Social media is everywhere—even inside the walls of hospitals. Staff may log into personal accounts during lunch breaks, and many organizations maintain official social media accounts; plus, of course, patients and visitors often rely on social media to keep in touch with friends and family. For many, social media is so much a part of their everyday routine that the benefits are almost too obvious to list. Yet the risks—including potential HIPAA violations—are often not as clear, and privacy and security officers need to stay aware of them.
As OCR's auditors wrap up the final desk audit reports for phase two of the HIPAA audit program, many covered entities (CE) are breathing a little easier. Only 167 CEs were selected for desk audits in July. Audited CEs can expect to wait several months to see the final audit reports, although they will have the opportunity to review a draft version and submit comments that will be attached to the final report.
But phase two is far from over. Business associates (BA) will be selected for desk audits this fall—the first time these entities will be subject to OCR's HIPAA audits. And early next year, OCR will launch comprehensive on-site audits of both CEs and BAs.
Q: What recommendations do you have for handling medical records for staff members who are also patients at the organization where they work? Should we provide extra protection for these patients? What can we do to ensure that staff members are not accessing their coworkers' records without permission or need?
A: I am a firm believer in not adding special protection to any record, because it implies that some records are more confidential than others. In fact, all records are confidential and staff should not access any record unless it is necessary to do so to do their jobs. And, if it is necessary, they should only access the minimum necessary to do the job. HIPAA requires access monitoring, so your organization should conduct routine audits to determine whether staff are accessing records without a work-related reason. There is now software available that can conduct routine audits by staff member and department. This software can be used to reassure staff that their information is not being accessed by coworkers and to hold accountable those who are not following the policy/law. When a staff member raises a concern, an audit should be run to determine whether inappropriate access has occurred, and if it has, sanctions should be applied. Organizations should also consider having a policy that staff should not handle coworkers' (or family members') records (except in an emergency) without the permission of their supervisor.
All of these points should be reviewed at orientation and during (at minimum) annual training to ensure all staff understand that the organization takes such transgressions seriously and will take action as needed to protect the privacy of every patient's information.
Cyber threats continue to grow and evolve, but most share a similar origin: phishing. Phishing emails, seemingly innocuous or legitimate emails used to infiltrate an organization, are a common source of malware and are used for scams in which a criminal impersonates another individual to obtain sensitive information. A study released in March by PhishMe estimated that up to 93% of phishing emails contain ransomware.
Although the damage phishing emails can do is tremendous, security officers can help their organizations turn the tide by using a combination of technical controls and targeted education.
The danger and the success of phishing emails lies in their ability to manipulate the individual on the receiving end. Phishing emails may be sent from domains that are a near-identical match for an organization's and come with what appear to be legitimate and urgent attachments or links. It's a simple scheme that criminals can use for a variety of purposes.
"They hope to get malware installed so they can control the computers they infect or even the entire network. They hope to get network or application login credentials. They hope to trick people into performing certain actions, i.e., a wire transfer of money," Kevin Beaver, CISSP, independent information security consultant at Principle Logic, LLC, in Atlanta, says. "The possibilities are endless."
The Office for Civil Rights (OCR) stepped up HIPAA enforcement in a big way this year. The agency handed down more than $5 million in HIPAA settlement fines in one week in March, and in July reached a HIPAA violation settlement with Advocate Health Care in Illinois that carried a $5.55 million monetary payment. OCR kicked off phase two of its HIPAA Audit Program and will likely complete desk audits of covered entities (CE) and business associates (BA) by the end of the year. Comprehensive on-site audits may occur early in 2017.
However, breaches continue to come at a relentless pace and questions have been raised about OCR's handling of HIPAA violations, particularly repeat HIPAA offenders. And a truly permanent HIPAA audit program may not yet be in sight: OCR states that phase two audits will help the agency plan for a permanent audit program but doesn't state when that might launch.
In a September 2015 report (https://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf), the Office of Inspector General (OIG) said OCR—and HHS as a whole—should strengthen its oversight of CEs and be proactive rather than reactive in its approach to HIPAA enforcement. The report found that in 26% of closed privacy cases, OCR did not have complete documentation of corrective actions taken by CEs. In addition, OCR's case tracking system has significant limitations and makes it difficult for the agency's staff to check if a CE under investigation has been the subject of previous investigations.
