Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

When Disasters Hit – A Business Continuity Amazon Order List

Posted on October 11, 2018 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

My good friend, Mike Semel from Semel Consulting, has put together an amazing business continuity resource for healthcare organizations. Of course, a lot of this applies personally as well as professionally. You should download the full Semel Consulting Disaster Checklist to see how prepared you and your business are for disaster. This resource seemed appropriate as we watch Florida get hit with more tropical storms and hurricanes, wildfires happening in California and disaster after disaster happening around the world with no signs that they’ll be stopping.

Along with the checklist linked above, Mike also included a list of emergency items you can easily order on Amazon (see the list below with links) to make sure you and your healthcare organization are prepared in case of disaster. This is important since the time to prepare for a disaster is now. Once the disaster happens, stores sell out and you can’t get the things you’ll need to ride out the disaster. As an illustration of this, Mike shared his experience during SuperStorm Sandy:

The generator at my NY home burns 7 gallons per day. Before SuperStorm Sandy I bought the last two 5-gallon cans from my local Lowes, to add to the 5 I already had, so I could store 5 days of fuel. I was in line with about 50 people buying generators. I asked them how many gas cans they had at home and how much fuel they could store. Everyone said they had one can – the biggest was 5 gallons – not even enough to fill the generator once! They all wanted to pay me double or triple what the cans I was buying were worth. I didn’t sell.

Note: These are all Prime-Eligible for quick delivery. Click on the link to order.

Now for the list of emergency items on Amazon that Mike suggests you consider as part of your business continuity efforts.

Radio – weather channel, hand-crank, solar charger, flashlight

Batteries – AAA, AA, C-cell, D-Cell (for lanterns and radios), 9 volt, 2032 lithium

Lantern

Solar charger

External cell phone battery

115-hour candle – make sure you have matches

Water Jug

LifeStraw – for when the water supply isn’t safe to drink

Water Purification Tablets – for when the water supply isn’t safe to drink

Emergency Sleeping Bag

Emergency 2-person 3-day kit

Emergency Food – 18 400-calorie bars – during a disaster you need strength – eat calories!

Emergency Food – 12 meals – 3 days

Emergency Food – 30 days – good for businesses; preparation for sheltering-in-place

Toilet Paper – you won’t laugh when you are the only one in the shelter who thought ahead!

Gas Cans – Generators use 7 gallons per day if run continuously. Most people have less than 5 gallons for their mower.

Along with the stuff you should buy above, be sure to check out the full Disaster Checklist that covers a number of other things you should do to prepare for a disaster.

What have you done in your practice to prepare for emergencies? Are there other things you’d suggest that aren’t on this list? Let us know in the comments or on social media with @healthcarescene.

Embarrassment, Career Suicide, or Jail

Posted on July 26, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

What You Can Learn from the Russian Army, the US Navy, and a Suspended Nurse

The General Counsel at one of our clients is a former district attorney who prosecuted identity theft cases. When I told him we work with people who think Identity Theft is a victimless crime, he got very angry, and rattled off a list of cases he had tried that had lasting damage to the victims. Cybercrimes and compliance violations are not victimless.

Identity theft victims have suffered threats of violence, financial ruin, threats of arrest, effects of business interruptions, damaged careers, and emotional and physical stress.  Some considered suicide.

Most data breaches are malicious, but some who committed bad acts did not know they were breaking laws. They thought their actions were just ‘mischief’, or mistakenly thought what they were doing was OK, but found out the hard way that they had committed crimes. Their careers were killed and some faced criminal charges. Some blamed their training, which may have been incomplete, but ignorance of the law is no excuse.

SPEAR-PHISHING by the RUSSIAN ARMY

Twelve members of the GRU, the Russian military intelligence service, were indicted by the United States for meddling with our elections, by using spear-phishing techniques that were remarkably effective. Those who were targeted suffered public shame and career damage.

Phishing is when hackers send out broadly-targeted e-mails, seemingly from banks, fax services, and businesses, trying to sucker many people into clicking on the link and sharing their personal data, or having malicious software silently install on their computer.

Spear-phishing is when a personally-targeted message is sent just to you, seemingly from a colleague or vendor – using names you recognize – asking you to send sensitive information or to click on a link that will install malicious software. These messages can be very tough to spot, because the hackers make you think that this is a personal message from someone you know. One popular method is to send the message from an e-mail address that is one or two letters different from a real address. Your eyes play tricks and you miss the slight difference in the address.

Spear-phishing resulted in the Russians allegedly getting the logins and passwords of Democratic and Republican party officials, which they used to get access to e-mails and other sensitive data.

Another personally targeted attack resulted in a company’s HR staff sending its W-2 tax details, including all employee Social Security Numbers, at the request of their CEO, who actually was a hacker using a very similar e-mail address to the CEO at the targeted company. Employees filed their tax returns, only to find out the hackers had already filed phony tax returns and gotten refunds, using their names and Social Security Numbers. Now these employees are on special lists of victims, delaying their future tax refunds; making it more difficult to get loans and maintain their credit ratings; and creating real stress and anxiety.

Spear-phishing has been used successfully by hackers to get CFO’s to transfer money to a hacker’s bank account, at the supposed request of their company’s CEO. These scams are often discovered way too late, only after a CFO casually says to a CEO that they transferred the $ 500,000 the CEO requested, only to see the look of panic on the CEO’s face.

What You Should Do

  • Individuals: Beware of every e-mail asking you to provide personal information, click on a link, transfer money, or send sensitive information. Call or meet face-to-face with the person requesting the information, to ensure it is legitimate.
  • Employers: Use a phishing training vendor to train your employees to recognize and report phishing and spear-phishing attempts. Use spam filters to block messages from known hackers. Implement policies to slow down the transfer of sensitive data, by requiring a phone or in-person verification any time someone in your organization receives a request for sensitive data, or a money transfer. While inconvenient, a delay is much better than discovering the request was fraudulent.

STEALING DATA – US NAVY SECRETS, and a SUSPENDED NURSING LICENSE

A former employee of a US Navy contractor was found guilty in federal court of stealing secret information simply by using a company computer to create a personal DropBox account, and transferring thousands of company documents. Jared Dylan Sparks is awaiting sentencing on six convictions that can each bring 10 years in federal prison, after he stole trade secrets from his current employer while seeking employment at another company.

In another case, the New York State Department of Health suspended a FORMER nurse after she took 3,000 patient records from a previous employer to her new job.

