What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis? Many organizations use the two terms interchangeably, but they are not the same thing. Don’t make the same mistake. We can help you understand the difference.
Office of Civil Rights Requirements
The Office for Civil Rights has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis. It requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information held by the organization. Furthermore, entities must consider the potential risks, threats and vulnerabilities to all of the covered entity’s ePHI. This includes all ePHI that is created, received, maintained or transmitted, regardless of the source or location of the ePHI.
Understanding a HIPAA Gap Analysis
The HIPAA Rule does not require a HIPAA Gap Analysis. A Gap Analysis is usually a limited evaluation of a covered entity’s or business associate’s organization that reveals whether the policies, controls or safeguards required by HIPAA are in place and implemented. The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems. It must investigate all facilities that relate to privacy, uses and disclosures of PHI.
Gap Analysis Insufficient for HIPAA Rule
A Gap Analysis does not satisfy the Security Risk Analysis requirement, because it does not demonstrate an accurate and thorough analysis. A Risk Analysis must consider all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits. Consequently, the Gap Analysis is not equivalent to the Risk Analysis, and it does not satisfy the rule as specified by 45 C.F.R. §164.308(a)(ii)(A). It is important to note that OCR expects a covered entity to document and implement all of the necessary regulations of the HIPAA Rule to obtain a Compliant rating.
Therefore, it is important to identify your covered entity’s needs and determine whether you require a Gap Analysis or a Risk Analysis. Ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.
HIPAA technical safeguards protect PHI and have become a major part of any HIPAA Privacy program. They are key elements that help to maintain the safety of ePHI as the internet changes, and they have grown more important with technology advancements in the health care industry. The challenge for healthcare organizations is protecting electronic protected health information (EPHI), including electronic health records, from various internal and external risks.
Comply with Technical Safeguards
The Security Rule requires a covered entity to comply with the HIPAA Technical Safeguard standards and certain implementation specifications. A covered entity may use any security measures that allow it to reasonably and appropriately do so.
Define “Technical Safeguards”
The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” The rule is based on several fundamental concepts: flexibility, scalability and technology neutrality. Therefore, it identifies no specific requirements for the types of technology to implement.
Implementing “The Security Rule”
The Rule allows a covered entity to use any security measures that let it reasonably and appropriately implement the standards and implementation specifications. Because of this, the covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization. There are a variety of measures that can help an organization meet these standards. A more detailed description can be found in the HIPAA Security Series published by HHS.gov.
HIPAA technical safeguards are important due to technology advancements. The takeaway is that Technical Safeguards protect PHI. All covered entities and business associates who deal with electronic PHI should review their use of Technical Safeguards to be fully in compliance. Feel free to contact us for more guidance on this important topic.
The decision to use encryption of ePHI as a safeguard depends on several factors. The HIPAA Security Rule allows transmission of electronic PHI when it is safeguarded. After a careful analysis of its systems, an organization may decide that encryption of ePHI as a safeguard is in its best interest. The healthcare provider may then decide to use encryption as the means of protecting sensitive ePHI.
The Security Rule defines the encryption standard as an addressable requirement, which can be confusing. If encryption is a reasonable and appropriate safeguard for the protection of ePHI, it should be implemented. The entity may determine that it is the best safeguard in its risk management of the confidentiality, integrity and availability of ePHI. An organization should therefore consider encryption and implement it in its management of ePHI. Whatever it decides, the entity must document the decision in its plan.
No Specific Requirements
When the Security Rule was enacted, its authors recognized the rapid advances in technology. It would have been very difficult to give guidelines that would need to change regularly. For this reason, they chose not to require specific safeguards. It is up to the organization to do a careful risk assessment and, based on it, to put in place the appropriate mechanism to protect ePHI. Presently, encryption of ePHI is an effective tool. It is a good safeguard for the safe transmission of email and texts through the cloud. In many cases it has become the standard for the transmission of sensitive data in healthcare and in the business world.
Alternative to Encryption
Based on its security risk assessment, a health care provider may determine that encryption isn’t reasonable and appropriate. It may then present an alternative to protect ePHI. It may also decide to do neither and determine that the standard may otherwise be met. In every case the provider should document the reasons for its decision.
Social media offers many benefits for health care organizations because it allows interaction with patients and others and offers education and services. As a result, it is an essential communication and marketing tool and part of strategic marketing plans. Organizations also turn to social media to communicate with their employees. Unfortunately, HIPAA and social media can be problematic.
Authorization to use PHI
It is possible to violate the HIPAA Rules and patient privacy while using social media if it is not managed correctly. It is therefore important for health care organizations to disclose protected health information carefully. An organization must do so only with patient authorization for interviews, photographs and marketing communications.
