil Rights (OCR) which serves under the Department of Health and Human Services (HSS). OCR provides a platform where you can air your complaints against covered entities as well as their business associates. If you feel that there is a data breach, you should visit the OCR website and submit your claims there for evaluation. Alternatively, you can use their portal, mail, fax, or email services.
Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.
The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.
A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Accurate, Effective and Secure Use of Patient Information at Point of Care
Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information as part of achieving HIPAA-compliant use of PHI with software by adding a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:
Authorization — only authorized staff can access specific devices, network applications and resources with password or smartcard based authentication. Network authentication is seamlessly integrated with the document workflow and to ensure optimal auditing and security, the documents containing PHI are captured and routed to various destinations such as email, folders, fax and EHR systems.
Authentication — user credentials must be verified at the device, by PIN/PIC code, proximity (ID), or by swiping a smart card access documents containing PHI. Once authenticated, the solution controls what users can and cannot do. It enables or restricts email or faxing and prohibits documents with PHI from being printed, faxed or emailed.
Encryption — communications between smart MFP’s and mobile terminals, the server and destinations, such as the EHR, are encrypted to ensure documents are only visible to those with proper authorization.
File destination control — simultaneously monitors and audits the patient information in documents, ensuring PHI is controlled before it is ever gets to its intended destination.
Content filtering — automatically enforces security policies to proactively prevent PHI from leaving the hospital by filtering outbound communications and intercepting documents – rendering misdirected or intercepted information unreadable to unauthorized users.
Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.
Myth: All email is HIPAA-compliant
This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.
Myth: My business is too small to worry about HIPAA
Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.
Myth: Any email with PHI must have encryption
If emails are sent in-office over a secure network, encryption over e-mail is not necessary. But once that email is sent out of the office over a wide area network, or through the internet, encryption is a must.
Myth: The recipient must have encrypted email
The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.
Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.
Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.
A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.
Fortunately for providers, “safe harbor” is offered in those cases where the provider can prove that they have properly encrypted all devices that contain PHI. Under the HIPAA security rule, as long as PHI is encrypted according to National Institute for Standards and Technology (NIST) guidelines, it is no longer considered “unsecured” and providers are effectively exempt from improper disclosure being considered a “breach.” Thus, the HIPAA breach notification rule doesn’t apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have related to the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.
While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.
Guest post by Brandee Norris, assistant professor healthcare administration and management school of business and technology, Trevecca Nazarene University.
The health information technology (HIT) industry is on the verge of a dramatic dawning. As more healthcare organizations transition to paperless systems and to meaningful use of a certified electronic health record (EHR), the need to ensure the safety and integrity of healthcare data and to eliminate the risk of health IT breaches increases. In the past five years, the Department of Health and Human Services reported more than 800 breaches of healthcare patient data, breaches that affected more than 30 million patients. Breaches in electronic healthcare data cause serious negative outcomes for patients, stakeholders, and organizations—both public and private—and result in millions of dollars in fines and losses.
As the use of HIT systems increases within the healthcare industry, hospitals and providers of private practices are seeking effective methods to enhance data storage and streamline access to patient information without jeopardizing the privacy of the data. A possible solution to this problem is the transference of protected health information from a local system’s network to a cloud-based electronic medical records (EMR) service. Cloud computing may be categorized as private or public. Based on HIPAA regulations, professionals in the healthcare industry continue to dispute the legitimacy of public cloud computing and compliance with specific requirements of the HIPAA.
Contrary to provisions mandated by HIPAA, cloud-based platforms could accommodate the growing needs of healthcare organizations and provide flexibility to adapt to frequent changes, while providing significant cost savings. The primary objectives of using any variation of a cloud-based program are efficient leveraging of healthcare information, enhancement of patient experience, versatility for providers, and improved clinical outcomes. Cloud-based programs permit 24-hour patient access to electronic records.
Consumers in the 21st century prefer convenient methods to access healthcare services and manage personal information. Consequently, healthcare organizations have adopted patient-centered models to deliver health care and increase provider-patient communication. In addition, cloud-based platforms can facilitate the use of mobile devices, such as smartphones and iPads, allowing patients and providers to access health software applications. The number of healthcare consumers using smartphones to access health information soared from more than 60 million to more than70 million in the last two years. Anderson projects an estimated 20 percent annual increase of software application sales during the next five years.
