HIPAA Security

HIPAA Security Culture of Compliance

Establishing Your Culture of Compliance

Covered Entities (CEs) or Business Associates (BAs) must instill and support a security-minded organizational culture. What the heck does that mean, “Culture of Compliance”? Establishing a “culture of compliance” in your healthcare organization will require buy-in from leadership; without it ALL efforts to secure electronic protected health information (ePHI) will fail! All workforce members in the organization must subscribe to the shared vision of information security so that habits and practices become automatic.

As Leon Rodriguez, former Director, HHS Office for Civil Rights, stated: “A ‘culture of compliance’ means that everybody has to see themselves as responsible for the privacy and security of health information. You have talked about leadership … Employers need to make clear to their employees that this is something that they take seriously, including in their disciplinary policies and, of course, their training policies. It is something that really needs to flow down to ALL the employees who handle health information.”

Here are three steps that must be taken:
• Education and training must be frequent and ongoing; we recommend role-based training for all workforce members.
• Those who manage and direct the work of others must set a good example and resist the temptation to indulge in exceptionalism.
• Accountability and taking responsibility for information security must be among the organization’s core values.

Protecting patients through good information security practices should be second nature to ALL healthcare organizations entrusted with ePHI. However, none of these measures can be effective unless the CE or BA is willing and able to:
• Implement them!! Don’t find out the hard way like many others, after a security incident.
• Enforce policies that require these safeguards to be used.
• Effectively and proactively train ALL users so that they are sensitized to the importance of information security. This includes ransomware, phishing and other cybersecurity trends.

Covered Entities and Business Associates, your patients are entrusting you with their most private and intimate details; they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Each week, in “Know The Rules!” I describe HIPAA Security for Business Associates and offer ways to decrease the likelihood that patients’ ePHI will be exposed to unauthorized disclosure, alteration, destruction or denial of access. Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

Data Encryption

What is encryption?

Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (a type of formula). If information is encrypted, there is a low probability that anyone other than the receiving party, who has the key to the code or access to another confidential process, would be able to decrypt (translate) the text and convert it into plain, comprehensible text.

Is the use of encryption mandatory in the Security Rule?

Answer: No. The HIPAA Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). Because the encryption implementation specification is addressable, it must be implemented if, after an enterprise-wide risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic protected health information (ePHI). If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the Covered Entity (CE) or Business Associate (BA) may choose not to implement the implementation specification or any equivalent alternative measure, and must document the rationale for this decision.

You need to decide whether and how to use encryption. Let’s talk for a second about what we mean by encryption: encryption is a way of scrambling electronic information so that it is unreadable to someone who does not have the authority to read that information.

Find Out What Happens When Your Third-Party Vendors are NOT HIPAA Compliant

Required: HIPAA Risk Analysis

Today, I discuss the importance of conducting an enterprise-wide risk analysis to identify vulnerabilities to your ePHI, and then the steps to execute the required HIPAA Risk Analysis. Since the passage of the Omnibus Rule, Covered Entities (CEs) are required to have a signed Business Associate Agreement (BAA) with all of their Business Associates (BAs). Often BAs outsource their services to subcontractors, who are also required to observe the same restrictions on the use and disclosure of electronic protected health information (ePHI).

3 Steps Every Business Associate Should Take!
1. Appoint your Security Official – this person will be responsible for ensuring that the activities necessary to secure ePHI are carried out.
2. Conduct your HIPAA Risk Analysis to identify your Administrative, Physical and Technical Safeguards.
3. After identifying your risks, begin to develop policies and procedures for your security management program based on the findings of the HIPAA Risk Analysis.

BAs and subcontractors of ALL sizes and complexities MUST conduct and document a comprehensive HIPAA Risk Analysis of the computer and other information systems they use to create, receive, maintain, or transmit ePHI, to identify potential risks and respond accordingly; 45 CFR § 164.308(a)(1). Yes, this means you too, solo practitioner and solo BA!

What Happens When the BA is NOT Compliant?

North Memorial Health Care was required to pay $1.55 Million in HIPAA penalties following an investigation of an unencrypted laptop stolen from one of its BAs, Accretive Health. OCR’s Resolution Agreement states:
• North Memorial began providing Accretive with access to North Memorial’s PHI on March 21, 2011, and did not enter into a written BAA with Accretive until October 14, 2011. See 45 C.F.R. § 164.308(b) and 45 C.F.R. § 164.502(e).
• From March 21, 2011 to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to Accretive when North Memorial provided Accretive with access to PHI without obtaining Accretive’s satisfactory assurances, in the form of a written BAA, that Accretive would appropriately safeguard the PHI. See 45 C.F.R. § 164.502(a).
• North Memorial failed to conduct an accurate and thorough risk analysis that incorporated all of North Memorial’s information technology equipment, applications, and data systems using electronic PHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A).

A BA can be held directly liable and subject to civil and, in some cases, criminal penalties for uses and disclosures of PHI that were not authorized. Establishing and maintaining an effective information security program is not only a regulatory requirement, but also a critical activity for the protection of your patients’ information. Business Associates, it is your responsibility to have a complete risk analysis conducted!

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” Newsletter today, AND learn more about our FREE monthly webinar.

The Importance of Using Passwords in Healthcare

Passwords and Passphrases

The Administrative Safeguards of the HIPAA Security Rule require Covered Entities (CEs) and Business Associates (BAs) to implement procedures for creating, changing and safeguarding passwords [for details see: Security Awareness and Training, §164.308(a)(5)]. Make sure you create and regularly use strong passwords (i.e. usually 10 characters or more, including uppercase and lowercase letters, numbers, and special characters like #$&*). When creating your passwords, consider using unique “passphrases”: sentences that may be easier to remember than a very complex password, e.g. “I got A new bike for my 8th birthday!” would become ItAwkry8b! Do NOT use passwords or phrases that would be easy to guess, such as a pet’s name or your birth date. Maintaining strong and unique passwords decreases the risk of password guessing based on commonly used passwords, information about you that might be publicly available, or the password cracking tools that hackers use.

Are You Using the Same Password for All Users?

Does the HIPAA Security Rule permit a CE or BA to assign the same log-on ID or user ID to multiple employees? Answer: No. Under the HIPAA Security Rule, CEs and BAs, regardless of their size, are required under § 164.312(a)(2)(i) to “assign a unique name and/or number for identifying and tracking user identity.” A “user” is defined in § 164.304 as a “person or entity with authorized access.” Accordingly, the HIPAA Security Rule requires CEs and BAs to assign a unique name and/or number to each employee or workforce member who uses a system that maintains electronic protected health information (ePHI), so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.

Over the past years, the healthcare sector has been one of the biggest targets of cybercrime, resulting in breaches due to weak authentication. To learn about Two Factor Authentication, sign up for your copy of our HIPAA Security Rule – Know The Rules! Newsletter today!!
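As an added example (not part of the original post or any HIPAA alli tool), the Python check below implements the password guidance above at account-creation time: minimum length, all four character classes, rejection of commonly used passwords, and rejection of passwords built from facts about the user such as a pet’s name or birth date. The common-password list, the sample user facts and the birth date are constructed for illustration.

```python
import string
from datetime import date

# Constructed stand-in for a list of commonly used passwords (assumption: a real
# deployment would load a published common-password list instead).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123",
                    "letmein", "12345678", "iloveyou", "admin123"}

MIN_LENGTH = 10  # the post's guideline: usually 10 characters or more


def _birth_date_forms(d):
    """Spellings of a birth date a guesser would try (four digits or longer)."""
    return {
        d.strftime("%Y%m%d"), d.strftime("%m%d%Y"), d.strftime("%d%m%Y"),
        d.strftime("%m%d%y"), d.strftime("%m%d"), d.strftime("%Y"),
        d.strftime("%Y-%m-%d"), d.strftime("%m/%d/%Y"),
    }


def check_password(candidate, known_facts=(), birth_date=None):
    """Return the list of policy violations; an empty list means the password passes.

    known_facts: strings about the user that are easy to guess or look up
    (pet's name, user ID, surname); birth_date: datetime.date or None.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # All four character classes the post calls for.
    classes = {
        "uppercase letter": any(c.isupper() for c in candidate),
        "lowercase letter": any(c.islower() for c in candidate),
        "number": any(c.isdigit() for c in candidate),
        "special character": any(c in string.punctuation for c in candidate),
    }
    problems.extend(f"missing {name}" for name, ok in classes.items() if not ok)

    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    # Case-insensitive substring match against what is known about the user.
    for fact in known_facts:
        if len(fact) >= 3 and fact.lower() in lowered:
            problems.append(f"contains personal information ({fact!r})")

    if birth_date is not None:
        for form in sorted(_birth_date_forms(birth_date)):
            if form in candidate:
                problems.append(f"contains birth date ({form})")
                break
    return problems


def demo_results():
    """Run the post's passphrase-derived password and a guessable pet-name password."""
    return {
        "passphrase": check_password("ItAwkry8b!"),
        # Constructed user facts: pet named Fluffy, born 1985-04-02.
        "pet_name": check_password("Fluffy1985!", known_facts=["Fluffy"],
                                   birth_date=date(1985, 4, 2)),
    }


if __name__ == "__main__":
    for label, problems in demo_results().items():
        print(f"{label}: {problems or 'OK'}")
```

Note that the pet-name password is 11 characters long and mixes all four classes, yet still fails: length and character classes alone do not catch guessable personal information.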

Mobile Devices and Protected Health Information

Mobile Devices in Healthcare

These days mobile devices and Internet of Medical Things (IoMT) devices are more powerful and hold more information than ever before, and they pose heightened security risks. This includes your smartphone, tablet, medical devices (medical equipment storing electronic protected health information [ePHI]), and any other type of equipment that provides convenient access to your computer, ePHI, email, banking and social media accounts. Unfortunately, it could also provide the same convenient access for hackers. Healthcare organizations, Covered Entities (CEs) and Business Associates (BAs), rely heavily on these devices to create, receive, maintain, or transmit ePHI and must include them in their enterprise-wide risk analysis and take action(s) to reduce the risks identified to a reasonable and appropriate level. See 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

Additional risks when using mobile devices for PHI

Due to their small size and portability, mobile devices are at a greater risk of being lost or stolen. A lost or stolen mobile device containing unsecured PHI could lead to a breach, triggering HIPAA breach notification obligations for a CE and/or their BAs. Additional risks arise, and extra precautions should be taken, when personal mobile devices are used to store or access PHI. Permitting the use of personal mobile devices must be included in the risk analysis and requires the implementation of security measures sufficient to reduce those risks. If an organization prohibits the use of personal mobile devices for work activities (especially those activities involving PHI), policies making any prohibitions clear should be in place and enforced.

Did you know? Access to information on mobile devices need not be limited to nefarious actions by malicious software and/or hackers, but could also originate from more mundane applications. A seemingly harmless mobile app or game may gain access to your contacts, pictures or other information on your device and send such data to an external entity without your knowledge. As mobile devices are increasingly and consistently used by CEs and BAs and their workforce members to store or access PHI, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure PHI remains protected. See 45 C.F.R. § 164.306(e).

Mobile Device Default Settings

Mobile devices, like many other computer systems, may be delivered by third-party vendors with default settings, such as preset passwords or outdated firmware, that create vulnerabilities. Such default settings may enable automatic connectivity to unsecured Wi-Fi, Bluetooth, cloud storage, or file sharing network services. Organizations should take steps to ensure that mobile devices are properly configured and secured BEFORE allowing the device to create, receive, maintain, or transmit PHI. Additionally, workforce members should be trained in the proper, secure use of mobile devices to store or access PHI.

Training

Training should include educating workforce members on the dangers of using unsecured Wi-Fi networks, such as the public Wi-Fi offered in airports and coffee shops, as well as unsecured cloud storage and file sharing services. Workforce members should also be trained on the risks of viruses and malware infecting mobile devices. Just as with other computer systems, malicious software that infects mobile devices could provide access to unauthorized individuals, which could result in a breach of PHI.

Workforce Security Termination Procedures

Your Employee Just Quit!

You receive a call from the front desk explaining that one of your workforce members just quit. What do you do? The first thing you do is pull out your termination standard operating procedure (SOP). The SOP should include the necessary Workforce Security Termination Procedures for you to follow.

What Does the HIPAA Security Rule Say?

Termination procedures are an addressable Administrative Safeguard, defined in §164.308(a)(3)(ii)(C): “Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.”

Administrative Safeguards

In case you did not already know, over half of the HIPAA Security Rule is made up of Administrative Safeguards. They are defined as: “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” For more details on Administrative Safeguards, see our article where I break them down for you.

Why Do Termination Procedures Matter?

When a workforce member leaves, it is extremely important for regulated entities of all sizes to prevent unauthorized access to PHI. This is accomplished by terminating the former workforce member’s access to PHI. Don’t forget to ensure all company-owned mobile devices like laptops and smartphones are returned. Also, if you permit the use of PHI on personally owned phones or other devices, be sure those devices are cleared or purged of electronic PHI.

Termination Procedures

Termination Procedures should include:
• Procedures to terminate access to PHI, including termination of physical access to facilities. Procedures to terminate physical access could include:
→ Changing combination locks and security codes
→ Removing users from access lists, and ensuring the return of keys
→ Tokens
→ Keycards, ID badges
→ And any other physical items that could permit access to secure areas with PHI
• Standard termination procedures covering all action items to be completed when an individual leaves; these action items could be incorporated into a checklist. These should include notification to the IT department or a specific security individual when an individual should no longer have access to PHI: when their duties change, they quit, or they are fired.
• Logs to document whenever access is granted (both physical and electronic), privileges are increased, and equipment is given to individuals. These logs can be used to document the termination of access and the return of physical equipment.
• Alerts to notify the proper department when an account has not been used for a specified number of days. These alerts may be helpful in identifying accounts that should be permanently terminated.
• Terminating electronic and physical access as soon as possible: de-activate or delete user accounts, including disabling or changing user IDs.
• Appropriate audit procedures. Appropriate audit and review processes confirm that procedures are being implemented, are effective, and that individuals are not accessing PHI when they shouldn’t or after they leave.
• Addressing physical access and remote access by implementing procedures to:
→ Take back all devices and items permitting access to facilities (like laptops, smartphones, removable media, ID badges, keys)
→ Terminate physical access (for example, change combination locks, security codes)
→ Effectively clear or purge PHI from personal devices and terminate access to PHI from such devices, if personal devices are permitted to access or store PHI
→ Terminate remote access capabilities
→ Terminate access to remote applications, services, and websites, such as accounts used to access third-party or cloud-based services
• Changing the passwords of any administrative or privileged accounts (like admin or root user) that a former workforce member had access to.

Something to Ponder …

Ask yourself the following two questions:
1. Does your organization have current termination policies and procedures?
2. Do your organization’s policies and procedures include timely communication of termination actions to ensure that the termination procedures are appropriately followed?
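The checklist items above (notification from HR, dormant-account alerts, deactivating accounts, recovering equipment, rotating shared privileged passwords) lend themselves to a periodic reconciliation of the account inventory against the HR roster. The Python below is an added example written for this article, not the author’s or any vendor’s tool; the account records, HR records, dates and the 60-day dormancy threshold are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

DORMANT_DAYS = 60  # assumption: the "specified number of days" before an unused account is flagged


@dataclass
class Account:
    user_id: str                 # unique per workforce member, so activity can be tracked by user
    owner: str                   # workforce member the account belongs to
    enabled: bool
    last_login: date
    remote_access: bool = False  # VPN / remote application access
    shared_privileged: List[str] = field(default_factory=list)  # admin/root accounts this person could use
    items_issued: List[str] = field(default_factory=list)       # laptop, keycard, keys, tokens ...


@dataclass
class HrRecord:
    owner: str
    employed: bool
    separation_date: Optional[date] = None


def termination_report(accounts, hr_records, today, dormant_days=DORMANT_DAYS):
    """Reconcile the account inventory against HR status and return findings by category.

    separated_still_enabled: accounts of departed workforce members that are still active
    remote_access_open:      departed members who can still reach systems remotely
    privileged_rotation:     shared admin/root accounts whose passwords must be changed
    unreturned_items:        equipment and access items not yet recovered
    dormant:                 accounts of current staff unused for more than dormant_days
    """
    status = {r.owner: r for r in hr_records}
    findings = {"separated_still_enabled": [], "remote_access_open": [],
                "privileged_rotation": [], "unreturned_items": [], "dormant": []}
    for acct in accounts:
        rec = status.get(acct.owner)
        # An owner missing from HR is treated as separated: no record, no access.
        separated = rec is None or not rec.employed
        if separated:
            if acct.enabled:
                findings["separated_still_enabled"].append(acct.user_id)
            if acct.remote_access:
                findings["remote_access_open"].append(acct.user_id)
            for shared in acct.shared_privileged:
                if shared not in findings["privileged_rotation"]:
                    findings["privileged_rotation"].append(shared)
            if acct.items_issued:
                findings["unreturned_items"].append((acct.owner, list(acct.items_issued)))
        elif acct.enabled and (today - acct.last_login).days > dormant_days:
            findings["dormant"].append(acct.user_id)
    return findings


# Constructed sample data standing in for a directory export and an HR roster.
TODAY = date(2024, 3, 15)
SAMPLE_ACCOUNTS = [
    Account("jdoe01", "J. Doe", True, date(2024, 3, 10), remote_access=True,
            shared_privileged=["ehr-admin"], items_issued=["laptop", "keycard"]),
    Account("asmith02", "A. Smith", True, date(2023, 12, 1)),  # current staff, unused 105 days
    Account("bkim03", "B. Kim", True, date(2024, 3, 14)),
    Account("rlee04", "R. Lee", False, date(2023, 11, 1)),     # properly terminated last year
]
SAMPLE_HR = [
    HrRecord("J. Doe", employed=False, separation_date=date(2024, 3, 14)),  # quit yesterday
    HrRecord("A. Smith", employed=True),
    HrRecord("B. Kim", employed=True),
    HrRecord("R. Lee", employed=False, separation_date=date(2023, 11, 2)),
]

if __name__ == "__main__":
    for category, hits in termination_report(SAMPLE_ACCOUNTS, SAMPLE_HR, TODAY).items():
        print(f"{category}: {hits}")
```

Run daily, the report doubles as the audit evidence the post asks for: each finding records who still had access, and to what, after their separation date.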

HIPAA Rules

HIPAA Rules – Who Has To Comply?

HIPAA Rules – Who Has To Comply?

Back in 2013, the HIPAA rules were updated when the final Omnibus Rule became effective on March 26, 2013. I know that seems like ancient history to most, but really it was less than 10 years ago. That’s how long it has been since third-party vendors, referred to as Business Associates (BAs), of all sizes have been required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. These days most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other individuals or businesses. Health & Human Services (HHS) defines this type of service provider as a BA, as defined in 45 CFR 160.103.

HIPAA Rules – What Do the Rules Say?

Covered Entities (CEs) and BAs, collectively referred to as regulated entities, in accordance with § 164.306 must ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the regulated entity creates, receives, maintains, or transmits. A CE may permit a BA to create, receive, maintain, or transmit ePHI on the CE’s behalf only if the CE obtains satisfactory assurances, in accordance with § 164.314(a), that the BA will appropriately safeguard the information. Every CE must document that their BAs are HIPAA compliant; this requirement includes documentation of their workforce training, that they have HIPAA compliant security policies in place, and that there is an incident reporting procedure in place between your practice and the BA. And remember to document your findings – if it’s not documented, it didn’t happen! After all, an auditor might ask you for the data.

Covered Entities

Any healthcare provider, health plan, or healthcare clearinghouse that transmits any information in an electronic form in connection with transactions for which HHS has adopted a standard. For example, hospitals, academic medical centers, physicians, pharmacies, and other healthcare providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. CEs can be institutions, organizations, or individuals.

Third-Party Vendors

A third-party vendor, referred to as a BA, is a person or entity, including a subcontractor, other than a member of the workforce* of a CE, who performs functions or activities that involve access by the BA to PHI. A BA is also any subcontractor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of another BA.

*Note: Anyone paid as a 1099 freelancer/contractor is not a member of your workforce. Be sure your organization is following the 1099 Freelancer/Contractor IRS Rules.

Subcontractors

An entity to which a BA delegates a function, activity, or service, other than as a member of the BA’s workforce. There is no limit to the number of subcontractors that may be liable, because a subcontractor might delegate functions to other subcontractors, creating a chain of BA entities.

Addressable and Required: Know the Difference

Addressable and Required: Know the Difference

When it comes to the HIPAA Security Rule, Covered Entities (CEs) and their third-party vendors, referred to as regulated entities by the Department of Health and Human Services, are required to comply with every Security Rule “Standard.” The implementation specifications under those standards are categorized as either addressable or required.

Addressable and Required Breakdown

The HIPAA Security Rule contains several implementation specifications that are labeled as Addressable or Required specifications.
• Required – If an implementation specification is described as “required,” the specification MUST be implemented.
• Addressable – The concept of “addressable implementation specifications” was developed to provide providers and their third-party vendors additional flexibility with respect to compliance with the security standards. One important thing to remember: the “addressable” designation does not mean that an implementation specification is optional.

HHS to the Rescue

Luckily HHS has come to our rescue in its response to the following frequently asked question: “What is the difference between addressable and required implementation specifications in the Security Rule?” Below is a breakdown of their response:

If an addressable implementation specification is not reasonable and appropriate, the Security Rule allows the regulated entity to adopt an alternative measure to achieve the purpose of the standard, if the alternative measure is reasonable and appropriate; 45 C.F.R. § 164.306(d). In meeting standards that contain addressable implementation specifications, a regulated entity will do one of the following for each addressable specification:
• Implement the addressable implementation specification
• Implement one or more alternative security measures to accomplish the same purpose
• Not implement either the addressable implementation specification or an alternative

Each regulated entity must evaluate whether a given addressable implementation specification is a reasonable and appropriate security measure to implement within its particular security framework. HHS provides the following example: A regulated entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate and there is a reasonable and appropriate alternative. The decision to implement an addressable implementation specification will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.

It’s All in the Documentation

Don’t forget each choice must be documented. After all, you don’t want the HHS auditor to say “I find your lack of documentation disturbing.” The decisions a regulated entity makes regarding addressable specifications must be documented in writing. Written documentation should include the factors considered as well as the results of the risk assessment (analysis) on which the decision was based.

Something to Ponder

The HIPAA security risk analysis process is an opportunity to learn as much as possible about the health of your information security. Don’t ignore your need to be HIPAA compliant! Any device or media that contains protected health information (PHI) needs to be properly protected – HIPAA is not system or hardware specific – it applies to all!

Yes, Dorothy, a Risk Analysis is Required!

A Business Associate (BA) is someone who performs services that involve the disclosure of Protected Health Information (PHI), such as claims processing, utilization review, billing, quality assurance, or benefit management. Companies performing other types of services, such as legal, accounting, financial, or administrative services, may also be considered BAs if they need to have access to PHI in order to perform their responsibilities.

Did you know? BAs are required to comply with the requirements identified in the HIPAA Security Rule, 45 CFR § 164.314(a)(2). This means all BAs, no matter your size, are required to perform a complete and thorough risk analysis to identify their potential Administrative, Physical and Technical security risks to PHI; 45 CFR § 164.308(a)(1). Remember: ANY change made to the equipment used to create, receive, maintain, or transmit a practice’s PHI requires an update to the risk analysis. And don’t forget to document your findings – if it’s not documented, it didn’t happen!

HIPAA Risk Analysis

Did you know? ALL Business Associates (BAs) are required to perform a HIPAA risk analysis to identify their potential Administrative, Physical and Technical security risks to electronic protected health information (ePHI). The Administrative Safeguards provisions require BAs to perform risk analysis as part of their security management processes. The results of the risk analysis are used to determine the security measures that are reasonable and appropriate for each organization. A risk analysis process includes, but is not limited to, the following activities:
• Evaluate the likelihood and impact of potential risks to ePHI; 45 C.F.R. § 164.306(b)(iv)
• Implement appropriate security measures to address the risks identified in the risk analysis; 45 C.F.R. § 164.308(a)(1)(ii)(B)
• Document the chosen security measures and, where required, the rationale for adopting those measures; 45 C.F.R. § 164.306(d)(3)(ii)(B)(1); 45 C.F.R. § 164.316(b)(1)
• Maintain continuous, reasonable, and appropriate security protections; 45 C.F.R. § 164.306(e)