According to healthitsecurity.com, “the list included the patients’ names, addresses, dates of birth, and diagnoses. Martha Smith-Lightfoot asked for the list to ensure continuity of care for the patients. However, she did not receive the permission of URMC or the patients to give the information to her new employer.”

Smith-Lightfoot agreed to a one-year suspension, one year stayed suspension, and three years’ probation. She can’t work as a nurse for a year. What do you think her career chances will be, after her suspension, any time someone verifies her license status and sees why she was suspended?

What You Should Do

  • Individuals: Understand the requirements of your license or certification, and the laws that protect data. Licensing requirements for privacy and confidentiality pre-date HIPAA. While your organization may face a HIPAA penalty, you may face a damaged or destroyed career, as well as jail time.
  • Employers: Educate your workforce (EVERYONE, including employees, volunteers, contractors, vendors, etc.) about keeping patient, employment, and sensitive business information secure and confidential. Have everyone sign confidentiality agreements. You must be willing to evenly enforce your policies. Terminating a long-term employee when they break your rules may seem harsh, but necessary if you want to avoid corporate theft, compliance violations, and wrongful termination lawsuits if you fire someone after letting another person get away with a policy violation.

We have worked with clients whose current and workforce members used cloud-sharing services, like DropBox, Google Drive, and Microsoft OneDrive. By the time we discovered that these tools were installed on their network, many times it was too late. Data was already out the door, and no one knew what was taken. Implement Data Loss Prevention (DLP) security software that will automatically block critical data from being transferred to e-mail, cloud services, or portable thumb drives. Those that need to move data can be exempt from blocking, but you should protect your organization against everyone else.

People get hurt by data theft and violating regulations. Protect yourself, your patients, and your organization.

Are You Investing Enough in IT Security?

Posted on July 20, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Would you put a $ 10 fence around a $ 100 horse?

Does it make sense to put a $ 100 fence around a $ 10 horse?

For the right security, you need to know what your horse is worth.

The same concepts apply to protecting your data. What is your data worth?

Ask Cottage Health , which had two data breaches, totaling 55,000 records., and settled a $ 4.1 million lawsuit with patients, then paid a $ 2 million California penalty. They were sued by their insurer, which wanted the $ 4.1 million settlement money back, after it discovered Cottage Health had not consistently implemented the security controls it claimed on its insurance application. The $ 6.1 million in the settlement and penalty does not include its costs for legal fees, credit monitoring, notifying patients, public relations, or recovering the business lost from patients who moved to another provider.

One of our clients was audited for HIPAA compliance by the venture capital firm that wanted to invest in their company. Another client had us do a compliance assessment on a healthcare company they wanted to purchase. In both cases, HIPAA compliance was worth millions of dollars.

We asked a client how much the financial impact would be on their business if they lost the sensitive personal data they collected about business partners, and had to notify everyone. The owner said they would be out of business, costing millions of dollars.

Breaches result in lawsuits, with settlements in the millions. If you are a licensed or certified professional, you can lose your license or certification if you are breached.

Federal HIPAA penalties in 2014 – 2015 were $ 14 million. In 2016 – 2017 they tripled to $ 42 million. In 2018, they have already reached $ 7.9 million.

Data is worth more than gold.

Instead of words and images in a computer, think of your data as a pile of gold bars that is worth protecting.

When we work with our clients, we help you identify the types of data you have, where it is located, and how it is protected. We recently worked with a client that came to us for help protecting their patient information. They were shocked when we showed them that they had bigger risks related to the data they stored about workforce members, and job applicants they did not hire, than the people they served.

  • What data do you have that is regulated, that you must protect to comply with laws and other regulations?
  • What fines and lawsuit judgments might you face if your data is breached?
  • Beyond HIPAA that protects patient information, do you know your state data breach laws that apply to employee data?
  • Do you know the regulations that protect credit card data?
  • Do you have enough of the right type of insurance to protect your finances if you are breached?

Everyone has unregulated data that is sensitive or proprietary, that could hurt your business if it is lost, stolen, or accessed by a competitor or someone who wants to hurt you? Salaries, trade secrets, employment records, pricing models, merger and acquisition plans, lawsuit files, have all been stolen.

As part of our assessments, we search the Dark Web (the criminal side of the Internet) to see if our clients have employee passwords for sale by hackers. Over 90% have had at least one employee’s credentials stolen and offered for sale.

Most of our clients start out not knowing the value of their risks. They hadn’t approved IT security purchases, because the costs were high, and they didn’t know if security was worth the investment.

So, how much should you invest in protecting your data?

The recently-released 2018 Cost of a Data Breach report shows, through research of actual breaches, that in 2017 the average cost to a breached organization for a single lost healthcare record was $408. Across all industries the cost was $ 233 per record. Only a third of the cost was for the direct response to the breach – notifying patients, hiring lawyers and IT security experts, and paying for credit monitoring. Two-thirds of the $ 408/record was the financial effect on the healthcare organizations, by losing patients after violating their trust.

Here is a calculation you can use to estimate the value of protecting your patient data.

Number of Patient Records x $ 408 (cost per record of a breach) = $ ________________ in risk.

Example: 25,000 records x $ 408 = $ 10.2 million. (If this number startles you, imagine if your costs were only 25% of the total, which is still $ 2.5 million.)

Other ways to put a dollar value on your risk

  • How much would a breach affect the market value of your business?
  • How much investment capital do you need for expansion?
  • Personally, what will your retirement look like if you had to pay $ 1 million, $ 2 million, or more, to cover the costs of a breach?
  • What would your life be like if you went out of business?

Know the value of your cyber security risk. Do the math.

Ask your IT department, or an outsourced independent IT security consultant, to assess your risks, and recommend what you need to be fully protected. Our assessments calculate your risks based on dollars, and provide ‘under the skin’ data about the current status of your security. Don’t settle for guesses.

Base your security investment on the value of your risks, not just the general idea that your data needs to be protected.

And, if you own a $ 100 horse, upgrade your $ 10 fence.

Slow Learners Teach Big Lessons – $2 Million State HIPAA Penalty

Posted on December 4, 2017 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Editor’s Note: We’d like to welcome Mike Semel as the latest addition to the Healthcare Scene blog team.  We’ve been working with Mike for quite a while as a guest blogger, so it’s great to have Mike now covering security and privacy with us in a more formal capacity.  Check out all of Mike Semel’s EMR and HIPAA blog posts.

