Archive for Policies and Procedures

Oct 08

Time to check dangers of social networking

Posted by: Dom Nicastro | Comments (3)

While many popular Web sites have strong privacy practices in place, there is no better time to analyze where, when, how, and if your personal health information (PHI) is circulating through these types of Web sites.

The Ponemon Institute and TRUSTe recently released their 2009 Most Trusted Companies for Privacy Award and ranked eBay, Verizon, the US Postal Service, WebMD, and IBM as the top five.

But health leaders must also beware of employees sending any PHI over the Internet. The last thing you want is to get burned because someone in your organization sent PHI without authorization across Yahoo!, Facebook, or similar sites.

It’s not common—though it’s possible—for healthcare workers to use these sites to intentionally and maliciously violate patient privacy laws. More often, healthcare workers sign on during breaks, or when they are off work, and vent about their day with friends without realizing that they share identifiable information and violate HIPAA.

Regardless of how you respond to these privacy and security vulnerabilities, education is crucial, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, and a HIPAA expert. “A lot of people are panicking,” Apgar says. “But one thing that’s not well understood is the danger related to all this.”

Transmission over an unsecured network is inevitable, particularly if the sender and the receiver don’t share a secure network, says Apgar. Combat this with these four education models:

  • New employee training (orientation)
  • Annual refresher training
  • Security reminders (weekly helpful e-mails; information in hospital newsletters; and flash reminders on staff computer monitors)
  • Communications policy—as with confidentiality agreements, require staff members to acknowledge in writing that they have read and understand it. Do this annually at staff performance reviews.

An article in the September issue of the Journal of the American Medical Association entitled “Online Posting of Unprofessional Content by Medical Students,” revealed that 60% of 80 medical school deans reported incidents involving unprofessional postings on these types of Web sites. Another 13% acknowledged incidents that violated patient privacy. Some of these violations resulted in expulsions from medical school, according to the article.

“These professionals are well educated, but that doesn’t mean they are savvy with security,” says Apgar. The finality of disclosures on these types of Web sites is what makes it so dangerous, says Apgar. “Once you put something out there, it’s out there, and it’s never coming back,” he says.

Simply banning these Web sites from the hospital network is one strategy that many organizations use, Apgar says.

Spring Harbor Hospital, in Westbrook, ME, doesn’t allow access to Web sites, such as Facebook, on facility computers, says Chris Simons, RHIS, who serves as the facility’s director of HIMS and privacy officer. “We also include it in orientation as a no-no,” she says. “We have had some issues with staff on Facebook saying inappropriate things about their managers, and have addressed that.”

Access to personal e-mail accounts is just as dangerous for many reasons, and organizations are beginning to ban this practice as well. A physician who logs onto a personal Yahoo! Mail account to send himself or herself a list of patients to access at home is one example of inappropriate use, Apgar says. That’s a breach of a lot of information, says Apgar. The hospital network may be encrypted, but the information won’t be on the other side once the physician opens the e-mail at home.

Freelancer Corey Goodman contributed to this report.

Sep 02

Q&A: Contacting patients by mail

Posted by: mbrandt | Comments (1)

Q. Our facility is taking steps to implement a “Grateful Patient Program” to help raise money. What measures must we take when contacting patients by mail to ensure that we stay within HIPAA guidelines?

A. Covered entities may use or disclose limited PHI to a business associate or institutionally related foundation for fundraising. Patient authorization is not required to use PHI for fundraising, but covered entities must tell patients about this use in their Notice of Privacy Practices. Covered entities may use or disclose the following PHI for fundraising without patient authorization:

  • Demographic information relating to an individual, such as name, address, telephone number, and date of birth
  • Dates of healthcare provided to an individual

Covered entities are not permitted to use diagnostic information to target their fundraising appeals to certain groups. For example, you may not use PHI to determine which individuals have been treated for breast cancer in the past five years when you send a special appeal to raise money for a new breast cancer treatment center.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Aug 31

Compliance tips for HIPAA’s interim final rule on breach notification

Posted by: Dom Nicastro | Comments (1)

Consider these tips to maintain compliance with the HHS interim final rule on breach notification:

  • Know what constitutes a breach. Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, says covered entities (CEs) and business associates (BAs) must read closely and understand section 164.402 of the interim final rule on definitions, especially the definition of a breach. “The exclusions listed are commonly the cause of much confusion,” she says.

  • Know when to provide notification. CEs should know they must provide breach notification to affected individuals, and BAs should know they must notify CEs as soon as possible when breaches occur, Herold says. “Great confusion and harm could result if a BA notified individuals and provided inaccurate, incomplete, or otherwise inappropriate information,” she adds.

  • Sharpen your training. Under section 164.530 of the interim final rule, CEs must train all staff members on the new requirements. The clock starts ticking on the notification requirements as soon as you know—or reasonably should have known—about the breach, says Chris Simons, RHIA, director of UM & HIMS and the privacy officer at Spring Harbor Hospital in Westbrook, ME. Staff members should receive training on how to report any breach regardless of its significance, and ongoing communication is also crucial for compliance, Herold adds. “Make sure you are providing effective training,” Herold says. “Effective training is a comparatively low-cost activity, but can provide the greatest impacts for improving information security and privacy.”

