How Safe is Your Patient Data? Steps to Protect Electronic Health Information in Nursing Homes A collaborative effort brought to you by Harmony University The Provider Unit of Harmony Healthcare International, Inc. (HHI) And Kinara Insights Presented by: Sameer Sule, MS, MSc Founder & President
As digitization of the healthcare industry increases, the need to safeguard electronic patient data is also becoming increasingly important. Electronic protected health information (ePHI) is not just in the electronic medical records (EMRs). It also resides in emails, in documents and images on computers, servers, printer hard drives and mobile devices like laptops, cell phones, tablets and USB memory sticks. Healthcare professionals are also using texting and online file sharing services to conveniently share confidential information. The loss of this confidential patient health information is disastrous for patients and healthcare organizations.
About Sameer
Sameer Sule, MS, MSc., Founder and President of Kinara Insights
- Specializes in patient data security and HIPAA compliance.
- Author of "Protecting Electronic Health Information: A Practical Approach to Patient Data Security in your Healthcare Practice".
- Extensive experience guiding clients through the planning, selection and technology implementation phases.
- Assisted clients through the OCR HIPAA audit process and provided recommendations to address the audit findings.
- Published in the Journal of the Massachusetts Dental Society, The Granite State Report (a publication of the ACHCA New Hampshire Chapter), The Disaster Recovery Journal and the Worcester Telegram and Gazette.
- Regular blogger: provides insights, tips and advice on secure technology usage in a constantly changing healthcare landscape.
- MS from Syracuse University and MSc. from the Indian Institute of Technology, Bombay.
- Co-inventor on 14 US, EU and AU patents.
Disclosure: The planners and presenters of this education activity have no relationship with commercial entities or conflicts of interest to disclose.
Planners:
Kinara Insights: Healthcare Technology Consulting
Helps healthcare organizations and their business associates use technology in a secure, HIPAA compliant manner to be more efficient and deliver high quality patient care.
Focus: Data Security | HIPAA Compliance | Mobile Technology | Cloud Computing
Services (Review/Development): Data Backup & Disaster Recovery Planning; Data Security and HIPAA Compliance; Training and Workshops; Secure Cloud Computing and Mobile Solutions
This seminar is meant to provide information for educational purposes only. Information presented in this seminar is not legal advice and must not be taken as such. HIPAA rules and regulations are subject to different interpretations. Please consult your attorney for legal advice specific to your case.
Medical identity theft occurs when criminals use your personal information to obtain medical services or drugs, or to submit fraudulent bills. It is the fastest growing form of identity theft in the US, with over 300,000 victims per year.
Medical records are rich in identity information: patient name, DOB, SSN, insurance policy information, credit card details, medical history, emergency contact information for family members, etc. A complete medical record sells for $50 on the black market vs. $20 for credit card information alone.
Consequences for the patient:
- Possible social stigma and embarrassment
- Denial of insurance
- Loss of reputation
- Loss of time trying to get the records corrected in different healthcare systems that are not connected with each other
Recent HIPAA Penalties: $4.8 million, New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU)
Cause: A physician employed by CU attempted to deactivate a personally-owned computer server on the network that contained NYP patient ePHI.
Result: Disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications and laboratory results, on internet search engines.
Findings: Lack of technical safeguards to check whether the server was secure; no risk analysis to identify all systems with ePHI; failure to implement appropriate policies for database access authorization; failure to comply with its own information access management policies.
Recent HIPAA Penalties: Stolen unencrypted laptop
Cause: An unencrypted laptop was stolen from one of the company's facilities. The company had previously recognized, in multiple risk analyses, that the lack of encryption on its laptops, desktops, medical equipment, tablets and other devices containing ePHI was a critical risk. Efforts at encryption were incomplete and inconsistent over time, leaving patient ePHI vulnerable throughout the organization.
Findings: Insufficient security management processes.
Recent HIPAA Penalties: $1.2 million, Health Plan, Inc
Cause: Photocopier hard drives. Disclosure of the ePHI of 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.
- Failure to incorporate the ePHI stored on the copiers' hard drives in its risk analysis
- Failure to implement policies and procedures for returning the hard drives to its leasing agents
Practitioner note: multifunction copiers, fax machines and networked medical devices keep images of what they process on internal storage. Carry them in the asset inventory like any other ePHI system, and sanitize or remove the drive before the unit leaves the facility.
Recent HIPAA Penalties: $150,000, Dermatology practice in MA
Cause: An unencrypted thumb drive containing the ePHI of 2,200 individuals was stolen from the vehicle of one of its staff members. The drive was not recovered.
- Failure to conduct an accurate and thorough risk analysis as part of its security management process
- First settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act
HIPAA Settlements: In 7 cases resulting from a breach report, HHS has entered into resolution agreements or corrective action plans totaling more than $8 million in settlements.
HIPAA Security Rule standards covered below (R = Required, A = Addressable):
Contingency Plan: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A)
Evaluation (Required)
Business Associate Agreements/Contracts and Other Arrangements
Common causes of ePHI breaches:
- Loss or theft of laptops or mobile devices containing ePHI
- Lack of appropriate authentication/audit software and controls to secure access to ePHI
- Unsecured medical devices and printers connected to the network
- Software updates or system maintenance
- Stolen passwords, or weak passwords that are easy to crack
- Use of unsecured file sharing software/services
- Use of unsecured email or text messaging services
- Viruses or malware in the computer system
- Unintentional employee action or error
- Intentional employee action
- Negligence of third party service contractors
1. Risk Analysis
An accurate and thorough assessment of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It must cover every system and device that creates, receives, stores or transmits ePHI, not just the EMR: the penalty cases above turned on a personal server, copier hard drives and a thumb drive that had been left out of the analysis.
Questions to ask:
- Are you using web based email like Hotmail or Gmail to send ePHI? How about text messaging?
- Is the wireless internet in the facility secure?
- Is staff accessing ePHI from remote locations using free/unsecured Wi-Fi?
2. Access and Audit Controls
- Who has access to ePHI?
- What policies/processes are in place to grant individuals access to ePHI?
- What technology are you using to monitor access?
- How are alerts set up to flag unauthorized access?
- Do you have audit logs to monitor access to ePHI?
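Audit logs only help if someone reviews them, and review scales only with automation. The following is an added example, not code from the presenter or from any EMR vendor: it parses a constructed, hypothetical EMR access log (timestamp, user, role, resident ID, action) and applies two review rules a nursing home can run daily. Rule 1 flags chart access by a user who is not assigned to that resident (the roster mapping is hypothetical). Rule 2 flags a user opening many different charts in a short window, the pattern of chart browsing or snooping. Every name, resident ID and log line is constructed.

```python
"""Added example: daily review of an EMR access audit log for suspicious
ePHI access. All sample data below is constructed; the log format and the
roster are assumptions, not any real product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical export format:
# timestamp,user,role,resident_id,action).
SAMPLE_LOG = """\
2014-06-02T08:05:00,nurse_ann,RN,R1001,view_chart
2014-06-02T08:12:00,nurse_ann,RN,R1002,view_chart
2014-06-02T09:30:00,billing_bob,BILLING,R1001,view_billing
2014-06-02T13:00:00,nurse_ann,RN,R1042,view_chart
2014-06-02T21:05:00,aide_carl,CNA,R1003,view_chart
2014-06-02T21:06:00,aide_carl,CNA,R1004,view_chart
2014-06-02T21:07:00,aide_carl,CNA,R1005,view_chart
2014-06-02T21:08:00,aide_carl,CNA,R1006,view_chart
2014-06-02T21:09:00,aide_carl,CNA,R1007,view_chart
"""

# Hypothetical roster: which residents each user is assigned to care for
# (or, for billing, which residents' accounts they work).
ROSTER = {
    "nurse_ann": {"R1001", "R1002"},
    "aide_carl": {"R1003", "R1004"},
    "billing_bob": {"R1001", "R1002", "R1003", "R1004", "R1005", "R1006", "R1007"},
}


def parse_log(text):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, resident, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "resident": resident, "action": action})
    return events


def find_alerts(events, roster, burst_threshold=5, window=timedelta(minutes=10)):
    """Return a list of (rule, user, detail, timestamp) tuples for review."""
    alerts = []
    # Rule 1: access to a resident the user is not assigned to.
    for ev in events:
        if ev["resident"] not in roster.get(ev["user"], set()):
            alerts.append(("NO_ROSTER_MATCH", ev["user"], ev["resident"],
                           ev["ts"].isoformat()))
    # Rule 2: many distinct residents' charts within one short window.
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            residents = {e["resident"] for e in evs[i:]
                         if e["ts"] - start["ts"] <= window}
            if len(residents) >= burst_threshold:
                alerts.append(("BURST_ACCESS", user, len(residents),
                               start["ts"].isoformat()))
                break  # one burst alert per user is enough for the reviewer
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG), ROSTER):
        print(alert)
```

The alerts are leads for the privacy officer, not findings: an emergency (break-glass) access or a float nurse covering another unit will also trip Rule 1, so the reviewer checks each one against the schedule and documents the outcome. That documentation is exactly what an auditor will ask for when they ask how access is monitored.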
3. Encryption
Addressable DOES NOT mean optional. An addressable specification must be implemented if it is reasonable and appropriate for your organization; if you decide it is not, you must document why and put an equivalent alternative safeguard in place.
- Is all your stored (at rest) ePHI encrypted?
- Is ePHI encrypted during transmission (in motion) over the network?
- If ePHI is not encrypted, what alternative safeguards do you have in place that ensure its security?
Encryption also changes the outcome of a loss: the stolen laptop and thumb drive cases above became reportable breaches because the data was unencrypted, whereas properly encrypted ePHI on a lost device is not considered unsecured PHI under the breach notification rule.
5. Contingency Plan
- Data backup plan (Required)
- Disaster recovery plan (Required)
- Emergency mode operation plan (Required)
- Testing and revision procedures (Addressable)
- Applications and data criticality analysis (Addressable)
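A backup plan that is never tested is a plan to discover, during the disaster, that the restore does not work. The example below is added here and is not the presenter's code: it records a SHA-256 manifest of a backup set at backup time and then checks a test restore against that manifest, reporting files that came back missing or altered. File names, contents and directory layout are constructed placeholders in a temporary directory, so it runs offline and touches no real patient data.

```python
"""Added example: verifying that a backup restores intact, using a hash
manifest. Paths and contents are constructed; nothing here is real ePHI."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large database dumps are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Record the hash of every file under backup_dir, keyed by relative path.
    Run this when the backup is taken and store the manifest with the backup."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(restore_dir, manifest_path):
    """Compare a restored tree against the manifest.
    Returns (ok, problems); problems lists ("missing"|"altered", relpath)."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest.items():
        full = os.path.join(restore_dir, rel)
        if not os.path.exists(full):
            problems.append(("missing", rel))
        elif sha256_file(full) != expected:
            problems.append(("altered", rel))
    return (not problems, problems)


def demo():
    """Simulate a backup, a faulty test restore, and the check that catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        restore = os.path.join(tmp, "restore")
        os.makedirs(os.path.join(backup, "mar"))
        # Constructed placeholder files standing in for a MAR database and a census export.
        for rel, data in [("mar/2014-06.db", b"mar-records"),
                          ("census.csv", b"room,resident\n")]:
            with open(os.path.join(backup, rel), "wb") as f:
                f.write(data)
        manifest = os.path.join(tmp, "manifest.json")
        write_manifest(backup, manifest)
        # Faulty restore: the database came back truncated and the census
        # file was not restored at all.
        os.makedirs(os.path.join(restore, "mar"))
        with open(os.path.join(restore, "mar", "2014-06.db"), "wb") as f:
            f.write(b"mar-rec")
        ok, problems = verify_restore(restore, manifest)
        return ok, sorted(problems)


if __name__ == "__main__":
    print(demo())
```

Run the restore test on a schedule (quarterly is a common choice) against a scratch server, keep the output with the contingency plan documentation, and revise the plan when the test fails; that record is what "testing and revision procedures" looks like in practice.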
6. Policies and Procedures
Must have well documented policies and procedures that comprehensively cover the administrative, physical, and technical safeguards in place to protect ePHI.
- Policies should cover risk management, access control to ePHI, contingency planning, employee termination, etc.
- Make sure policies and procedures are relevant and up-to-date.
7. Training
Implement a policy mandating periodic training for all personnel who handle ePHI. This must include permanent staff as well as temporary and contract workers. Conduct the training periodically and document it. Have a sanction policy in place that clearly spells out the consequences for anyone who does not follow the security policies despite receiving compliance training.
- Humans can be the weakest link in the security chain.
8. Business Associate Agreements
Execute a Business Associate Agreement (BAA) with every third party vendor that comes in contact with your ePHI as part of the services they provide to you or on your behalf.
- These include consultants, transcription companies, billing companies, accountants, legal firms, marketing companies, cloud based data backup services, etc.
9. Documentation
- Is all your HIPAA related documentation organized and easily accessible?
- You will need to produce it in case of a data breach or a HIPAA compliance audit.
Security Rule Compliance
Don't assume that if the technology is compliant, the organization is also compliant. Compliance is achieved by a combination of:
❖ Technology
❖ Policies and procedures
❖ Regular staff training
❖ Strict enforcement and sanctions
❖ Periodic review and updates
❖ Proper documentation
Do it yourself and/or get outside help when needed. Example: you can use ready-made policy templates, but you need to customize them to your organization; a template that describes controls you do not actually have is worse than no policy when an auditor compares the two.
Author: “Protecting Electronic Health Information: A Practical Approach to Patient Data Security in Your Healthcare Practice” Amazon: http://www.amazon.com/author/sameersule Email: [email protected] Blog: www.kinarainsights.com/blog LinkedIn: http://www.linkedin.com/pub/sameer-sule/7/b1b/511 Twitter:@sameersule