HIPAA wake-up call Insight Article HIPAA HIT Regulations Sign in to save Andrea Driscoll Helen Simmons Rick Hindmand JD Physician practices, like other HIPAA-covered entities, face a daunting array of threats to their patient protected health information (PHI) and must be diligent when protecting the privacy and security of their records. Reviewing reported breaches can offer healthcare providers, health plans and business associates guidance on how they can protect PHI. Data breach landscape Healthcare breaches have become so widespread and difficult to prevent that everyone involved in handling patient information needs to be aware of the importance of the steps that help prevent a breach. Combining data from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reports since mandatory reporting began in 2009 with unresolved breaches in the past 24 months shows the total number of reported incidents through May 2018 exceeds 2,299, affecting almost 262 million individuals. Insurers (tallied under “Health plan” in Figure 1) were responsible for the highest number of reported breaches, followed by healthcare providers, business associates and lastly healthcare clearinghouses, which process medical claims. The types of breaches affecting the most individuals over the past eight years have been hacking/IT incidents (more than 216 million individuals affected) and theft (more than 25.3 million individuals affected). The simplest solution to prevent the hackers from reading or otherwise using the data is by enforcing data encryption that is in accordance with the HHS guidance. Though an objective assessment of a breach incident is always required to determine notification, keep in mind that under the modified HITECH Act of 2009, the loss or theft of a device need not be reported if it was encrypted following the guidance of the National Institute of Standards in Technology (NIST). Where do you stand on HIPAA? In its HIPAA settlements and guidance, OCR has focused on the following failures by a covered entity or business associate: Failure to conduct adequate risk analysis. Risk analysis has been central to most of OCR’s published resolution agreements. The HIPAA Security Rule requires each covered entity or business associate to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the covered entity or business associate. In addition to violating the Security Rule on its own, failure to conduct appropriate and timely risk analysis often prevents a covered entity or business associate from taking appropriate risk management steps to protect ePHI, thereby increasing exposure to breaches as well as potential penalties and litigation. Failure to enter into appropriate business associate agreements (BAAs) before allowing business associates to access PHI. OCR has expanded its enforcement focus on business associates, with a string of resolution agreements holding covered entities accountable for allowing business associates to access PHI without entering into BAAs. OCR specifically reminded covered entities and business associates in October 2017 that using a cloud service provider to maintain ePHI without entering into a BAA violates HIPAA rules and that cloud service arrangements need to be accounted for in risk analysis and risk management. Within the past several years, three physician practices have made settlement payments for disclosing PHI to business associates without BAAs, including a $750,000 payment in 2016 by a North Carolina orthopedic clinic. Failure to implement appropriate safeguards to manage risks and vulnerabilities that were (or should have been) identified in the risk analysis. The Security Rule requires a covered entity or business associate to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, and refers to this safeguard as “risk management.” Strong IT support: Improving your IT hygiene Medical practices often don’t see compliance as a priority and are reluctant to spend money in this area until a breach occurs, at which time spending likely will be much greater than the cost to implement appropriate safeguards. Operationally, it is not unusual for a private medical practice to adopt a hybrid model in which the physician and administrator share IT responsibilities with an IT staff person or consultant. This break/fix model focuses on addressing issues as needed instead of providing proactive, 24/7 monitoring and management of the IT infrastructure. This approach has plagued the IT industry and can put the medical practice at risk. It is not enough to call someone when there’s a problem. By then it’s usually too late. Most attacks succeed because they take advantage of vulnerabilities that are not identified within an organization. Often this is due to a misperception that the medical practice is protected. These medical practices may have strong business controls but often lack the expertise and attention needed to protect their network, necessary security layers and access controls, making them vulnerable to hackers. Healthcare data on the black market is valued higher than even Social Security or credit card numbers. With ransomware added to the mix, you have a billion-dollar business that shows no signs of slowing down. Having the appropriate expertise in place is crucial in protecting your business from these attacks. Problem areas for HIPAA compliance Set it and forget it approach: HIPAA compliance and IT security are ongoing responsibilities. Risk analyses need to be performed on a regular basis, especially as problems are identified or changes occur in the operating environment. Effective security incorporates a proactive approach with ongoing management. Workstation or server updates: Turning on automatic updates on each workstation or server without monitoring success or failure is common. Consider centralizing the management of the updates to gain visibility and catch problems early. Backups: Lack of offsite backup or verification on the integrity of the backups is common. An effective IT company centralizes the management of updates and backups and regularly verifies their integrity. Cost: Many medical group budgets don’t allow for month-to-month managed services contracts. The “we’ll just call you when something is broken or if we need you” approach is often seen as the most cost-effective solution. This approach may be short-sighted and could end up costing the practice more. The cost of a breach can be much higher than the cost of a month-to-month managed services contract. Staffing: Physicians and other non-IT professionals are typically not qualified to manage IT. While anyone can search the internet for how to do something IT related, it’s not realistic to manage an entire IT environment in this fashion and expect to target all security points. How hardware and services are used: Devices and services alone aren’t compliant. It’s how they’re implemented and managed that makes them compliant and effectively secure. Many of the HIPAA security requirements must be addressed within each piece of hardware or service. Checklist: Action steps for medical groups Conduct enterprise-wide risk analysis accounting for all of your practice’s PHI, whether maintained within your organization, in the cloud or by business associates. Implement safeguards based on the risk analysis to reduce the identified risks and vulnerabilities to reasonable and appropriate levels. Review and update your organization’s incident response plan, privacy, security and breach notification policies and procedures. Identify all business associate relationships and ensure that you have an appropriate business associate agreement in place before allowing a business associate to access PHI. Make privacy and security priorities within your organization with policies and procedures in place to ensure consistency and compliance. Conduct ongoing privacy and security training. Encrypt all data at rest and in transit. Ensure that uses and disclosures of PHI align with your organization’s notice of privacy practices. Implement a layered security model to protect from internal and external threats. Email, for example, is a common point of entry for viruses. Invest in a reputable spam filtering product that will address the latest threats and other vulnerabilities. Consider a security monitoring system with 24/7 visibility, alerting and auditing to find IT problems early and reduce risk. Develop access levels following the least privileged model, unique logins, enforcement of complex passwords, two-factor authentications, automatic log-off, forced periodic password changes and account monitoring. Do not rely on intuition to gauge the strength in these areas. Verify that these safeguards are implemented, enforced and audited. Stay current and keep your systems up to date. A ransomware attack swept through the UK shutting down services at hospitals and clinics when hackers took advantage of older operating system Windows XP, which had not been supported since 2014. Microsoft stopped releasing updates for XP three years ago. Key questions to ask Understand the need to focus on identifying your risks and working with a qualified IT service provider who will do more than fix your hardware as needed. If you seek out a managed service provider, you need to understand whether they provide functionalities such as 24/7 monitoring, auditing, reporting, regular patching and updates, layered security and more. Evaluating vendors can be challenging for those who do not specialize in IT. If a vendor representative contacts you, ask these key questions: Have you ever performed a vulnerability risk analysis for a client? Do you currently have any clients that are physicians or healthcare companies? Are you familiar with referenced standards for password use and encryption provided by the National Institute of Standards and Technology (NIST)? What services do you provide under contract? Does this include 24/7 monitoring, auditing and regular patching of all systems and applications? A reputable IT company can independently supply a periodic executive summary report that shows an overall health score in areas such as antivirus, web protection, backups, patch management, at-risk devices and more. Empower yourself with this information before investing in a solution for your group.