HIPAA Blog

HIPAA Gap Analysis and a HIPAA Risk Analysis


What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis?  Many organizations use these terms interchangeably, but they are not the same thing.  Don’t make the same mistake. We can help you understand the difference.

Office for Civil Rights Requirements

The Office for Civil Rights has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis.  It requires covered entities to conduct an accurate and thorough assessment that considers the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization.  Furthermore, entities must consider the potential risks, threats and vulnerabilities to all of the covered entity’s ePHI.  This includes all ePHI that is created, received, maintained or transmitted, whatever the source or location of that ePHI.

Understanding a HIPAA Gap Analysis

The HIPAA Rule does not require a HIPAA Gap Analysis.  A Gap Analysis is usually a limited evaluation of a covered entity’s or business associate’s organization that reveals whether the policies, controls or safeguards required by HIPAA are in place and implemented.  The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems, and it should examine all facilities as they relate to privacy and to the uses and disclosures of PHI.

Gap Analysis Insufficient for HIPAA Rule

A Gap Analysis does not satisfy the Security Risk Analysis requirement, because it does not demonstrate an accurate and thorough analysis of all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits.  Consequently, the gap analysis is not equivalent to the risk analysis and does not satisfy the rule as specified by 45 C.F.R. §164.308(a)(ii)(A).  It is important to note that OCR expects a covered entity to document and implement all of the necessary regulations of the HIPAA Rule to obtain a Compliant rating.

Therefore, it is important to identify your covered entity’s needs and determine whether you require a Gap Analysis or a Risk Analysis.  Ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.

Media Creates Dangerous HIPAA Violations


The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used.

Death of Celebrities and HIPAA

With the recent deaths of several celebrity musicians, media outlets have an ever-growing source of news and information, some of which is dug up in less than lawful ways. Unfortunately, this media attention creates HIPAA breaches.

HIPAA Cases In Point

The UCLA Medical Center recently had to pay $865,500 in fines for negligent handling of patient (mostly celebrity) health information. These breaches constitute a serious risk for hospitals and health centers because the information leaks are often easily traceable. The demand for the media to obtain this information, even through breaches, is high because the public craves information on the lives of their favorite celebrities, but the repercussions can be great.

Employees can be surprisingly negligent with celebrities’ sensitive information, and workers have caused breaches at major hospitals. Cedars-Sinai Hospital in Los Angeles fired five employees and a student assistant in 2013 after the hospital traced a breach of Kim Kardashian’s pregnancy information back to them.

Prince’s Medical Information Leak

This issue became relevant again with the recent passing of Prince in April. His health was relatively fine before, and his death came as a shock and a great mystery to many. TMZ reported Prince’s medical condition before any official public health announcements. Once again, media creates HIPAA breaches.

HIPAA does not apply to TMZ. An employee of the hospital leaked the information. Consequently, the hospital is responsible for a breach of private information.

Just recently it was released that Prince died of a drug overdose, but sensitive information can easily be leaked and create legal issues for health providers, especially when it makes its rounds in the news.

HIPAA Breaches Result From Media Coverage

While the demand for information and gossip on celebrities is high and can cloud better judgment, celebrities have the same rights as the rest of us under HIPAA. It is important to restrict media access to a hospital or health center and to inform employees of the legal ramifications of a HIPAA breach. Training employees is crucial and HIPAA Associates can make it easier for you through our expertise on HIPAA compliance and training.

Keep your team informed on standards of HIPAA — Contact HIPAA Associates today for your HIPAA training.

Sharing Mental Health Information


Allowing Providers to Share

In certain circumstances HIPAA allows sharing of mental health information by mental health providers based on professional judgment.  This can be when it is in the best interests of the patient, or to prevent or lessen a risk of harm.

If a patient presents a risk of harm to themselves or others, or exhibits behavior that may threaten their health or safety, providers need to be able to use professional judgment.  As a result, they can identify the potential or likely risk and determine who can help lessen it.

Ways to Share Mental Health Information

There are several ways the provider may address the situation.

If the patient lacks the ability to make decisions or is unconscious, the provider can share information with the patient’s personal representative (if applicable).  The provider can also share with family or friends involved in the patient’s care if it is determined to be in the patient’s best interest.

A provider may contact anyone reasonably able to lessen the risk of harm.  This is important when the provider believes that a patient presents a serious and imminent threat to the health or safety of themselves or another person.

OCR Won’t Second Guess

The Office for Civil Rights (OCR) states it won’t second-guess a mental health provider’s judgment when a patient is a threat to himself or others. HIPAA allows mental health providers to share information in these situations.

For more detail see the OCR guidance on this vital topic.  Remember to check state law for any restrictions on sharing.  It is the responsibility of all providers of mental health treatment to know the rules before managing this information.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic and HIPAA training for you and your company.

HIPAA Technical Safeguards Protect PHI


Why Technical Safeguards?

HIPAA technical safeguards protect PHI and have become a major part of any HIPAA Privacy program. Technical safeguards are important due to constant technology advancements in the health care industry. They are key elements that help to maintain the safety of EPHI as the internet changes.  One of the greatest challenges healthcare organizations face is protecting electronic protected health information (EPHI), including electronic health records, from various internal and external risks. To best reduce risks to EPHI, covered entities must implement technical safeguards.

Comply with Technical Safeguards

The Security Rule requires a covered entity to comply with the HIPAA Technical Safeguard standards and certain implementation specifications.  A covered entity may use any security measures that allow it to reasonably and appropriately do so.

Define “Technical Safeguards”

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”  

This rule is based on several fundamental concepts.  These concepts include:

  • Flexibility
  • Scalability
  • Technology neutrality

As written, the standards identify no specific types of technology that must be implemented.  It is entirely up to a covered entity to determine what security measures and specific technologies are reasonable and appropriate for implementation within the entity.

Solutions vary in nature depending on the organization.  The Security Rule requires that reasonable and appropriate measures be implemented and that the General Requirements of the rule be met; that is the most important requirement.

Implementing “The Security Rule”

In the Security Standards, the General Rules section on Flexibility of Approach provides the entity with important guidance on the decisions a covered entity must consider when selecting security measures such as technology solutions.  Once an organization has completed the required risk analysis and risk management process, it will be able to make appropriate, informed decisions.

The Rule allows the use of security measures but there is no specific technology that is required.  The guidance given is that the entity should reasonably and appropriately implement the Standards and implementation specifications.  As a result of this the covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.  

Technical Standards:


Standard: Access Control

This first standard is meant to outline the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

It provides users with rights and/or privileges to access and perform functions using programs, files, information systems and applications.  Ideally it should provide access to the minimum necessary information required to perform a duty within the organization. This access should be granted based upon a set of access rules the covered entity implements as part of “Information Access Management” outlined in the Administrative Safeguards section of the Rule.

The standard requires a covered entity to:

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Information Access Management.”

There are many different combinations of access control methods and technical controls that can be used to accomplish these objectives.  Whatever method is used it should be appropriate for the role and/or function of the workforce member.

There are four implementation specifications:

  • Unique User identification (Required)
  • Emergency Access Procedure (Required)
  • Automatic Logoff (Addressable)
  • Encryption and Decryption (Addressable)

Unique User Identification (Required)

According to this implementation specification, a covered entity is directed to do the following:

“Assign a unique name and/or number for identifying and tracking user identity.”

User identification is a process used to identify a specific user of an information system, typically by name and/or number.  This identifier allows an entity to track specific user activity when that user is logged into an information system.  This in turn enables an entity to hold users accountable for functions performed on information systems with EPHI when logged into those systems.

There are no specified formats described by the Rule for identification.  A covered entity must determine the best user identification strategy based on its workforce and its operations.

Emergency Access Procedure

Under this implementation specification the organization is asked to:

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”  

There must be well-documented procedures and instructions that allow an entity to access EPHI during emergency situations.  An entity must determine the types of situations that would require emergency access to information systems.  Examples to consider would be loss of power or hijacking of data.

Automatic Logoff

Under this implementation specification the organization is asked to:

“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

Automatic logoff from a system is a common approach to protecting against inadvertent access to workstations. It is an effective way to prevent unauthorized users from accessing EPHI on a workstation left unattended.

Encryption and Decryption

Under this implementation specification the covered entity is asked to consider:

“Implement a mechanism to encrypt and decrypt electronic protected health information.”  

This is an addressable specification and should be put into effect when it is a reasonable and appropriate safeguard for a covered entity.  Encryption is a method of converting messages into encoded text using an algorithm.  By using this technique there is a low probability that anyone other than the intended recipient who holds the key can read the information.  There are many ways to encrypt, and many technologies to protect data from being inappropriately accessed.  It is up to the entity to decide if this is necessary.

When the Security Rule was enacted, its authors recognized the rapid advances in technology. Consequently, it would be very difficult to give guidelines that would need to change regularly. For this reason, they chose not to require specific safeguards.  It is up to the organization to do a careful risk assessment.  Based on this, it may create the appropriate mechanism to protect ePHI.  Presently the use of encryption of ePHI is an effective tool.  It is a good safeguard for the safe transmission of email and texts through the cloud.  In many cases this has become the standard for the transmission of sensitive data in healthcare and in the business world.


Standard:  Audit Controls

Audit controls are key in monitoring and reviewing activity in the system to protect its EPHI.

The standard requires a covered entity to:

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Information systems must have some level of audit control with the ability to provide reports.  These controls are useful for auditing system activity in the face of a security violation.

The Security Rule does not identify specific data to be gathered by the audit controls.  It is up to the covered entity to consider this after a risk analysis and to determine the most reasonable and appropriate audit controls for its systems that contain EPHI.
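As an added example (not code from the page or from HIPAA Associates), this Python script examines a small constructed audit trail against the access rights granted under Information Access Management. The JSON-lines log format, the user IDs and the rights table are all assumptions for the example; the Rule prescribes neither a format nor the data to collect.

```python
"""Examining an EPHI audit trail against granted access rights.

Constructed example: the system that holds EPHI records each access as one
JSON object per line (an assumed format; the Rule prescribes none), and the
covered entity examines that trail against the access rights granted under
Information Access Management. Unique user IDs are what make each event
attributable to one workforce member.
"""
import json
from collections import Counter

# Access rights granted under Information Access Management (constructed).
# Each unique user ID maps to the actions that user may perform on EPHI.
ACCESS_RIGHTS = {
    "u1001": {"read"},                     # billing clerk: view only
    "u1002": {"read", "write"},            # treating clinician
    "u1003": {"read", "write", "export"},  # records administrator
}

# Constructed audit trail: one JSON object per line.
AUDIT_LOG = """\
{"ts": "2024-03-04T08:01:12", "user": "u1002", "action": "read", "record": "pt-5531", "result": "ok"}
{"ts": "2024-03-04T08:03:40", "user": "u1001", "action": "write", "record": "pt-5531", "result": "ok"}
{"ts": "2024-03-04T08:05:09", "user": "u1001", "action": "read", "record": "pt-5531", "result": "ok"}
{"ts": "2024-03-04T08:09:55", "user": "shared", "action": "read", "record": "pt-7722", "result": "ok"}
{"ts": "2024-03-04T08:12:00", "user": "u1003", "action": "export", "record": "pt-7722", "result": "ok"}
{"ts": "2024-03-04T09:15:00", "user": "u1001", "action": "export", "record": "pt-7722", "result": "denied"}
"""


def parse_audit_log(text):
    """Parse the JSON-lines audit trail into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def examine_audit_trail(events, rights):
    """Return (timestamp, user, issue) findings a reviewer should look at.

    Three conditions are flagged: an event whose user ID was never granted
    rights (a shared or unknown ID cannot be tied to one person), a denied
    attempt (the access control held, but the attempt itself deserves review),
    and a successful action outside the user's granted rights (the access
    control failed).
    """
    findings = []
    for e in events:
        user, action, result, record = e["user"], e["action"], e["result"], e["record"]
        granted = rights.get(user)
        if granted is None:
            findings.append((e["ts"], user,
                             "unattributable user id: no rights granted under Information Access Management"))
        elif result == "denied":
            findings.append((e["ts"], user, f"denied attempt to {action} {record}"))
        elif action not in granted:
            findings.append((e["ts"], user,
                             f"{action} of {record} succeeded outside granted rights {sorted(granted)}"))
    return findings


def successful_access_counts(events):
    """Count successful EPHI accesses per user ID: the basic accountability report."""
    return Counter(e["user"] for e in events if e["result"] == "ok")


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    for ts, user, issue in examine_audit_trail(evts, ACCESS_RIGHTS):
        print(f"{ts} {user}: {issue}")
    print(dict(successful_access_counts(evts)))
```

On the constructed log this reports a write by a read-only user, an access under a shared ID that no person can be held accountable for, and a denied export attempt.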


Standard: Integrity

Integrity is defined in the Security Rule, as “the property that data or information have not been altered or destroyed in an unauthorized manner.”

The standard requires a covered entity to:

“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

The reason for this standard is to establish and implement policies and procedures for protecting EPHI from being compromised, regardless of the source.  It helps prevent workforce members from making accidental or intentional changes that alter or destroy EPHI.  It may also help prevent alterations caused by electronic media errors or failures.

There is one addressable implementation specification.

Mechanism to Authenticate Electronic Protected Health Information

If it is reasonable and appropriate a covered entity must:

“Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”

A covered entity must do a risk analysis and determine from this the various risks to the integrity of EPHI.  This will help define the security measures necessary to reduce the risks.


Standard:  Person or Entity Authentication

Authenticating the individual who has access to the system is very important in the establishment of technical safeguards.

This standard requires a covered entity to:

“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”  

This implementation specification requires a system of identification to verify that a person is who they claim to be before getting access to the system.  There are many ways of accomplishing this, such as passwords, PINs, smart cards, tokens, keys or biometrics.

The mechanism used will depend on the organization.  Most organizations rely on a password or PIN.  If the credentials entered match those held by the system, the user is allowed access.


Standard: Transmission Security

It is important to guard all transmissions of electronic protected health information.

This standard requires a covered entity to:

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

Once a covered entity has completed a risk analysis, it will review and understand the current methods used to transmit EPHI.  Consider whether it is sent by email, over the internet, across a network or by texting.  Once these methods are reviewed, the entity can determine the best way to protect EPHI.

There are two implementation specifications:

  • Integrity Controls
  • Encryption

Integrity Controls

Based on a risk analysis, if this implementation specification is reasonable and appropriate, the covered entity must:

“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

Integrity in the context of this implementation focuses on making sure the EPHI is not improperly modified during transmission.  This may be accomplished by using network protocols that confirm the data that was sent is the data that is received.
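The Integrity standard above asks for a mechanism to corroborate that EPHI has not been altered, and this integrity control asks for the same assurance in transit. As an added example (not from the page or any product), this Python code tags a record with an HMAC-SHA256 under a key held by the covered entity and verifies it on retrieval or receipt; the record, the key and the wire format are constructed for the example. An unkeyed checksum is shown alongside to make the difference visible: it catches media errors, but anyone who alters the record can recompute it.

```python
"""Corroborating that EPHI has not been altered: keyed integrity tags.

Constructed example, not from the page or any product. Each record is
canonically serialized and tagged with HMAC-SHA256 under a key held by the
covered entity; the tag is stored with the record (integrity at rest) or
travels with it over the network (integrity in transit), and the receiver
recomputes and compares it.
"""
import hashlib
import hmac
import json

# Constructed key for the example. In practice it comes from a key management
# system and is never hard-coded.
INTEGRITY_KEY = bytes.fromhex("0f" * 32)


def canonical_bytes(record):
    """Serialize deterministically so key order and whitespace do not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record, key=INTEGRITY_KEY):
    """HMAC-SHA256 over the canonical record, hex encoded."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def seal(record, key=INTEGRITY_KEY):
    """Envelope that is stored or transmitted: the record plus its tag."""
    return {"record": record, "tag": tag_record(record, key)}


def verify(envelope, key=INTEGRITY_KEY):
    """True only if the record and tag still match under the key (constant-time compare)."""
    try:
        expected = tag_record(envelope["record"], key)
        return hmac.compare_digest(expected, envelope["tag"])
    except (KeyError, TypeError):
        return False


def to_wire(envelope):
    """Bytes as they cross the network."""
    return json.dumps(envelope).encode("utf-8")


def receive(wire_bytes, key=INTEGRITY_KEY):
    """Receiver side: parse and verify; return the record, or None if corroboration fails."""
    try:
        envelope = json.loads(wire_bytes.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    return envelope["record"] if verify(envelope, key) else None


def plain_checksum(record):
    """Unkeyed SHA-256, for contrast: it detects accidental corruption only."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def seal_plain(record):
    return {"record": record, "sum": plain_checksum(record)}


def verify_plain(envelope):
    """Passes for any record whose checksum was recomputed after modification."""
    return envelope.get("sum") == plain_checksum(envelope.get("record"))


if __name__ == "__main__":
    rec = {"patient_id": "pt-5531", "dob": "1970-01-01", "diagnosis": "Z00.00"}  # constructed
    env = seal(rec)
    altered = dict(rec, diagnosis="F32.9")
    print("sealed record verifies:", verify(env))
    print("altered record, original tag:", verify({"record": altered, "tag": env["tag"]}))
    print("altered record, recomputed plain checksum:", verify_plain(seal_plain(altered)))
```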

Encryption

After a risk analysis if this implementation specification is a reasonable and appropriate safeguard the covered entity must:

“Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

As mentioned earlier under the Access Control standard, encryption is a method of converting messages into an encoded or unreadable text that is later decrypted into comprehensible text.  This is an addressable implementation, similar to that under Encryption and Decryption.

Encryption works only if the sender and receiver are using the same or compatible technology.  The Security Rule allows covered entities the flexibility to determine when, with whom and what method of encryption to use. 


In Conclusion

HIPAA technical safeguards are important due to technology advancements as they help to protect EPHI in today’s environment.  It is crucial for all covered entities and business associates who deal with electronic PHI to review their use of Technical Safeguards to be fully in compliance.  

We are available to discuss Technical Safeguards with your organization.

 

New HIPAA Penalties from HHS


Direction from HHS on Penalties

New HIPAA Penalties are now available from the Department of Health and Human Services after it published a notice on April 30th.  HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Until now HHS has applied the same cumulative annual limit to all four categories of violations.

Pending further rulemaking, HHS will now apply different cumulative annual CMP limits instead of the maximum of $1.5 million for each level of violation. This reduces the maximum limit, scaling it down based on the level of culpability. HHS will use the new penalty structure until further notice.  It is important to understand the new HIPAA Penalties from HHS.


The Four Categories

Based on four categories of culpability, HHS has provided covered entities and business associates with a whole new structure for penalties.  In most cases the amount of the penalty will be significantly less than what we have experienced in the past.

For the category of no knowledge, the minimum penalty is now $100, and the annual limit will be $25,000, down from $1.5 million.

For reasonable cause, $1,000 is the minimum and $100,000 the annual limit, down from $1.5 million.

Next, for willful neglect with correction, the minimum is $10,000 and the annual limit $250,000.

Finally, the highest category is willful neglect with no correction, with a $50,000 minimum and an annual limit of $1,500,000.

This new guidance changes significantly the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who deal with protected health information.

To read this important notice on new HIPAA Penalties from HHS, visit the Federal Register using the link below.

Reasonable Safeguards for PHI


Protecting  PHI

Reasonable Safeguards for PHI are precautions that a prudent person must take to prevent a disclosure of Protected Health Information.  Providers must apply these safeguards to protect all forms of PHI: verbal, paper, and electronic.  They help prevent unauthorized uses or disclosures of PHI.  In addition, safeguards must be part of every privacy compliance plan, and organizations must share them with all members of the organization.

Safeguards for Verbal PHI

Apply Reasonable Safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI.  Secondly, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and whether the patient permits disclosure.  Finally, you may ask the other persons to leave the room, giving the patient an opportunity to object.

Paper PHI

In addition, reasonable safeguards for PHI must apply to the use of all paper products to prevent them from reaching the wrong person.  Providers must dispose of all paper products that contain PHI in a shredder once they are no longer needed.  When a paper patient summary is given to a patient, personnel must make every effort to give it to the correct patient.

Electronic PHI

Password protect all computers in order to protect electronic PHI.  Employees must use only the computer and medical record accounts to which they are assigned.  Consider the use of encryption for any email or text that contains ePHI.

Use of Reasonable Safeguards for PHI Prevents Violations

In conclusion, the use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred.  The latter is secondary to a permissible disclosure, and is not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.


Disclosures to Law Enforcement are Permissible


Disclosures to Law Enforcement

Sometimes it is hard to determine under what circumstances disclosure of PHI to law enforcement is permissible. HIPAA permits disclosures to law enforcement in certain situations. It is reasonable to disclose if a signed authorization from the patient or their legal representative exists.

When to Respond

The HIPAA Rule permits disclosures when required by law. This may be necessary to respond to subpoenas and court orders with specific requirements.  In addition, disclosure may be necessary to investigate a crime, to locate a missing person and to prevent serious threats to public health and safety.  State law requires reporting of child and adult abuse and neglect, and of certain injuries and diseases.

State Law

Besides considering the federal HIPAA law, review state law because it may be more protective than HIPAA. If that is the case, the entity must follow state law. It is important for your organization to know what the permissible disclosures to law enforcement are.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic and HIPAA training for you and your company.  Follow us on Facebook and Twitter.


Filing a HIPAA Privacy Complaint


Procedures for Making a Complaint

A covered entity must have a procedure for individuals to file a HIPAA privacy complaint regarding its privacy practices or an alleged violation of the Privacy Rule.  Most importantly, the Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights.  In addition, complaints must be filed within 180 days of when you knew the violation occurred.

Privacy Officer

The privacy officer or designee investigates all complaints involving the privacy of protected health information.  The organization should maintain records of the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI.  A filing to the OCR should contain information about the complainant, the details of the complaint, and any additional information that might help OCR when reviewing the complaint.

On behalf of the covered entity, the Privacy Officer will respond to inquiries initiated by the Office for Civil Rights as it investigates complaints.

No Retaliation for Filing a Privacy Complaint

Above all, an organization must not retaliate against anyone for filing a HIPAA privacy complaint under the HIPAA rules. Most importantly, an organization must encourage employees to file a complaint if they feel a violation took place. Finally, an organization must resolve complaints and prevent them from happening again, which helps protect the organization.  On the other hand, an employee may complain directly to the OCR if retaliatory action occurred.

In conclusion, there must be a good process for filing a privacy complaint, and there should be no retaliation for doing so.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic.


Breaches of Protected Health Information


Breaches Are A Serious Matter

Breaches of Protected Health Information are a serious matter.  A breach is an impermissible use or disclosure of protected health information, or PHI, that compromises the privacy or security of the PHI.  An impermissible use or disclosure is presumed to be a breach unless certain criteria are met.  The covered entity or business associate must demonstrate there is a low probability that the PHI has been compromised, based on a risk assessment of the following:

  1. Firstly, the nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification
  2. Secondly, the unauthorized person to whom the disclosure was made.
  3. Third, whether the PHI was acquired or viewed.
  4. Finally, the extent to which the risk to the patient was mitigated.

Paper Breaches

There are many forms of Breaches of Protected Health Information.  Some examples of breaches of paper PHI are loss of paper files, unsecure disposal, and paperwork given to the wrong person.  As a result, all entities that handle paper PHI must be aware of how important it is to take care when sharing or disposing of this information.  It is not uncommon for patients to receive the discharge summary of other patients, or to see old medical records simply thrown away in the trash.

Electronic Breaches

Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document sharing internet site.  Most importantly, all organizations must create a process by which electronic PHI is protected on the cloud.

All of these have been the subject of Office for Civil Rights penalties.

Verbal Breaches

Verbal breaches of PHI occur if PHI is disclosed to the wrong individual or if it is overheard when safeguards are not used.

It is important for all covered entities and business associates to review their policies.  As a result, they will be able to better protect PHI whether it is on paper, electronic or spoken.

Please contact us, for more information about breaches or about HIPAA. Follow us on Facebook or Twitter.

HIPAA and Social Media can be Problematical


Benefits of Social Media

Social media offers many benefits for health care organizations because it allows interaction with patients and others.  It offers education and services.  As a result, it is an essential communication and marketing tool and part of strategic marketing plans.  Organizations also turn to social media to communicate with their employees. Unfortunately, HIPAA and Social Media can be problematical.

Authorization to use PHI

It is possible to violate HIPAA Rules and patient privacy while using social media, if not managed correctly.  Due to this it is important for health care organizations to disclose protected health information carefully.   An organization must do so only with patient authorization for interviews, photographs and marketing communications.

Media Posts May Risk Privacy

Posts of PHI by employees violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI.  The ability to post simultaneously on several platforms increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed, and there must also be a low risk that the remaining information could be used to identify the patient. Facial images and other identifiers such as tattoos must also be removed.

Preventing HIPAA Privacy Risk

Employees should be trained on the dangers of using social media inappropriately from the very onset of their employment.  Many organizations deal with the issue through development of a social media use policy.   They also monitor social media activity.  If not addressed, HIPAA and Social Media can be problematical.