I think it is fair to call people slow learners if they get caught violating HIPAA:

  • after they published 50,000 patient records to the Internet for a 2-year period, so patients Googling themselves found their medical records,
  • and THEN DID IT AGAIN DURING THE INVESTIGATION for the first incident.

Duh.

On November 22, California Attorney General Xavier Becerra announced a $2 million settlement with Cottage Health System and its affiliated hospitals for violating both state and federal privacy laws. The settlement came after two separate data breaches where more than 50,000 patient records were made publicly available online. The state settlement is on top of a $4.125 million class-action settlement with its patients, that Cottage Health’s insurance company is trying to recover, because it said Cottage Health was not truthful on its insurance application.

It’s bad enough that from 2011 until 2013 (after it was notified by a patient that he found his medical records online), Cottage Health had a server with protected health information that was not encrypted, password protected, protected by firewalls, or protected against unauthorized access.

What is truly stunning is that, in 2015, during the federal investigation for the first incident, Cottage Health reported that it made another 4,596 patient records available online.

I have been the Chief Information Officer in a hospital, and know how bad executive and departmental management and oversight would have to be to create an environment where that can happen once, let alone twice.

Based on the complaint provided by the California Attorney General, there are a lot of lessons you can learn from this penalty.

LESSONS

1. It not just the OCR. This HIPAA penalty was issued by a state Attorney General. The federal HITECH Act (2009) gave state AG’s the authority to enforce civil penalties for violations of the HIPAA Privacy and Security Rules. It doesn’t take the federal Office for Civil Rights to go after you. It could be your state Attorney General, who is probably motivated by wanting to impress voters for his campaign to be governor or senator someday.

2. Know your state laws. California’s Confidentiality of Medical Information Act and Unfair Competition Law were also cited in the penalty. Forty-eight states, plus DC and Puerto Rico, have their own laws protecting Personally Identifiable Information. Some, like California, have state laws that protect medical records beyond the scope of HIPAA. State laws have different patient notification requirements than HIPAA’s maximum of 60 days. In California, patients must be notified within just 15 days.

3. Management should pay attention to security and compliance, before it has to sign $6 million in checks, plus legal fees. From the IT department to the executive suite, this penalty is proof that management was not validating the organization’s security and compliance.

Cottage Health isn’t a small, rural hospital with 25 beds, trying its best, with limited resources, to serve a community. According to its 2016 Annual Report, Cottage health generated over $746 million in revenue and had 3,120 employees.  Seventeen of them are Vice Presidents.

At least Cottage Health’s CEO didn’t publicly blame his IT guy, like the former CEO of Equifax did in front of Congress. Maybe he realizes he could have avoided spending $6 million by having better management.

4. Patients are Consumers, who are protected against Negligence & Unfair Business Practices. The $4 million settlement plus the $2 million penalty are proof that management was ignoring the commitment it made to its patients every day in the Cottage Health Notice of Privacy Practices.

Our Pledge
We understand that medical information about you and your health is personal, and we are committed to protecting it.

The Federal Trade Commission forced the closure of a small medical lab because it said the lab violated its prohibition of Unfair Business Practices by not protecting patient information.

There is a lawsuit in Connecticut where the state appeals court certified a Notice of Privacy Practices as a contract with a patient.

Yes, patients (and now their lawyers) really do read those notices. Treat yours with respect because it is a contract, not a brochure.

5. Don’t Assume Your HIPAA Compliance Program is Working. Not having policies, procedures, basic IT security like passwords and firewalls, means that a lot of Cottage Health managers and executives had to be asleep at the switch. Not complying with the HIPAA Security Rule, effective since 2005, which protects electronic data, means that Cottage Health’s compliance program was a mirage. I can imagine their compliance and security staff telling management that they had everything handled. Management believed them. Over 50,000 patients and an Attorney General disagree.

6. Prevent the Triggering Event. This wildfire started with a small spark. An IT engineer configured a server and plugged it into the network. Things as simple as checklists could have prevented the negligent publication of the medical records to the Internet.

The NIST Cybersecurity Framework (NIST CSF) is a 41-page document simple enough for even small organizations to use to improve their data security.

Bring in a qualified independent third party to evaluate your compliance and security against the HIPAA rules and the NIST CSF, and give the report directly to the CEO. Not a good use of the CEO’s time? It’s much better than the CEO’s involvement after an investigation has started.

7. If You Are Being Investigated, Don’t Let the Same Problem Happen Again. Duh.

HIPAA May be the Least of Your Compliance Worries

Posted on November 21, 2017 I Written By

The following is a guest blog post by Mike Semel from Semel Consulting.  Check out all of Mike Semel’s EMR and HIPAA blog posts.

What requirements have you hidden away?

I visited a new healthcare client last week, and asked if anything in particular made them call us for help with their HIPAA compliance. They surprised me by saying that their insurance company had refused to sell them a cyber-liability/data breach insurance policy, after they saw the answers on our client’s application.

When was the last time you heard about an insurance company not selling a policy? That’s like McDonalds looking you over, and then refusing to sell you a Big Mac.

Our client was scared that they would have to risk the full financial burden of a data breach, which, based on the number of medical records they have, could exceed $10 million.

Everyone knows that HIPAA is a compliance requirement. But it isn’t the only one you should focus on. Use my definition of Compliance, which is, simply, having to do things required by OTHERS.

We personally deal with compliance requirements all the time. We stop at traffic lights. We have our car inspected. We fasten our seat belts. We empty our pockets at airport security. We pay our bills on time. At work, we wear an ID badge, show up on time, and park in an approved space. At home, we take our dirty shoes off before walking on the carpet. There are risks associated with NOT doing each of these things.

It can be a big mistake to focus so much on HIPAA that you forget other compliance requirements, including:

  • Other Federal and State Laws
  • Industry Requirements
  • License Requirements
  • Contractual Obligations
  • Insurance Requirements
  • Lawsuits

You should not take the narrow HIPAA approach, like buying a policy manual, using an online ‘We Make HIPAA Easy’ service, or think hiring out a Security Risk Analysis is going to make you compliant.

When we work with our clients, before we get started we help you identify all your compliance requirements.

OTHER FEDERAL REGULATIONS

Depending on the services you offer, you may be required to comply with other federal regulations, like Title 42, governing substance abuse treatment.