All of this may make some CEs and BAs feel that HIPAA compliance is merely optional, and that leads to a weaker privacy and security culture throughout the industry. Although OCR does take action to make its presence felt, it could do more, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.
"I do believe that OCR is trying to let people know that it considers HIPAA compliance an important objective," he says. "With its guidance and ongoing alerts about the occasional enforcement actions here and there, I see OCR's enforcement a small step above being a paper tiger in terms of how seriously people take it."
Threats to PHI are coming fast and furious. Although many organizations are ready to take HIPAA compliance seriously, it requires sustained attention and resources for organizations to protect PHI. That can't happen if privacy and security officers aren't being heard by the board and senior leaders.
In July, OCR announced it reached a HIPAA breach settlement with Oregon Health and Science University (OHSU), an academic health center. In its statement on the settlement, the agency drew attention to the vital role hospital executives and senior leaders play in HIPAA compliance. OHSU did complete risk analyses and identify vulnerabilities, including those that caused the two massive breaches named in the settlement, but no action was taken to mitigate these vulnerabilities. Without support from the top, OHSU's security risks remained unaddressed until it was too late. Failure to address these risks came with a $2.7 million price tag, a strict three-year corrective action plan, and the kind of bad press that's difficult to put a positive spin on.
Privacy and security officers need executive support, but obtaining it may be a challenge. Alliances with key staff and an understanding of the concerns senior leaders face can be a win for privacy and security in the boardroom.
Growing threats to PHI, particularly ransomware, have drawn attention to privacy and security this year. Senior leaders and members of the board may be feeling the pressure to change the way their organizations operate and step up security measures.
There are no federally recognized HIPAA certification standards for covered entities (CE) and business associates (BA) and it's unlikely one will be. However, that doesn't stop larger CEs from requiring some form of certification to demonstrate compliance with HIPAA and proof that BAs have implemented sound information security programs. The Health Information Trust Alliance (HITRUST) published its first common security framework (CSF) in March 2009 with the goal of focusing on information security as a core pillar of the broad adoption of health information systems and exchanges. Larger CEs, primarily large health plans, now require their BAs to become HITRUST certified.
Q: We recently received a request for a patient's records. The patient transferred to another provider several years ago and we subsequently transferred all the patient's records to the new provider. Should I direct the request to the provider the patient transferred to? I'm unsure that we should be responsible for retrieving and releasing information for this patient since we transferred the patient's entire record to the new provider.
A: If you sent a copy of the patient's records to the new provider and still have the original records, it would be appropriate for you to respond to the request. If you transferred all records to the new provider and no longer have the patient's information, refer the request to the new provider.
Editor's note: Mary Brandt, MBA, RHIA, CHE, CHPS, is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
Paper records persist despite healthcare's steady move to purely electronic documentation. Although paper records are simpler to secure than electronic records in some ways—you can't phish your way into a locked file cabinet—they also can't be encrypted. If a paper record is left out on a desk, there's little that can be done to prevent an unauthorized individual from reading it or even taking it. Papers can easily be misplaced or lost. They can be mixed up with another patient's records—or other unrelated papers—on a desk or be put back in the wrong file. And papers can all too easily fall unnoticed out of a file while being taken from one place to another.
Paper is still generated at multiple points, from new patient information forms to medical records that must be printed in part or whole if another provider's EHR system isn't interoperable. Keeping track of paper and ensuring it stays secure remains a challenge for privacy officers, but it can be managed through sound policies and alert staff.
Medical records that exist only on paper and are not digitized will be kept in a folder system. Staff may need access to these records for reference or to make copies, Ruelas says. That means paper records can pass through many hands throughout their lifetime, leaving them vulnerable to simple breaches.
Despite the security headaches caused by electronic information, electronic files can be protected against casual viewing by unauthorized individuals through proper encryption. Paper has no such protection, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says. "Paper records, unlike electronic records, are immediately readable," he warns. "One doesn't need an electronic interface along with a login and passwords."
You also can't easily track paper and log how many people have looked at it. An electronic file may leave a trace even if it's deleted, but a missing paper won't be noticed until someone actually goes looking for it. "Unlike electronic systems, paper documents can be seen and taken by someone without leaving a trace," Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says. And although electronic records are more likely to be involved in large-scale breaches, there can still be paper record breaches involving thousands of patients, she says.
