Creating and conducting an organizationwide risk analysis: Part 1
Editor's note: This is part one of a series about implementing organizationwide risk analyses. Look for part two in an upcoming issue of BOH.
OCR's breach settlements, corrective action plans (CAP), and penalties often take organizations to task for not completing a regular organizationwide risk analysis, yet it's all too easy for this important job to fall by the wayside. A lack of resources and competing demands within an organization can push the risk analysis to the bottom of the list of priorities. But this leaves an organization vulnerable to threats it will only see in hindsight. It also often leads to scrutiny from OCR and the public.
Q: The emergency department (ED) at the hospital where I work often becomes so busy that we do not have enough rooms for all of our patients. This occurred last weekend, which meant that several patients were brought into the ED on stretchers to be evaluated but could not be placed in a room. I witnessed a nurse perform a physical/abdominal examination on a patient who was on a stretcher in the ED hallway and discuss medical history and current treatment options with the patient in this open space where plenty of patients and staff members could see/hear the encounter. Is this a HIPAA violation?
A: What you are describing is an incidental disclosure, not necessarily a HIPAA violation. Organizations must take steps to limit incidental disclosures and mitigate the risks to the patient’s privacy and the security of information. In the case you describe, for instance, could a screen have been erected to protect the patient’s privacy even if circumstances led to no choice but to perform the exam in the hallway? Could a white noise machine have been brought over to reduce the chance of being overheard? Could the gurney have been moved to a private area (or even a slightly more private one) when the exam had to take place? Could the exam have been postponed until a more private space was available, or was it necessary to do it right then? These are the questions staff should ask themselves in these situations.
Editor's note: Simons is the director of health information and privacy officer of Maine General Medical Center in Augusta. She is also an HIMB advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your questions related to HIPAA compliance to Editor Jaclyn Fitzgerald atjfitzgerald@hcpro.com.
OCR's long-awaited Phase 2 HIPAA Audit Program is finally in full swing. On March 21, OCR announced that it will begin verifying the contact information of covered entities (CE) and business associates (BA) selected for audits (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2a...). This shouldn't surprise savvy healthcare organizations. The audits kicked off after a flurry of activity from OCR and HHS, including pricey HIPAA settlement fines and the publication of user-friendly HIPAA guidance for providers, developers, and patients.
"Don't click on that link" is a common warning from security officers. That hasn't stopped many staff from clicking on suspicious links that at first glance appear to be valid, and the result can be a significant loss of PHI and other sensitive data. This type of hack, phishing, represents one of the more significant risks when it comes to breaking into networks and stealing data.
Tips for small covered entities charged with HIPAA compliance
"OCR has bigger fish to fry than me."
You may have heard that before—or even said it. Maybe you're an employee in a tiny healthcare facility. Or maybe you've seen the big headlines on data breaches, noted how they seem to always involve large insurance companies and massive healthcare facilities, and thought, "That won't happen to us."
Know thy BA
BAs are a part of HIPAA life—no matter how big or small your entity is. So how far should CEs go to ensure their BAs are HIPAA compliant?
Roger Shindell, CHPS, the CEO of Carosh Compliance Solutions in Crown Point, Indiana, notes that things changed in the HIPAA Omnibus Rule, HHS' biggest set of modifications to the HIPAA Privacy and Security rules per the HITECH Act. Prior to 2013, if a CE had a valid BA agreement in place, and the BA had a breach, the CE had a safe harbor exemption for the breach, he notes.
Entities are required to conduct an "accurate and thorough assessment" of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.
BA agreements stipulate that the BA will comply with all the requirements under HIPAA/HITECH, per the HIPAA Omnibus Rule. So BAs need to be ready, just like you.
Should CEs offer training to the BAs? No, says Shindell.
"The BA has their own obligation to conduct training," he adds, "and if training is on specific policies and procedures, the CE would not know what these are and what is appropriate."
PHI and marketing, disclosure of mental health information, and revising NPPs
by Mary D. Brandt, MBA, RHIA, CHE, CHPS
Q. Would a physician be expected to report a patient’s mental and behavioral health information to the National Instant Criminal Background Check System (NICS) or the FBI? Are there specific assurances CEs should get before they release this information?
