Security Rule | EMR and HIPAA

HIPAA Omnibus – What Should You Know?

I had the great opportunity to sit down with HIPAA expert, Rita Bowen from HealthPort, at HIMSS 2013 and learn more about the changes that came from the recently released HIPAA Omnibus rule. The timing for this video is great, because today is the day the HIPAA Omnibus rule goes into effect. In the video embedded below, Rita talks about what you should know about the new HIPAA changes, the new business associate requirements, and restricting the flow of sequestered health information.

The Final HIPAA Omnibus Rule: A Sharing of Accountability

Written by: John Lynn

The following is a guest post by Rita Bowen, MA, RHIA, CHPS, SSGB, SVP of HIM and Chief Privacy Officer, HealthPort. If you’re attending HIMSS, I’ll be doing an interview with Rita at HealthPort’s Booth 6841 at Noon on Tuesday 3/5/13. Come by and learn more about the HIPAA Omnibus Rule and get any questions you have answered.

It seems an eternity ago, four years to be exact, that the HITECH Act introduced changes to HIPAA. After much speculation, rumor, innuendo and anticipation, HHS released the final HIPAA omnibus rule, which significantly amends the original HIPAA Privacy, Security, Breach and Enforcement Rules. HHS Secretary Kathleen Sebelius introduced the new rule by stating:

“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Ms. Sebelius conceded that healthcare has changed dramatically since HIPAA was first enacted and that the new rule is necessary to “protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The new rule, at 563 pages, is not brief, but covered entities can’t let that inhibit them from becoming intimately acquainted with this document. I’ve made an initial review of the rule and culled what I feel are its key concepts:

Business Associates (BAs) of covered entities are now, for the first time, directly liable for compliance with certain requirements of HIPAA Privacy and Security rules, including the cost of remediation of breaches for which they are responsible.
The rule goes so far as to revise the definition of a “breach.” This new definition promises to make the occurrence of breaches – and the required notification of breaches — more common.
The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization.
The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which they’ve already paid.
Covered entities are required to modify and redistribute their notice of privacy practice to reflect the new rule.
The new rule modifies Individual authorizations and other requirements to facilitate research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
The additional HITECH Act enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.

Getting to Compliance

And now comes the challenging part – compliance! The new rule goes into effect on March 26, and covered entities and BAs are expected to comply by September 23, so there is much work to do. Hospitals and clinics need to thoroughly comprehend — and then prepare for — the sweeping changes in BA liability. They’ll need to communicate these changes and new requirements to BAs and update their BA agreements accordingly. And since BAs are now directly liable for breaches, organizations must decide how they’ll enforce their BA agreements with regard to privacy and security. Additionally, comparable agreements must now be shared between BAs and their subcontractors.

What are the keys to successful compliance? The following tips should ensure your smooth transition into the new rule:

Become intimately acquainted with the new rule — and its ramifications for your organization, your BAs, and their subcontractors.
Identify a privacy officer within all of your partner organizations.
Define a process for the notification of patients in the event of a breach of their protected health information (PHI).
Update breach notification materials to reflect the new Rule.
Update, repost and redistribute your Notice of Privacy Practices.
Document current privacy and security practices, and conduct a risk assessment.
Make certain your healthcare security technology solution is flexible, secure, and scalable to handle the growing volume of audit inquiries promised by the RACs.
Encrypt all devices that store patient information.
Communicate new HIPAA requirements and expectations to BAs.
Update business associate agreements (BAAs) to clarify that BAs pay the cost of breach remediation, when the BA is responsible for the breach.
Provide a template of a comparable agreement for BAs to use with their subcontractors.
Monitor your partners’ efforts to protect patient data.

The new HPAA omnibus rule has arrived and the challenges it presents should not be underestimated. Communication and organization will be your keys to success!

Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry. She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate. Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership. Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section. She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records. She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group. She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program. She also serves on the advisory board for Care Communications based in Chicago, Illinois.

Health Data Hacking Likely To Increase

Written by: Katherine Rourke

Wondering about trends in the various protected health information breaches you seen in the news every now and then? Here’s some hard numbers, courtesy of IT security firm Redspin, which has pulled together data on incidents reported to HHS since breach notification rules went into effect in August 2009.

According to Redspin research, a total of 538 large breaches of PHI, affecting 21.4 million patient records, have been reported to HHS since the notification rule when into effect as part of the HITECH Act. The largest breach in 2012 resulted in exposure of 780,000 records.