Healthcare providers have suggested that significant benefits could occur for patients using mobile software applications to monitor their health status. Currently, numerous types of health software applications exist that are free or obtainable at a reasonable fee. Last year, healthcare providers used health software applications for obtaining diagnostic test results, sending alerts for patients to self- medicate, track and monitor levels of chronic pain, and store vital signs and emergency contact information. Consumers should be aware that a compatible operating system and adequate storage space are required to download health software applications to a mobile device.
Printing is like electricity – when it works, no one really notices it. They only notice it when it’s not working.
Think about it. Quality communication is a cornerstone of delivering excellent patient care. Almost every department in a healthcare organization relies on their printers to provide instructions and information that are vital to a patient’s health. So, when the printing environment is offline or ineffective, it has a real impact on how healthcare is controlled and delivered.
At Cancer Treatment Centers of America (CTCA), our motto is to deliver “care that never quits,” meaning we place our patients and their caregivers first and foremost in every action and decision that we make. As such, we rely on our technology systems to be seamless, secure and reliable so that we can deliver on our motto.
The Importance of Printing
When a patient arrives at any one of our six treatment centers, he or she receives a personalized booklet providing details regarding his or her treatment schedule. Over the course of a stay, patients will receive additional documents such as prescriptions, post-surgery instructions, discharge summaries and insurance information, just to name a few. Administrative departments also generate and print reports, spreadsheets and presentations that are essential to hospital business functions.
All in all, approximately 90 percent of CTCA’s 5,000 employees rely on printers, printing roughly 30 million pages annually. That means, on average, our employees print more than 82,000 pages per day across the network.
Guest post by Michelle Blackmer, director of marketing, Healthcare, Informatica.
The volume of protected health information (PHI) in electronic form is exploding – both from the wholesale move from paper charts to electronic health records for capturing clinical data and with the proliferation of new sources of electronic data from networked medical devices. Additionally, IT staff have been overwhelmed by regulatory mandates, rampant technology changes (e.g., virtualization, BYOD, big data), massive application projects and flat or decreasing budgets.
This increase in electronic PHI combined with the challenges for health systems IT make it even more important for providers and non-providers to find efficient ways to secure their data. However, with malicious activity showing a consistent upward trend, absent a change to an almost maniacal leadership focus on protecting patient data and the deployment of available tools and processes as an organizational imperative, 2014 will bring even more frequent and larger breaches of PHI.
Current data security climate
Even still, many healthcare organizations are not taking the necessary steps to reduce the proliferation of unprotected PHI in non-production test and development environments. Ninety-four percent of respondents to the third annual Ponemon Institute Benchmark Survey on Patient Privacy and Data Security had at least one data breach in the past two years, and 45 percent reported having had more than five total incidents each. Even more surprising is that the leading cause for a breach is a lost or stolen computing device that houses PHI. The survey also found that:
Unrestricted database administrator (DBA) access heightens risk: 73 percent of DBAs can view all data.
Data compromise/theft remains rampant: 50 percent of respondents say data has been compromised or stolen by a malicious insider such as a privileged user.
Organizations are under-coping:68 percent have difficulty restricting user access to sensitive data, 66 percent have difficulty complying with privacy/data protection regulations and 55 percent lack confidence that they would even detect data theft/loss from their own production environments.
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities.”These entities generally include healthcare clearinghouses, employer sponsored health plans, health insurers, and healthcare providers.
PHI is any information held by a covered entity concerning the health status, provision of healthcare, or payment for healthcare that can be linked to an individual.
Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.
Introducing an electronic medical records system into the practice helps the physicians and staff provide more efficient healthcare by making medical records more accessible to all health care team members. It also brings some risks. In this two-part article, CAP Risk Management and Patient Safety identifies 10 areas of risk exposure and provides some brief recommendations in each area.
EMR or EHR
Know your system. Electronic Medical Record is the term most often used for the electronic system now holding the medical records of the physician’s patients. If patients’ medical data is shared electronically with other facilities, locations, caregivers, and/or billers, the term Electronic Health Record is more accurate. The terms are often used interchangeably. Most articles are using the words “Electronic Health Record.”
Provide updated/additional training periodically, especially after software updates and enhancements.