Aug 13

HIPAA compliance starts in the C-Suite

Posted by: Dom Nicastro | Comments (0)

The economic recession probably brought healthcare CEOs closer to their organizations’ day-to-day activities. New federal HIPAA laws should have too. Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST), believes compliance with HIPAA privacy and security starts from the top.

“Our experience shows that the more executive management and the board of directors are engaged in understanding the challenges and issues the more diligent the organization is in addressing information protection,” says Nutkis. “HITRUST has seen a significant increase in the number of organizations that have added information protection as a component of their overall corporate responsibility measure or corporate philosophy.”

HIPAA Update caught up this week with Nutkis for a Q&A about HIPAA privacy and security. The following are some highlights. The full Q&A can be found here.

HIPAA Update: Federal laws on HIPAA changed with the signing of the American Recovery and Reinvestment Act (ARRA) of 2009. Did you see this coming?

Nutkis: ARRA is pushing for the broad adoption and utilization of health information systems, electronic health records, and electronic exchanges of health information. ARRA also recognizes the importance of information security in meeting this objective. Efficiency and reduced costs for consumers was the driver. HITRUST recognized this long before the signing of the bill, and we continue to be an advocate for more effective and efficient information protection in the healthcare industry.

HIPAA Update: What were the major flaws in HIPAA rules before the signing of the ARRA?

Nutkis: The primary issues with HIPAA are a lack of clear requirements and enforcement by government agencies. ARRA allows for a risk-based implementation of the safeguards outlined in HIPAA, which are themselves subject to interpretation, meaning there is no consistent application of security controls across the industry. While there are penalties for non-compliance, the industry rarely saw repercussions and subsequently rarely took HIPAA seriously. While ARRA does not necessarily provide the prescriptive security requirements needed in HIPAA—like we find with PCI (https://www.pcisecuritystandards.org/)—it does provide focus for covered entities on breach notification, securing PHI, and business associate compliance.

HIPAA Update: What kind of an impact does the move to electronic health records have on HIPAA privacy and security?

Nutkis: The impact from EHRs comes in the form of increased focus on privacy and security. It is widely known to the general public that this is the direction the healthcare industry must go to contain costs and increase efficiency in healthcare. However, without proper security and assurance that personal health information will be kept private, consumers will be no more willing to share their health information electronically than they would their bank account or credit card number.

HIPAA Update: How should healthcare facilities be reacting right now to the new HIPAA laws in the Health Information for Economic and Clinical Health (HITECH) Act?

Nutkis: Healthcare organizations will need to revisit and adjust their information security governance practices and make additional areas of investment to align with the new requirements. HITRUST recommends that healthcare organizations focus on the following key areas for their security strategic plans over the next 24 months:

  • Develop and implement an overall compliance strategy: Update policies, processes, and technologies to manage and document compliance efforts
  • Realign policies: Ensure that internal policies, standards, and procedures are aligned with regulatory requirements
  • Perform a gap analysis: Conduct a gap analysis of existing security practices against HIPAA and new regulatory requirements
  • Develop a roadmap for compliance: Develop a plan outlining responsibilities, budget, and timelines to address gaps identified during the assessment
  • Maintain an audit ready state: Based on recommendations by the OIG in 2008 and the new legislation, HHS will more assertively perform compliance audits in the upcoming years.

HIPAA Update: What are some weaknesses you see with healthcare facilities as they attempt to comply with HIPAA privacy and security?

Nutkis: During the development of our Common Security Framework (CSF), a certifiable framework that any and all organizations in the healthcare industry can implement and be certified against to reduce risk, the professionals from healthcare organizations of all segments provided us with input on the top issues affecting the industry resulting in the most severe breaches and loss of covered information. These include:

  • Insecure and/or unauthorized removable transportable media and laptops (internal and external movements)
  • Insecure and/or unauthorized external electronic transmissions of covered information
  • Insecure and/or unauthorized remote access by internal and third-party personnel
  • Insider snooping and data theft
  • Malicious code and inconsistent implementation and update of prevention software
  • Inadequate and irregular information security awareness for the entire workforce
  • Lack of consistent network isolation between internal and external domains
  • Insecure and/or unauthorized implementation of wireless technology
  • Lack of consistent service provider, third party, and product support for information security

Editor’s note: This is the first of a two-part series from our interview with Nutkis. In the next installment: The importance of business associates complying with the HIPAA Security Rule.

Jul 06

Hospitals should review their HIPAA sanctions policy

Posted by: Dom Nicastro | Comments (0)

The Health Information Technology for Economic and Clinical Health (HITECH) Act changed the ballgame for sanctions related to HIPAA violations.

The law provides a tiered system for assessing the level and penalty of each violation. CMS, which enforces the HIPAA Security Rule, and OCR, which enforces the HIPAA Privacy Rule, can supersede the following limits, but with a cap of $50,000 per violation and $1.5 million for the calendar year for the same type of violation.

Read the full article by HealthLeaders Media’s Dom Nicastro.