The Federal Trade Commission has come down hard on data breaches, including the controversial closure of a small medical lab. The FTC looks at patients as consumers, and considers a data breach to be an Unfair Business Practice because the organization losing the data failed to protect its consumers, and is in violation of its Notice of Privacy Practices.

STATE LAWS

Forty-eight states, plus DC and Puerto Rico, have data breach laws. Most states protect Personally Identifiable Information (PII), including driver’s license and Social Security numbers. Some states cover medical records, no matter who has them, while HIPAA only covers medical records held by certain types of organizations. Some of the state laws change the reporting requirements after a breach of patient records. For example, California requires patient notification within 15 days, instead of the 60-day maximum permitted by HIPAA.

Most states have separate laws requiring confidentiality of mental health, HIV, substance abuse, or STD treatment records. State attorneys general are willing to cross their state lines to protect the confidentiality of their voters.

We work with our clients to identify the states where your patients come from, not only where you are located. We build an Incident Management program that includes each applicable notification and reporting requirement.

INDUSTRY REQUIREMENTS

Industry requirements include PCI-DSS, the data security standards protecting credit card information. PCI stands for the Payment Card Industry. While not a law, if you don’t comply with PCI you can be prevented from accepting credit cards. What would that do to your bottom line and patient satisfaction?

LICENSING

Licensing requirements protecting patient confidentiality go back long before HIPAA, which became law in 1996. In 1977, 19 years before HIPAA, I became an Emergency Medical Technician (EMT). The first class I took was about maintaining confidentiality. After that, I knew that violating a patient’s confidentiality could cost me my license.

Think about your license, your certifications, even the Code of Ethics in your professional association. If I really wanted to get back at someone for violating my confidentiality, my first complaint would be to their licensing board, even before I submitted a complaint to their employer or the federal government. Losing your license may kill your career, and being investigated by your licensing board will certainly get your attention.

When you are justifying the costs related to Security and Compliance, be sure to quantify the effect on your income, lifestyle, and retirement, if you were to lose your license.

CONTRACTS

Many of our clients have signed contracts with other organizations, that include cyber security requirements as a contractual obligation to do business together. These contracts are often reviewed by attorneys, signed by executives, and then filed away. The requirements are not always communicated to the people on the front lines.

In 2012, Omnicell, a drug cart manufacturer, breached the records of 68,000 patients when an employee’s unencrypted laptop was stolen. The health systems – clients of Omnicell –  announced that Omnicell’s contract with them included a requirement that patient data would only be stored on encrypted devices. The loss of the laptop became a breach of contract discussion, not just a simple data breach.

My guess is that the contract was signed, and then just filed away. I don’t think Omnicell’s purchasing department was told it was supposed to order encrypted laptops for its field technicians. I don’t think its IT department knew it had a contractual obligation to install encryption on all laptops, and I doubt the field tech knew he was violating a contract when he transferred patient data to his unencrypted computer. Worse, no one who was aware of the contract requirements was auditing the company’s compliance.

During a recent client visit, I asked if our client had signed any contracts with their clients. She went through a list that included one of the top health systems in the country. I’m not a lawyer, but I asked to see the contract, because I knew the health system had included cyber security requirements as a contractual obligation with our other clients.

After a few minutes, she returned with the file folder containing the contract. I found the cyber security section, and read it to her. I asked if her company was meeting the requirements in the contract. She said no. I asked her what the future of her business would look like if they lost the business of one of the country’s leading health systems, because they breached their contract. She replied that her business probably would not survive.

We focused our project around meeting the specific requirements of their contract, not the vague and flexible requirements in HIPAA.

INSURANCE

Cyber Liability (also known as Data Breach) Insurance is a popular line of revenue for insurance companies. Unlike malpractice insurance, which assumes you will make a mistake, cyber insurance may only protect you if you are doing all the things you included on your insurance application. It may pay a claim only if you are doing everything correctly, and still suffer a breach. What you answer on the application may come back to haunt you.

In 2013, Cottage Health’s IT vendor accidently published a file server to the Internet, exposing patient information. Patients Googling themselves got back their medical records. The patients filed a class action suit, so Cottage Health brought in Columbia Casualty, their cyber liability insurance provider, to provide legal representation, and settle the claim.

The lawsuit was settled for $4.1 million, which was paid by Columbia Casualty. Columbia told Cottage Health that, even though it was making the payment, it still reserved its rights and would continue investigating the case.

Columbia Casualty then sued its own client, Cottage Health, to get the $ 4.1 million back. It said it determined that Cottage Health had made misstatements when it answered questions on the original policy application, including that it regularly maintained security patches on its devices. Columbia also said it should be excluded from losses because Cottage Health failed to continuously maintain the level of security stated on its application.

The lawsuit said that it did not matter if Cottage Health was mistaken, or had intentionally lied on the application.

As part of our assessments, we review insurance applications. When we work with our clients, we help you implement consistent programs to maintain the level of security you claim on your application.

LAWSUITS

While you don’t comply with a lawsuit, watching court cases can help you understand your risks and how to protect your organization.

Many people think that a HIPAA Notice of Privacy Practices is just a basic brochure you have to include with new patient paperwork. A patient is suing her doctor for negligence after her information was shared without her authorization. She claimed that the practice did not follow its Notice of Privacy Practices, and the Connecticut Supreme Court upheld that HIPAA can be used as a Standard of Care in a negligence suit.

Walgreen’s lost $1.44 million in a lawsuit after a pharmacist breached a customer’s confidentiality. Walgreens proved its pharmacist had received HIPAA training and had signed a confidentiality agreement. The company said it had done everything possible to prevent the breach. The jury disagreed.

By looking at law suits you can see that attorneys are using compliance requirements as the basis for claims. That can be scarier compared to the likelihood is that the federal government will make the effort to go after you.

LESSONS LEARNED

It’s really easy to focus just on HIPAA and think you are compliant. It’s also a mistake.

HIPAA is vague. It is flexible, giving you a lot of freedom to choose how to comply with the regulation. The ‘HIPAA-in-a-Box’ solutions can give you a false sense of Security and Compliance, because they are so narrowly focused.

The Federal Trade Commission can assess stronger penalties than the OCR, the federal agency that enforces HIPAA. The FTC has put businesses on 20-year monitored compliance programs. When we work with our clients, we help you create written evidence that your security policies and procedures are working.

State laws can change your patient reporting requirements. They also protect confidential information you have for your workforce members. Your Incident Management program can’t just focus on HIPAA.

