Welcome to my first newsletter in more than ten months. I dare say things have been busy in the world of healthcare information privacy and security regulatory compliance. Everyone is a bit scared that they’re already in trouble and don’t even know it. If the introduction of mobile technologies hasn’t created privacy and security issues enough, now the bad guys have finally woken up to the most poorly held secret in healthcare information privacy and security: if you want to steal someone’s identity to commit fraud, healthcare information is pure gold.
And of course that information is often used to commit health insurance fraud, which can affect the integrity of the patient’s record and present serious safety issues. On top of that, the complexity of health information handling and processing makes securing it nearly impossible. It’s just not getting any easier anytime soon. That’s why we love this work, right?
I’ll cover a few hot topics for you, and then get into some compliance questions and answers that I have received and provided over the last several months. Some of the best questions come from people who listen to a Webinar or seminar and have a particular wrinkle for which the answer is not immediately obvious. I can learn a lot from a new question, and many of you may have similar circumstances, so I’ll share a few in these newsletters. Not surprisingly, a lot of them have to do with communications, and with mobile devices and all the creative ways people use them, and their risks.
— HIPAA Changes —
••• As part of the executive branch implementation of federal gun control measures, on January 6, 2016, a new final rule was published to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm. The impact of this rule is limited to certain organizations, “only covered entities with lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of information for NICS reporting purposes.”
In other words, this is for the most part focused on government entities such as county courts, for instance. Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information. The new rule is available at: https://www.federalregister.gov/articles/2016/01/06/2015-33181/health-insurance-portability-and-accountability-act-hipaa-privacy-rule-and-the-national-instant
••• Speaking of changes, HHS has updated its Web site and it is much easier to use, much easier to find things on, more mobile-friendly, a huge improvement. But. In the process they’ve broken a lot of the links that led to many, many guidance documents and resources. I have looked through my links on the Resources pages of www.lewiscreeksystems.com and fixed dozens, and I keep checking them in my presentation and handouts, so I think I have them pretty well nailed down on my end, but if you find any faulty ones, please let me know. If you have older materials with now-broken links, you can find the new ones on my resources pages at http://www.lewiscreeksystems.com/resources.html or you can try fixing it by inserting "/sites/default/files" right after "hhs.gov", which works most of the time.
— HIPAA Guidance —
••• If you’re looking for guidance (and couldn't we ALL stand a little guidance these days?), one link that sure does work, and ain’t it grand, is for the new guidance from the HHS Office for Civil Rights on individuals’ rights to access their health information. The guidance includes general information and specifics about the details of proper implementation, and also includes an extensive Q&A section providing additional information. If this guidance is an indication of the quality of information we should expect from HHS on the Web, it’s a good sign.
The guidance is clear, well written, and well organized, and directly addresses one of the issues that has been consistently identified as a weakness in HIPAA compliance: patient access of records. The regulation is presented in detail and the Q&A section addresses many of the questions I have gotten from all of you. Providing access properly, and handling denials of access properly, have been identified by HHS enforcement leadership as an area where it is time for there to be better compliance, so we can expect to see this as a target issue in the upcoming round of HIPAA audits, expected “real soon now."
If you have questions on providing access under HIPAA, look here first. http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html If you don’t have questions, look it over anyway, and you may learn an important detail relevant to you. Are you prepared to handle denials of access properly? Make that your HIPAA compliance task of the week, and document it to show your consideration of compliance. See? Wasn’t that easy?
••• A little trickier is the work needed if you want to actually de-identify data for one purpose or another. The question is often, “what if I de-identify the data?” Well, what does that mean? Sure you can remove all 18 identifiers listed in the regulation, but context still remains, and context can reveal a lot about the identity associated with a piece of data. While the ultimate answer is far from always clear, NIST has announced a report on De-Identification of Personal Information, NIST Internal Report 8053.
The report summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification, and the effectiveness of the HIPAA Safe Harbor method. The report is available at http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf If you are dealing with any issues of de-identifying PHI, READ THIS REPORT! Also, see HHS’s guidance from 2012 on De-identification of PHI, available at: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf (And yes, I fixed that link.)
••• If you’re thinking about how your mobile device connects to your cloud-based EHR (and let’s face it, isn’t just EVERYbody these days?) best to take a look at the first industry specific special publication in draft from NIST in SP 1800-1, focusing on the use of mobile devices in health care. The idea is, use multiple layers of security in controlling access (a.k.a. strong authentication), and ask your EHR vendor some hard questions — a good questionnaire is included in part “e” of the guidance. With the alarming increase in the number of breaches by hacking, caution is indicated. https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
— Q&A —
Here is a question I get frequently in one variation or another, and my reply, regarding texting with patients.
Question: Are offices allowing their clinical and/or front desk staff to text with patients? We want to allow our providers to text for scheduling and location purposes. All of our patients are homeless or recently rehoused and sometimes they go off the radar. They tell our providers, nurses, case managers over and over again "Just text me - I ran out of minutes." So they are asking for this form of communication. We're a small practice and want to make sure we aren't doing anything "crazy" if we start allowing texting.
