Email encryption, file sharing, and mailbox security
by Chris Apgar, CISSP
Q: We are in the process of building a new office. Would it be HIPAA compliant to have an outside locked mailbox for our general postal mail and therapist paperwork that is dropped off at night? If not, would a mail slot on our front door work better?
A: An outside locked mailbox will suffice to secure incoming mail and therapist paperwork. Ensure that the mailbox is secure and not easily broken into. If the mailbox is secured with a key, it's a good idea to implement a solid key management program so it's known who has a key. Keys should be recovered when an employee resigns or is terminated. If an employee leaves without returning his or her key, it's wise to re-key the lock on the mailbox.
Editor's note
Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
OCR and HIPAA audits. Give you chills, don't they? Most covered entities (CE) naturally fear getting the letter from the HIPAA privacy and security enforcers saying that they're coming?or that they want something. "Something" usually means your policies and procedures, risk analysis, and mitigation efforts if you've suffered a breach. Bottom line: CEs want to avoid OCR unless they need to go to the agency for information on the HIPAA Privacy, Security, or Breach Notification rules
Interoperability isn't a new goal, but 2016 may be the year it becomes closer to a reality. HHS' 2017 budget includes a boost in the Office of the National Coordinator for Health Information Technology (ONC) funding specifically for the development of interoperability guidelines and standards, like an interoperability code of conduct, as well as efforts to combat information blocking.
Staying ahead of change
Being a hot-button issue alone won't solve interoperability's problems. It's a complex initiative, and reaching the goals outlined in the ONC's Interoperability Roadmap means providers, vendors, and policymakers have to work together to create practical guidelines and products that meet all applicable existing legislation, including HIPAA and other privacy and security laws. Interoperability also requires software vendors and developers to go against the very nature of their business and work with the competition.
It's a tall order, but achieving interoperability could greatly reduce the technical burdens many security officers struggle with, as well as create an atmosphere in which providers and vendors can work together to keep PHI safe. If it's not achieved, greater administrative burdens, technological problems, and, at worst, significant security weaknesses could result, cautions Chris Apgar, CISSP, president of Apgar and Associates, LLC, in Portland, Oregon.
Security officers need to pay close attention to interoperability, Apgar says. "Any time code is touched or changes are made in how an application or interface works, [it] raises the risk that the end product will not include the required security controls."
If 2016 is the year the healthcare industry starts making real progress on the road to interoperability, security officers need to make sure they read the map and scout the territory to ensure their organizations don't take any wrong turns.
Q: The chief executive officer of the hospital where I work is talking about having our hospital coding done in India. What are the potential ramifications of this plan for our hospital? I know a prominent hospital in Palo Alto, California, was going to do this in 2011.
Have any U.S. hospitals actually outsourced their medical record coding to foreign countries? What are the liability risks? What do we need to be aware of in terms of HIPAA compliance?
A: Yes, many organizations send coding and transcription work overseas. Despite business associate agreements (which you must get with any such vendor, offshore or not), it may be difficult to ensure that these vendors are HIPAA compliant, although one could make the same argument about U.S. vendors as well. Be sure to do your due diligence by carefully checking your vendor's references (and documenting the results) should you choose to go this route. You might also discuss this with your organization's insurance carrier and/or attorney for an assessment of the risks.
Editor's note: Chris Simons, MS, RHIA, the director of health information and privacy officer at Maine General Medical Center in Augusta, answered these questions. Simons is also an HIMB advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your questions related to HIPAA compliance to Editor Jaclyn Fitzgerald atjfitzgerald@hcpro.com.
To find the right solution for your organization, you must understand how and why employees are using messaging and email services.
"You want a solution that's easy to use, and that's within the work environment of whoever is sending the message," Apgar says. Apgar's case in point is Oregon's state-sponsored CareAccord Direct Secure Messaging email service. The service doesn't connect to all EHRs or an organization's email service. Users have to log in through the website to send a message. Busy employees, he points out, particularly clinical staff like physicians, are unlikely to use a service that requires them to go out of their way, making it a poor choice.
Text messaging solutions directed at the healthcare industry were not always common and user friendly. Until about a year ago, there were few mature products on the market for securing text messages, Apgar says. The ones that did provide good security had serious usability limitations as most could only be used to communicate with other people in your network. A specialist, Apgar says, wouldn't have been able to send a quick, secure text to his or her patient's primary care doctor if the doctor was not part of the specialist's organization. Some services, like Tiger Text and HipaaChat, offer a solution to this problem. (See the March 2015 issue of BOH for more information about Tiger Text.) If the sender uses Tiger Text, but the recipient does not, Tiger Text delivers a text message that includes a link to the now encrypted text message. When the recipient clicks the link, the browser on the mobile device opens up to the text message, which is encrypted at a National Institute of Standards and Technology standard 256-bit encryption.
Keep in mind, however, that you have to treat text messaging the same as email. Device security and storage need to be analyzed. Burton warns that some may not realize the text messages on their phones leave traces of data behind.
Apgar agrees. "They don't understand that ultimately the cell phone carrier has servers that back up your texts, and you have it [stored] on your phone," he says.
