Top HIPAA Hazards and How to Avoid Them

Transcription

1 Top HIPAA Hazards and How to Avoid Them HIPAA penalties are getting bigger and bigger, and are almost always issued for inadvertent mistakes. MPA monitors the Office of Civil Rights (OCR) HIPAA enforcements on a daily basis, and breaks down the top HIPAA hazards and how you can stay out of hot water. Snooping The Hazard. It is a common misconception that all employees of a provider have access to any PHI held by that provider. HIPAA s minimum necessary rule requires providers to restrict PHI access to those who have a legitimate need under HIPAA s Privacy Rule. If your computer and network systems allow all employees equal access to all patient PHI, you have a potential HIPAA violation on your hands. The Example. A health system learned the hard way, after employees repeatedly looked up the ephi of celebrity patients for no legitimate reason. Commonly known as snooping, this practice cost the health system $865,500 in settlement, and one snooping employee four months in jail. What You Can Do. Establish access levels for your employees based on their job functions, and ask your IT support how to set up access controls, so snooping isn t possible. If a receptionist is dying to know what his neighbor named her baby, HIPAA snooping can be avoided if that receptionist is not able to access patient records. Employee training is equally important. Make sure employees receive regular training about the HIPAA minimum necessary rule, and know that snooping is not permitted. Unencrypted Laptops and Flash Drives The Hazard. Health care employees increasingly rely on laptops and flash drives as remote access, working from home, and travel are more and more common. These devices are a handy way to travel with work information. They are also easy to lose, 1 June 2014

2 which carries big risks under HIPAA. If a laptop or flash drive contains ephi and is unencrypted, it poses a HIPAA Security risk. The Example. A dermatology practice entered a $150,000 settlement after an unencrypted thumb drive containing the PHI of 2,200 patients was stolen from an employee car. A hospice paid $50,000 due to a stolen unencrypted laptop. A health services company paid $1,725,220 in settlement arising out of a stolen unencrypted laptop. In each of these cases, the stolen laptop led to an OCR investigation, which identified additional HIPAA violations. Another health care provider entered a $1.5 Million HIPAA settlement after an unencrypted personal laptop containing ephi was stolen. What You Can Do. Address laptops and portable devices in your HIPAA Security risk assessment, and update the assessment whenever you introduce new forms of electronic media. Consider prohibiting the use of PHI on laptops and portable devices, unless they are encrypted. Establish a policy for whether and when laptops and portable devices can be used even if they are encrypted and certainly remind employees never to leave PHI in their cars. Don t Forget the Boss The Hazard. Most providers routinely train employees on HIPAA but many forget the boss. Individuals in a leadership position are even more likely to be asked about patients by the media. And yet many providers skip training at the executive level because they don t want to be a bother. It is in everyone s best interests, including the boss s, to make HIPAA training a bother. The Example. A medical center entered a $275,000 HIPAA settlement after two senior level executives discussed a patient s medical care with the media on at least three occasions, without the patient s authorization. In addition, senior management shared information about the patient s condition, diagnosis and treatment with the entire workforce by . What You Can Do. Include all employees, including management, leaders and executives, in HIPAA training. These individuals help set the tone of your organization, and can lead employees to HIPAA compliance if they know what to do. Rethink Working From Home The Hazard. Well-meaning employees take work home to meet deadlines, or exceed performance expectations. When this involves PHI, employees with good intentions can 2 June 2014

3 create a very bad problem. How do you protect the privacy and security of PHI when it leaves your facility? The Example. A hospital entered a $1,000,000 HIPAA settlement after an employee left documents containing PHI on the subway, including PHI for patients with HIV/AIDS. The documents were never recovered, which means no one knows if they were improperly used. What You Can Do. Decide if you want to allow employees to bring work home. If so, clearly define how this can be done. It is a good idea for paper PHI to stay in your facility. Also evaluate protections for ephi. If employees are allowed to work from home, can they access ephi? If so how do you know their access is secure? How do you know your provider s ephi is safe from the view of others in the employee s home? Copiers Count The Hazard. Modern photocopiers store ephi, just like a computer. And yet many providers have not addressed photocopiers in their HIPAA Security risk assessments or policies and procedures. The Example. CBS purchased a photocopier that had previously been leased by a health plan, and found that the copier s hard drive contained ephi for 344,579 patients. One CBS Evening News expo and one $1,215,780 HIPAA settlement later, the health plan learned the hard way that copier hard drives must be cleared of ephi before sending the copier back to the leasing company. What You Can Do. Identify all equipment that stores ephi, considering copiers and faxes. Include this equipment in your HIPAA Security risk assessment and policies and procedures. Make sure employees responsible for purchasing, selling, destroying or leasing this equipment understands these procedures. Consider posting warnings on each device containing ephi with an alert that service, sale or disposal of the device should be cleared through the security officer. We re Working On It The Hazard. Many organizations seek comfort in the fact that they are working on HIPAA Privacy and/or Security policies and procedures, and are hopeful that if they are audited or have a complaint, the government will go easy on them. To the contrary, the government has recently come down hard on providers whose HIPAA compliance efforts were in progress. 3 June 2014