Between 2011 and 2012, there was a 21.5 percent increase in the number of large breaches reported, but interestingly, a 77 percent decrease in the number of patient records impacted, Redspin reports.

More than half of the breaches (57 percent) involved a business associate, and 67 percent were the result of theft or loss. Thirty-eight percent of incidents took place due to data on a laptop or other portable electronic device which wasn’t encrypted.

During 2012, the top five incidents contributed almost two-thirds of the total number of patient records exposed. They each had different causes, however, making it hard to draw any broad conclusions as to how PHI gets breached.

Meanwhile, if that business associate stat intrigues you, check this out: historically, the firm concludes, breaches at business associates have impacted 5 times as many patient records as those at a covered entity. (It certainly encourages one to take a second look at how skilled their business associates are at maintaining security.)

While all of this is interesting, perhaps the most important info I came away with was that Redspin thinks health data hacking is likely to increase in coming years. From 2009 to the date of the report, hacking has contributed to only 6 percent of breaches, but the biggest breach, an Eastern European-based attack on the State of Utah “should end any complacency,” Redspin advises.

Mixing Physical, Mental Health Data Lowers Readmissions

Written by: Katherine Rourke

Ordinarily, it makes sense to treat psychiatric records with particular sensitivity, given how private these issues are for most patients. Also, one might assume that medical doctors simply don’t need access to psychiatric records — and if so, why increase the risk of a HIPAA breach by giving them needless data access?

Apparently, however, these assumptions may be working against patients, according to a new study by researchers at Johns Hopkins. A new study by researchers at the university found that in some cases, keeping mental health records separately from physical health records in an EMR as a privacy measure may actually decrease quality of care.

To examine this issue, researchers at Johns Hopkins surveyed the psychiatric departments at 18 of the hospitals ranked most highly by U.S. News & World Report’s Best Hospitals of 2007, according to blogger Melissa Le Furge. The survey concluded that less than 25 percent of the hospitals allowed non-psychiatric physicians to have full access to patients’ mental health EMR data. Not so surprising, given the current state of practice.

What’s really interesting, though, is that at the hospitals that allowed non-psychiatric clinicians to have access to mental health records, patients were 40 percent less likely to be admitted within a week of discharge than industry baseline.

Melissa notes that there are many reasons why this might be:

Depression and other mental illnesses sometimes make it difficult for patients to follow physicians’ instructions after a heart attack or stroke and are less likely to take proper care of themselves…[Also,] being uninformed about medications prescribed by a psychiatrist can cause the primary care physician to prescribe medications that create adverse reactions.

Segregating mental health records may make sense from a social standpoint, but perhaps it’s not good medicine. At minimum, this issue deserves further study.

Healthcare Faces Massive Cybersecurity Risks

Written by: Katherine Rourke

When a consumer publication like The Washington Post – hardly an insider journal of computing — picks out your industry and slams it for having poor cybersecurity, you know something’s amiss.

The newspaper has just published a report, following a year-long cybersecurity investigation, arguing that healthcare is one of the most vulnerable industries in the U.S., making it a tasty target for terrorists, black-hat hackers and criminals.

It’s rather embarrassing, but it’s hard to argue with the Post’s conclusion that healthcare data security isn’t what it could be. A few data points:

* Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.

* Providers are making careless use of such public cybertools; the paper cites the example of the University of Chicago medical center, which at one point operated an unsecured Dropbox site for new residents managing care through their iPads (with a single user name and password published online, yet!)

* According to Post research, open source system OpenEMR “has scores of security flaws that make it easy prey for hackers”

* In perhaps the scariest example, the paper notes that clinicians routinely work around cybersecurity measures to get their job done.

Another factor contributing to cybersecurity holes is confusion about the FDA’s position on security. While the agency actually wants vendors to update FDA-approved device interfaces and systems, vendors often believe that the FDA bars them from updating device software, the Post found.

That leaves devices, especially defibrillators and insulin pumps, open to attacks. Researchers have been able to find these devices, linked to the web in the clear, simply by using a specialized search engine.

As wireless medical devices and smartphones, iPads and Android devices creep into the mix, cybersecurity vulnerabilities are likely to get worse, not better. I wonder whether we’ll need to see a cybersecurity disaster take place before the industry catches up to, say, financial services?

EMRs May Be The Next Hacker’s Prize

Written by: Katherine Rourke

Black-hat hackers are beginning, slowly but at an increasing pace, to lock down and encrypt medical data, then demand a ransom fee before they’ll turn over the data in usable form again.

