A few weeks ago, photos surfaced of longtime former talk show host David Letterman sporting what has been termed “a retirement beard.” His influence was so great that his beard now even has a following (and has generated quite a reaction). And so, 10 months after he called it quits, I thought it appropriate to give a nod to one of Letterman’s most iconic segments, his “Top 10,” with my own Top 10 list for complying with applicable Security Law:
10. The HIPAA Security Audit. If you are feeling overwhelmed and anxious with every new Big Data breach announced and don’t know where to start with getting your own Security Compliance program up to snuff, start with the HIPAA Security Audit. Not only is it legally required under HIPAA (see 45 C.F.R. 164.306), but the comprehensive checklist of Technical, Administrative and Physical Implementation Specifications that must each be evaluated, if done right, will get your organization well on its way to identifying risks and allowing it to hopefully prevent a breach. Unfortunately, many organizations either do not complete the Security Audit properly (not thoroughly enough) or do not do enough to mitigate the gaps that are identified. Concentra recently ended up paying HHS $1.7 million because although they identified 254 of their 597 laptops were NOT encrypted, they did NOTHING until a breach caused ePHI to be compromised when an unencrypted laptop was stolen. The moral of the story here? Complete the HIPAA Security Audit, do it right, and if you identify gaps in security, fix them!
9. Learn From Resolution Agreements. HHS posts every resolution agreement it enters into with a covered entity for HIPAA non-compliance (and in the near future, we expect to see resolution agreements with Business Associates too). To date, there are 32 Settlement Agreements posted; one lucky winner (Cignet) was even assessed Civil Monetary Penalties. Why are these important for Security Law compliance? Because they highlight areas where others have fallen short, and what issues HHS looks for in an effective security compliance program. Resolution Agreements are a great opportunity to learn from others’ mistakes. Failure to complete updates to the Security Analysis, failure to encrypt devices, improper disposal, lack of policies and processes, and failure to implement security measures are among the mistakes HHS has no tolerance for, and that your organization cannot afford to make.
8. Learn From Big Breaches. We all shake our heads when big data breaches hit the headlines, the most recent being MedStar, which now faces an FBI investigation. This case, like others, can cause many emotions from disgust to exasperation, but it also offers a learning opportunity. With each new big breach, we should be asking, “what went wrong?” and “how do I prevent that from happening to my organization?” In the Anthem breach, which was reported early last year, the access credentials of a System Administrator were somehow obtained and this led to an external hack. The employee realized this when he saw queries being run across the database which he did not initiate (good catch, employee!). This was immediately reported, and notifications were issued to individuals without delay. One takeaway here is to ask why or how the access credentials were compromised. Employees should be well-educated and trained regarding not sharing access credentials, not writing them down (and then throwing them out), not storing their user names and passwords on unsecured electronic devices, and not responding to “phishing” emails where someone posing as “IT personnel” asks for their credentials. Do your employees all have a heightened sensitivity to phishing for access credentials? Does your organization have policies that prohibit IT personnel or others from requesting access credentials by email or other unsecured or unauthenticated means? If you don’t, you should — or you might end up like Anthem.
7. Get Control Over Your Business Associates. I know. Trying to get Business Associate Agreements in place with vendors is as easy as herding cats. But, it must be done. All vendors that require access to PHI to perform a function or service on behalf of a covered entity are business associates (note: if they don’t require access to PHI, then the vendor is not a BA and a BAA is not needed). Once you have identified all your BA vendors, getting contractual language in place is critical; and, I don’t mean just “HIPAA-compliant” BAA language. There is a lot at stake when an organization hands over their PHI to a third party, and although BAs are now directly liable for non-compliance with the HIPAA Security Rule, a basic bare bones HIPAA BAA does not address a lot of other stuff. There are many other important issues, such as allocating responsibility as to who secures ePHI and when, allocating risk, allocating costs and liability, and migration of the data post-termination of the relationship (and who pays and how much). The time to address these issues and manage these risks is during the contracting process with your BA vendors, because later it will be too late.