Answer: The short answer is yes you can use texting, but you need to be prepared to handle it properly as a communication medium. That is, you need to be sure you document any text exchanges that could be considered part of the record, just as you would any communication. And you need to be ready to deal with people wanting to text 24/7, and the proper handling of those.
The idea is, the Security Rule requires you to consider encryption of all transmissions, but doesn’t outright require encryption. When you do the risk analysis, you see that you really should encrypt all communications like e-mail and texting that contain any PHI, because the information is not secured and could be exposed, and that would be a breach. For business communications involving PHI, yes, encryption is basically necessary.
But when it comes to communication with patients/clients, they have certain rights under the Privacy Rule to communicate in the way they see fit so long as you can reasonably do that. The guidance says, if they want to use insecure e-mail (and by extension, texting), let them know that it is not a secure communication and it could be exposed, and if they want to go ahead, you can. It’s a good idea to document their consent to use an insecure method, either through having a good process, or getting a signature, or both.
And that gets us back to the issue I mentioned at the top, that you need to be prepared to handle it properly. Always have a secure, documented method of communication you can start from, and then allow insecure ones as necessary to provide services, with consent. If it’s more than you feel you can handle, you don’t need to do it. But if you want to, you can; just explain the risks and get a consent to do so, and document your exchanges.
————
Here is a question on texting of reminders of appointments, which is a growing practice.
Question: We [a dental office] periodically text appointment reminders to our patients using a web based text system. We do NOT include their names in the text, just the day and time of their appointment. Is this OK? If we were to move to texting phi in the future, how do we do this securely?
Answer: This is one of those gray areas. The phone number can be an identifier, so it depends on the detail in the reminder. If you don’t explicitly identify the organization, but use its initials, you’d be better off than if you used the entity name, which could provide some information about the kind of services being provided. Of course, a dental appointment is not the same as an appointment for cancer treatment or reproductive health, so the actual risk of a real issue is small [for a dental office].
Nonetheless, I would also secure consent from the individuals to send reminders by text message, advising them of the insecurity of text messages. Even if you have consent, keep the content to a minimum and as de-identified as you can. [The most secure reminders do not identify the office or the nature of the appointment, they come from a reminder company and only say for what time the appointment is scheduled.] The consent doesn’t need to be terribly complicated, but should be documented somehow.
Also, take a moment to document your accepted practices for this, so you can help prevent the use of texting for other purposes that you haven’t protected.
————
And finally, a question on Business Associates and Risk Analysis.
Question: My concern is getting business associates to comply with doing a risk analysis. How have you seen other CE’s do this? Also, if there is a breach by a business associate, would HHS hold the CE or the business associate accountable? Or both?
Answer: CE’s are beginning with making sure they have the right kind of a BAA in place first, and that calls for the BA to be in compliance with the HIPAA rules, including the Security Rule, which requires a risk analysis. You need to feel sure that the BA is in compliance, which ties into your second question. If you feel you have assurances that the BA is in compliance (which begins with the BAA, but doesn’t necessarily end there), chances are that any breach will be their responsibility. But if you don’t have sufficient assurances that they’re meeting the requirements in their BAA, you could also be held liable for breaches — the new rule doesn’t let you off the hook entirely.
This is a very difficult situation, as there are many BA relationships in which the BA does not realize what they’re signing when they sign a BAA with the CE.
While the entirety of the security rule applies, the place to begin is for them to do a risk analysis and make sure they have breach notification policies and procedures. I suggest you let them know that they need to follow the rules according to the regulations and the BAA, and that they have a period of time (60-90 days) within which to provide you some kind of documentation that they have actually done something to be in compliance with the rules. You’d like to see a summary of their risk analysis report or the table of contents to their HIPAA policies, things like that.
This will take time, but it is being tackled, slowly, by the industry. [You can also ask to see a third-party evaluation such as an SSAE 16 SOC Type 1 or 2 Report, or submit a questionnaire similar to that presented by NIST in their draft guidance in SP 1800-1 part e, available at: https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices ]
I wish it was easier, but with the high profile breaches these days on the increase in health care, these are good things to do.
————
I have a lot more questions I can answer, but this is a start, and I hope to get to the next newsletter in something less than ten months so I’ll save some. I also hope to get the next one out using a modern newsletter management platform, so expect to see a different look and feel, but the same attitude inside.
This is a time of change in HIPAA and a change in the privacy and security landscape the likes of which we’re not likely to fully comprehend for some time. It’s a good time to keep your eyes open and look for ways to protect privacy and security before you discover you haven’t.
I don’t want to turn this into a promotional newsletter, but my mission is to make HIPAA easier for the world, so I have to mention that I have several Webinars and seminars scheduled around the country coming up — check in at http://www.lewiscreeksystems.com/upcoming_public_seminars.html And I’m working on a book on the "10 Day HIPAA Compliance Plan," for which I have been asked by many, and which I hope to have completed in the next few months. Would it be of interest to you? Something to answer the question, “Yeah Jim, but where do I start and what do I actually do?” Would you prefer a hard copy or electronic or both?
And of course, if you have any questions for me in the meantime, I always learn as much from you as you do from me, so please let me know.
Thanks.
Jim