Archive for April, 2014
A recent HHS statement emphasizes the need for encryption, citing two recent OCR settlement agreements that totaled nearly $2 million as examples of the dangers posed by unencrypted devices in healthcare. Unencrypted computers and mobile devices pose a significant security risk for organizations because the PHI they hold is exposed if one of these devices is stolen or hacked.
OCR’s $1,725,220 resolution agreement with Concentra Health Services, a national healthcare company, for potential HIPAA violations stemming from the theft of an unencrypted laptop computer highlights the importance of encryption.
An OCR investigation revealed that during several risk analyses Concentra identified its lack of encryption as a security threat. Although the organization took steps to encrypt its devices, its efforts were inconsistent and incomplete. Concentra failed to implement sufficient policies and procedures to detect and correct security violations, and failed to execute appropriate risk management measures to address the lack of encryption, according to the resolution agreement.
Similarly, OCR agreed to a $250,000 monetary settlement with Arkansas-based QCA Health Plan, Inc., following an incident involving the theft of an unencrypted laptop containing PHI from a workforce member’s car. The health plan began its effort to encrypt its devices following the breach, but failed to comply with a multitude of HIPAA Privacy and Security Rule requirements from April 2005 to June 2012, according to the HHS statement. Much like Concentra, QCA Health Plan also failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting a thorough risk assessment, according to the resolution agreement.
Encryption is the best defense for covered entities and business associates, Susan McAndrew, OCR’s deputy director of health information privacy, said in the statement.
The Heartbleed Bug, a flaw in OpenSSL's implementation of the TLS heartbeat extension (CVE-2014-0160), was discovered independently by two teams of engineers and disclosed on April 7, after which it was found to affect private and government systems in the United States and elsewhere. Because the vulnerable code trusts the length field in a heartbeat request without checking it against the number of bytes actually received, either side of a connection can read up to 64 KB of the other side's process memory per request (server memory to the client, or client memory to the server), which can expose private keys, session cookies, credentials and any PHI in transit, thereby defeating the protection the encryption is supposed to provide, according to www.heartbleed.com. Patching OpenSSL is only the first step: because private keys and session tokens may already have been read, affected certificates should be re-keyed and reissued, the old ones revoked, and sessions and passwords reset.
The Heartbleed Bug illustrates the importance of PHI mapping, which is the practice of understanding the lifecycle of PHI in your organization by tracking it through various methods and ensuring it is secure. A proper risk analysis is not complete without PHI mapping, and risk analysis is critical to discovering holes in your privacy and security plan, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore. “[Heartbleed] created significant vulnerabilities with some of the servers around the country where everybody sort of just scrambled, getting everything fixed so somebody outside can’t steal information,” Apgar says. This incident also highlights the importance of sending regular security reminders, training your workforce, and using encryption for email and devices, he says.
When something like this occurs, privacy and security officers should work with their vendors to identify vulnerabilities and patch all applications and servers as quickly as possible, Apgar says. “It doesn’t have to be this huge, onerous thing,” he says.
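To make the mechanism described above concrete, the following C program is an added example (not code from the original post and not OpenSSL's own source) that simulates the heartbeat defect on a constructed in-memory buffer: a request whose length field claims 64 bytes but carries only "hello", with an unrelated secret stored right after the record. The two handlers mirror the shape of the unpatched and patched OpenSSL logic; the buffer layout, the secret string and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the Heartbleed defect. "memory" stands in for the
 * process heap: a heartbeat request sits at the front and a secret that has
 * nothing to do with the request lives right after it. Nothing here is
 * OpenSSL's code; the two handlers only mirror the shape of the unpatched and
 * patched heartbeat processing. */

#define HB_REQUEST 1
#define HB_PADDING 16            /* TLS heartbeat messages carry 16 bytes of padding */

static uint8_t memory[256];      /* simulated heap (constructed) */
static const char SECRET[] = "SECRET:session_key=deadbeef";   /* constructed */

struct record {
    const uint8_t *data;         /* start of the heartbeat message in memory */
    size_t length;               /* bytes actually received from the peer */
};

/* Lay out a heartbeat request whose 2-byte length field claims `claimed_len`
 * payload bytes but whose real payload is `payload`, then place the secret
 * immediately after the record. Returns the record length as the TLS record
 * layer would report it. */
static size_t build_memory(uint16_t claimed_len, const char *payload)
{
    size_t real_len = strlen(payload);
    size_t record_len = 1 + 2 + real_len + HB_PADDING;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8);
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + 3, payload, real_len);
    memcpy(memory + record_len, SECRET, sizeof SECRET - 1);
    return record_len;
}

/* Unpatched shape: trusts the peer-supplied length field. Returns the number
 * of payload bytes echoed into `out`, or -1 if the request is rejected. */
static int heartbeat_vulnerable(const struct record *rec, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = rec->data;
    uint8_t type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST || payload > out_cap)
        return -1;               /* out_cap check only keeps the simulation in bounds */
    /* The bug: nothing compares `payload` with rec->length, so memcpy reads
     * past the real payload into whatever follows on the heap. */
    memcpy(out, p, payload);
    return (int)payload;
}

/* Patched shape (the check added in OpenSSL 1.0.1g): discard any request whose
 * claimed length does not fit inside the bytes actually received. */
static int heartbeat_fixed(const struct record *rec, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = rec->data;
    if (rec->length < (size_t)(1 + 2 + HB_PADDING))
        return -1;
    uint8_t type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST || payload > out_cap)
        return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length)
        return -1;               /* silently drop, as the fix does */
    memcpy(out, p, payload);
    return (int)payload;
}

/* Does the echoed response contain the secret? */
static int contains(const uint8_t *buf, int n, const char *needle)
{
    size_t m = strlen(needle);
    for (int i = 0; n >= 0 && i + (int)m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Malicious request: claims 64 bytes, sends "hello" (5 bytes). */
int vulnerable_response_len(void)
{
    uint8_t out[256];
    struct record rec = { memory, build_memory(64, "hello") };
    return heartbeat_vulnerable(&rec, out, sizeof out);
}

int vulnerable_leaks_secret(void)
{
    uint8_t out[256];
    struct record rec = { memory, build_memory(64, "hello") };
    int n = heartbeat_vulnerable(&rec, out, sizeof out);
    return contains(out, n, SECRET);
}

/* Same "hello" payload against the patched handler, with a chosen length claim. */
int fixed_response_len(uint16_t claimed_len)
{
    uint8_t out[256];
    struct record rec = { memory, build_memory(claimed_len, "hello") };
    return heartbeat_fixed(&rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler echoed %d bytes, secret leaked: %s\n",
           vulnerable_response_len(), vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler, malicious request: %d (rejected)\n", fixed_response_len(64));
    printf("fixed handler, honest request:    %d bytes\n", fixed_response_len(5));
    return 0;
}
```

The vulnerable handler echoes 64 bytes for a 5-byte request and the secret comes back with them; the patched handler drops the same request and still answers an honest one that claims exactly 5 bytes. In the real bug the over-read reaches up to 64 KB per heartbeat, which is why anything recently handled by the process, including keys and PHI, was at risk.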
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org and we will work with our experts to provide the information you need.
Q: I work for a hospital with a geriatric psychiatry unit. Many patients are discharged to nursing homes. Often, nursing homes contact the hospital for patient information, but we have only the patients’ psychiatric records and are hesitant to send them. We usually send a psychiatric discharge summary that includes history and physical notes, any ancillary test results, and a medication list. However, we exclude the psychotherapy notes. Is it permissible under HIPAA to send this information to nursing homes for continued care?
A: You are obligated under HIPAA to send the “minimum necessary” to accomplish the purpose. In this case, this includes a list of medications and problems, so sending the discharge summary makes sense.
Unless your state has special laws pertaining to mental health records and patient written consent (and many do), your approach sounds reasonable.
One note of caution: Psychotherapy notes are defined as notes that are kept separate from the medical record and are not used to substantiate billing. Unless your providers keep separate notes, you are likely referring to progress notes that do not enjoy any special protection under HIPAA (although they may be protected by state law).
This doesn’t mean you should send them, it just means that you and your providers should be aware that they are not psychotherapy notes and enjoy no special protection under HIPAA.
Also, remember that substance abuse treatment facilities are subject to federal laws dictating when and under which circumstances substance abuse treatment records may be released. Coincidentally, HHS recently released additional guidance on handling mental health records (http://tinyurl.com/mcpeoay).
Editor’s note: Chris Simons, MS, RHIA, the director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H., answered this question for HCPro’s Medical Records Briefing.
Wisconsin Governor Scott Walker signed Assembly Bill 453 (Act 238), also known as “HIPAA Harmonization,” into law April 8. This statute better aligns Wisconsin state law governing the uses and disclosures of protected health information with the HIPAA Privacy Rule, according to The National Law Review.
The new law addresses uses and disclosures of PHI in Wisconsin. The HIPAA Omnibus Rule redefined several HIPAA terms, and the new Wisconsin law similarly redefines the following terms so they more closely align with the Privacy Rule definitions:
- Business associate (BA)
- Covered entity (CE)
- Healthcare operations
- Protected health information
- Treatment and treatment facility
The state law also requires CEs that meet the definition of a treatment facility to comply with federal notice of privacy practices regulations.
Wisconsin law also provides that the restrictions in Wis. Stat. § 51.30 do not apply to use, disclosure, or request for disclosure of PHI by CEs and BAs if:
- The CE or BA makes the use, disclosure, or request for disclosure in compliance with 45 CFR 164.500–164.53
- The CE or BA makes the use, disclosure, or request for disclosure for the purpose of treatment, payment, or healthcare operations
The PHI of 9,700 patients at Service Coordination, Inc., in Frederick, Md., was compromised when the nonprofit organization’s computers were hacked, CBS Baltimore reported.
A hacker gained access to approximately 70% of the organization’s medical records, including Social Security numbers. However, there was no evidence that the PHI was misused. Investigators identified the alleged hacker and seized his or her equipment, CBS Baltimore reported.
Service Coordination is a state-licensed provider of services for developmentally disabled individuals. The breach first came to light in October 2013, but the U.S. Department of Justice requested that Service Coordination keep the incident under wraps during the federal investigation. Affected individuals were notified of the breach in March, CBS Baltimore reported.