Industry requirements can be very serious. Can you risk not accepting credit cards? Contact the merchant service that processes your cards to make sure you are complying with PCI-DSS.

Verify the reporting requirements of the entities that license your staff. You may have an obligation to report a breach to them, instead of waiting for someone to file a complaint.

Review the contracts you have in your files for cyber security requirements, and note any in new contracts you are about to sign. Make sure everyone in your organization who must comply with the contract requirements know about them.

You can’t buy insurance instead of doing the right things to protect data. However, if you do things right insurance may save you millions of dollars. You should review your policy application every quarter, and demand evidence from your IT department or vendor that you are in compliance with the policy requirements. Too much work? Would you rather have your insurance company fail to pay a multi-million-dollar claim?

Keep repeating to yourself, “Compliance isn’t just about HIPAA” and uncover the rest of your compliance requirements.

About Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Business Associates are NOT Responsible for Clients’ HIPAA Compliance, BUT They Still Might Be At-Risk

Posted on August 25, 2017 I Written By

The following is a guest blog post by Mike Semel from Semel Consulting.

“Am I responsible for my client’s HIPAA compliance?”

“What if I tell my client to fix their compliance gaps, and they don’t? Am I liable?”

“I told a client to replace the free cable Internet router with a real firewall to protect his medical practice, but the doctor just won’t spend the money. Can I get in trouble?”

“We are a cloud service provider. Can we be blamed for what our clients do when using our platform?”

 “I went to a conference and a speaker said that Business Associates were going to be held responsible for their clients’ compliance. Is this true???”

I hear questions like these all the time from HIPAA Business Associates.

The answers are No, No, No, No, and No.

“A business associate is not liable, or required to monitor the activities of covered entities under HIPAA, but a BA has similar responsibilities as a covered entity with respect to any of its downstream subcontractors that are also BA’s,” said Deven McGraw, Deputy Director for Health Information Privacy, US Department of Health and Human Services Office for Civil Rights (OCR), Acting Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology. on August 17, 2017.

So, while you aren’t responsible for your clients’ HIPAA compliance, what they do (or don’t do) still might cost you a lot, if you aren’t careful.

In my book, How to Avoid HIPAA Headaches, there are stories about HIPAA Covered Entities that suffered when their Business Associates failed to protect PHI. North Memorial Health Care paid $ 1.55 million in HIPAA penalties based on an investigation into the loss of an unencrypted laptop by one of its Business Associates, Accretive Health.

Cottage Health, a California healthcare provider, is being sued by its insurance company to get $ 4.1 million back from a settlement after Cottage Health’s IT vendor, a Business Associate,  accidently published patient records to the Internet.

Your marketing activities; what you and your salespeople say to prospects and clients; and your written Terms & Conditions; may all create liability and financial risks for you. These must be avoided.

Semel Consulting works with a lot of Business Associates.

Many are IT companies, because I spent over 30 years owning my own IT companies. I’ve been the Chief Information Officer for a hospital and a K-12 school district, and the Chief Operating Officer for a cloud backup company. I now lead a consulting company that helps clients address their risks related to regulatory compliance, cyber security, and disaster preparedness. I speak at conferences, do webinars, and work with IT companies that refer their clients to us.

I look at the world through risk glasses. What risks do our clients have? How can I eliminate them, minimize them, or share them? When we work with our healthcare and technology industry clients, we help you identify your risks, and quantify them, so you know what resources you should reasonably allocate to protect your finances and reputation.

Under HIPAA, compliance responsibility runs one way – downhill.

Imagine a patient on top of a hill. Their doctor is below the patient. You are the doctor’s IT support company, below the doctor, and any vendors or subcontractors you work with are below you.

The doctor commits to the patient that he or she will secure the patient’s Protected Health Information (PHI) in all forms – verbal, written, or electronic. This is explained in the Notice of Privacy Practices (NPP) that the doctor gives to patients.

Under HIPAA, the doctor is allowed to hire vendors to help them do things they don’t want to do for themselves. Vendors can provide a wide variety of services, like IT support; paper shredding; consulting; malpractice defense; accounting; etc. The patient is not required to approve Business Associates, and does not have to know that outsourcing is happening. This flexibility is also explained in the patient’s Notice of Privacy Practices.

As a vendor that comes in contact with PHI, or the systems that house it, you are a HIPAA Business Associate. This requires you to sign Business Associate Agreements and, since 2013, when the HIPAA Omnibus Final Rule went into effect, it also means that you must implement a complete HIPAA compliance program and be liable for any breaches you cause.

IT companies may decide to resell cloud services, online backup solutions, or store servers in a secure data center. Since the HIPAA Omnibus Final Rule went into effect, a Business Associate’s vendors (known as subcontractors) must also sign Business Associate Agreements with their customers, and implement complete HIPAA compliance programs.

Because compliance responsibility runs downhill, the doctor is responsible to the patient that his Business Associates will protect the patient’s confidential information. The Business Associates assures the doctor that they, and their subcontractors, will protect the patient’s confidential information. Subcontractors must commit to Business Associates that they will protect the information. A series of two-party agreements are required down the line from the doctor to the subcontractors.

It doesn’t work the other way. Subcontractors are not responsible for Business Associates, and Business Associates are not responsible for Covered Entities, like doctors.

HIPAA compliance responsibility, and legal and financial liability, are different.

A HIPAA Covered Entity is responsible for selecting compliant vendors. Business Associates are responsible for selecting compliant subcontractors. Subcontractors must work with compliant subcontractors.

Because Covered Entities are not liable for their Business Associates, and Business Associates are not liable for their Subcontractors, they are not required to monitor their activities. But, you still need to be sure your vendors aren’t creating risks. The Office for Civil Rights (OCR) says that:

… if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights. See 45 CFR 164.504(e)(1).

With respect to business associates, a covered entity is considered to be out of compliance with the Privacy Rule if it fails to take the steps described above. If a covered entity is out of compliance with the Privacy Rule because of its failure to take these steps, further disclosures of protected health information to the business associate are not permitted.

In its Cloud Service Provider (CSP) HIPAA Guidance released in 2016, the OCR said:

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs.  See 45 CFR §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502. 

Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.  For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.),[3] provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.

How can a Business Associate be affected by a client’s compliance failure?  Here are some scenario’s.

(FYI, I am not a lawyer and this is not legal advice. These ideas came out of meetings I had with my attorney to review our contracts and our marketing. Talk to your lawyer to make sure you are protected!)