6. Social Media & The Internet. Does your organization have policies specifically regarding social media use and the Internet? If it doesn’t, it should. Use of professional chat groups and other social media may be appropriate, but disclosing PHI on such sites, either inadvertently or negligently, is not. Things I’ve seen:
- A video is posted on YouTube for what seems like a good cause, but when you zoom in on the video, you can see a whiteboard with patient names and other identifiable information in the background;
- A doctor posts a case on a professional chat circle to seek colleagues’ opinions, but while she does not disclose her patient’s name, she discloses sufficient other general information that enabled someone else in the chat group to identify the patient;
- A nurse posts a picture of a patient’s echocardiogram on her Facebook page that shows a very, very rare disease. Since it’s just a picture, she thinks the patient can’t be identified. However, one of her distant “friends” knows where she works, and knows that her neighbor has spoken about having a rare cardiac condition that lines up with the picture, and so in all likelihood can identify the patient.
These are all breaches. Social media and the Internet pose a new Wild West and challenge for security. Corralling this relatively new security risk starts with developing solid policies on these topics, and then educating employees on what is and what is not allowed when it comes to the Internet and social media use.
5. No Snooping! The temptations can be great, but employees must be made aware of the repercussions of snooping. Snooping violates patient privacy and security. In Walgreens v. Hinchy, a jury awarded a patient/customer $1.4 million after a pharmacist viewed a patient record for her personal purposes (she wanted to know if her husband’s ex-girlfriend had a prescription for a condition that she believed her husband contracted). In the Walgreens case, the corporation was forced to pay up under the legal theory of respondeat superior, which makes an employer essentially liable for the illegal act of its employee. But this case might have been avoided with better training and internal sanctions. Employees should also be made aware that state attorneys general have criminally prosecuted individuals, including doctors, nurses and other staff, who have snooped in patient records with no legitimate purpose. Therefore, the stakes are high, but the solution is easy. If the reason one wants to access a record is not an “authorized” purpose (i.e. treatment, payment, health care operations), then access is prohibited. Period.
4. Email & Texting. Gmail, iCloud, Yahoo, Hotmail, etc. — these are all insecure. Patient information should not be sent through unsecured email and texting. Unfortunately, employee non-compliance is high, as they do not want to give up the efficiency of using these easy means to “quickly” send a file or other patient information. However, the speed at which the information travels does not correlate with the level of security those methods offer. With all the focus HHS is placing on encryption, and given that it can help avoid breaches, I would not recommend allowing emailing and texting (there is an exception HHS allows if a patient requests that their PHI be sent directly to them by email, and is informed of the security risk of the provider/covered entity doing so). Luckily, secure alternatives and solutions are continuing to pop up, such as direct messaging, encrypted patient portals, TigerText and PingMD. Look into them, and get your employees to stop texting patient information!
3. Encrypt. This includes data in motion and data at rest. If you do not encrypt devices that house or facilitate ePHI, you better have a very exceptional reason why you do not — and you have to document it (per the HIPAA Security Rule), otherwise you will get no sympathy from HHS when data is breached. Encryption is also a Safe Harbor under the Breach Notification Rule, so if a device is lost, stolen, or hacked but the ePHI is encrypted, you do not have to notify HHS or individuals (at least under HITECH, but check your individual state’s breach laws).
2. Report Breaches & Security Incidents. Here, I am talking about the internal kind of reporting. Employees are the “eyes and ears” of an organization. A covered entity must notify HHS and individuals of a Breach as soon as it is discovered or “should have been discovered with reasonable diligence” (see 45 C.F.R. 164.404(a)). That means that as soon as an employee is aware of a breach, the 60-day time frame within which an organization has to make its notifications starts ticking. For this reason, it is critical for employees to know to whom they must report such knowledge. If they don’t, the covered entity can be assessed additional penalties for every patient and every day that the notices are late. Delay in notifying individuals about a breach, or in discovering a breach, may also lead to a larger volume of data being compromised for a longer period of time, which is why time is of the essence when getting information from the employee to a person who is able to properly act on it.
1. Educate & Train. The human factor is probably one of the weakest links in security compliance. The only way to begin to manage this risk and weakness is to start by establishing a culture at your organization where security is vital. Employees must be constantly educated and trained on the organization’s policies and expectations. I’ve found that the most effective method of training employees is through use cases. What should an employee do when he/she discovers a breach? What kinds of phishing emails might employees see, and how should they respond? A well-educated and trained workforce that is given constant security reminders on the latest and greatest hacking schemes and security vulnerabilities will better ensure that your security program is more effective and your organization is hopefully less vulnerable to breaches.
For more information on this critical topic, join us Tuesday, April 12 at noon ET as Helen Oscislawski and Steve J. Fox, Principal, Post & Schell, discuss how CIOs and other health IT leaders can keep their organizations secure in an interactive panel discussion.