Paper records persist despite healthcare's steady move to purely electronic documentation. Although paper records are simpler to secure than electronic records in some ways—you can't phish your way into a locked file cabinet—they also can't be encrypted. If a paper record is left out on a desk, there's little that can be done to prevent an unauthorized individual from reading it or even taking it. Papers can easily be misplaced or lost. They can be mixed up with another patient's records—or other unrelated papers—on a desk or be put back in the wrong file. And papers can all too easily fall unnoticed out of a file while being taken from one place to another.
Paper is still generated at multiple points, from new patient information forms to medical records that must be printed in part or whole if another provider's EHR system isn't interoperable. Keeping track of paper and ensuring it stays secure remains a challenge for privacy officers, but it can be managed through sound policies and alert staff.
Medical records that exist only on paper and are not digitized will be kept in a folder system. Staff may need access to these records for reference or to make copies, Ruelas says. That means paper records can pass through many hands throughout their lifetime, leaving them vulnerable to simple breaches.
Despite the security headaches caused by electronic information, electronic files can be protected against casual viewing by unauthorized individuals through proper encryption. Paper has no such protection, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says. "Paper records, unlike electronic records, are immediately readable," he warns. "One doesn't need an electronic interface along with a login and passwords."
You also can't easily track paper and log how many people have looked at it. An electronic file may leave a trace even if it's deleted, but a missing paper won't be noticed until someone actually goes looking for it. "Unlike electronic systems, paper documents can be seen and taken by someone without leaving a trace," Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says. And although electronic records are more likely to be involved in large-scale breaches, there can still be paper record breaches involving thousands of patients, she says.
PHI is a bankable commodity. Hackers steal data and sell it to fraudsters. Individuals borrow or trade health information to fraudulently obtain coverage for services. Medical identity theft is a highly personal crime that can impact the victim's finances, personal and professional life, and health. Protecting this data is a tall order and involves staff in diverse departments, from front desk registration to information security.
"It doesn't take much to steal a credit card and use it for a hit-and-run buying spree, but healthcare data includes far more personal information," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. PHI often includes the individual's name, address, and Social Security number, along with medical record numbers and insurance identification number.
Understanding how to detect medical identity theft and how to mitigate its effects can help organizations reduce the prevalence of such crime.
Medical identity theft can be difficult to detect, says Chris Apgar, CISSP, founder of Apgar and Associates, LLC, in Portland, Oregon.
"There is no national tracking system in place like there is with, say, theft of credit card data. I could perpetrate Medicaid fraud using the same data in multiple states, and unlike with credit cards, there is no national system to detect and shut down medical identity theft," he says.
Q: If my medical waste includes PHI, do I need a BAA with our waste management vendor?
A: Yes. For example, clinics and hospitals contracting with bio-waste disposal vendors that dispose of IV bags execute a BAA with the bio-waste disposal vendors. It's no different than the requirement to execute a BAA with a document shredding vendor. If the vendor will come in contact with PHI, a BAA is in order.
Editor's note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
Hackers and malware are routine threats for most healthcare organizations, but this year saw criminals add a devastating tool to their arsenal: ransomware.
Although the dramatic increase in ransomware attacks against healthcare organizations is largely a recent phenomenon, ransomware itself is not new. According to the FBI, it's been around for several years, but the agency began to see an uptick in ransomware attacks in 2015, particularly against organizations. Early this year, the Department of Defense specifically warned healthcare organizations that they are a top target for ransomware. As ransomware continued to grab headlines and lawmakers called for official action, HHS released ransomware response and prevention guidance for healthcare organizations (www.aha.org/content/16/160620cybersecransomware.pdf).
State and federal lawmakers took notice as well. At a March 22 joint hearing of the House of Representatives subcommittees on Information Technology and Health Care, Benefits, and Administrative Rules, some lawmakers suggested HIPAA should be modified to specifically require covered entities and business associates to report ransomware attacks.
Security officers must act now to protect their organizations, and in turn, organizations must be prepared to invest in security and carefully follow related policies. The price for failing to do so could be high.