  1. IT companies should never tell your client, “We’ll be responsible for your IT so you can focus on your medical practice.”

Sound familiar? This is what many IT Managed Service Providers tell their prospects and clients.

Then the client has a data breach because they were too cheap to buy a firewall, they refused to let you implement secure passwords because it would inconvenience their staff, or they lost an unencrypted thumb drive even though you had set up a secure file sharing platform.

Someone files a HIPAA complaint, the OCR conducts an investigation, and your client pays a big fine. Then they sue you, saying you told them IT was your responsibility. Maybe they misunderstood what you included in your Managed Services. Maybe you did not clearly explain what responsibility you were accepting, and what IT responsibility was still theirs. Either way, you could spend a lot on legal fees, and even lose a lawsuit if a jury believes you made the client believe you were taking over their compliance responsibility.

  1. You must clearly identify what is, and what is not, included in your services.

Your client pays you a monthly fee for your services. Then they have a breach. They may expect that all the tasks you perform, and the many hours of extra labor you incur, are included in their monthly fee. They get mad when you say you will be charging them for additional services, even though they have just hired a lawyer at $ 500 per hour to advise them. Without written guidelines, you may not be able to get paid.

  1. You must be sure you get paid if your client drags you into something that is not your fault.

Imagine you were the IT company that set up an e-mail server for a recent presidential candidate. As unlikely as this may sound, this becomes a political issue. You just did what the client requested, but now you must hire attorneys to advise you. You must hire a public relations firm to deal with the media inquiries and protect your name in the marketplace. You must send your techs and engineers – your major source of a lot of income – to Washington for days to testify in front of Congress, after they spent more unbillable time preparing their testimony.

Who pays? How do you keep from losing your client? How do you protect your reputation?

HOW TO PROTECT YOUR FINANCES AND YOUR REPUTATION

  • Make sure you and your salespeople are careful to not overpromise your services. Make sure you and your sales team tell your prospects and clients that they are always ultimately responsible for their own security and compliance.
  • Make sure your contracts and Terms and Conditions properly protect you by identifying what services are/aren’t covered, and when you can bill for additional services. Don’t forget to include your management time when sending bills. Use a competent lawyer familiar with your needs to write your agreements and advise you on any agreements presented to you by others.
  • State in your Terms & Conditions that you will be responsible for your own company’s compliance (you are anyway) but that you are not responsible for your clients’ compliance.
  • Include terms that require your client to pay for ALL costs related to a compliance violation, government action, investigation, lawsuit, or other activity brought against them, that requires your involvement. Use a competent lawyer familiar with your needs to write your agreements and advise you on any agreements presented to you by others.
  • My attorney said we should include “change in government regulations” in our Force Majeure clause to allow us to modify our contract or our pricing before a contract expires. The 2013 HIPAA Omnibus Rule created a lot of expensive responsibilities for Business Associates. You don’t want to get stuck in an existing contract or price model if your costs suddenly increase because of a new law or rule.
  • Get good Professional Liability or Errors & Omissions insurance to protect you if you make a mistake, are sued, or dragged into a client’s investigation. Make sure you understand the terms of the policy and how it covers you. Make sure it includes legal representation. Ask for a custom policy if you need special coverage.
  • Make a negative a positive by promoting that you offer the specialized services clients will need in case they are ever audited, investigated, or sued.

If you do this right, you will protect your business and leverage compliance to increase your profits. When you focus on compliance, you can get clients willing to pay higher prices because you understand their compliance requirements. I know. I have generated millions of dollars in revenue using compliance as a differentiator.

About Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA (and other regulatory) compliance; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Don’t Worry About HIPAA – When Your License Is At-Risk!

Posted on October 24, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.
medical-license-revoked
Not long ago I was at an ambulance service for a HIPAA project when one of their paramedics asked what the odds were that his employer would get a HIPAA fine if he talked about one of his patients. I replied that the odds of a HIPAA penalty were very slim compared to him losing his state-issued paramedic license, that would cost him his job and his career. He could also be sued. He had never thought of these risks.

Doctors, dentists, lawyers, accountants, psychologists, nurses, EMT’s, paramedics, social workers, mental health counselors, and pharmacists, are just some of the professions that have to abide by confidentiality requirements to keep their licenses.

License and ethical requirements have required patient and client confidentiality long before HIPAA and other confidentiality laws went into effect.  HIPAA became effective in 2003, 26 years after I became a New York State certified Emergency Medical Technician (EMT). Way back in 1977, the very first EMT class I took talked about my responsibility to keep patient information confidential, or I would risk losing my certification.

While licensed professionals may not talk about an individual patient or client, weak cybersecurity controls could cause a breach of ALL of their patient and client information – instantly.
health-data-encryption
Most certified and licensed professionals will agree that they are careful not to talk about patients and clients, but how well do they secure their data? Are their laptops encrypted? Are security patches and updates current? Do they have a business-class firewall protecting their network? Do they have IT security professionals managing their technology?
psychologist-loses-license-prostitute-takes-laptop
Lawyers have been sanctioned for breaching confidentiality. Therapists have lost their licenses. In one well-publicized case a psychologist lost his license when a prostitute stole his laptop. In rare cases a confidentiality breach will result in a jail sentence, along with the loss of a license.

Cyber Security Ethics Requirements
Lawyers are bound by ethical rules that apply to confidentiality and competence. The competence requirements typically restrict lawyers from taking cases in unfamiliar areas of the law. However, The American Bar Association has published model guidance that attorneys not competent in the area of cyber security must hire professionals to help them secure their data.

The State Bar of North Dakota adopted technology amendments to its ethics rules in early 2016. The State Bar of Wisconsin has published a guide entitled Cybersecurity and SCR Rules of Professional Conduct. In 2014, The New York State Bar Association adopted Social Media Ethics Guidelines. Lawyers violating these ethical requirements can be sanctioned or disbarred.

A State Bar of Arizona ethics opinion said “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”

Some licensed professionals argue that their ethical and industry requirements mean they don’t have to comply with other requirements. Ethical obligations do not trump federal and state laws. Lawyers defending health care providers in malpractice cases are HIPAA Business Associates. Doctors that have to comply with HIPAA also must adhere to state data breach laws. Psychiatric counselors, substance abuse therapists, pharmacists, and HIV treatment providers have to comply with multiple federal and state confidentiality laws in addition to their license requirements.

