Security and Backup: Yes…backup, again!

Once a month, on average, our technical support specialists are confronted with a customer whose database has become corrupted because of some hardware issue and who has no usable backup. After last week’s adventure, I decided I would again write about backup. Then, last night, I saw a discussion on a Psychology and Technology listserv that included some of our customers talking about full disk encryption of a Mac laptop. Encryption is something we recommend for every customer who uses our software or maintains any Protected Health Information (PHI) on a computer…especially on a laptop. To round out the clues that security and backup should be my topics of choice this week, I noticed an article in eWeek of March 21, 2011 entitled ‘Remote access presents complexity, security issues.’

The rate at which users want to be able to access their work applications remotely has grown geometrically. Fifteen years ago, we were asked about remote access a couple of times a year. Five years ago, that increased to a couple of times a month as many more users wanted to be able to access their software from home. Now, everyone who carries a laptop, or even a smart phone, wants to be able to do everything they need to do for their jobs from wherever they are located with whatever device they have handy.

Whew! If only they realized what an expectation that is! And, all of these expectations complicate the issue of security in ways that those of us who are not very technically savvy cannot imagine. But imagine we must…if we plan to protect PHI, that is.

First, the issue of backup. This is the primary way in which you protect the security and integrity of client information. If you do not have a usable backup from which you could restore PHI in the event of a catastrophe, you are only one step away from having allowed the destruction of your client’s PHI.

Yes, the identifying demographics together with the diagnosis you use to file claims are PHI and are protected under HIPAA. Everything you have in an EMR is PHI. Yes, you are responsible for assuring that this information is intact, safe from destruction, and secure from prying eyes (and hacks). Without a usable backup (preferably encrypted) stored in a secure location and ready at a moment’s notice to replace the data on your computer system, you are not even doing the most basic things necessary to protect your patients. You could probably be shown to be guilty of ‘willful neglect,’ the level of culpability that generates the highest fines from HHS and OCR under their HIPAA authority.

If you are not sure of what kind of backup strategy is minimally adequate, take a look at the backup recommendations and product suggestions we make to our customers.

The issue of remote access, especially from handheld devices like smart phones and iPads, is one that concerns me considerably. HIPAA requires that we must provide for the security of PHI while it is at rest (on a computer drive or CD or smart phone) and while it is in motion (being transmitted from one location or device to another).

Access tunnels like a properly configured VPN, or MS Terminal Services with its transport encryption turned on, are specifically designed to protect the data being transmitted through them. Those of us who are not very technically sophisticated may assume that the developers of the iPad and smart phones have already taken care of equivalent security for us. Not so, folks. While there are products that will provide that security, nothing on those handheld devices is configured to protect PHI for you, and we are on our own to find and set up that protection.

Do you realize what that means? Do you understand that using your cell phone to access your desktop computer and patient information without adding specific protection leaves your data vulnerable? There is no security in your telephone or tablet that protects PHI until you set it up. Even having your client names and phone numbers in your telephone contact list is potentially a breach of their privacy.

No one has volunteered to create a secure environment for your data…that is your job. You must do the research and determine which products will give your PHI the greatest protection.

Not being informed about a problem of insecurity is not considered an excuse by HIPAA. You must know what security your devices use to assure the safety of PHI. Do you have password protection on your phone? Do you have a way of wiping all data from the phone if you lose it or it is stolen? Have you initiated the services that are available to accomplish those purposes?

I know, this has started to sound like a rant. I do not mean to suggest that everyone is acting irresponsibly with client PHI. I do mean to suggest that we take a much too casual attitude toward protection of that PHI…especially when it comes to technologies about which we know little but assume much.

What policies does your organization have in place about use of portable devices and the protection of PHI? Have you found products that are wonderful to accomplish that protection? Will you share their names and your experiences with the rest of us?

Please enter your comments below.

HIPAA Privacy Requirements: Serious business

In the past year, the Office for Civil Rights, the federal office responsible for enforcing HIPAA privacy requirements, has finalized the rule by which all covered entities and their business associates are required to protect the personal and health information of patients they serve. The rule details the actions a breach of the privacy rule requires, including notification of patients. In the past month, OCR has begun to announce significant fines against organizations found responsible for a breach of that privacy rule.

Lots of folks have been waiting to see what kind of fines the OCR would impose upon organizations found responsible for breaches. We are beginning to find out.

On February 14, 2011, HHS entered into an agreement with Massachusetts General Hospital in which the hospital organization agreed to pay $1 million because of the loss of records of 192 patients of one of its outpatient practices. The records were on paper and were left on a subway train. The hospital also agreed to enter into a Corrective Action Plan (CAP) including the implementation of policies and procedures to protect the PHI of its patients.

For those of you who thought these requirements do not affect you if you do not keep any patient information in an electronic form, it is clear that is not how OCR views it. Paper is also vulnerable and OCR is determined to protect that PHI.

The second announced fine was imposed on Cignet Health of Prince George’s County, Maryland: $4.3 million. Cignet was found to have denied 42 patients access to their medical records, to have failed to cooperate with OCR in its investigation of the complaints, and indeed to have failed to reply to OCR’s notifications at all. OCR determined that “the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.”

For those of you who have thought that not keeping records of treatment might be the safest course of action, please think again. If you cannot provide the record when a patient requests it, they have every right to complain and to seek a judgment against you.

Of course, your organizations all have Privacy Policies. Do you know what they are? Do you follow the Procedures that your organization has developed? Does everyone? Part of the requirement is that employees be properly trained in what the policies and procedures are and that their training is regularly refreshed. Oh, and yes, part of the requirement is that the Privacy Officer makes sure the owners of the practice or the Executive Director or Board of Directors is well-informed about how the policies are implemented.

How is your organization doing with the stricter Privacy Rule requirements imposed by the HITECH Act? Please share your thoughts, fears and struggles with these requirements and how they affect your organization. Just enter your comments below.

It’ll Never Happen To Me…

This week one of our customers experienced a “happy ending” to a very unhappy story. We thought we would share it with you.

They were sure they had a good backup. When their server hard drive crashed, they were distressed but not terrified. Rather than losing all their data, they would merely need to get a new server and have someone spend time rebuilding the hard drive from installation CDs and all of the backed up data.

That’s when reality set in. Their consultant technician installed our software onto their new server from a CD and went to restore the data. The data folder was empty. He was unable to recreate his client’s practice management data from a usable backup. That is also when the customer’s panic started.

I don’t know if you have ever considered this scenario for your organization. After all, your IT specialist set up a tape or external drive backup for you and the system automatically backs up every day. Sometimes there is a strange error message on the monitor when you remove the tape or you get an email that says an error has occurred, but you don’t really have time to pursue it.

Have you ever tried restoring from one of your recent backups? Do you know that the data are usable? If someone in your organization has never restored one of your current backups to your system and made sure the restored data worked, then your backup process is incomplete and you are at risk for the same kind of upset our customer experienced this week.
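The check the two paragraphs above are asking for, as an added example that is not part of the original post and is not the vendor’s own backup tooling: archive a data folder, record the archive’s digest, then prove the archive is usable by restoring it into a scratch directory and comparing every file against the live data. The practice folder, its file names and the archive names are constructed for the demo; the “empty source folder” case is the failure in the story above.

```python
"""Backup-and-verify routine: archive a data folder, record the archive's
digest, then prove the archive is restorable by unpacking it into a scratch
directory and comparing every file against the live data.

Added example, not code from the original post or from any vendor product.
The practice folder, its file names and the archive names are constructed
for the demo (assumption).
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map each file under root (relative path) to its digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(data_dir: Path, archive: Path) -> str:
    """Write data_dir into a gzip tarball, store the tarball's digest in a
    sidecar file next to it, and return that digest."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname="data")
    digest = sha256_of(archive)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return digest

def verify_backup(archive: Path, expected: dict) -> list:
    """Test-restore the archive into a scratch directory and return the list
    of problems found; an empty list means the backup is usable."""
    recorded = Path(str(archive) + ".sha256").read_text().split()[0]
    if sha256_of(archive) != recorded:
        # Media error or tampering: do not even try to unpack it.
        return ["archive digest does not match the recorded digest"]
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse unsafe paths
            except TypeError:  # older Python without the filter argument
                tar.extractall(scratch)
        restored = snapshot(Path(scratch) / "data")
    problems = []
    if not restored:
        problems.append("restored data folder is empty")
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    return problems

def run_demo() -> tuple:
    """Build a constructed sample practice folder, verify a good nightly
    archive, then show that an archive taken from an empty source folder and
    a corrupted archive are both caught before anyone relies on them."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "practice_data"
        (data / "clients").mkdir(parents=True)
        (data / "clients" / "demographics.db").write_bytes(os.urandom(4096))
        (data / "claims.log").write_text("2011-03-21 claim 1001 sent\n")
        expected = snapshot(data)

        good = work / "nightly.tar.gz"
        make_backup(data, good)
        good_problems = verify_backup(good, expected)

        empty_source = work / "empty_source"   # the job pointed at nothing
        empty_source.mkdir()
        bad = work / "nightly_from_empty.tar.gz"
        make_backup(empty_source, bad)
        bad_problems = verify_backup(bad, expected)

        # Simulate media corruption: flip one byte of the good archive.
        raw = bytearray(good.read_bytes())
        raw[len(raw) // 2] ^= 0xFF
        good.write_bytes(bytes(raw))
        corrupt_problems = verify_backup(good, expected)
    return good_problems, bad_problems, corrupt_problems

if __name__ == "__main__":
    for label, result in zip(("good", "empty", "corrupt"), run_demo()):
        print(label, "->", result or "usable")
```

The point of `verify_backup` is that it never trusts the backup job’s exit status or the existence of a file on the tape: it restores into a scratch location and compares content, which is exactly what the consultant in the story found out too late. Run it on a schedule against the newest archive and treat any non-empty problem list as a page-someone event; the sidecar digest should be copied to a second location so that a corrupted disk cannot take both the archive and its fingerprint with it.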

Happy ending to this story…a hard drive retrieval company was able to pull data off the crashed drive…at a cost of $7500! Since that certainly played havoc with the budget, this happy ending is really a mixed one.

If you want reminders about backup procedures and our best thinking about what to consider take a look here and here and here and here. We have not written about this as recently as I thought, but data backup is a subject that we try to remind ourselves and our customers about regularly. Please think about and take action about yours.

Also from the ‘It’ll Never Happen To Me’ department…I attended a webinar on the HIPAA and HITECH breach notification requirements a couple of weeks ago. This was done by a company named IDExperts that specializes in guiding companies through the risk assessment process after a breach has occurred. They also have a software product that will walk you through the post-breach risk assessment and track the histories of all breaches. Their take on data security and the risks involved is like this: if you were interested enough to attend the webinar, the question is not if you will experience a data breach, but when. Statements like that always jar me. Since we are not a Covered Entity and have no PHI of our own, I am not too concerned about us experiencing a breach; our procedures are solid and any electronic PHI temporarily in our possession only resides on encrypted computers. Obviously the worry is not small for health care providers, especially large ones.

The concern about security and privacy of PHI has recently been complicated by the fact that HHS has decided to reconsider the final rule on breach notification. After privacy and security groups complained to HHS about the methods for deciding whether the release of data presents a risk to the patients involved, HHS decided to reconsider the final rule. There is speculation that the rule will be made tougher than it was. Up to this time, the organization that experienced the breach has been responsible for determining the severity of the risk to patients caused by the data loss and whether HHS needed to be notified of the breach. HHS did not indicate when a new rule could be expected.

Who in your organization is responsible for verifying that your backups are usable? When was the last time a test restore of crucial data was done? Would you have any idea how to do this; if not, who does? What is your plan of action if protected health information is accidentally released when it should not have been? Are you convinced it’ll never happen to you?

Please share your comments and your experience so all our readers can benefit from best practices on data backup and protection.

Patient Consent for Exchange of Information

The HITECH section of the American Recovery and Reinvestment Act (ARRA) added privacy and security requirements that providers of health care services must follow in handling the Protected Health Information (PHI) of those they treat, over and above those provided for in HIPAA. HIPAA allowed PHI to be exchanged for treatment and operations without patient consent as long as patients were so notified in the organization’s Notice of Privacy Practices.

HITECH provides for stronger controls. It requires that the provider be able to inform the patient (upon the patient’s request for the information) about all the times that PHI has been released by the organization (disclosures), to whom it was released, and the purpose of the release. This includes release of information for operations and billing. If you send claims to an insurance carrier via a clearinghouse, you would need to be able to document every time a claim was sent and that it went to both the clearinghouse and the insurance company. If you send it to the payer directly on their web site, you would still need to be able to document every time you did that.
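What “being able to document every disclosure” looks like in practice, as an added example that is not part of the original post and not a vendor product: an append-only disclosure ledger in which every release of PHI is logged with the patient, the recipient, the purpose and the date, a clearinghouse hop is logged as its own disclosure, each entry is chained to the previous one by hash so an edited or deleted record is detectable, and a per-patient accounting can be produced on request. The record layout, patient identifiers and payer/clearinghouse names are assumptions made for the demo.

```python
"""Accounting-of-disclosures ledger: every release of PHI is logged with
the patient, the recipient, the purpose and the date; each entry is chained
to the previous one by hash so that an altered or deleted record is
detectable; and the log can be answered per patient on request.

Added example, not code from the original post or from any vendor product.
The record layout, the patient identifiers and the payer/clearinghouse names
are assumptions made for the demo.
"""
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # "previous hash" for the first entry

def _digest(body: dict) -> str:
    """Canonical JSON (sorted keys) so the hash does not depend on dict order."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DisclosureLedger:
    def __init__(self):
        self.entries = []  # append-only in normal operation

    def _append(self, patient_id, recipient, purpose, when):
        body = {
            "seq": len(self.entries),
            "patient_id": patient_id,   # an identifier, never the PHI itself
            "recipient": recipient,
            "purpose": purpose,
            "date": when.isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)

    def record(self, patient_id, recipient, purpose, when, via=None):
        """Log one disclosure. When the information passes through an
        intermediary such as a clearinghouse, that hop is logged as its own
        disclosure, as the paragraph above describes."""
        if via:
            self._append(patient_id, via, purpose, when)
        self._append(patient_id, recipient, purpose, when)

    def accounting_for(self, patient_id):
        """The list a patient is entitled to: (date, recipient, purpose)."""
        return [(e["date"], e["recipient"], e["purpose"])
                for e in self.entries if e["patient_id"] == patient_id]

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any entry was edited,
        removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample activity for one small practice (assumption)."""
    led = DisclosureLedger()
    # Claim routed through a clearinghouse: two disclosures for one claim.
    led.record("P-1001", "Acme Health Plan", "payment", date(2010, 5, 3),
               via="ClaimsRouter clearinghouse")
    # Same payer, but keyed directly into the payer's web site: still logged.
    led.record("P-1001", "Acme Health Plan", "payment", date(2010, 6, 1))
    # Referral to another provider for treatment.
    led.record("P-2002", "Dr. R. Singh, MD", "treatment", date(2010, 5, 10))
    return led

if __name__ == "__main__":
    led = build_sample_ledger()
    for row in led.accounting_for("P-1001"):
        print(row)
    print("chain intact:", led.verify_chain())
    del led.entries[1]  # someone "cleans up" the clearinghouse hop
    print("chain intact after deletion:", led.verify_chain())
```

Two design choices are worth stating. The log stores a patient identifier and the recipient’s name, not the clinical content, so the accounting log itself does not become another copy of the PHI it tracks. And the hash chain only proves tampering if the newest hash is also written somewhere the ledger’s own operator cannot quietly rewrite (a nightly copy of the latest hash to a separate system is enough); a chain that lives only in the database it protects can be regenerated by whoever edits that database.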

HHS has been gathering comments from provider organizations about the burden this will place upon them. How the rules are ultimately written remains to be seen.

At the same time, the HealthIT Policy Committee has been working on a framework for privacy and security of PHI as we move toward EMRs and the electronic exchange of identifiable personal information. An attempt is being made to come up with methods and understandings that will allow a national standard and method of exchanging PHI in spite of different laws and requirements in each of the 50 states. A Privacy and Security white paper series explores these issues.

Part of the current concern is the point in an exchange at which a specific consent should be required from a patient for release of their information. It is believed that patients feel fairly secure when provider #1 releases information to provider #2, whether that provider is a lab or another physician. Determining the point at which comfort in an exchange is lost and the requirement of consent is triggered is part of the challenge. For example, if provider #1 has consent to send information to provider #2 but the only method of doing so is through a third party (like a clearinghouse or directory), does additional consent need to be obtained for that transaction? What kind of situation must exist to trigger a patient’s right to “opt out” of the electronic transaction?

These are important issues that pertain to information electronically exchanged for billing and operations as well as for treatment. Avoiding the use of an EMR will not shield you from addressing these issues if you send claims electronically…even at a payer’s web site.

What do you think about protecting the PHI of the consumer of services? What are you doing to assure that you meet the requirements of the law? Please share your thoughts and comments below.

Bits of News for Behavioral Health Providers

I have recently noticed several pieces of news that I thought would be of interest to providers of behavioral health services and others.

1. The National Council Public Policy Update of April 8, 2010 pointed out an important change in timely filing requirements for Medicare claims:

Requirements of the Patient Protection and Affordable Care Act makes (sic) several changes to the Medicare timely filing requirements. Under the new law, all claims from before Jan. 1, 2010 must be filed by Dec. 31, 2010. Beginning on Jan. 1, 2010, all claims must be filed within one year after the date of service in order to be considered timely.

Sec. 6404 of the law details the requirements. This is a change from the former allowance of 3 calendar years to file a claim. Be clear about this: you now have 1 calendar year after the date of service to file a timely claim for payment for those services.  Now might be a good time to use your billing software to learn which old Medicare claims have not been paid (the claims may have been lost) and if there are any Medicare services that have not been billed. If these are not already three years old, you have only until the end of 2010 to file them, and with services that are new in 2010, you have one calendar year to file a claim for the services.

2. Seth recently posted a message on our User Group about the potential privacy and security problems that can be caused by data left on newer copiers and multifunction machines. NJAMHAA Newswire of May 3, 2010 also commented on the possibility of HIPAA violations that can result from careless use of these machines. Seth’s comments follow:

Now that you finally got all your computer hard drives encrypted and you are feeling pretty smug, here comes another headache — thousands of images containing PHI stored on a hard drive hidden inside other office machines. Take a peek at this investigative report by CBS news:

http://www.youtube.com/watch?v=6pIFUOav2xE

This is a pretty big vulnerability. If you have one of these higher end digital copiers, printers, or multifunction machines and it is stolen — or you neglect to remove or wipe the hard drive before selling or trading it in, you have a reportable security breach. Nobody would be likely to have a list of the patient documents that had been copied over the years, so you would have to assume that EVERYONE’s protected information was at risk. That means reporting to the Feds, taking out the newspaper ad announcing your negligence, and the rest of the breach notification nightmare!

Apparently all major manufacturers offer security add-ons of some sort. Now would be a good time to inventory your document devices to determine if they contain hard drives and whether you can retrofit appropriate security add-ons to avoid a potentially disastrous situation in the future.

3. The National Council on April 23 published a review of Parity Act implementation that will allow you to determine whether your insurer or the payer with which you are dealing is in compliance with the Parity Act. “Is your insurer in compliance with the Parity Act?” will help you ask the right questions and provides resources to help you answer the question.

4. On April 22, FierceEMR and other sources reported that hospital-based doctors are now eligible for ARRA incentive payments for meaningful use of certified EHR technology, and that a bill has been introduced by Rep. Patrick Kennedy (D-RI) and Rep. Tim Murphy (R-PA) seeking to include mental health professionals, Community Behavioral Health Organizations (CBHOs), psychiatric hospitals and chemical dependency programs in the ARRA incentives. Time will tell what will fly.

5. And finally, the Mercom Capital HIT Report of May 3 indicated that HHS is seeking comment on the anticipated impact the stricter disclosure reporting requirements included in the HITECH Act will have on providers.

To help guide the Health and Human Services Department in tightening rules for health information privacy, HHS has asked providers, payers and consumers to comment on the benefits and burdens of accounting for the disclosure of protected health information, even if the data is intended for treatment and billing purposes. The HITECH Act called for HHS to strengthen the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA). With the changes, providers, plans and their business partners will have to account for disclosures of patient information contained in an electronic health record, even if the data is for healthcare provision and payment. 

HHS’ Office of Civil Rights (OCR), which oversees health information privacy, published a request for comments in the May 3 Federal Register “to inform our regulations under the HITECH Act,” according to the announcement. Under HIPAA, providers and plans currently do not have to report releases of protected data when the disclosures are related to patient treatment, payment and healthcare operations. HHS said in the notice that it will remove the exemption for those disclosures when it involves an electronic health record (EHR).

Needless to say, there is a great deal going on in the world of behavioral health care and health care in general. Please feel free to share news items you discover that might be useful to other readers.

Don’t forget, your comments are always welcome. Please share them below.