WHITE PAPER
HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty
By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN

[Figure: Data Breaches by cause (Theft, Hacking / IT Incident, Loss, Disclosure, Improper Disposal, Not Specified), 12 Months – 2014 compared with 6 Months – 2015]

2015 breach reports for HIPAA have already surpassed the 100 mark, with 110 reported year to date through June. The average total cost of a data breach is $3.8 million, an increase of 23% since 2013, according to IBM's tenth annual Cost of Data Breach Study. The same study reports that the average cost for each lost or stolen record containing sensitive and confidential information increased 6% to $154. In healthcare, the cost per record is more than double that, at $363.
Source: http://www.hipaajournal.com/2015-healthcare-data-breaches-pass-100-incident-milestone-7052/

Many healthcare organizations may consider themselves unlikely to incur a breach, yet the same study reports a 22% probability of a breach occurring over a 24-month period. This white paper summarizes how to help protect your practice or organization from becoming a casualty of a HIPAA breach.

Conduct a Risk Assessment
Conduct a risk assessment in accordance with the HIPAA Privacy and Security Rules, which govern the use, disclosure and protection of patient information. The risk assessment will force you to review security policies, identify threats and uncover vulnerabilities. Covered entities should be aware of the differences between the Privacy Rule and Security Rule requirements for protected health information. One major distinction is that the HIPAA Security Rule applies only to electronic protected health information (e-PHI). A covered entity is responsible for maintaining the confidentiality, integrity and availability of all e-PHI.
Under the HIPAA Security Rule, covered entities are required to perform a risk analysis that documents the risks and vulnerabilities to e-PHI. Each identified risk or vulnerability should be appropriately addressed and the mitigation steps documented, including any necessary changes to policies and procedures. All documentation should be retained for a minimum of six years. A plan should be developed from the results of the risk analysis, describing how your practice or healthcare organization uses administrative, physical and technical safeguards to mitigate the identified risks. The risk analysis should be an ongoing process, and the Meaningful Use program requires that it be reviewed periodically. The Security Rule is not "one size fits all": its security measures are scalable to a practice or healthcare organization of any size.

The Administrative, Physical and Technical Safeguards are the focus of the OCR Audit Program Protocol for the Security Rule. Covered entities must comply with all of the standards listed below, and some of these standards also have required implementation specifications that must be followed:

Administrative Safeguards
• Security Management Process (Required Implementation Specifications for Risk Analysis, Risk Management, Sanction Policy and Information System Activity Review)
• Assigned Security Responsibility (Required Implementation Specification to Identify a Security Official)
• Workforce Security
• Information Access Management (Required Implementation Specification for Isolating Healthcare Clearinghouse Functions)
• Security Awareness and Training
• Security Incident Procedures (Required Implementation Specification for Response and Reporting)
• Contingency Plan (Required Implementation Specifications for a Data Backup Plan, a Disaster Recovery Plan and an Emergency Mode Operation Plan)
• Evaluation (Required Implementation Specification for Periodic Technical and Non-technical Evaluation)
• Business Associate Contracts and Other Arrangements (Required Implementation Specification for a Written Contract)

Physical Safeguards
• Facility Access Controls
• Workstation Use (Required Implementation Specification for Function and Physical Attributes)
• Workstation Security (Required Implementation Specification for Physical Safeguards and Access Restrictions)
• Device and Media Controls (Required Implementation Specifications for Final Disposal of e-PHI and Procedures for Reuse of Electronic Media)

Technical Safeguards
• Access Controls (Required Implementation Specifications to Assign All System Users a Unique Identifier and to Establish an Emergency Access Procedure)
• Audit Controls (Required Implementation Specification to Record and Examine Activity)
• Integrity Controls
• Transmission Controls
• Person or Entity Authentication (Required Implementation Specification for Authentication Procedures)

With the enactment of HITECH, the HIPAA Enforcement Rule allows Civil Monetary Penalties (CMP) for violations of the Privacy and/or Security Rules. A covered entity can be assessed up to $1.5 million for identical violations in one calendar year, even if it did not know about the violation. Once a violation is known, it must be corrected within 30 days of discovery or the covered entity becomes subject to the maximum penalties.

Continue HIPAA Education
Educate your employees so that they understand that the security of patient health information is an integral part of their professional responsibility. Continually educate employees on current HIPAA rules and regulations, and review state regulations governing the privacy of patient information. When employees are regularly reminded of the consequences of a data breach, the risk of a violation is significantly reduced. Training on the practice or organization's own HIPAA policies and procedures should also be ongoing, so that every employee knows their responsibilities for keeping patient information private and secure.
For instance, a covered entity must obtain an individual's written authorization for any use or disclosure of PHI that is not for treatment, payment or healthcare operations, apart from a few otherwise permitted exceptions. The covered entity should make reasonable efforts to disclose only the minimum amount of PHI necessary for the intended purpose, and access to PHI should be granted only to those employees whose duties require it.