While reports of such activity are scattered and few at the moment, my guess is that we’re at the beginning of a wave of such attacks, especially attacks targeting small medical practices with unsophisticated security set-ups.

Consider what happened recently to a clinic in Queensland, Australia. Over one weekend, a server holding seven years of patient records was breached and the data encrypted with “military-grade” tools, according to blog Naked Security.

The attackers, who seem to be based in Eastern Europe or Russia, are demanding $4,000 AUD for the release of the records, the blog reports. The clinic is attempting to avoid paying by bringing in its own security experts, but the experts retained by the clinic are apparently fairly doubtful that they can break the encryption scheme.

Such attacks have begun to occur in the U.S. as well, all targeting smaller medical practices with minimal security support. It’s little wonder that such practices are being targeted; even if they have decent, industry-standard firewalls, antivirus software and password-protected servers — as the Aussie clinic did — such protections are child’s play to defeat if you’re a professional cybercriminal who’s done this kind of thing many times before.

Even if the practice has tougher security in place than usual, how likely is it to have good security hygiene, such as frequently updated and patched firewalls and strong, regularly switched out passwords? Without security staff on board, not too likely.

Given the devastating consequences that can occur if a medical practice is unable to regain its data, it seems to me that it’s time the entire healthcare industry take an interest in this problem. Smaller practices need help, and we’ve got to figure out how to make sure they get it.

BYOD And HIPAA Compliance: Can You Have Both?

Written by: Katherine Rourke

With doctors among the biggest fans of smartphones around, hospitals and medical practices are having to face the reality that Bring Your Own Device is here to stay. The question is, is BYOD so hard to manage that it all but guarantees HIPAA breaches?

On the one hand, BYOD seems to have arrived to stay. According to a recent report by KLAS Research surveying 105 CIOs, IT specialits and physicians, 70 percent said they used mobile devices to access their EMRs. Even this small group was accessing virtually every major enterprise EMR via mobile, reports MobiHealthNews.

But the pressures on hospitals to corral BYOD security gaps are growing. Hospitals will soon have to provide increased protection of patient health information under Meaningful Use Stage 2. And the HHS Office of Civil Rights will be doing stepped up HIPAA-compliance audits, which gives hospitals even less leeway than they’d have had otherwise.

Of course, hospitals have been dealing with doctors bringing one device — a laptop — for quite some time. One might think this would have prepared hospitals for dealing with security-hole-ridden portable devices that staff and clinicians bring to work. But as we all know, laptops have proven to be major sources of security breaches, most typically by being stolen when loaded down with unencrypted data.

BYOD on the mobile side is if anything a riskier proposition. For one thing, doctors and executive staff are likely to own more than one device, such as a phone and a tablet, multiplying the risk that an unguarded device could be stolen and bled for information. And managing mobile devices calls for IT to support two additional operating systems (iOS and Android) configured in whatever way the user prefers.

Folks, I know I’m not saying anything crashingly original, but I’d argue it’s worth repeating: It’s time for hospitals to stop waffling and develop comprehensive protocols for BYOD use. It’s clear that left alone, the problem is going to get worse, not better.

Hospital Forced To Provide EMR Data Access By Court

Written by: Katherine Rourke

A New Hampshire hospital has been forced by the state’s Superior Court to provide public health officials with access to its EMR so they can further investigate a major hepatitis C outbreak.

Exeter Hospital had been ordered by the state’s Division of Public Health Services to release patient records, but had challenged the order, arguing that it would be violating state and federal law if it provided free access to EMR records.

The issue dates back to July, when a lab technician formerly employed by the hospital was arrested in connection of a hep C outbreak affecting more than 30 patients. The lab tech, who has hep C, allegedly stole fentanyl-filled syringes from the hospital, injected the fentanyl, then refilled the dirty syringes with another substance.

The hospital sought guidance from the courts in an effort to learn just how much access it would have to provide without running afoul of HIPAA and state privacy laws. (If I were running Exeter Hospital I certainly would have done the same thing; otherwise, one would think it’d be wide-open liable to suits by patients who objected to the data sharing.)

Now, it seems, the hospital is satisfied that patients involved in the outbreak are adequately protected. From its official statement on the matter:

The Court pointed out that the State needs to follow very specific, CDC-sanctioned protocols in collecting data from Exeter Hospital’s electronic medical record system and can only obtain the minimum amount of information necessary to complete its investigation. The Court has also emphasized that the information collected by the State cannot be re-published which helps to protect the privacy of patients.