There are some exemptions from confidentiality laws and license requirements when it comes to reporting child abuse, notifying law enforcement when a patient becomes a threat, and in some court proceedings.

While the odds of a federal penalty for a confidentiality breach are pretty slim, it is much more likely that someone will complain to your licensing board and kill your career. Don’t take the chance after all you have gone through to earn your license.

About Mike Semel
mike-semel-ambulance
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

2.7 Million Reasons Cloud Vendors and Data Centers ARE HIPAA Business Associates

Posted on July 25, 2016 I Written By

The following is a guest blog post by Mike Semel, President of Semel Consulting.
Cloud backup
Some cloud service providers and data centers have been in denial that they are HIPAA Business Associates. They refuse to sign Business Associate Agreements and comply with HIPAA.

Their excuses:

“We don’t have access to the data so we aren’t a HIPAA Business Associate.”

“The data is encrypted so we aren’t a HIPAA Business Associate.”

Cloud and hosted phone vendors claim “We are a conduit where the data just passes through us temporarily so we aren’t a HIPAA Business Associate.”

“We tell people not to store PHI in our cloud so we aren’t a HIPAA Business Associate.”

Wrong. Wrong. Wrong. And Wrong.

2.7 million reasons Wrong.
Lawsuit
Oregon Health & Science University (OHSU) just paid $2.7 million to settle a series of HIPAA data breaches “including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.”

Another recent penalty cost a medical practice $750,000 for sharing PHI with a vendor without having a Business Associate Agreement in place.

The 2013 changes to HIPAA that published in the Federal Register (with our emphasis) state that:

“…we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity.

…an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.  We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information.  However, the difference between the two situations is the transient versus persistent nature of that opportunity.  For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.” 

A cloud service doesn’t need access to PHI – it just needs to manage or store it– to be a Business Associate. They must secure PHI and sign Business Associate Agreements.

The free, consumer-grade versions of DropBox and Google Drive are not HIPAA compliant. But, the fee-based cloud services, that utilize higher levels of security and for which the vendor will sign a Business Associate Agreement, are OK to use. DropBox Business and Google Apps cost more but provide both security and HIPAA compliance. Make sure you select the right service for PHI.
Encrypted
Encryption
Encryption is a great way to protect health information, because the data is secure and the HIPAA Breach Notification Rule says that encrypted data that is lost or stolen is not a reportable breach.

However, encrypting data is not an exemption to being a Business Associate. Besides, many cloud vendors that deny they have access to encrypted data really do.

I know because I was the Chief Operating Officer for a cloud backup company. We told everyone that the client data was encrypted and we could not access it. The problem was that when someone had trouble recovering their data, the first thing our support team asked for were the encryption keys so we could help them. For medical clients that gave us access to unencrypted PHI.

I also know of situations where data was supposed to be encrypted but, because of human error, made it to the cloud unencrypted.

Simply remembering that Business Associates are covered in the HIPAA Privacy Rule while encryption is discussed in the Breach Notification Rule is an easy way to understand that encryption doesn’t cancel out a vendor’s status as a Business Associate.
27864148 - it engineer or consultant working with backup server. shot in data center.
Data Centers
A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

Taken together, a cloud vendor that stores PHI, and the data centers that house servers and storage devices, are all HIPAA Business Associates. If you have your own servers containing PHI in a rack at a data center, that makes the data center a HIPAA Business Associate. If you use a cloud service for offsite backups, or file sharing, they and their data centers are Business Associates.

Most data centers offer ‘Network Operations Center (NOC) services,’ an on-site IT department that can go to a server rack to perform services, so you don’t have to travel (sometimes across the country) to fix a problem.  A data center manager was denying they had access to the servers locked in racks and cages, while we watched his NOC services technician open a locked rack to restart a client server.

Our client, who had its servers containing thousands of patient records housed in that data center, used the on-site NOC services when their servers needed maintenance or just to be manually restarted.
37388020 - pushing cloud computing button on touch screen
Cloud-Based and Hosted Phone Services
In the old days, a voice message left on a phone system was not tied to computers. Faxes were paper-in and paper-out between two fax machines.

HIPAA defines a conduit as a business that simply passes PHI and ePHI through their system, like the post office, FedX, UPS, phone companies and Internet Service Providers that simply transport data and do not ever store it. Paper-based faxing was exempt from HIPAA.

One way the world has changed is that Voice Over Internet Protocol (VOIP) systems, that are local or cloud-based, convert voice messages containing PHI into data files, which can then be stored for access through a portal, phone, or mobile device, or are attached to an e-mail.

Another change is that faxing PHI is now the creation of an image file, which is then transmitted through a fax number to a computer system that stores it for access through a portal, or attaches it to an e-mail.

Going back to the Federal Register statement that it is the persistence of storage that is the qualifier to be a Business Associate, the fact that the data files containing PHI are stored at the phone service means that the vendor is a Business Associate. It doesn’t matter that the PHI started out as voice messages or faxes.

RingCentral is one hosted phone vendor that now offers a HIPAA-compliant phone solution. It encrypts voice and fax files during transit and when stored, and RingCentral will sign a Business Associate Agreement.

Don’t Store PHI With Us
Telling clients not to store PHI, or stating that they are not allowed to do so in the fine print of an agreement or on a website, is just a wink-wink-nod-nod way of a cloud service or data center denying they are a Business Associate even though they know they are maintaining PHI.

Even if they refuse to work with medical clients, there are so many other types of organizations that are HIPAA Business Associates – malpractice defense law firms, accounting firms, billing companies, collections companies, insurance agents – they may as well give it up and just comply with HIPAA.

If they don’t, it can cost their clients if they are audited or through a breach investigation.

Don’t let that be you!

About Mike Semel
Mike Semel is the President of Semel Consulting, which specializes in healthcare and financial regulatory compliance, and business continuity planning.

Mike is a Certified Security Compliance Specialist, has multiple HIPAA certifications, and has authored HIPAA courseware. He has been an MSP, and the CIO for a hospital and a K-12 school district. Mike helped develop the CompTIA Security Trustmark and coaches companies preparing for the certification.

Semel Consulting conducts HIPAA workshops for MSPs and has a referrals program for partners. Visit www.semelconsulting.com for more info.

Don’t Blame HIPAA: It Didn’t Require Orlando Regional Medical Center To Call the President

Posted on June 13, 2016 I Written By

The following is a guest blog post by Mike Semel, President of Semel Consulting. As a Healthcare Scene community, our hearts go out to all the victims of this tragedy.