4 The Example. A health services company was investigated after an unencrypted laptop was stolen. The OCR found that the company had conducted security risk assessments and identified that lack of encryption was a risk. The company had started to encrypt, but had not yet finished. The OCR imposed a $1,725,220 penalty. Likewise, a health plan was investigated after an unencrypted laptop was stolen. The company encrypted their devices after the breach but it was too late. The OCR found a pattern of HIPAA noncompliance going back to In other words, we re working on it or even we just did that are not effective defenses. What You Can Do. Make HIPAA risk assessments, policies, procedures, and training an immediate priority. Everyone working in health care is busy but the government does not see that as an excuse. Consider sharing penalty examples with leadership, in order to motivate your organization to stick to a quick timeline for addressing HIPAA. Social Media Snafus The Hazard. 75% of employees check personal social media at least once a day while at work. Almost half of employees use social media to connect with co-workers and customers. 1 This means that prohibiting use of cell phones and social media is no longer an option: social media is here to stay. Without guidance, a minefield of HIPAA violations awaits your employees. The Example. Examples of social media HIPAA snares run the gamut from innocent, to inadvertent, to ill-intentioned: A NYC EMT posted a photo of a murder victim on his Facebook page. A paramedic posted information on his MySpace page about a rape victim he transported. Without using a name, he posted enough detail for the media to locate the victim (who sued the EMT and his employer). A nurse posted a Facebook rant about an alleged cop killer she treated. The media identified the individual and where he was being treated. Nurses posted PHI related to shift changes on Facebook for all to see. It is common for employees to post pictures of patients on Facebook. These posts can be malicious or friendly. Either way, they violate HIPAA. What You Can Do. Implement a social media policy with Do s and Don ts for social media use. Remind employees that information sent over social media is often unencrypted 1 Social Media & Workplace Collaboration, SilkRoad, available at: Report.pdf 4 June 2014

5 and unsecured and owned by the social media site. Train your employees to understand how innocent postings can violate the law. Explain that omitting a patient s name does not guarantee the patient can t be identified. Use your newsletter, paycheck stuffers, shift changes, or other methods to advance employee understanding of privacy issues and proper social media use. Rusty, Dusty Risk Assessments The Hazard. A provider conducts a HIPAA security risk assessment, but fails to update the assessment. Every time the Security Rule is updated, or that provider adds or upgrades its technology, a risk assessment must be done. The failure to update the risk assessment is itself a HIPAA violation. Plus, without a current risk assessment, the provider does not know the extent of its HIPAA risks, and has likely not mitigated them. The Example. A university entered a $400,000 HIPAA settlement after ephi for 17,500 patients was left unsecured for 10 months. The university s firewall protections were disabled and its risk assessments were incomplete and did not identify potential risks. The university did not have policies for routine review of its information security, which is why it failed to identify the disabled firewall. Similarly, a managed care company entered a $1.7 Million HIPAA settlement after an unsecured online application database left the PHI of 612,402 patients accessible to unauthorized individuals. The company failed to perform a risk assessment in response to a software upgrade. This is another reminder that new technology can bring value and efficiency to an organization, but it can also bring new HIPAA security vulnerabilities. What You Can Do. Conduct HIPAA Security risk assessments at least annually. Also conduct assessments when the HIPAA Security rule is updated or if HIPAA Security guidance is issued, and when you introduce new technology or otherwise update your IT environment. Treasure the Paper Trail The Hazard. By now it should be clear that failing to comply with HIPAA has high stakes. So does failing to document that you comply with HIPAA. The Example. A surgical practice entered a $100,000 HIPAA settlement after it posted patient appointments on a publicly accessible Internet calendar. The OCR investigated, and found a litany of HIPAA violations, such as lack of policies and procedures, lack of documentation of employee training, lack of a security risk assessment, and lack of business associate agreements. 5 June 2014