Understanding the Privacy Rule
Covered entities have several requirements under the Privacy Rule. The purpose of the rule is to protect and secure individually identifiable patient information, and the covered provider has the ultimate responsibility for HIPAA compliance. Compliance with the Privacy Rule was required by April 14, 2003. According to the OCR's HIPAA Audit Program Protocol for covered entities, the following Privacy Rule processes, controls and policies will be reviewed:
• Notice of Privacy Practices for PHI
• Rights to request privacy protection for PHI
• Access of individuals to PHI
• Administrative requirements
• Uses and disclosures of PHI
• Amendment of PHI
• Accounting of disclosures

A couple of important aspects of the rule involve practical steps such as assigning a privacy/security officer and training staff. Your employees should know who is serving in these roles. The privacy and security officer should develop, document and maintain policies and procedures, and work with the IT team and EHR vendors. Office policies and procedures should be reviewed and updated as needed to ensure that every feasible measure is in place to secure and protect all PHI, which under the Privacy Rule means PHI in any form: oral, paper or electronic. Most importantly, staff must be continually educated about any changes to existing privacy policies and procedures.

Monitor Devices and Records
The OCR reports 34 data breach incidents affecting 500 or more individuals each from January through mid-August 2015. About half are related to theft, most commonly of laptops, desktop computers and other portable electronic devices. It is important to frequently remind employees to be watchful of any electronic devices or records left unattended. While it is the job of your IT staff to safeguard patient information, employees also need to be mindful of their own role in keeping patient data safe by keeping an eye on devices and patient records.

Encrypt Data & Hardware
While theft and loss remain a key source of data breaches, even more surprising is the vulnerability of healthcare-related devices to hacking. Frequently used devices and systems that cannot be overlooked during a security risk assessment, because they have proven to be vulnerable, include:
• Virtual private network
• Firewalls
• Software
• Printer/Scanner/Fax
• Mail Servers

Many breach incidents involving theft or loss could have been avoided with the use of encryption. HIPAA does not strictly require encryption (under the Security Rule it is an "addressable" rather than a required implementation specification), but it also does not treat the loss of properly encrypted data as a breach: PHI encrypted in accordance with HHS guidance is not "unsecured PHI" under the Breach Notification Rule. Encrypting patient information is therefore one way to avoid potential penalties, and it also reduces your exposure from the other vulnerabilities associated with hardware (servers, networks, mobile and other medical devices). Ensure that networks with public access do not expose private patient information; instead, create dedicated secure networks for the transmission of patient information.

Scrutinize Service-Level Agreements
If you are considering storing patient information and data in the cloud, be certain that the Service Level Agreement (SLA) with your Cloud Service Provider clearly states that you own the data and that it can be accessed securely and in a timely manner. Also ensure that the SLA complies with HIPAA and state privacy laws. A cloud provider that stores or processes PHI on your behalf is a business associate, so a business associate agreement is required in addition to the SLA.

Make Business Associates Accountable
Update and maintain business associate agreements so that they reflect changes to federal and state privacy regulations. Healthcare organizations usually have many vendors with access to patient data, and in the event of a breach the healthcare practice or organization remains responsible. Hold your Business Associates (BAs) accountable for putting safeguards in place to protect PHI, for providing security and risk assessments, and for reporting breaches to the covered entity immediately.

Understand Risks of Being Mobile and Social
The dynamic nature of technology creates more ways to become susceptible to data breaches. Texting, mobile devices and social media, all commonly used among healthcare workers, increase this likelihood.

Is texting patient information a part of how you communicate?
Quicker than a phone call, texting is often used by healthcare workers to convey work-related information. It is important to ensure that you are texting in a HIPAA-compliant manner. Texting has become a routine means of communication for most mobile phone users, including healthcare providers: approximately three-quarters of clinicians use texting to exchange work-related information with other clinicians (see Frost and Sullivan 2011). The convenience, ease and speed of text messaging are all appealing, but under the HIPAA Privacy and Security Rules texting presents many compliance issues. Standard text messaging is not secure and should never be used to exchange patient information. Secure text messaging can be done within the HIPAA regulations, but there are several things to consider (Adam Greene, April 2012):
• Password protection and encryption. Check with the vendor regarding the security of the mobile device.
• A policy regarding what patient information, if any, will be shared.
• Immediate deletion of all texts containing patient information, to reduce the possibility of exposure to an unauthorized third party.
• The ability to remotely wipe the mobile device in case of theft.
• Disclosure of the use of texting in the Notice of Privacy Practices.
• Documentation of texted information in the patient's record if the shared information affects the patient's care. Under the Privacy Rule, the patient must be able to request amendment of their record.
• A business associate agreement with the mobile device carrier if text information is routinely stored on a server or sent via email.
• Immediate disclosure of a security breach and corrective action within 30 days.