For both the patients’ and Exeter’s sake, let’s hope that the public health authorities involved handle such explosive data with extreme care. A data breach at this point would not only have devastating consequences — particularly if the hepatitis C sufferers’ names were made public — it would also plunge all involved into a legal nightmare. For their sake, I’m hoping for the best.

Doctors Increasingly Texting, But HIPAA Protection Lacking

Written by: Katherine Rourke

A new study of physicians working at pediatric hospitals has concluded what we might have assumed anyway — that they prefer the use of SMS texting via mobile phone to pagers. What’s worrisome, however, is that little if any of this communication seems to be going on in a HIPAA-secure manner.

The study, by the University of Kansas School of Medicine at Wichita, asked 106 doctors at pediatric hospitals what avenues they prefer for “brief communication” while at work. Of this group, 27 percent chose texting as their favorite method, 23 percent preferred hospital-issued pagers and 21 percent face to face conversation, according to a report in mHealthWatch.

What’s interesting is that text-friendly or not, 57 percent of doctors said they sent or got work-related text messages. And 12 percent of pediatricians reported sending more than 10 messages per shift.

With all that texting going on, you’d figure hospitals would have a policy in place to ensure HIPAA requirements were met. But in reality, few doctors said that their hospital had such a policy in place.

That’s particularly concerning considering that 41 percent of respondents said they received work-related text messages on a personal phone, and only 18 percent on a hospital-assigned phone. I think it’s fair to say that this arrangement is rife with opportunities for HIPAA no-nos.

It’s not that the health IT vendor world isn’t aware that this is a problem; I know my colleague John has covered technology for secure texting between medical professionals and he’s also an advisor to secure text messaging company docBeat. However, not much is going to happen until hospitals get worried enough to identify this as a serious issue and they realize that secure text message can be just as easy as regular text along with additional benefits.

In the mean time, doctors will continue texting away — some getting 50-100 messages a day, according to one researcher — in an uncertain environment. Seems to me this is a recipe for HIPAA disaster.

Access To Clinical Data Too Easy Via Phone

Written by: Katherine Rourke

Lately, I’ve had reason to be in touch with my health insurance company, my primary care doctor and multiple specialists. In speaking with each, what I’ve noticed is that the data they collect to “protect my privacy” isn’t likely to do a good job. And I’ve been wondering whether an EMR can actually help tighten up access.

When I called to discuss clinical matters, both the payer and providers asked for the same information: My date of birth, my street address and my name. As far as I know, folks, you can get all of that information on a single card, a driver’s license. So, anyone how finds or steals or has access to my wallet has all the info they need to crawl through my PHI.

So, OK, let’s say providers and payers add a requirement that you name the last four digits of your social security card.

There’s a few problems with that approach. First, anyone who has your wallet may well have your Social Security Card. Second, storing patients’ SSNs in the clear in an EMR is an invitation to be hacked, as the SSN is the gold standard for identity theft. Third, if you want to store them in a form that only allows the last four digits to be read, that’s another function you need to add to your system.

So, what’s the solution? Would it work to have patients identify which doctor they see (something a thief wouldn’t know) or a recent treatment or procedure they’d had? Probably, although some patients — forgetful elderly, or the chronically ill with multiple providers — might not remember the answers.

Seems to me that when there’s universal use of patient portals by both providers and payers, this problem will largely go away, as patients will be able to be looking at their own records when talking to providers. This will make a more sophisticated security screening possible.

But in the mean time, I’m troubled to know that my payer and several of my doctors use a security method which can be so easily compromised. Do any of you have suggestions as to what those offices might do in the interim between now and when they have a useful portal to offer?

HIPAA Omnibus – What Should You Know?

The Final HIPAA Omnibus Rule: A Sharing of Accountability

Health Data Hacking Likely To Increase

Mixing Physical, Mental Health Data Lowers Readmissions

Healthcare Faces Massive Cybersecurity Risks

EMRs May Be The Next Hacker’s Prize

BYOD And HIPAA Compliance: Can You Have Both?

Hospital Forced To Provide EMR Data Access By Court

Doctors Increasingly Texting, But HIPAA Protection Lacking

Top EMR & HIPAA Posts

Calendar

Recent Posts

EMR & HIPAA Resources

Recent Comments

Categories

May 2013
M	T	W	T	F	S	S
« Apr
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31