6 What You Can Do. Give yourself credit for compliance. Do you have informal policies? Write them down. Do you train employees on HIPAA? Have them sign in, and keep the curriculum. Did you conduct a risk assessment? Make sure it is documented, along with any updates. Do your business associates agree to safeguard your PHI? Make sure you have updated, signed business associate agreements in place. The Bottom Line: The Gloves Are Off In a recent record-breaking HIPAA settlement, two companies entered a combined $4.8 Million HIPAA settlement, which is the largest we have seen under HIPAA enforcement. A physician who developed applications for both entities attempted to deactivate a personally-owned computer server on a shared network that contained ephi. Because adequate technical safeguards were not in place, this ephi became accessible on the internet and showed up in Google searches. Upon investigation, the OCR found that the providers HIPAA security programs were lacking. The OCR sent a warning to providers who, like the providers in this settlement, are behind on HIPAA security: The message here is to get your house in order The gloves are off. 2 If you need to get your HIPAA house in order, visit MPA s web page for HIPAA resources, and to take a Free HIPAA Assessment: Margaret Scavotto, JD Director of Compliance Services Management Performance Associates ext. 24 MCS@healthcareperformance.com 2014 Management Performance Associates. Because MPA is a consulting company and not a law firm, neither MPA nor any of its employees provide legal advice or legal services. Nothing contained in this article constitutes legal advice. It is strongly recommended that all providers consult with competent legal counsel versed in HIPAA as they address HIPAA compliance. 2 HealthcareIT News, May 8, June 2014

7 Do-It-Yourself Compliance Tools HIPAA Tool Kit The Office of Civil Rights (OCR) is launching a new series of HIPAA Privacy, Security and Breach Notification audits in Fall Are you ready to respond to an audit? OCR audits typically involve a review of policies and procedures, plus employee interviews. Prepare yourself for a HIPAA audit with MPA s HIPAA Tool Kit: HIPAA Privacy Policy and Procedure Manual Form (includes Breach Notification) HIPAA Social Media Policy HIPAA Auditing Workbook with Dashboards (Privacy, Security and Breach Notification) HIPAA Security Threat Analysis Spreadsheet Tool MPA s privacy and breach notification policies and procedures, threat analysis and auditing workbook, combined with the Security Risk Assessment Tool provided by the OCR ( provide the tools you need to promote HIPAA compliance and defend a HIPAA audit. Price: $750 MPA s Compliance Subscription Service includes: Compliance Program Policy Forms o Compliance Program Policy o Board Resolution adopting Compliance Program o Code of Conduct o Employee Acknowledgments of Compliance Program and Code of Conduct o Compliance Officer & Committee Policy o Training and Education Policy 7 June 2014

8 Compliance Risk Area Policy Forms* o Resident Rights o Employee Screening o Billing and Claims Submission o Cost Reporting o Kickbacks, Inducements and Self-Referrals o Compliance Records o Anti-Supplementation o Medicare Part D Plan Selection o Quality Assurance Handbook and Tools Auditing and Monitoring Handbook* o Resident Rights o Employee Screening o Billing and Claims Submission o Cost Reporting o Kickbacks, Inducements and Self-Referrals o Compliance Records o Anti-Supplementation o Medicare Part D Plan Selection o Quality Assurance Handbook and Tools o Annual Review Updates to the above Forms and Tools 10% discount on MPA s Executive Training Workshop 2 hours of consulting per year * HIPAA sold separately Fee: $3295 First Year; $495 Renewal fee MPA s Compliance Subscription Service Plus includes: Everything included with the Compliance Subscription Service, plus 1 hour per month of consulting (an $1,800 value) 15% discount on MPA s Executive Training Workshop Fee: $4595 First Year; $1495 Renewal Fee Compliance Internal Marketing/Training Campaign A compliance program is only as strong as its employees. Do your employees know how to recognize non-compliance, and how to report it internally? Do your employees understand 8 June 2014

9 when a perk or gift is an illegal kickback? When the use of social media violates HIPAA? When the way they speak to a resident violates resident rights? Compliance is a lot to keep up with. Annual training is not enough to keep compliance top-ofmind. Invest in a compliance campaign that educates your employees on an ongoing basis, helping them do their jobs and helping you stay compliant. Annual/New Hire Compliance PowerPoint Monthly Compliance Moments for your organization to share with its employees. Monthly Compliance Moments will address one or more compliance topics a month (e.g. reporting non-compliance, HIPAA, resident rights, quality, kickbacks, documentation accuracy). Suggestions for dissemination of the Monthly Compliance Moments in unique ways Compliance Week Handbook with suggested events, trivia and content to use during your own Compliance Week. Annual Fee: $500 Compliance News Service Keep your compliance program effective with monthly compliance news. MPA prepares a monthly newsletter with the latest OIG and OCR enforcements and guidance, with tips for how you can incorporate them into your compliance program. Annual Fee: $350 For more information, contact: Margaret Scavotto, JD Director of Compliance Services Management Performance Associates ext. 24 mcs@healthcareperformance.com 9 June 2014