Tag: protected health information

Are Your Vendors Putting the PHI of Your Patients At Risk?

By Carol Amick, manager of health care services, CompliancePoint.  


As healthcare providers continue to search for ways to cut costs and increase efficiency, many are outsourcing selected services.  One report indicated that 98 percent of the hospitals surveyed were either actively considering outsourcing or had already done so. [1] Outsourcing is expanding beyond non-core functions to clinical areas, as healthcare providers look for ways to decrease costs and increase quality. While outsourcing can be a cost-effective move, failure to properly assess and manage risks related to protected health information (PHI) can create legal and reputational issues for the organization.

Outsourcing and relying on vendors to perform activities that involve access to PHI increases the risk to a covered entity. Over the past three years, the Health and Human Services Office for Civil Rights (OCR) has issued approximately $6 million in financial penalties in cases where the failure to obtain a signed, HIPAA-compliant business associate agreement (BAA) from at least one vendor was either the sole reason for the penalty or contributed to its severity. [2]

The HIMSS 2019 Cybersecurity Report noted that 30 percent of the healthcare vendor respondents had not experienced a significant security incident in the prior 12 months.[3] This means that 70 percent had experienced a significant security incident.

HIPAA requires that covered entities have a BAA with vendors that access PHI to perform duties on behalf of the covered entity, or through whose systems electronic PHI (ePHI) passes. The HITECH Omnibus rules require that business associates comply with the Security Rule with regard to ePHI, report breaches of unsecured PHI to the covered entity, comply with the applicable requirements of the Privacy Rule, and ensure their subcontractors agree to the same obligations. [4]

While a BAA does provide a covered entity with some legal assurances, a BAA does not necessarily indemnify a covered entity against financial penalties for a breach if the covered entity failed to obtain “satisfactory assurances” of the vendor's security. [5] Nor will a BAA protect the entity's reputation. Quest Diagnostics recently experienced a breach, by one of its vendors, of financial data for approximately 11.9 million patients. [6] While the breach was the fault of the vendor, the media focus and public attention are on Quest Diagnostics.

It's important to consider whether the data an organization is entrusting to a vendor is protected. What is the organization doing to ensure vendors who access ePHI understand their obligations and the organization's expectations?

The steps below should be performed at least annually to help organizations ensure that their vendors are securing their data. Covered entities may do this internally or enlist the services of an independent agency to do the review.  

Verify the Organization Has Required BAAs

Organizations must compare their vendor master file against their BAA file. Many organizations know they set up processes to obtain BAAs when the Health Information Technology for Economic and Clinical Health (HITECH) Act regulations related to business associates were released in 2013 [7], and accounts payable has been trained not to process a check without a BAA. However, experience shows that if there is a way around those controls, someone will have figured it out! Vendors can get established without a BAA when you merge with or acquire another provider. Vendors can get established without a BAA when an emergency purchase is made. Vendors can change ownership without notifying you that an updated BAA is needed.

Reviewing the vendor master file should begin with the elimination of vendors that the organization knows are not business associates, such as utilities, employee expense reimbursement, contracted physicians, etc. The organization should then look at all remaining vendors and determine their use of and access to PHI. The process can be time consuming and painful, but if this basic first step is never done, an organization will never know whether it has identified the vendors that are putting it at risk. At the end of this process, the organization will have two lists: vendors with BAAs and vendors without BAAs.

Evaluation of Vendors

Once the organization has a list of vendors that access their PHI, they need to determine “what are these vendors doing to protect patient PHI.” Some questions organizations should ask themselves:

Evaluation can be done in a number of ways. If a vendor is audited annually to maintain its HITRUST certification, or has a SOC 2 or other audit done to validate its security controls, ask for the reports. Those reports should then be reviewed to make sure that the controls the organization relies upon to protect ePHI are functioning. If the vendor doesn't have an independent review, the organization may need to do its own review. Reach out to the vendor and talk to them about their security. Covered entities may find it helpful to survey their vendors on security.

If a vendor doesn't want to provide information, or can't provide good data, the organization needs to perform a risk assessment to determine whether it is willing to accept the risk presented by the lack of information.

Update BAAs

After completing the two steps above, organizations should have listings of their vendors and their BAAs. For vendors with BAAs, review those BAAs. Have the agreements been updated to reflect the HITECH Omnibus requirements? Are the agreements complete, with the names of both parties and the appropriate signatures? Is the contact information correct? If a vendor doesn't have a BAA, it's past time to get one. If a vendor with access to PHI refuses to sign a BAA, it's time to terminate that relationship!
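The three steps above (reconcile the vendor master against the BAA file, eliminate known non-business-associates, then check each remaining BAA for Omnibus updates, signatures and contact details) can be scripted against two exports. The example below is added here and is not the article's or CompliancePoint's code; the CSV column names and the vendor rows are constructed for illustration, not a real system's schema.

```python
"""Reconcile a vendor master file against a BAA register (added example).

Assumed, constructed extracts:
  vendor master : vendor_id, name, category, phi_access
  BAA register  : vendor_id, counterparty, signed_by_ce, signed_by_ba,
                  omnibus_updated, contact_email
"""
import csv
import io
from dataclasses import dataclass

# Categories the article says can be eliminated up front because they are
# not business associates (utilities, employee reimbursement, contracted physicians).
NON_BA_CATEGORIES = {"utility", "employee_reimbursement", "contracted_physician"}

# Constructed sample data; vendor ids, names and addresses are placeholders.
VENDOR_MASTER = """vendor_id,name,category,phi_access
V001,Acme Billing Services,billing,yes
V002,Metro Power,utility,no
V003,Dr. Example (contracted),contracted_physician,no
V004,Offsite Shred Co,records_destruction,yes
V005,CloudHost Inc,hosting,yes
V006,Emergency Transcription LLC,transcription,yes
"""

BAA_REGISTER = """vendor_id,counterparty,signed_by_ce,signed_by_ba,omnibus_updated,contact_email
V001,Acme Billing Services,yes,yes,yes,privacy@acme.example
V004,Offsite Shred Co,yes,no,yes,
V005,CloudHost Inc,yes,yes,no,security@cloudhost.example
V999,Former Vendor Ltd,yes,yes,yes,legal@former.example
"""


@dataclass
class Finding:
    vendor_id: str
    name: str
    issue: str


def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def reconcile(vendor_csv: str, baa_csv: str):
    """Return (vendors with a BAA, vendors without a BAA, list of findings)."""
    vendors = _rows(vendor_csv)
    baas = {r["vendor_id"]: r for r in _rows(baa_csv)}
    with_baa, without_baa, findings = [], [], []

    for v in vendors:
        if v["category"] in NON_BA_CATEGORIES:
            continue  # step 1: drop vendors known not to be business associates
        if not _yes(v["phi_access"]):
            continue  # no PHI access, so no BAA is required
        baa = baas.get(v["vendor_id"])
        if baa is None:
            without_baa.append(v["vendor_id"])
            findings.append(Finding(v["vendor_id"], v["name"], "no BAA on file"))
            continue
        with_baa.append(v["vendor_id"])
        # step 3: the BAA review questions from the article
        if not _yes(baa["omnibus_updated"]):
            findings.append(Finding(v["vendor_id"], v["name"], "BAA not updated for HITECH Omnibus requirements"))
        if not (_yes(baa["signed_by_ce"]) and _yes(baa["signed_by_ba"])):
            findings.append(Finding(v["vendor_id"], v["name"], "BAA missing a signature"))
        if not baa["contact_email"].strip():
            findings.append(Finding(v["vendor_id"], v["name"], "BAA contact information missing"))
        if baa["counterparty"].strip().lower() != v["name"].strip().lower():
            findings.append(Finding(v["vendor_id"], v["name"], "BAA counterparty name does not match vendor master"))

    # A BAA with no vendor behind it often signals an ownership change or a
    # retired vendor whose replacement was never papered.
    for vid in sorted(baas.keys() - {v["vendor_id"] for v in vendors}):
        findings.append(Finding(vid, baas[vid]["counterparty"], "BAA has no matching vendor in master file"))
    return with_baa, without_baa, findings


if __name__ == "__main__":
    have, lack, issues = reconcile(VENDOR_MASTER, BAA_REGISTER)
    print("with BAA:", have, "| without BAA:", lack)
    for f in issues:
        print(f"{f.vendor_id:5} {f.name:30} {f.issue}")
```

On the constructed data the script lists V006 as the PHI-accessing vendor with no BAA and flags V004, V005 and the orphaned V999 for follow-up.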

Monitoring vendors for PHI security is not a “one time” review. A vendor that had a great security person who understood HIPAA and the organization's requirements can have a financial setback and replace the experienced security director to save money. A vendor that assured an organization its data was stored and processed in the US can suddenly outsource processing of the account to an offshore location. While this monitoring takes time and resources, as many in healthcare have learned, a little prevention can often head off a major issue.


[1] https://www.prnewswire.com/news-releases/by-2022-average-hospital-costs-must-be-reduced-by-24-to-breakeven-and-outsourcing-may-be-the-solution-says-black-book-300643743.html

[2] https://www.hipaajournal.com/hipaa-business-associate-agreement/

[3] https://www.himss.org/2019-himss-cybersecurity-survey

[4] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

[5] https://www.hipaajournal.com/hipaa-business-associate-agreement/

[6] https://www.washingtonpost.com/business/economy/quest-diagnostics-discloses-breach-of-patient-records/2019/06/03/aa37b556-860a-11e9-a870-b9c411dc4312_story.html?utm_term=.ef131df9330b

[7] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html

Penalties For Violating HIPAA

By Ken Lynch, founder and CEO, Reciprocity Labs.


If your organization handles protected health information (PHI) or electronic protected health information (ePHI), you should be well aware of the Health Insurance Portability and Accountability Act, known commonly as HIPAA. HIPAA compliance is regulated by the federal government, and failure to comply can attract penalties. Additionally, non-compliance may have severe consequences!

What are the penalties for HIPAA non-compliance?

Congress enacted HIPAA in 1996 with the primary intention of safeguarding sensitive information as people switched jobs. Additionally, the United States Department of Health and Human Services (HHS) established the HIPAA Privacy Rule in 2003.

The Privacy Rule defines PHI as any information handled by a covered entity that concerns the health, treatment, or payment information associated with an individual. As technology-related crime increased, HIPAA's focus extended to ePHI, and three categories of safeguards were created in 2005. They include:

Definition of covered entities and business associates

According to HIPAA, covered entities are all the bodies involved in the handling of a patient's data. They include healthcare providers such as clinicians, doctors, nurses, pharmacists, dentists, and chiropractors, as well as all health plan providers such as HMOs, health insurance entities, and government programs.

HIPAA also considers all healthcare clearinghouses to be covered entities that must comply with its regulations. These bodies process nonstandard health data obtained from covered entities and transform it into standard data.

Business associates are all the institutions that can access PHI or ePHI because they are contracted by covered entities to execute specific activities on their behalf. HIPAA demands that your organization have a written contract that spells out the responsibility of the business associate for upholding the integrity and confidentiality of the PHI it handles.

Governing of HIPAA

The privacy and security regulations under HIPAA are enforced by the Office for Civil Rights (OCR), which serves under the Department of Health and Human Services (HHS). OCR provides a platform where you can file complaints against covered entities as well as their business associates. If you believe there has been a data breach, you can visit the OCR website and submit your claim there for evaluation. Alternatively, you can use their portal, mail, fax, or email.


How Organizations Meet Compliance Demands with Smart Technology

Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.

Chris Strammiello

The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.

A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.

Accurate, Effective and Secure Use of Patient Information at Point of Care

Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information, as part of achieving HIPAA-compliant use of PHI, by adding a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.

With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:


Dispelling the Myths about HIPAA Compliance

Guest post by Erik Kangas, CEO, LuxSci.

Erik Kangas

Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.

Myth: All email is HIPAA-compliant

This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.

Myth: My business is too small to worry about HIPAA

Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.

Myth: Any email with PHI must have encryption

If emails are sent in-office over a secure network, encryption over e-mail is not necessary. But once that email is sent out of the office over a wide area network, or through the internet, encryption is a must.

Myth: The recipient must have encrypted email

The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.


Patient Portals: Security Concern or Effective Tool?

Martin Edwards

Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.

Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.

A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.

Fortunately for providers, “safe harbor” is offered in those cases where the provider can prove that they have properly encrypted all devices that contain PHI. Under the HIPAA Security Rule, as long as PHI is encrypted according to National Institute of Standards and Technology (NIST) guidelines, it is no longer considered “unsecured,” and providers are effectively exempt from an improper disclosure being considered a “breach.” Thus, the HIPAA breach notification rule doesn't apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have related to the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.

While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.


The Future of Health IT: A “Dawning” of Dynamic Proportions

Brandee Norris

Guest post by Brandee Norris, assistant professor healthcare administration and management school of business and technology, Trevecca Nazarene University.

The health information technology (HIT) industry is on the verge of a dramatic dawning. As more healthcare organizations transition to paperless systems and to meaningful use of a certified electronic health record (EHR), the need to ensure the safety and integrity of healthcare data and to eliminate the risk of health IT breaches increases. In the past five years, the Department of Health and Human Services reported more than 800 breaches of healthcare patient data, breaches that affected more than 30 million patients. Breaches in electronic healthcare data cause serious negative outcomes for patients, stakeholders, and organizations—both public and private—and result in millions of dollars in fines and losses.

As the use of HIT systems increases within the healthcare industry, hospitals and private-practice providers are seeking effective methods to enhance data storage and streamline access to patient information without jeopardizing the privacy of the data. A possible solution to this problem is the transfer of protected health information from a local system's network to a cloud-based electronic medical records (EMR) service. Cloud computing may be categorized as private or public. Based on HIPAA regulations, professionals in the healthcare industry continue to dispute the legitimacy of public cloud computing and its compliance with specific requirements of HIPAA.

Contrary to provisions mandated by HIPAA, cloud-based platforms could accommodate the growing needs of healthcare organizations and provide flexibility to adapt to frequent changes, while providing significant cost savings. The primary objectives of using any variation of a cloud-based program are efficient leveraging of healthcare information, enhancement of patient experience, versatility for providers, and improved clinical outcomes. Cloud-based programs permit 24-hour patient access to electronic records.

Consumers in the 21st century prefer convenient methods to access healthcare services and manage personal information. Consequently, healthcare organizations have adopted patient-centered models to deliver health care and increase provider-patient communication. In addition, cloud-based platforms can facilitate the use of mobile devices, such as smartphones and iPads, allowing patients and providers to access health software applications. The number of healthcare consumers using smartphones to access health information soared from more than 60 million to more than 70 million in the last two years. Anderson projects an estimated 20 percent annual increase in software application sales during the next five years.

Healthcare providers have suggested that significant benefits could accrue to patients who use mobile software applications to monitor their health status. Currently, numerous types of health software applications exist that are free or obtainable for a reasonable fee. Last year, healthcare providers used health software applications to obtain diagnostic test results, send alerts for patients to self-medicate, track and monitor levels of chronic pain, and store vital signs and emergency contact information. Consumers should be aware that a compatible operating system and adequate storage space are required to download health software applications to a mobile device.


Cancer Treatment Centers of America Improves Patient Care with Managed Print Services

Chris Downs

Guest post by Christopher Downs, vice president, information services, Cancer Treatment Centers of America.

Printing is like electricity – when it works, no one really notices it. They only notice it when it’s not working.

Think about it. Quality communication is a cornerstone of delivering excellent patient care. Almost every department in a healthcare organization relies on their printers to provide instructions and information that are vital to a patient’s health. So, when the printing environment is offline or ineffective, it has a real impact on how healthcare is controlled and delivered.

At Cancer Treatment Centers of America (CTCA), our motto is to deliver “care that never quits,” meaning we place our patients and their caregivers first and foremost in every action and decision that we make. As such, we rely on our technology systems to be seamless, secure and reliable so that we can deliver on our motto.

The Importance of Printing

When a patient arrives at any one of our six treatment centers, he or she receives a personalized booklet providing details regarding his or her treatment schedule. Over the course of a stay, patients will receive additional documents such as prescriptions, post-surgery instructions, discharge summaries and insurance information, just to name a few. Administrative departments also generate and print reports, spreadsheets and presentations that are essential to hospital business functions.

All in all, approximately 90 percent of CTCA’s 5,000 employees rely on printers, printing roughly 30 million pages annually. That means, on average, our employees print more than 82,000 pages per day across the network.


Data Breaches of Protected Health Information Will Get More Frequent in 2014


Guest post by Michelle Blackmer, director of marketing, Healthcare, Informatica.

The volume of protected health information (PHI) in electronic form is exploding – both from the wholesale move from paper charts to electronic health records for capturing clinical data and with the proliferation of new sources of electronic data from networked medical devices. Additionally, IT staff have been overwhelmed by regulatory mandates, rampant technology changes (e.g., virtualization, BYOD, big data), massive application projects and flat or decreasing budgets.

This increase in electronic PHI, combined with the challenges facing health system IT, makes it even more important for providers and non-providers to find efficient ways to secure their data. However, with malicious activity showing a consistent upward trend, absent a change to an almost maniacal leadership focus on protecting patient data and the deployment of available tools and processes as an organizational imperative, 2014 will bring even more frequent and larger breaches of PHI.

Current data security climate

Even so, many healthcare organizations are not taking the necessary steps to reduce the proliferation of unprotected PHI in non-production test and development environments. Ninety-four percent of respondents to the third annual Ponemon Institute Benchmark Survey on Patient Privacy and Data Security had at least one data breach in the past two years, and 45 percent reported having had more than five total incidents each. Even more surprising is that the leading cause of a breach is a lost or stolen computing device that houses PHI. The survey also found that:


What HIPAA Means for Care Providers and EHR vendors?


Guest post by Scott Parker, Cure MD

The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities.” These entities generally include healthcare clearinghouses, employer-sponsored health plans, health insurers, and healthcare providers.

PHI is any information held by a covered entity concerning the health status, provision of healthcare, or payment for healthcare that can be linked to an individual.

Covered entities must disclose PHI to the individual within 30 days of a request. They also must disclose PHI when required to do so by law, such as when reporting suspected child abuse to state child welfare agencies.


Every Physician and Medical Practice Should Be Aware of These Common Risks and Safeguards for EHRs – Are You? (Part 1)

Guest post by Allan Ridings and Joseph Wager, senior risk management and patient safety specialists, Cooperative of American Physicians.

Part 1 of a two-part series.

Introducing an electronic medical records system into the practice helps physicians and staff provide more efficient healthcare by making medical records more accessible to all members of the health care team. It also brings some risks. In this two-part article, CAP Risk Management and Patient Safety identifies 10 areas of risk exposure and provides brief recommendations for each.

EMR or EHR

Know your system. Electronic Medical Record is the term most often used for the electronic system now holding the medical records of the physician's patients. If patients' medical data is shared electronically with other facilities, locations, caregivers, and/or billers, the term Electronic Health Record is more accurate. The terms are often used interchangeably, and most articles now use the words “Electronic Health Record.”

Provide updated/additional training periodically, especially after software updates and enhancements.