Creating and conducting an organizationwide risk analysis: Part 2
Editor's note: This is part two of a series about implementing an organizationwide risk analysis. See the May 2016 issue of BOH for part one.
Performing a regular organizationwide risk analysis is a basic HIPAA requirement and also simply good business practice. Beyond checking off an item on the HIPAA compliance list, a risk analysis will help an organization identify and rank security weaknesses, efficiently use resources to address them, and ultimately protect the security and integrity of an organization's data, including PHI, financial, and business operations information. Yet in a world of competing demands and limited resources, a risk analysis may be put off until it's too late. Even if one is completed, security officers may encounter obstacles when trying to act on the results of the risk analysis.
The purpose of a risk analysis is to develop a strategic plan of action that addresses and corrects vulnerabilities, and shouldn't be used to simply create a report on the current state of security, says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts. "Only when an organization performs periodic and as-needed risk assessments, and then mitigates significant risks, can the ISO [information security officer] and leadership have the confidence that their security program is functioning and adequate," she says.
A risk analysis is one of several activities that is part of a risk management program, says Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, manager of risk advisory and forensic services at Wipfli, LLP, in Eau Claire, Wisconsin. The risk management program is about managing risks to the organization (i.e., business mission, image, reputation, and patient safety and privacy), organizational assets, and workforce. An organization can't mitigate risks it isn't aware of and doesn't understand.
Risks are first identified, then analyzed and evaluated based on what action is needed, Ensenbach says. They also must be monitored on an ongoing basis, a vital step that if missed can undermine an otherwise solid risk management program.
As Phase 2 of the HIPAA audit program begins, covered entities (CE) and business associates (BA) will be watching their email for an audit letter from OCR. Of those chosen for audit, most will be selected for a desk audit. They'll have 10 days after receipt of the email to gather requested documents for OCR's auditors.
But how will CEs and BAs know they are collecting the right information? A careful reading of the updated Phase 2 audit protocol (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) will help guide CEs and BAs. But if the protocol isn't read carefully, and in full, important documents could easily be left out, leading to inaccurate audit reports and even a visit from OCR's investigators.
The Phase 2 audit protocol expands the Phase 1 compliance areas to reflect changes made by the 2013 HIPAA omnibus final rule. The updated audit protocol also includes information for BAs, which were not audited during Phase 1 but will be in the current round of audits. The protocol contains a description of the audit areas, general instructions and definitions, and a keyword-searchable table.
Phase 2 audits will be conducted in three rounds. The first two rounds will consist of desk audits of specific audit targets, while the third round will be comprehensive audits. Round one audits will target CEs and round two audits will target BAs.
Editor's note: This is part one of a series about medical identity theft. Look for part two in an upcoming issue of BOH.
Privacy and security officers are sitting on a hoard of valuable data: medical identity information. Social Security numbers. Medicare, Medicaid, and other insurer numbers. Credit card and bank account information. This data can fetch a high price on the black market, and medical identity theft costs patients, providers, and insurers millions of dollars a year. The lure of medical identity information makes healthcare organizations an appealing target for criminals, from large operations launching sophisticated hacking schemes to smaller groups running tried and true fraud scams.
A 2015 study conducted by the Ponemon Institute and sponsored by the Medical Identity Fraud Alliance (MIFA), the Fifth Annual Study on Medical Identity Theft, found that medical identity fraud nearly doubled between 2010 and 2014. More than 2.3 million adults were victims of medical identity theft and fraud in 2014 alone. The average cost per victim was $13,500 and the combined out-of-pocket cost was approximately $20 billion. But the financial impact is only the tip of the iceberg. Medical identity theft can result in physical harm to a patient if the medical record is altered to include another person's information such as allergies, disease status, or blood type.
Healthcare organizations often absorb some of the costs, and if the stolen PHI was used to commit Medicare or Medicaid fraud, they could be investigated by the OIG.
The stakes are high but by raising awareness and championing education and robust security programs, privacy and security officers can help their organizations stay one step ahead of criminals.
