You get out of a taxi and realize the laptop in your briefcase has sped off, along with your patient notes saved in Microsoft Word. Or unbeknownst to you an email just went out to your entire contact list stating you’re in a foreign country and need money desperately. Or your cell phone gets lifted from your pocket – and your patient’s phone numbers and appointments go with it as well. What should you do next for protecting patient information and privacy – and your practice?
While your mind may start to race thinking about the Health Insurance Portability and Accountability Act (HIPAA) in these scenarios, mulling about HIPAA in the abstract typically generates more yawns or irritation more than fear or action. First passed in 1996 and continually strengthened since then, HIPAA protects patients’ personal health information (PHI), and its Security Rule extends that into electronic PHI (ePHI). While noble in their intentions, these regulations put a high burden on clinicians in protecting patient information, who typically have minimal technological background, little to no administrative support, and minimal time to devote to such drab matters. Meanwhile, fines and random audits have increased lately, and a series of major hacking incidents at Blue Cross, Home Depot and Target has increased the pressure to comply. But if major corporations are having difficulty safeguarding their data, what’s the little guy to do?
What is ePHI and how to protect it
Any information, including the medical record, demographic info, billing, and scheduling, that can be linked to a unique patient, and that is stored or transmitted electronically, is ePHI. To secure this information, various administrative, technical and physical safeguards must be in place. If not feasible for the provider to carry out, these must be outsourced to a business associate (BA), and a signed Business Associate Agreement (BAA) that covers how the BA will protect the ePHI must be in place.
The following are some examples of ePHI:
- saving patient notes on your computer or phone
- allowing patients to leave remotely stored voicemails
- using an e-fax service
- using an electronic medical record
- using email, calendars, and/or to-do lists with patient info, whether those platforms are online or on your computer.
There are a few electronic formats that do not require special protections: phone calls, fax to fax if in secure locations, and answering machine messages (the old clunky ones). Unencrypted email to your patients is exempt if each patient has signed a release in which the risks of a breach are covered – and if providers have an audit trail of these emails and tamper-proof archival (which no free email service will provide).
And patients can’t waive any other HIPAA requirements on your or their behalf, even if they’re willing to – for example, your unencrypted email communications about patients with colleagues is never exempt.
Interestingly, an across-the-board exemption apparently applies to providers whose claims are not submitted electronically. However, providers should use this defense at their own peril, as HIPAA has been implemented by so much of the field and for so long, that it is arguably the standard of care. Meanwhile, state laws and licensing board regulations may be more stringent, and these supersede HIPAA.
Breaches and enforcement
Even without a breach, there are several ways that failure to implement appropriate safeguards would become apparent: complaints and random audits. And if there is a breach, mandatory disclosure rules apply.
The US Department of Health and Human Services (HHS) has set up an anonymous complaint form that any patient can fill out. As of June 2014, the HHS Office of Civil Rights (OCR) has investigated more than 22,706 cases that have led to corrective actions (and private practices, not hospitals, were the most common culprits); and has received approximately 901 complaints alleging a violation of the Security Rule (HHS, 2015).
Second, random audits are being increased by the HHS OCR. These audits are very time intensive and onerous, and they cover a long list of scrutinized HIPAA items.
Finally, providers are required to disclose any breach of ePHI, and the HHS keeps a running tally of the breaches. Providers are also required to notify the media if there are more than 500 patients involved.
The consequences for a breach are harsh. Fines start at:
- $100 per violation – that is, per incident per patient – assuming the provider has actually tried to implement safeguards.
- If no effort has been made, the fine is $1000 per violation, and can go to $50,000 per violation for “willful neglect.”
- Other expenses include investigation costs, serving notice to patients, potential licensing board fines, and having to provide identity protection coverage.
Note that most malpractice policies provide only minimal, if any, coverage for “cyber-liability” and these costs would be borne by the provider her/himself. Harder to quantify, but perhaps even more expensive to recover from, is the damage to one’s professional reputation – imagine your name in the newspaper if a breach occurred, even if not your fault? What would this say about your practice and how you care for your patients?
While clinicians bear the legal responsibility for protecting patient information and shielding ePHI, they also have mitigating options at their disposal. With some minor intervention and thoughtful outsourcing, the burden can be reduced and/or transferred. The following are specific areas that providers can have the most control over — and accordingly these are the areas in which providers will be held to the highest level of accountability.
- Passwords are a start, but not as strong as passphrases, which are essentially sentences, like “Ihavetoprotectallinfo.” Passphrases are easier for the user to remember because they actually make sense, and harder for “brute force” password crackers to break because they are so long.
- Passphrases are not enough – if your computer is stolen, the data can be removed from the hard drive directly. Encryption is an absolute must, and if encrypted ePHI is obtained, it is not considered a breach. Fortunately encryption is no longer as complicated as it used to be. Windows 8.1 pro users have this option built-in, and Mac users can enable Filevault.
- USB drives or other peripherals must be encrypted
- Iphones and ipads come with built-in encryption, but you do need to have a login password set up to trigger the encryption.
- Android phones typically have a setting that must be activated.
- The time between requiring you to enter passwords should be as tight as possible.
- You should force a lockout after a only a few incorrect password attempts.
- Make sure to turn on the option to remote “lock” and/or “wipe” phone data.
Websites where you store PHI
- Make sure written a BAA is in place with you and the vendor.
- Do not save login passwords on your computer. Even better, use sites that offer two-factor authentication – a second form of protection.
Risk assessment resources
- A risk assessment can be anxiety provoking, as well as very useful in pointing providers to where they need to shore up their efforts. It is also required, and a sample one is available through healthit.gov.
The backbone of BAA agreements is outlined by the HSS. Typically BAs will provide a complete one, but they may ask you to provide one. The bottom line: if a vendor won’t sign a BAA with you, then they are not HIPAA compliant and you shouldn’t do business with them.
Conclusions for Protecting Patient Information
The answer to the scenarios at the beginning is: it depends. If the laptop and phone did not have encryption activated, or the email list included patient emails, then these are breaches that must be reported. Thus, while daunting at first, providers must take reasonable proactive steps to defend themselves against breaches and regulatory body investigations, and most importantly, to keep the trust their patients have in them.
Simple steps to reduce your risk – coming in part II