Are your mobile devices HIPAA compliant?
Significant civil and criminal penalties, including large fines, loss of licensure and even imprisonment, are associated with HIPAA violations involving the exchange of e-PHI. To avoid these penalties, ensure that your mobile phone usage complies with the HIPAA Privacy and Security Rules. As healthcare evolves, more and more providers use mobile devices when conducting business; in fact, a mobile device is almost a necessity in healthcare today. Healthcare workers who use mobile devices must ensure that they are not risking data breaches and must protect private patient information. If you are a covered entity, you are responsible for complying with HIPAA regulations for securing patient information, including when mobile devices are used. Here are several guidelines for proper security when using mobile devices:
• Before allowing the use of mobile devices, decide whether they will be used to access, retrieve or store patient data, or as part of your organization's internal EHR system.
• Think about the threats that mobile devices pose to the confidentiality of the patient information your organization holds.
• Identify a risk management strategy for mobile devices. Evaluate and maintain the safeguards your organization has in place for them.
• Develop, document and implement a policy for your organization on safeguarding private health information on mobile devices.
• Conduct ongoing privacy training for mobile device users in the workplace.

Do you risk violating HIPAA on social media?
As technology advances, so has social media, with more and more platforms arising for people to communicate anytime, anywhere and with anyone. With the increased presence of social media in our lives comes an increase in the opportunities to breach patient confidentiality. Healthcare workers may not even realize that providing vague details about their day on a social media platform can put them at risk of disclosing personal patient information. Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, web pages, Google+ and LinkedIn can all get healthcare providers into trouble under HIPAA, state privacy laws and state medical laws. Data breaches in the healthcare community have risen with the increased use of social media by physicians and other healthcare professionals, and most of these breaches could have been avoided. Any disclosure of a patient's protected health information (PHI) through social media can be a problem. Here are some tips to avoid violating HIPAA on social media:
• Do not talk about patients online, even in general terms. Simply avoiding the patient's name is not enough; identifying factors such as age and medical condition should also be avoided. Talking about disease conditions, treatment options and research is acceptable; talking about specific patients with those conditions is not.
• Do not blog anonymously. Anonymity gives people a false sense of power, making them feel they can say whatever they want without consequence.
• If you would not say it in a crowded elevator, do not post it online.
• Have a friend check your posts before you share them. What is funny to you may not come off as funny to others, and a fresh set of eyes can help assess whether you are heading down a slippery slope.
• Keep your personal and professional lives separate. Do not send friend requests to patients from your personal accounts. Set your posts so that only friends can view them, and check your privacy settings monthly, as they can change.
As technology and legislation evolve, your policies and procedures need to be updated to stay current. Plan to review them at least once every six months, and be sure your social media policy includes a section on PHI.

Avoid "The Wall of Shame"
Healthcare entities' privacy and security breaches are now highly visible. Under HITECH, any breach affecting 500 or more individuals is posted on "The Wall of Shame", the breach portal on the HHS website. To avoid joining this list, continually monitor your practice or healthcare organization for vulnerabilities and threats, and mitigate any potential risks to PHI to prevent avoidable breaches.

Conclusion
This white paper summarizes ways to help protect your healthcare practice or organization against data breaches. Having policies and guidelines in place, and communicating them to employees, is important so that they know what they can and cannot do. A full compliance program can help ensure that you are HIPAA compliant and protect your entity against data breaches. From policies and procedures to employee training and risk assessments, First Healthcare Compliance offers a comprehensive compliance management solution to help your entity become and remain HIPAA compliant, and to maintain compliance not just with HIPAA but in all areas mandated by the Affordable Care Act (ACA).

Our Solution:
Confidently manage compliance with the First Healthcare Compliance comprehensive compliance management solution, which provides the visibility, oversight, controls and tools to manage your organization's compliance program from the top down and from the bottom up. Mitigate your risk and drive compliance with our customized, scalable, cloud-based solution, coupled with live support from our team of healthcare compliance experts.

First Healthcare Compliance
www.1sthcc.com
888.54.FIRST
3903 Centerville Road, Wilmington, DE 19807
© 2016 First Healthcare Compliance LLC. All rights reserved.