Media Posts May Risk Privacy
Posts of PHI by employees violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI. The ability to post simultaneously on several platforms increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed, and there must be a low risk that the remaining information could be used to identify the patient. Facial images and other identifiers such as tattoos must also be removed.
Preventing HIPAA Privacy Risk
Employees should be trained on the dangers of using social media inappropriately from the very onset of their employment. Many organizations deal with the issue by developing a social media use policy. They also monitor social media activity. If not addressed, HIPAA and social media can be problematic.
Using cybersecurity to protect PHI is a key feature of HIPAA. Electronic protected health information, or EPHI, is at increased risk from many sources:
Foreign hackers looking for data to sell – usually on the dark web
Ransomware attacks that lock up data until a ransom payment is received
Phishing schemes that lure the user into clicking a link or opening an attachment to deploy malicious software; and
Spear phishing – a targeted attack on a specific person that appears to come from a legitimate source, usually instructing a transfer of funds.
What You Can Do
In order to safeguard EPHI against threats:
Firstly, know how to spot phishing emails.
Secondly, use strong passwords, two factor authentication and encryption.
Finally, have policies, procedures and safeguards in place to protect EPHI, and know who to report an incident to in your organization.
Prepare for Cyberattacks
In the case of a cyberattack or similar emergency an entity must:
Execute its response and mitigation procedures and contingency plans.
Report the crime to other law enforcement agencies.
Report all cyber threat indicators to federal and information-sharing and analysis organizations.
Finally, it must report the breach to OCR as soon as possible, but not later than 60 days after the discovery of a breach affecting 500 or more individuals.
Most importantly, OCR considers all mitigation efforts taken by the entity during any particular breach investigation. Such efforts include, for instance, voluntary sharing of breach-related information with the appropriate agencies.
The Office for Civil Rights, or OCR, which has HIPAA oversight, has not produced the long-awaited guidance on texting protected health information. However, at a Health Information Management Conference in March, the OCR director said healthcare providers could text message their patients with PHI, provided the provider warns the patient that texting is not secure and obtains and documents the patient’s authorization to receive texts.
Recent Guidance on Sharing PHI Safely
The Centers for Medicare and Medicaid Services, or CMS, oversees the Conditions of Participation and Conditions for Coverage. CMS issued a memo on healthcare providers texting protected health information safely on December 28, 2017. The key takeaways are:
Texting Protected Health Information
CMS permits texting of patient information among members of the health care team. Above all, the platform must be secure and encrypted, which minimizes the risks to patient privacy and confidentiality. HIPAA regulations, the Conditions of Participation and the Conditions for Coverage require this as a safeguard.
Texting Patient Orders
Regardless of the platform, CMS prohibits the practice of texting patient orders. A provider who texts patient orders to a member of the care team is not in compliance with the Conditions of Participation or Conditions for Coverage.
CPOE for Orders
Providers should opt for Computerized Provider Order Entry (CPOE) as the preferred method of order entry. CMS insists that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record via a handwritten order or via CPOE. With CPOE, orders are immediately downloaded into the provider’s electronic health record (EHR). This method is preferred because the order is dated, timed, authenticated and promptly placed in the medical record.
It is critical for all providers to understand and follow these new guidelines from CMS on texting protected health information among healthcare providers.
The OCR ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in penalties for HIPAA violations after half-hearted and incomplete efforts at encryption.
Judgement Against MD Anderson
“A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. Moreover, this is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.”
Encryption Policies Ignored
The Office for Civil Rights (OCR) ordered the University of Texas MD Anderson Cancer Center (MD Anderson) to pay $4,348,000 in civil money penalties for HIPAA violations, because it did not follow its own encryption policies or the HIPAA Rules.
Entities of MD Anderson lost an unencrypted laptop and two flash drives during 2012 and 2013. The devices contained the electronic personal health information of over 33,500 individuals. This lack of technical safeguards greatly influenced OCR’s decision.
OCR Serious About Lack of Technical Safeguards
Despite creating policies for encryption, the center failed to follow them or to quickly pursue their implementation after the 2012 and 2013 breaches. As a result, after the investigation it was clear to the court that the organization had failed to follow the HIPAA Rule.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. The $4.3 million is the fourth largest amount ever awarded to the OCR.
Most importantly, having security policies is not sufficient. An organization must observe and follow those policies to protect its patients and itself. Consequently, all organizations must routinely review their plan, train their employees on HIPAA and monitor that everyone follows the plan.