“Top 10” List for Security Law Compliance
As we bid farewell to late night comedy host David Letterman, I thought it appropriate and timely to give a nod to one of Letterman’s most iconic segments, his “Top 10”, with my own Top 10 list for complying with applicable Security Law:
#10. THE HIPAA SECURITY AUDIT. If you are feeling overwhelmed and anxious with every new Big Data breach announced (hello Anthem!) and don’t know where to start with getting your own Security Compliance program up to snuff, start with the HIPAA Security Audit. Not only is it legally required under HIPAA (see 45 C.F.R. 164.306), but the comprehensive checklist of Technical, Administrative and Physical Implementation Specifications that must each be evaluated will, if done right, get your organization well on its way to identifying risks and, hopefully, preventing a breach before it happens. Unfortunately, many organizations either do not complete the Security Audit properly (not thoroughly enough) or do not do enough to mitigate the gaps that are identified. Concentra recently ended up paying the feds (HHS) $1.7 million because, although it identified that 254 of its 597 laptops were NOT encrypted, it did NOTHING until a breach occurred: ePHI was compromised when an unencrypted laptop was stolen. So the moral of the story here is: complete the HIPAA Security Audit, do it right, and if you identify gaps in security, fix them!
#9. LEARN FROM RESOLUTION AGREEMENTS. The Federal Department of Health and Human Services (HHS) posts every resolution agreement it enters into with a covered entity for HIPAA non-compliance (and in the near future, we expect to see resolution agreements with Business Associates too!). To date, there are 24 Settlement Agreements posted and one lucky winner (Cignet) that was assessed Civil Monetary Penalties. You can read them all here: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html. Why are these important for Security Law compliance? Because they highlight areas where others have fallen short, and what issues HHS has focused on and looks for in an effective security compliance program. Resolution Agreements are a GREAT opportunity to learn from others’ mistakes. Failure to complete updates to the Security Analysis, failure to encrypt devices, improper disposal, lack of policies and processes, and failure to implement security measures are among the mistakes HHS has no tolerance for, and that your organization cannot afford to make. We know this because others have made the same mistakes, and the Resolution Agreements tell us that these failures resulted in hefty settlement amounts, to the tune of millions in some cases, that Covered Entities had to pay to HHS.
#8. LEARN FROM BIG BREACHES. We all shake our heads when the next big data breach hits the headlines — “Anthem hacked, 80 Million records compromised”; “Premera breached, 11 Million records compromised”; “TRICARE unencrypted backup tapes stolen, 4.9 Million records compromised” — and the list goes on, and on. Indeed, these headlines induce uncontrollable head-shaking in shock, in disgust, in exasperation. But these cases also offer another opportunity to LEARN from others’ mistakes. With each new BIG BREACH case announced, we should be asking “what went wrong?” and “how do I prevent that from happening to my organization?” In Anthem, while the facts are still coming to light, it is known that the access credentials of a System Administrator were somehow obtained and this led to an external hack. The employee realized this when he saw queries being run across the database which he did not initiate (good catch, employee!). This was immediately reported, and notifications were issued to individuals without delay. One takeaway here is to ask why or how the access credentials were compromised. Employees should be WELL educated and trained regarding not sharing access credentials, not writing them down (and throwing them out), not storing their user names and passwords on unsecured electronic devices, and not responding to “phishing” emails where someone poses as “IT personnel” and asks for the employee’s access credentials. Do your employees all have a heightened sensitivity to phishing for access credentials? Does your organization have policies that prohibit IT personnel or others from requesting access credentials by email or other unsecured or unauthenticated means? If you don’t, you should — or you might end up like Anthem.
#7. GET CONTROL OVER YOUR BUSINESS ASSOCIATES. I know. Trying to get Business Associate Agreements in place with vendors is as easy as herding cats. But it must be done. All vendors that require access to PHI to perform a function or service on behalf of a covered entity are business associates (note: if they don’t require access to PHI, then the vendor is not a BA and a BAA is not needed). Once you have identified all your BA vendors, getting contractual language in place is critical; and I don’t mean just “HIPAA-compliant” BAA language. There is a lot at stake when an organization hands over its PHI to a third party, and although BAs are now directly liable for non-compliance with the HIPAA Security Rule, a basic bare-bones HIPAA BAA does not address a LOT OF OTHER STUFF. There are many other important issues to be addressed, such as allocating responsibility as to who secures ePHI and when, allocating risk, allocating costs and liability, and migration of the data after termination of the relationship (and who pays, and how much?!). The time to address these issues and manage these risks is during the contracting process with your BA vendors, because later it will be too late.
