As healthcare providers continue to search for ways to cut costs and increase efficiency, many are outsourcing selected services. One report indicated that 98 percent of the hospitals surveyed were either actively considering outsourcing or had already done so.  Outsourcing is expanding beyond non-core functions to clinical areas, as healthcare providers look for ways to decrease costs and increase quality. While outsourcing can be a cost-effective move, failure to properly assess and manage risks related to protected health information (PHI) can create legal and reputational issues for the organization.
However, outsourcing and relying on vendors to perform activities that involve access to PHI increases the risk to a covered entity. Over the past three years, the Health and Human Services Office for Civil Rights (OCR) has issued approximately $6 million in financial penalties where failure to obtain a signed HIPAA-compliant business associate agreement (BAA) from at least one vendor was either the sole reason for the financial penalty or contributed to the severity of the penalty.
The HIMSS 2019 Cybersecurity Report noted that 30 percent of the healthcare vendor respondents had not experienced a significant security incident in the prior 12 months. This means that 70 percent had experienced a significant security incident.
HIPAA requires that covered entities have a BAA with vendors that have access to PHI to perform duties on behalf of the covered entity, or if electronic PHI (ePHI) passes through their systems. The HITECH omnibus rules require that business associates comply with the security rule with regard to ePHI, report breaches of unsecured PHI to the covered entity, comply with applicable requirements of the privacy rule, and ensure their subcontractors agree to the same regulations.
While a BAA does provide a covered entity with some legal assurances, a BAA does not necessarily indemnify a covered entity against financial penalties for a breach if the covered entity failed to obtain “satisfactory assurances” of the vendor's security.
Nor will a BAA protect the entity’s reputation. Quest Diagnostics recently experienced a breach by one of their vendors of financial data for approximately 11.9 million patients. While the breach was the fault of the vendor, the media focus and public attention are on Quest Diagnostics.
It’s important to consider if the data an organization is entrusting to a vendor is protected. What is the organization doing to ensure vendors who access ePHI understand their obligations and expectations?
The steps below should be performed at least annually to help organizations ensure that their vendors are securing their data. Covered entities may do this internally or enlist the services of an independent agency to do the review.
Organization Has Required BAAs
Organizations must compare their vendor master file against their BAA file. Many organizations know they set up processes to obtain BAAs when the Health Information Technology for Economic and Clinical Health (HITECH) Act regulations related to business associates were released in 2013, and accounts payable has been trained not to process a check without a BAA. However, experience shows that if there is a way around those controls, someone will have figured it out! Vendors can get established without a BAA when you merge with or acquire another provider. Vendors can get established without a BAA when an emergency purchase is made. Vendors can change ownership without giving you notice that you need an updated BAA.
Reviewing the vendor master file should begin with elimination of vendors that the organization knows are not business associates, such as utilities, employee expense reimbursement, contracted physicians, etc. The organization should then look at all remaining vendors and determine their use of and access to PHI. The process can be time consuming and painful, but if this basic first step is never done, an organization will never know whether it has identified the vendors that are putting the organization at risk. At the end of this process, the organization will have two lists: vendors with BAAs and vendors without BAAs.
Once the organization has a list of vendors that access their PHI, they need to determine “what are these vendors doing to protect patient PHI.” Some questions organizations should ask themselves:
Do we do any periodic reviews of vendor
Did we evaluate security before we started working with the vendor?
Do our vendors have certifications they can provide to us?
If they advertise HITRUST certification, have they sent us a current report?
What do we know about what they are doing with
Are they sending our data off shore?
Do they have security standards that at least meet HIPAA standards?
Evaluation can be done in a number of ways. If a vendor is audited annually to maintain their HITRUST certification, or they have a SOC 2 or other audit done to validate their security controls, ask for the reports. Furthermore, the reports should be reviewed to make sure that the controls the organization relies upon to protect ePHI are functioning. If the vendor doesn’t have an independent review, the organization may need to do its own review. Reach out to the vendor and talk to them about their security. Covered entities may find it helpful to survey their vendors on security.
If a vendor doesn’t want to provide information, or can’t provide good data, the organization needs to perform a risk assessment to determine if they are willing to accept the risk presented from the lack of
After doing the two steps above, organizations should have listings of their vendors and their BAAs. For vendors with BAAs, review those BAAs. Have the agreements been updated to reflect the HITECH Omnibus requirements? Are the agreements complete with the names of both parties and the appropriate signatures? Is the contact information correct? If the vendor doesn’t have a BAA, it’s past time to get a BAA. If a vendor with access to PHI refuses to sign a BAA, it’s time to terminate that relationship!
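As an added example (not from the original article), the vendor-master-to-BAA reconciliation described in the steps above, run over constructed sample files: it eliminates the vendor categories the article names, keeps only vendors with PHI access, produces the two lists, and flags BAAs that are unsigned, pre-Omnibus, or missing contact details. The column names, category labels and the year-based Omnibus check are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data for this example; not from any real organization.
VENDOR_MASTER_CSV = """vendor_id,name,category,phi_access
V001,Metro Power & Light,utility,no
V002,CloudChart Billing,billing_service,yes
V003,Dr. A. Example,contracted_physician,no
V004,ShredSafe Records,records_destruction,yes
V005,Offsite Transcription LLC,transcription,yes
V006,Lobby Coffee Co,food_service,no
"""

BAA_REGISTER_CSV = """vendor_id,counterparty_name,ce_signed,vendor_signed,signed_date,contact_email
V002,CloudChart Billing,yes,yes,2014-03-01,privacy@cloudchart.example
V004,ShredSafe Records,yes,no,2012-06-15,
"""

# Categories eliminated up front because they are not business associates
# (utilities, expense reimbursement, contracted physicians); assumed labels.
EXCLUDED_CATEGORIES = {"utility", "employee_reimbursement", "contracted_physician"}

# The HITECH Omnibus BAA requirements date from 2013; older agreements need review.
OMNIBUS_YEAR = 2013


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_baa(vendor, baa):
    """Return the defects found in one BAA record (empty list if it is clean)."""
    issues = []
    if baa["counterparty_name"].strip() != vendor["name"].strip():
        issues.append("counterparty name does not match vendor master")
    if baa["ce_signed"] != "yes" or baa["vendor_signed"] != "yes":
        issues.append("missing signature(s)")
    if date.fromisoformat(baa["signed_date"]).year < OMNIBUS_YEAR:
        issues.append("signed before the Omnibus rule; update the agreement")
    if not baa["contact_email"].strip():
        issues.append("no contact information on file")
    return issues


def reconcile(vendor_csv, baa_csv):
    """Produce the two lists the review calls for, plus per-vendor findings."""
    vendors = load_rows(vendor_csv)
    baas = {row["vendor_id"]: row for row in load_rows(baa_csv)}
    result = {"with_baa": [], "without_baa": [], "findings": {}}
    for vendor in vendors:
        if vendor["category"] in EXCLUDED_CATEGORIES:
            continue  # step 1: eliminate vendors known not to be business associates
        if vendor["phi_access"].strip().lower() != "yes":
            continue  # step 2: no PHI use or access, so no BAA is required
        vid = vendor["vendor_id"]
        baa = baas.get(vid)
        if baa is None:
            result["without_baa"].append(vid)
            result["findings"][vid] = ["no BAA on file; obtain one or terminate"]
        else:
            result["with_baa"].append(vid)
            result["findings"][vid] = check_baa(vendor, baa)
    return result


if __name__ == "__main__":
    report = reconcile(VENDOR_MASTER_CSV, BAA_REGISTER_CSV)
    print("Vendors with BAAs:   ", report["with_baa"])
    print("Vendors without BAAs:", report["without_baa"])
    for vid, issues in report["findings"].items():
        for issue in issues:
            print(f"  {vid}: {issue}")
```

Swapping the two constructed strings for the organization's real exports (with matching headers) turns this into the annual review's first pass; the findings list is the work queue for the BAA follow-up step.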
Monitoring vendors for PHI security is not a “one time” review. A vendor who had a great security person who understood HIPAA and the organization's requirements can have a financial setback and replace the experienced Security Director to save money. A vendor who assured an organization that its data was stored and processed in the US can suddenly outsource processing of the account to an offshore location. While this monitoring can take time and resources, as many have learned in healthcare — a little prevention can often head off a major issue.
If your organization handles protected health information (PHI) or electronic protected health information (ePHI), you should be well aware of the Health Insurance Portability and Accountability Act, known commonly as HIPAA. HIPAA compliance is regulated by the federal government, and failure to comply with it can attract penalties. Additionally, non-compliance may have severe consequences!
What are the penalties for HIPAA non-compliance?
Congress enacted HIPAA in 1996 with the primary intention of safeguarding sensitive information as people switched jobs. Additionally, the United States’ Department of Health and Human Services (HHS) established the HIPAA Privacy Rule in 2003.
The privacy rule defines PHI as any information handled by a covered entity that concerns the health, treatment, or payment information associated with an individual. As technology-related crimes increased, HIPAA focused on ePHI and created three safeguards in 2005. They include:
Administrative safeguards concentrate on all the policies and procedures that demonstrate protection of ePHI by a given entity
Physical safeguards which revolve around controls instituted to limit access to ePHI storage devices
Technical safeguards which focus on protecting all the communication channels used to transmit ePHI over open networks
Definition of covered entities and business associates
According to HIPAA, covered entities are all the bodies that are involved in the handling of a patient’s data. They include healthcare providers such as clinicians, doctors, nurses, pharmacists, dentists, and chiropractors as well as all healthcare plans providers such as the HMOs, health assurance entities, and government programs.
HIPAA also considers all healthcare clearinghouses as covered entities that should comply with its regulations. These bodies process nonstandard health data that they obtain from the covered entities to transform it into standard data.
Business associates are all the institutions that can access the PHI or ePHI since they are contracted by the covered entities to execute specific activities on their behalf. HIPAA demands that your organization have a written contract that elaborates the responsibility of the business associates in upholding the integrity and confidentiality of the PHI that they handle.
Governing of HIPAA
The privacy and security regulations under HIPAA are enforced by the Office for Civil Rights (OCR), which serves under the Department of Health and Human Services (HHS). OCR provides a platform where you can air your complaints against covered entities as well as their business associates. If you believe there has been a data breach, you should visit the OCR website and submit your claim there for evaluation. Alternatively, you can use their portal, mail, fax, or email services.
Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.
The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.
A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Accurate, Effective and Secure Use of Patient Information at Point of Care
Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information as part of achieving HIPAA-compliant use of PHI with software by adding a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:
Authorization — only authorized staff can access specific devices, network applications and resources with password- or smartcard-based authentication. Network authentication is seamlessly integrated with the document workflow, and to ensure optimal auditing and security, the documents containing PHI are captured and routed to various destinations such as email, folders, fax and EHR systems.
Authentication — user credentials must be verified at the device, by PIN/PIC code, proximity ID, or by swiping a smart card, to access documents containing PHI. Once authenticated, the solution controls what users can and cannot do. It enables or restricts email or faxing and prohibits documents with PHI from being printed, faxed or emailed.
Encryption — communications between smart MFPs and mobile terminals, the server and destinations, such as the EHR, are encrypted to ensure documents are only visible to those with proper authorization.
File destination control — simultaneously monitors and audits the patient information in documents, ensuring PHI is controlled before it ever gets to its intended destination.
Content filtering — automatically enforces security policies to proactively prevent PHI from leaving the hospital by filtering outbound communications and intercepting documents – rendering misdirected or intercepted information unreadable to unauthorized users.
Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.
Myth: All email is HIPAA-compliant
This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.
Myth: My business is too small to worry about HIPAA
Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.
Myth: Any email with PHI must have encryption
If emails are sent in-office over a secure network, encryption over e-mail is not necessary. But once that email is sent out of the office over a wide area network, or through the internet, encryption is a must.
Myth: The recipient must have encrypted email
The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.
Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.
Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.
A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.
Fortunately for providers, “safe harbor” is offered in those cases where the provider can prove that they have properly encrypted all devices that contain PHI. Under the HIPAA security rule, as long as PHI is encrypted according to National Institute for Standards and Technology (NIST) guidelines, it is no longer considered “unsecured” and providers are effectively exempt from improper disclosure being considered a “breach.” Thus, the HIPAA breach notification rule doesn’t apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have related to the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.
While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.
Guest post by Brandee Norris, assistant professor healthcare administration and management school of business and technology, Trevecca Nazarene University.
The health information technology (HIT) industry is on the verge of a dramatic dawning. As more healthcare organizations transition to paperless systems and to meaningful use of a certified electronic health record (EHR), the need to ensure the safety and integrity of healthcare data and to eliminate the risk of health IT breaches increases. In the past five years, the Department of Health and Human Services reported more than 800 breaches of healthcare patient data, breaches that affected more than 30 million patients. Breaches in electronic healthcare data cause serious negative outcomes for patients, stakeholders, and organizations—both public and private—and result in millions of dollars in fines and losses.
As the use of HIT systems increases within the healthcare industry, hospitals and providers of private practices are seeking effective methods to enhance data storage and streamline access to patient information without jeopardizing the privacy of the data. A possible solution to this problem is the transference of protected health information from a local system’s network to a cloud-based electronic medical records (EMR) service. Cloud computing may be categorized as private or public. Based on HIPAA regulations, professionals in the healthcare industry continue to dispute the legitimacy of public cloud computing and compliance with specific requirements of the HIPAA.
Contrary to provisions mandated by HIPAA, cloud-based platforms could accommodate the growing needs of healthcare organizations and provide flexibility to adapt to frequent changes, while providing significant cost savings. The primary objectives of using any variation of a cloud-based program are efficient leveraging of healthcare information, enhancement of patient experience, versatility for providers, and improved clinical outcomes. Cloud-based programs permit 24-hour patient access to electronic records.
Consumers in the 21st century prefer convenient methods to access healthcare services and manage personal information. Consequently, healthcare organizations have adopted patient-centered models to deliver health care and increase provider-patient communication. In addition, cloud-based platforms can facilitate the use of mobile devices, such as smartphones and iPads, allowing patients and providers to access health software applications. The number of healthcare consumers using smartphones to access health information soared from more than 60 million to more than 70 million in the last two years. Anderson projects an estimated 20 percent annual increase of software application sales during the next five years.
Healthcare providers have suggested that significant benefits could occur for patients using mobile software applications to monitor their health status. Currently, numerous types of health software applications exist that are free or obtainable at a reasonable fee. Last year, healthcare providers used health software applications for obtaining diagnostic test results, sending alerts for patients to self-medicate, tracking and monitoring levels of chronic pain, and storing vital signs and emergency contact information. Consumers should be aware that a compatible operating system and adequate storage space are required to download health software applications to a mobile device.
Printing is like electricity – when it works, no one really notices it. They only notice it when it’s not working.
Think about it. Quality communication is a cornerstone of delivering excellent patient care. Almost every department in a healthcare organization relies on their printers to provide instructions and information that are vital to a patient’s health. So, when the printing environment is offline or ineffective, it has a real impact on how healthcare is controlled and delivered.
At Cancer Treatment Centers of America (CTCA), our motto is to deliver “care that never quits,” meaning we place our patients and their caregivers first and foremost in every action and decision that we make. As such, we rely on our technology systems to be seamless, secure and reliable so that we can deliver on our motto.
The Importance of Printing
When a patient arrives at any one of our six treatment centers, he or she receives a personalized booklet providing details regarding his or her treatment schedule. Over the course of a stay, patients will receive additional documents such as prescriptions, post-surgery instructions, discharge summaries and insurance information, just to name a few. Administrative departments also generate and print reports, spreadsheets and presentations that are essential to hospital business functions.
All in all, approximately 90 percent of CTCA’s 5,000 employees rely on printers, printing roughly 30 million pages annually. That means, on average, our employees print more than 82,000 pages per day across the network.
Guest post by Michelle Blackmer, director of marketing, Healthcare, Informatica.
The volume of protected health information (PHI) in electronic form is exploding – both from the wholesale move from paper charts to electronic health records for capturing clinical data and with the proliferation of new sources of electronic data from networked medical devices. Additionally, IT staff have been overwhelmed by regulatory mandates, rampant technology changes (e.g., virtualization, BYOD, big data), massive application projects and flat or decreasing budgets.
This increase in electronic PHI combined with the challenges for health systems IT make it even more important for providers and non-providers to find efficient ways to secure their data. However, with malicious activity showing a consistent upward trend, absent a change to an almost maniacal leadership focus on protecting patient data and the deployment of available tools and processes as an organizational imperative, 2014 will bring even more frequent and larger breaches of PHI.
Current data security climate
Even still, many healthcare organizations are not taking the necessary steps to reduce the proliferation of unprotected PHI in non-production test and development environments. Ninety-four percent of respondents to the third annual Ponemon Institute Benchmark Survey on Patient Privacy and Data Security had at least one data breach in the past two years, and 45 percent reported having had more than five total incidents each. Even more surprising is that the leading cause for a breach is a lost or stolen computing device that houses PHI. The survey also found that:
Unrestricted database administrator (DBA) access heightens risk: 73 percent of DBAs can view all data.
Data compromise/theft remains rampant: 50 percent of respondents say data has been compromised or stolen by a malicious insider such as a privileged user.
Organizations are under-coping: 68 percent have difficulty restricting user access to sensitive data, 66 percent have difficulty complying with privacy/data protection regulations and 55 percent lack confidence that they would even detect data theft/loss from their own production environments.
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities.” These entities generally include healthcare clearinghouses, employer-sponsored health plans, health insurers, and healthcare providers.
PHI is any information held by a covered entity concerning the health status, provision of healthcare, or payment for healthcare that can be linked to an individual.
Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.
Introducing an electronic medical records system into the practice helps the physicians and staff provide more efficient healthcare by making medical records more accessible to all health care team members. It also brings some risks. In this two-part article, CAP Risk Management and Patient Safety identifies 10 areas of risk exposure and provides some brief recommendations in each area.
EMR or EHR
Know your system. Electronic Medical Record is the term most often used for the electronic system now holding the medical records of the physician’s patients. If patients’ medical data is shared electronically with other facilities, locations, caregivers, and/or billers, the term Electronic Health Record is more accurate. The terms are often used interchangeably. Most articles are using the words “Electronic Health Record.”
Provide updated/additional training periodically, especially after software updates and enhancements.