A. No. Mental health providers are not expected to report information to the NICS or FBI. NICS checks available records on persons who may be disqualified from receiving firearms. It was developed by the FBI in 1998. Individuals are prohibited from buying a gun from a licensed dealer if a background check reveals that they have been any of the following:
Involuntarily committed to a mental institution
Declared incompetent by a lawful authority
Found incompetent to stand trial or found not guilty in a criminal case by reason of insanity
These disqualifications constitute what NICS calls the federal “mental health prohibitor” for gun ownership.
Courts of law are not bound by HIPAA, so they have been free to report mental health determinations to NICS. However, some state agencies covered by HIPAA also make mental health determinations or store records on them. Many of these agencies have refrained from reporting to NICS due to concerns about violating HIPAA.
An HHS rule issued January 6 modified the HIPAA Privacy Rule to specifically allow state agencies that are also CEs to disclose limited information to NICS. Agencies cannot report diagnostic or clinical information about the individual to NICS, only that he or she is subject to the mental health prohibitor, along with basic demographic information. This reporting loophole was not extended to individual physicians, hospitals, and other healthcare professionals. The rule is available at www.gpo.gov/fdsys/pkg/FR-2016-01-06/pdf/2015-33181.pdf.
However, providers may have a duty to warn based on ethical standards, state laws, and court decisions. HIPAA permits a covered healthcare provider to warn appropriate persons if the provider believes there is a serious and imminent threat of a patient physically harming him- or herself or others. See 45 CFR 164.512(j).
Editor’s note Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
Subpoenas are a sometimes-unwelcome fact of life for privacy officers. They can be complicated, requesting broad amounts of information that is time-consuming to gather. They can be written in dense legal language that takes time and finesse to decipher. If a subpoena requests PHI, it can also raise privacy concerns and questions about how to honor the subpoena while releasing only the necessary information. Some subpoenas may request information that an organization considers sensitive for other reasons. It can be all too easy to put off dealing with a subpoena until the last minute, then rushing to react without taking the time to really read and understand what it says.
Interoperability isn't a new goal, but 2016 may be the year it becomes closer to a reality. HHS' 2017 budget includes a boost in the Office of the National Coordinator for Health Information Technology (ONC) funding specifically for the development of interoperability guidelines and standards, like an interoperability code of conduct, as well as efforts to combat information blocking.
Staying ahead of change
Being a hot-button issue alone won't solve interoperability's problems. It's a complex initiative, and reaching the goals outlined in the ONC's Interoperability Roadmap means providers, vendors, and policymakers have to work together to create practical guidelines and products that meet all applicable existing legislation, including HIPAA and other privacy and security laws. Interoperability also requires software vendors and developers to go against the very nature of their business and work with the competition.
It's a tall order, but achieving interoperability could greatly reduce the technical burdens many security officers struggle with, as well as create an atmosphere in which providers and vendors can work together to keep PHI safe. If it's not achieved, greater administrative burdens, technological problems, and, at worst, significant security weaknesses could result, cautions Chris Apgar, CISSP, president of Apgar and Associates, LLC, in Portland, Oregon.
Security officers need to pay close attention to interoperability, Apgar says. "Any time code is touched or changes are made in how an application or interface works, [it] raises the risk that the end product will not include the required security controls."
If 2016 is the year the healthcare industry starts making real progress on the road to interoperability, security officers need to make sure they read the map and scout the territory to ensure their organizations don't take any wrong turns.
Email encryption, file sharing, and mailbox security
by Chris Apgar, CISSP
Q: We are in the process of building a new office. Would it be HIPAA compliant to have an outside locked mailbox for our general postal mail and therapist paperwork that is dropped off at night? If not, would a mail slot on our front door work better?
A: An outside locked mailbox will suffice to secure incoming mail and therapist paperwork. Ensure that the mailbox is secure and not easily broken into. If the mailbox is secured with a key, it's a good idea to implement a solid key management program so it's known who has a key. Keys should be recovered when an employee resigns or is terminated. If an employee leaves without returning his or her key, it's wise to re-key the lock on the mailbox.
Editor's note
Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
