Common HIPAA Risks & The New HITECH Final Rule
Eric W. Humes

What is HIPAA?
• The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to protect the privacy of patient information.

PHI vs. ePHI
• Two considerations to keep in mind:
  • HIPAA Privacy Rule – General guidelines relative to Protected Health Information (PHI)

Little Known Fact #1
• PHI must be protected in ANY form!
  • Many people think that HIPAA only applies to PHI in electronic form. While it is true that the Security Rule applies only to electronic PHI, ePHI is also covered by the Privacy Rule, which covers PHI in *ALL* forms.
• Examples of other forms
  • Hard copy information
    • Charts, insurance forms, lab results, etc.
  • Electronic forms
    • Emails, blogs, tweets, EPM/EMR software, check-in kiosks, unprotected monitors, etc.

CEs & BAs Must Comply
• Covered Entities (CEs):
  • Health plans
  • Healthcare clearinghouses
  • Any healthcare provider
• Business Associates (BAs):
  • Anyone who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a Covered Entity.

Little Known Fact #2
• Business Associates (BAs) of Covered Entities (CEs) must comply with the terms of HIPAA as outlined within their BA agreement.
  • Many IT consulting firms do not realize that their actions are governed by HIPAA just the same as the practices' are.
  • We ALL share in the responsibility of protecting our patients' health

HIPAA Violations
• 2 types of HIPAA violations
  • Unintentional
  • Intentional
→ Read the LHE article on Technology and Common HIPAA Risks:
http://www.leagueofhealthcareexperts.com/news/hipaa_risk_0112.html

Examples of Unintentional Violations
• Improper disposal of old computers and backup tapes
• Inadequate physical protection of computers or networks containing ePHI
• Leaving detailed PHI in a voicemail message
• Sending unencrypted ePHI in an email
• Blogging/Facebooking/tweeting about a patient situation – even if doing so anonymously
• Careless handling of user names and passwords
• Inadequate network firewall
• Exposing EMR systems to malicious code (malware) when connecting to the Internet
• Failure to maintain Business Associate Agreements with vendors
• Allowing patients or visitors to be near unattended and unlocked

Examples of Intentional Violations
• Accessing or using ePHI without having a legitimate need to do so
• Allowing another employee to utilize any systems via your password
• Disclosure of PHI to an unauthorized individual
• Sale of PHI to any source
• Accessing ePHI on a website or cloud-based EMR that is not secured*
• Connecting unapproved devices to the network
• Failure to encrypt ePHI before transporting it (physically or electronically)
• Misuse of confidential patient information for personal use
• Deliberately compromising EMR security measures

Other Considerations
• How does today's technology change the way WE should think about HIPAA?
  • Social networking
  • Cloud computing
  • Mobility
• What about our patients?
  • Patient communication
  • Patient portals
• Clinical workflows
  • HIPAA risks associated with them

Social Networking
• Social networking
  • Facebook
  • LinkedIn
  • Twitter
  • Blogs
• Excellent ways to share information, but remember:
  • Never post anonymously about a patient

Patient Identifiers
• The 18 Health Information Identifiers:
  1. Names
  2. Geographic location
  3. Dates
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device identifiers
  14. Web Universal Resource Locator (URL)
  15. Internet protocol (IP) address number
  16. Biometric identifiers (including finger or voice prints)
  17. Full face photographic images and any comparable images
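As an added example that is not part of the original slides, the following Python screen checks a draft message for several of the identifier classes listed above before it is emailed or posted; the regexes, the subset of classes covered and the sample note are this example's own assumptions, and since regexes cannot recognise names or geographic details, a clean result is a screen, not proof of de-identification.

```python
import re
from typing import Dict, List

# Simplified patterns for a subset of the 18 identifier classes listed on the
# slide (assumption: these regexes are this example's own, not a regulatory
# specification). Names, geographic data and free-text identifiers are not
# covered by regexes alone, so a clean result is a screen, not a guarantee.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}

# Constructed sample: a draft note of the kind that must not leave the
# practice in an unencrypted email or a social-media post.
SAMPLE_NOTE = (
    "Patient John Q. Sample (MRN 0012345, SSN 987-65-4320, DOB 03/14/1962) "
    "can be reached at (555) 123-4567 or jsample@example.com. Results were "
    "uploaded to https://portal.example.com/results?id=77 from workstation "
    "10.20.30.40 on 2013-01-25."
)


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every identifier class found in text, with the matched values."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def redact(text: str) -> str:
    """Replace each match with a [CLASS] token so the text can be reviewed."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


def is_safe_to_send(text: str) -> bool:
    """True only when none of the screened identifier classes appears."""
    return not find_identifiers(text)


if __name__ == "__main__":
    print(find_identifiers(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```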

Cloud Computing
• Current forecast: cloudy with a good chance of encryption!
• New regulations provide answers to common questions about 3rd-party cloud (storage & hosting) and communications providers.
• Question: Are cloud-based service providers considered BAs? YES!
  • Online backup services
  • Web-based EPM/EMR hosting companies
  • Internet Service Providers
  • Any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

Mobility
• Mobile technology
  • Smart phones
  • iPads
  • Tablets
  • Laptops
• Mobile devices are easily lost, stolen, or compromised
  • Password protect all devices
  • Enable "Remote Wipe" services
  • Encrypt any ePHI on mobile devices

Patient Communication
• Patient portals
  • Real-time access to patient records on-line
  • Growing in popularity since Meaningful Use
  • The specific Meaningful Use measures that a patient portal can help to meet are:
    • Timely electronic access to changes in health information
    • Electronic copies of their health record
    • Clinical summaries after each office visit
    • Patient-specific education resources
  • Bottom line: Must be secure!

Clinical Workflow
• HIPAA risks associated with clinical workflow:
  • Patient left alone in a room with an unlocked computer
    • Ctrl+Alt+Del, then Enter, locks a Windows computer
    • Some EMRs have a hot key or button that will automatically lock the computer
  • ePHI left exposed on a monitor screen
    • Common in check-in/check-out areas and nurse stations
    • Cover all public-area monitors with privacy filters, which only allow a limited viewing angle

HIPAA/HITECH Final Rule

HIPAA/HITECH Final Rule – Timeline
• Announced: January 25th, 2013
• Effective: March 26th, 2013
• Compliance by: September 23rd, 2013

HIPAA/HITECH Final Rule Highlights
• Business associates of covered entities are now directly liable for compliance.
• Business associates may now be liable for up to $1.5 million for noncompliance with privacy regulation, based on the level of negligence.
• Strengthens limitations on the use of PHI for marketing purposes.

HIPAA/HITECH Final Rule Highlights
• Covered Entities must…
  • Assign a designated Information Security Officer
  • Establish a change control committee and change control process

HIPAA/HITECH Final Rule Highlights
• Patients will now have the ability to request electronic medical records in electronic form.
• Companies that transmit and/or store PHI — regardless of whether they actually view it — are now considered business associates.
  • Cloud-based backup companies
  • Cloud-based EMR vendors
  • Internet Service Providers (AT&T, Charter, Windstream, etc.)

HIPAA/HITECH Final Rule Highlights
• The new rules require the business associate to ensure that any subcontractors it may engage on a Covered Entity's behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
• Your IT consulting firm / contractor will need BAAs with its subcontractors and vendors.

Questions still remain…
• Should patients receive a % of penalties collected for violations?
• Why should patients have to wait up to 60

Final Thoughts
• Simply put, HIPAA restricts the sharing of PHI.
  • "Need to know basis"
• PHI should be shared with as few individuals as needed to ensure patient care.