Orlando Mayor Buddy Dyer said the influx of patients to the hospitals created problems due to confidentiality regulations, which he worked to have waived for victims’ families.

“The CEO of the hospital came to me and said they had an issue related to the families who came to the emergency room. Because of HIPAA regulations, they could not give them any information,” Dyer said. “So I reached out to the White House to see if we could get the HIPAA regulations waived. The White House went through the appropriate channels to waive those so the hospital could communicate with the families who were there.”    Source: WBTV.com

I applaud the Orlando Regional Medical Center for its efforts to help the shooting victims. As the region’s trauma center, I think it could have done a lot better by not letting HIPAA get in the way of communicating with the patients’ families and friends.

In the wake of the horrific nightclub shooting, the hospital made things worse for the victim’s families and friends. And it wasn’t necessary, because built into HIPAA is a hospital’s ability to share information without calling the President of the United States. There are other exemptions for communicating with law enforcement.

The Orlando hospital made this situation worse for the families when its Mass Casualty Incident (MCI) plan should have anticipated the situation. A trauma center should have been better prepared than to ask the mayor for help.

As usual, HIPAA got the blame for someone’s lack of understanding about HIPAA. Based on my experience, many executives think they are too busy, or think themselves too important, to learn about HIPAA’s fundamental civil rights for patients. Civil Rights? HIPAA is enforced by the US Department of Health & Human Services’ Office for Civil Rights.

HIPAA compliance and data security are both executive level responsibilities, although many executives think it is something that should get tasked out to a subordinate. Having to call the White House because the hospital didn’t understand that HIPAA already gave it the right to talk to the families is shameful. It added unnecessary delays and more stress to the distraught families.

Doctors are often just as guilty as hospital executives of not taking HIPAA training and then giving HIPAA a bad rap. (I can imagine the medical practice managers and compliance officers silently nodding their heads.)

“HIPAA interferes with patient care” is something I hear often from doctors. When I ask how, I am told by the doctors that they can’t communicate with specialists, call for a consult, or talk to their patients’ families. These are ALL WRONG.

I ask those doctors two questions that are usually met with a silent stare:

  1. When was the last time you received HIPAA training?
  2. If you did get trained, did it take more than 5 minutes or was it just to get the requirement out of the way?

HIPAA allows doctors to share patient information with other doctors, hospitals, pharmacies, and Business Associates as long as it is for a patient’s Treatment, Payment, and for healthcare Operations (TPO.) This is communicated to patients through a Notice of Privacy Practices.

HIPAA allows doctors to use their judgment to determine what to say to friends and families of patients who are incapacitated or incompetent. The Orlando hospital could have communicated with family members and friends.

From Frequently Asked Questions at the HHS website:

Does the HIPAA Privacy Rule permit a hospital to inform callers or visitors of a patient’s location and general condition in the emergency room, even if the patient’s information would not normally be included in the main hospital directory of admitted patients?

Answer: Yes.

If a patient’s family member, friend, or other person involved in the patient’s care or payment for care calls a health care provider to ask about the patient’s condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?

Answer: No.  If the caller states that he or she is a family member or friend of the patient, or is involved in the patient’s care or payment for care, then HIPAA doesn’t require proof of identity in this case.  However, a health care provider may establish his or her own rules for verifying who is on the phone.  In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.

Can the fact that a patient has been “treated and released,” or that a patient has died, be released as part of the facility directory?

Answer: Yes.

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

Answer: Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

  • A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
  • A hospital may discuss a patient’s payment options with her adult daughter.
  • A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
  • A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b).

Thus, for example:

  • A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.
  • A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.
  • In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

Other examples of hospital executives’ lack of HIPAA knowledge include:

  • Shasta Regional Medical Center, where the CEO and Chief Medical Officer took a patient’s chart to the local newspaper and shared details of her treatment without her permission.
  • NY Presbyterian Hospital, which allowed the film crew from ABC’s ‘NY Med’ TV show to film dying and incapacitated patients.

To healthcare executives and doctors, many of your imagined challenges caused by HIPAA can be eliminated by learning more about the rules. You need to be prepared for the 3 a.m. phone call. And you don’t have to call the White House for help.

About Mike Semel
Mike Semel, President of Semel Consulting,  is a certified HIPAA expert with over 12 years’ HIPAA experience and 30 years in IT. He has been the CIO for a hospital and a K-12 school district; owned and managed IT companies; ran operations at an online backup provider; and is a recognized HIPAA expert and speaker. He can be reached at mike@semelconsulting.com or 888-997-3635 x 101.

The Just Enough Culture of HIPAA Compliance

Posted on September 10, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Today I was lucky to finally have a long lunch with Mike Semel from Semel Consulting. Ironically, Mike has a home in Las Vegas, but with all of his travel, we’d never had a chance to meet until today. However, we’ve exchanged a lot of emails over the years as he regularly responds to my blog posts. As Mike told me, “It feels like I’ve known you for a long time.” That’s the power of social media in action.

At lunch we covered a lot of ground. Mostly related to HIPAA security and compliance. As I try to process everything we discussed, the thing that stands out most to me is the just enough culture of HIPAA compliance that exists in healthcare. I’ve seen this over and over again and many of the stories Mike shared with me confirm this as well. Many healthcare organizations are doing just enough to get by when it comes to HIPAA compliance.

You might frame this as the “ignorance is bliss” mentality. In fact, I’m not sure if it’s even fair to say that healthcare organizations are doing just enough to comply with HIPAA. Most healthcare organizations are doing just enough to make their conscience feel good about their HIPAA compliance. People like to talk about Steve Jobs “reality distortion field” where he would distort reality in order to accomplish something. I think many in healthcare try and distort the realities of HIPAA compliance so they can sleep good at night and not worry about the consequences that could come upon them.

Ever since HIPAA ombnibus, business associates have to be HIPAA compliant as well. Unfortunately, many of these business associates have their own “reality distortion field” where they tell themselves that their organization doesn’t have to be HIPAA compliant. I don’t see this ending well for many business associates who have a breach.

The solution is not that difficult, but does take some effort and commitment on the part of the organization. The key question shouldn’t be if you’re HIPAA compliant or not. Instead you should focus on creating a culture of security and privacy. Once you do that, the compliance part is so much easier. Those organizations that continue this “just enough” culture of HIPAA compliance are walking a very thin rope. Don’t be surprised when it snaps.