PQRS and Psychologists: 2014 data

In late April, I received an email from Dr. Carolyn Stimel, Director of Professional Affairs and Acting Interim Executive Director for the Florida Psychological Association. She was sharing information provided by the American Psychological Association Practice Organization (APAPO) that I wanted to pass on to you. Those of you who are members of APA and contribute to the Practice Organization may have already read this information in the APAPO’s Practice Update.

The short version of this report can be boiled down to ‘perseverance pays.’ The longer version of the story includes the at-first futile but now successful efforts by a California psychologist. You can see the detail in the American Psychological Association Practice Organization’s article. The report also contains steps you should take if you were denied the incentive even though you believe you reported properly.

The psychologist’s Physician Quality Reporting System (PQRS) report to CMS for 2014 included data on 8 measures. According to CMS, in order to receive a 0.5% incentive payment, she would have needed to report on 9 measures. She argued that she could not find a 9th measure that was relevant to her practice and part of her scope of practice. With the help of an attorney, and ultimately the APAPO, she appealed and won.

If you tried to qualify for the incentive payment and were rejected, be sure to take a look at this report. If you have opted out of being a Medicare provider because you don’t want to deal with reporting quality measures, please reconsider. We baby boomers now on Medicare would like to be sure we can receive the quality services provided by psychologists.

The APA Practice Organization is supported by member dues.


Business Associates: Are you covered?

We had our regular HIPAA training with all of our SOS staff this morning. This is a sometimes unexciting meeting, as we review SOS policies and procedures related to HIPAA and Protected Health Information (PHI). This morning, we noticed that the amount we have learned about HIPAA, our responsibilities as a Business Associate and the responsibilities of our mostly behavioral health customers as Covered Entities has resulted in much more refined discussion of what we should all be thinking about.

One of our regular concerns is that we, as a Business Associate to our customers, have in place and understand how to act on, policies and procedures to protect the PHI of our customers should it ever be in our hands.

This morning we found ourselves talking about the danger to Covered Entities of not having Business Associate Agreements (BAAs) with their computer tech, maintenance and repair consultants, and having no idea what the policies and procedures of those Business Associates are.

The Office of Civil Rights (OCR) sent out this information on May 3, 2016:

Covered Entities Should Consider:

1.  Defining in their service-level or business associate agreements how and for what purposes PHI shall be used or disclosed in order to report to the covered entity any use or disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents.

HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304). HIPAA also identifies breaches as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402).

According to the US-CERT, cybersecurity incidents could include the following types of activity, but are not limited to:

  • Attempts (either failed or successful) to gain unauthorized access to ePHI or a system that contains ePHI.
  • Unwanted disruption or denial of service to systems that contain ePHI.
  • Unauthorized use of a system for the processing or storage of ePHI data.
  • Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.

2.  Indicating in the service-level or business associate agreements the time frame they expect business associates or subcontractors to report a breach, security incident, or cyberattack to the covered entity or business associate, respectively. Keep in mind: incident reporting should be done in a timely manner, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR, and the media, as applicable. The quicker the incident is reported, the faster a covered entity or business associate can respond, possibly:

  • Minimizing the damages caused by the security incident.
  • Protecting and preventing further loss of electronic patient health information.
  • Preserving evidence for forensic analysis, if necessary.
  • Regaining access to and securing information systems.

3.  Identifying in the service-level or business associate agreements the type of information that would be required by the business associate or subcontractor to provide in a breach or security incident report. The report should include:

  • Business associate name and point of contact information.
  • Description of what happened, including the date of the incident and the date of the discovery of the incident, if known.
  • Description of the types of unsecured protected health information that were involved in the incident.
  • Description of what the business associate involved is doing to investigate the incident and to protect against any further incidents.

4.  Finally, covered entities and business associates should train workforce members on incident reporting and may wish to conduct security audits and assessments to evaluate the business associates’ or subcontractors’ security and privacy practices. If not, ePHI or the systems that contain ePHI may be at significant risk.

I know all of you have BAAs in place, so the OCR’s advice is just repetitious to you. Or do you? If you do not know what your BAAs should and do contain, if you do not have BAAs with everyone who is not your employee and who may see your PHI, if you do not know your responsibilities as a Covered Entity, if you do not regularly train your employees on HIPAA and its requirements… please take a look at OCR’s website where this information is provided.

We worry about you guys! Please make sure you (and your patients) are protected!

HIPAA, Privacy and Security ‘in the Cloud’

Here at SOS Software, we talk to lots of people each day — current customers as well as new prospects — and frankly, we are often surprised by what people say. Maybe you have heard comments like these, too.

  • “I always communicate with my clients by email. Who is going to see my email?”
  • “I definitely want to use a cloud product for my records. That way I don’t have to worry about security or backup. The company says they are HIPAA compliant and will sign a BAA. They must be okay.”
  • “I am the only one in my office. It would be silly to encrypt my laptop.”

Every time I hear such comments, I get concerned for the clients of the person speaking. After all, their understanding of their responsibility to secure and keep private the Protected Health Information of their clients is limited, at best. Finding secure ways to maintain and to safely share the PHI of clients is what the Health Insurance Portability and Accountability Act (HIPAA) requires of Covered Entities.

What steps and tools will help you do this? Let’s go through comment by comment.

1. “I always communicate with my clients by email. Who is going to see my email?”

First, please understand that email is not secure. At the foot of every email I send to a customer is the following statement: REMEMBER: Typical email is not secure. Never include sensitive financial, personal, health, or account credential (e.g. password) information in unencrypted email communications!

SOS President, Seth Krieger, uses the analogy of a postcard when talking about email. You should only send information that you would be comfortable mailing on a postcard — an open, totally unsealed document. That is because email is so easy to hack. It may be unlikely, but it is very easy.

The solution? Encrypted email. We use a product called Virtru when necessary. This morning I got an email from them detailing new and updated features in their Pro product. One of these was right on target: HIPAA Compliance Rule Pack. In fact, they have a white paper called HIPAA Compliance in the Cloud that you might find useful. There are certainly other companies that provide encrypted email services, some free of charge. Please find one for your organization. (SOS has no relationship with Virtru except that we subscribe to their product.)

2. “I definitely want to use a cloud product for my records. That way I don’t have to worry about security or backup. The company says they are HIPAA compliant and will sign a BAA. They must be okay.”

Cloud products can make it easy for you to login from anywhere that you have an internet connection. If they are providing a hosted product, they keep the software up to date for you and certainly back things up. But just because a software provider or cloud storage company says you do not need to worry about anything does not mean that is so.

As the Covered Entity, you are responsible for doing due diligence on any provider of services you use. You need to be sure that the methods they say they are using and the places they say they are storing your data are what they actually do. Signing a BAA does not guarantee that their line staff know what handling PHI actually means.

In fact, you need to understand that a product or a company cannot be HIPAA compliant and cannot guarantee that you will be HIPAA compliant. They are merely providing a tool for your use. If you misuse the tool, you are not behaving in a compliant fashion. For example, you need a login and password to get to your account on their system. But when you get up to take care of your crying infant and your four year old sits down at your computer, your client information is exposed and you are not using the software tools in a HIPAA compliant fashion.

HIPAA requires that you have policies and procedures to secure and keep private the PHI entrusted to you — and that you follow them. No one else can do that for you.

3. “I am the only one in my office. It would be silly to encrypt my laptop.”

Being the only one in your office is no guarantee of security. A disturbance in your waiting room while you are with a client will certainly result in your leaving for a few moments. Your computer is likely exposed to your client during that time. Being a solo provider surely does not prevent you from leaving that unencrypted laptop on the subway. Lost or stolen unencrypted computers are among the largest sources of breached health information.

An encrypted computer is called a “safe haven” in HIPAA-speak. If the machine is encrypted, you are protected from charges of willful neglect and your clients’ sensitive information is shielded from prying eyes and from identity thieves intent on making big money from stealing health records.

The bottom line is that you are responsible for following the requirements of HIPAA. Do you know what they are? How are you handling your responsibilities? Are your employees properly trained and updated often?

Please share your comments in the section below.

Office for Civil Rights Launches Phase 2 of HIPAA Audit Program

On March 21, the Office for Civil Rights (OCR) announced the second phase of its mandated audit program. In the first phase, OCR primarily audited organizations that had reported a serious breach or against whom a complaint had been filed. In this second phase, OCR will proactively “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

The first step in this process will be an email to covered entities and business associates requesting updated contact information. If there is no response, OCR will utilize publicly available information to create the pool for their audits.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publically[sic] available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.

If you receive an email from OCR, it does not mean you will automatically be audited, but not responding to the email will not protect you from audit.

We have been writing about HIPAA since 2008, when I first started writing this blog. A search of our blog posts since then turned up 62 mentions of the Health Insurance Portability and Accountability Act. This is an important issue for all covered entities and their business associates. If you do not know what those terms mean, if you have no Privacy Practices or documented Security Procedures, it is time you get some. If you have not trained new staff about HIPAA, now is the time to do so.

Willful neglect of these requirements will get you in big trouble if you have a breach. Being a small provider of behavioral health services does not protect you. Perhaps it is time for you to review your Risk Assessment, Privacy Notice, Privacy Practices, and Security Procedures just in case you are selected for audit.

Please share your comments in the box below.

“Ransomware” and your computer

The article below has just been shared by Seth Krieger, Ph.D., President of Synergistic Office Solutions, Inc., with our User Group. I thought our blog readers might also be interested.

Many of you are aware that there has been an explosion of so-called “ransomware” malware infecting systems ranging from stand-alone home computers to hospital systems. Once you have been infected, this malware gets busy encrypting files on your drives — including shared network drives — and ultimately notifies you with a screen message that you will have to pay a ransom to regain access to those files.

Two people I know (one a family member, and one a close friend) who work in healthcare were recently infected through email attachments clicked by staff in their offices. Luckily, both were able to stop the infection from getting too far, and had good backups from which they were able to recover the files that had been encrypted.

As with most serious computer threats, these depend on the naiveté of computer users to start the ball rolling. At present there are two main vectors of infection. One is email attachments. Watch out for GIFs and supposed attached “invoices”, both of which are known delivery mechanisms for ransomware, and could even come from the email address of someone in your contact list.

The other vulnerability being exploited more and more frequently is delivery via Flash, Java, and Acrobat PDF extensions in web browsers. This type of malware is often delivered via web site ads that use these extensions. Your best bet is to disable these extensions, or at least set them to require your approval before running. Most web sites will work fine without them. At present, it appears that the most secure browser to be using is Google’s Chrome browser, which keeps itself up to date automatically, and prevents many attacks that other browsers may not.

SOS recommends that you also install a product called Malwarebytes, which is available in a basic, free version as well as a more rigorous paid version. It works alongside your anti-virus to extend the range of threats that can be detected and disarmed. (We have no business association with Malwarebytes except that we use their software.)

If you should suspect that you are infected with an active ransomware program, immediately disable all network connections to other computers to prevent the infection from spreading. Ultimately, however, full recovery will depend on whether or not you have current backups of files that were, or could be, encrypted.

In the past, backups were insurance against hardware failure, fire, theft, or accidental erasure. These are pretty rare events, so many computer users were less than diligent about backing up their computers and critical business data. Thanks to these ever-increasing malware attacks, the need for good backups is also increasing at the same rate. In addition, some of these infections are sophisticated enough to target backup files that can be located on USB drives and network shared resources, so off-line backups (removable media) are more essential than ever!

PLEASE prepare yourself:

  • Use a highly rated anti-virus product, as well as additional malware protection such as Malwarebytes. Make sure that it is set to update itself at least daily.
  • Be VERY careful about clicking email attachments. When in doubt, call the sender to be sure it is legit.
  • Disable Flash, Java, and Adobe PDF browser extensions. Consider using Chrome as your default browser.
  • Back up your entire system periodically, and your irreplaceable data every day, to media that is then disconnected from the potentially infectable computer. On-line backup solutions like Carbonite, Mozy and CrashPlan have their place, but unless you have super-fast internet, having a copy of your backup locally can get you back in business much faster than downloading backups from one of those services.

Be careful out there!

Seth Krieger, Ph.D.
President, Synergistic Office Solutions, Inc.
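As an added example (not code from SOS or from Seth Krieger’s article), the following Python script applies the backup advice above: before copying records to the backup location it checks a few plain-text “canary” files for the high byte entropy that encrypted output has, and refuses to overwrite the previous good backup if they look encrypted or have vanished, since the infections described above also go after backup copies they can reach. The canary_* naming, the 7.5 bits/byte threshold and the sample files are assumptions made for the example.

```python
import math
import os
import shutil
import tempfile
from pathlib import Path

# Assumed threshold: plain text runs about 4-5 bits/byte, ciphertext close to 8.
ENTROPY_LIMIT = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the bytes in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def tampered_canaries(src: Path) -> list:
    """Names of the plain-text canary_* files under src that now look encrypted."""
    return [p.name for p in sorted(src.glob("canary_*"))
            if shannon_entropy(p.read_bytes()) > ENTROPY_LIMIT]


def guarded_backup(src: Path, dest: Path) -> bool:
    """Copy src into dest/data only while the canaries still look like plain text.

    Ransomware that encrypts or renames the files on a drive hits the canaries
    too, so the run stops and the previous good copy in dest is left untouched.
    Returns True when a copy was made and False when it was refused.
    """
    if not list(src.glob("canary_*")) or tampered_canaries(src):
        return False
    shutil.copytree(src, dest / "data", dirs_exist_ok=True)
    return True


def demo() -> tuple:
    """Constructed scenario: a clean backup succeeds, then a canary is overwritten
    with random bytes (standing in for encryption) and the next run is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        dest = Path(tmp) / "backup"
        src.mkdir()
        dest.mkdir()
        (src / "notes.txt").write_text("session notes, plain text")
        (src / "canary_a.txt").write_text("do not edit: backup canary")
        first = guarded_backup(src, dest)
        (src / "canary_a.txt").write_bytes(os.urandom(4096))  # simulated encryption
        second = guarded_backup(src, dest)
        kept = (dest / "data" / "canary_a.txt").read_text()
        return first, second, kept
```

Point guarded_backup at a drive that is unplugged once the copy finishes; an entropy check like this catches files rewritten as ciphertext, not a canary quietly replaced with other plain text, which a stored hash manifest would also need to cover.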