#6. SOCIAL MEDIA & THE INTERNET. Does your organization have policies specifically regarding social media use and the Internet? If it doesn’t, it should. Use of professional chat groups and other social media may be appropriate, but disclosing PHI on such sites, either inadvertently or negligently, is not. Things I’ve seen: a video is posted on YouTube for what seems like a good cause, but when you zoom in on the video, you can see a whiteboard with patient names and other identifiable information in the background (this is a breach); a doctor posts a case on a professional chat circle to see what other colleagues think about the case, and while she does not disclose her patient’s name, she discloses sufficient other general information that someone on the chat group coincidentally was able to identify the patient (this is a breach); a nurse posts a picture of a patient’s echocardiogram on her Facebook page that shows a very, very rare disease. Since it’s just a picture, she thinks there is no way that the patient can be identified. However, one of her distant “friends” knows what hospital she works at, and knows that her neighbor has spoken about having a rare cardiac condition that lines up with the picture, and so in all likelihood can identify the patient (this is a breach). Social media and the Internet pose a new wild, wild west and challenge for security. Corralling this relatively new security risk starts with developing good policies on these topics, and then educating employees on what is and what is not allowed when it comes to Internet and social media use.
#5. NO SNOOPING! The temptations can be great, but employees must be made aware of the repercussions of snooping. Snooping violates patient privacy and security. In Walgreens v. Hinchy, a jury awarded a patient/customer $1.44 million because a Walgreens pharmacist snooped in a patient record for her own personal purposes (she wanted to know if her husband’s ex-girlfriend had a prescription for a condition that she believed her husband had contracted). In the Walgreens case, the corporation was forced to pay up under the legal theory of respondeat superior, which makes an employer essentially liable for the illegal act of its employee. But this case might have been avoided with better training and internal sanctions. Employees should also be made aware that State AGs have CRIMINALLY PROSECUTED individuals, including doctors, nurses and other staff, who have snooped in patient records with NO legitimate purpose. Therefore, the stakes are high (for both the employer and the employee), but the solution is easy. If the reason one wants to access a record is not an “authorized” purpose (i.e. treatment, payment, health care operations, etc.), then the access is prohibited. Period.
#4. E-MAIL & TEXTING. Gmail, MSN, iCloud, Yahoo, Hotmail, etc. THEY ARE ALL INSECURE! Patient information should NOT be sent through unsecured email and texting. Unfortunately, employee non-compliance is high, as they do not want to give up the efficiency of using these easy means to “quickly” send a file or other patient information. Unfortunately, the speed at which the information travels does NOT correlate with the level of security those methods offer. With all the focus HHS is placing on encryption and on how breaches could have been avoided with encryption, I would not recommend allowing emailing and texting of patient information (there is an exception HHS allows if a patient requests that their PHI be sent directly to them by email, and is informed of the security risk of the provider/covered entity doing so). Luckily, secure alternatives and solutions continue to pop up, such as DIRECT messaging, encrypted patient portals, Tiger Text and PingMD. Look into them, and get your employees to stop texting patient information!
#3. ENCRYPT. This includes data in motion and data at rest. If you do not encrypt devices that house or transmit ePHI, you had better have a very, very exceptional reason why you do not — AND you have to document it (per the HIPAA Security Rule); otherwise you will get no sympathy from HHS when data is breached. Encryption is also a Safe Harbor under the Breach Notification Rule, so if a device is lost, stolen or hacked but the ePHI is encrypted, you do not have to notify HHS or individuals (at least under HITECH, but check your individual state’s breach laws).
#2. REPORT BREACHES & SECURITY INCIDENTS. Here, I am talking about the internal kind of reporting. Employees are the “eyes and ears” of an organization. A covered entity must notify HHS and individuals of a Breach as soon as it is discovered or “should have been discovered with reasonable diligence” (see 45 C.F.R. 164.404(a)). That means that as soon as an employee is aware of a breach, the 60-day time frame within which an organization has to make its notifications starts ticking. For this reason, it is critical for employees to know to whom they must report such knowledge. If they don’t, then the covered entity can be assessed additional penalties for every patient and every day the notices were late. Delay in notifying individuals about a breach, or in discovering a breach, may also lead to a larger volume of data being compromised, and for a longer period of time — which is why time is of the essence when getting information from the employee to a person who is able to properly act on it.
#1. EDUCATE & TRAIN. The human factor is probably one of the weakest links in Security compliance. The only way to begin to manage this risk and weakness is to start by establishing a culture at your organization in which Security is vitally important. Then, employees must be constantly educated and trained on the organization’s policies and expectations. I’ve found that the most effective method of training employees is through use cases. What should the employee do when he/she discovers a breach? What kinds of phishing emails might you see, and how should you respond? A well-educated and trained workforce that is given constant Security Reminders on the latest and greatest hacking schemes and security vulnerabilities will better ensure that your Security program is more effective and your organization is hopefully less vulnerable to breaches.