HIPAA Compliance for Medical Practices
63.7K views | +25 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

When does HIPAA require more than encryption?

When does HIPAA require more than encryption? | HIPAA Compliance for Medical Practices | Scoop.it

Encryption of sensitive electronic personal health information (ePHI) on mobile devices – including PCs – is often considered sufficient to protect that data well enough to achieve HIPAA compliance. However, it’s important that those handling this data understand the circumstances where encryption alone is not enough.


These situations do exist – and can be nightmares if they occur. The Department of Health and Human Services' HIPAA Security Rule describes satisfactory encryption as “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.” That last part means that encryption is only adequate as a safeguard for HIPAA-protected ePHI if the situation is such that the encryption still secures the data.


There are several scenarios where even encrypted data can be breached relatively easily and, unfortunately, there are many real world examples of each of these scenarios occurring. The trouble with encrypted data is that it needs to be decrypted to be useful to those who would access it legitimately, and the bad guys will look to take advantage of those moments when encryption’s defenses are down. Encryption is a powerful defense for data when a device’s power is off and for when the password is unknown and can’t be learned or hacked. But putting it that way, we’ve actually rather narrowly defined where encryption is effective.


Here are some cases where it isn’t.


1. The data thief gains the password needed to get around the encryption on an ePHI-filled device. This can happen when the password is stolen along with the device - for example, if a laptop is taken along with a user’s notepad containing the password needed to access ePHI. HIPAA requires not only encrypting sensitive data but also paying attention to the safety of passwords or any such methods of access. Bad password security effectively negates encryption. Too often we’ve seen a sticky note of passwords attached to a laptop – or even passwords written on USB devices themselves – which is a great example of an encryption that is not HIPAA-secure.


In another type of case at Boston’s Brigham and Women’s Hospital, a physician was robbed at gunpoint and threatened into disclosing the pass codes on the laptop and cellphone that were taken from him, each of which contained ePHI. The doctor appears to have done all that could be done to comply with HIPAA as far as keeping data encrypted, but when forced to choose between personal health information and actual personal health, he made the reasonable choice. Still, the incident was a HIPAA breach, requiring patients and officials to be notified.


2. The stolen device is already running and an authorized user has already been authenticated. In this scenario, the legitimate user has already given his or her credentials and has a session accessing ePHI running when an unauthorized user gains control of the device. HIPAA contains measures to minimize the likelihood of this scenario, calling for the issue to be addressed with automatic log-off capability to “terminate an electronic session after a predetermined time of inactivity.” Still, authorized users should take care to close out sessions themselves if stepping away from their devices and leaving them unguarded.


3. A formerly authorized user becomes unauthorized, but still has access. This can happen when an employee quits or is terminated from a job but still possesses hardware and passwords to bypass encryption. A case such as this occurred at East Texas Hospital, where a former employee was recently sentenced to federal prison for obtaining HIPAA-protected health information with the intent to sell, transfer or otherwise use the data for personal gain. Criminals in these cases often use ePHI for credit card fraud or identity theft, demonstrating how important HIPAA safeguards can be to the patients they protect.


So how can ePHI be protected beyond encryption?


The safest security system to have in place when encountering each of these scenarios is one where the organization retains control over the data, and the devices containing ePHI are equipped with the ability to defend themselves automatically.


The fact is that employees will always seek and find ways to be their most productive, meaning that policies trying to keep ePHI off of certain devices are, for all intents and purposes, doomed to be burdensome and disrespected. For doctors and other healthcare staff, productivity trumps security. It’s best to take concerns around security off their plate and provide it at an organizational level. Organizations can implement strategies that maintain regular invisible communications between the IT department and all devices used for work with ePHI in a way that isn’t cumbersome to the user. Through these communications, the IT department can access devices to remotely block or delete sensitive data and revoke access by former employees. Software installed on devices can detect security risks and respond with appropriate pre-determined responses, even when communication can’t be established.


Given the high stakes of HIPAA compliance – where a single breach can lead to government fines and costly reputational damage – it would be wise for healthcare organizations to consider encryption only the beginning when it comes to their data security.

more...
Scoop.it!

Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States

Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States | HIPAA Compliance for Medical Practices | Scoop.it

A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context. 

Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held the HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and—importantly—that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case, Byrne v. Avery Center for Obstetrics & Gynecology, P.C., should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information.  Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action.
While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year.  But most of the litigation to-date has centered on a plaintiff's ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies.  Invasion of privacy claims frequently fail for lack of "publication," and negligence claims fail for lack of actual injury—e.g., identity theft—under either the economic loss doctrine or Article III standing. 

Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach.  In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.

The plaintiff in Byrne received treatment in connection with her pregnancy from the defendant obstetrics center, which agreed in its privacy policy not to disclose her health information without authorization. But after the child's father filed paternity actions and served a subpoena, the obstetrics center mailed a copy of the plaintiff's medical records to the family law court without informing Byrne. Before Byrne could seal the records, the father reviewed them and allegedly harassed and threatened her.  Byrne sued the obstetrics center, alleging, in pertinent part, statutory negligence, common-law negligence and negligent infliction of emotional distress. 

The trial court dismissed the statutory and common-law negligence claims and the negligent infliction of emotional distress count, reasoning that they were essentially HIPAA claims in disguise. More specifically, addressing the state statutory negligence claim, the court wrote that "[t]o the extent that [the statute] permits disclosure of protected medical records pursuant to a subpoena without the safeguards provided by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA." Similarly, the trial court opined that if "common law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule" and "[b]ecause it is not more stringent [than HIPAA], the preemption exception does not apply." The court further ruled that insofar as the doctrine of negligent infliction of emotional distress "permits a private right of action for HIPAA claims" it is also is preempted by HIPAA.

The Connecticut Supreme Court reversed the trial court's decision, holding that HIPAA does not preempt state-law negligence actions for breach of patient confidentiality, as such actions are not "contrary" to HIPAA, but either complementary or "more stringent." Of interest in the broader data-security context, Connecticut joined courts in North Carolina, Kentucky, Delaware and Maine by ruling that "HIPAA and its implementing regulations may be utilized to inform the standard of care applicable" in state-law negligence actions. In addition, district courts in Tennessee and Missouri have remanded negligence claims predicated on HIPAA regulations to the respective state courts, implying that such claims are proper under state law.

These rulings apply only in the HIPAA context and only in those specific states. Even so, the cases bear watching from a data-security perspective, as courts could employ similar reasoning in data-breach actions, looking to regulations or pronouncements by the Federal Trade Commission, Federal Communications Commission, or other federal regulatory entities that have entered or might yet enter the data-security fray. 

It is important to note that the Connecticut Supreme Court in Byrne assumed, without holding, that Connecticut's common law recognizes a negligence action for breach of patient confidentiality, so state courts could still hold that companies owe no data-security duties beyond those assumed in contract or imposed by statute.  Moreover, the court noted that HIPAA regulations are relevant to the negligence standard of care to the extent they have become "common practice" for Connecticut health care providers. On this reasoning, only those standards that achieve frequent use within an industry or locale would inform a negligence duty. 

Given the increase in data-breach lawsuits and the trend in HIPAA cases, companies should pay close attention to federal regulatory efforts, especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action.


more...
No comment yet.
Scoop.it!

Using E-mail at Your Medical Practice: 5 Security Tips

Using E-mail at Your Medical Practice: 5 Security Tips | HIPAA Compliance for Medical Practices | Scoop.it

Methods for transferring protected health information (PHI) have been broken for a long time. Even with the advent of EHRs, data exchange methods haven't kept pace with industry expectations for privacy and convenience.

It's time to retire the usual stable of secure alternatives to e-mail, like patient portals, faxes, or snail mail. They're far too burdensome for both practitioner and patient. Like it or not, e-mail is synonymous with accessibility. To deliver the best care possible, it's essential to meet patients on their terms. It's harder than ever to ignore e-mail, just as it's becoming more difficult to embrace it in good conscience.


Most e-mail security solutions focus on simple text, but the real risk comes with files and attachments. That's because sensitive data typically resides in files. Files, in turn, often get duplicated and cached on devices, making them hard to easily track or protect. So when we talk about the risks facing medical practices when it comes to communicating, it's about files—not simple text messages. The question, of course, is where all that leaves most practices.

The key lies with file encryption. Encryption essentially scrambles messages so that they're only legible by intended users. That's why encryption is so often the means through which healthcare providers guarantee HIPAA compliance. Although most secure e-mail tools focus on the body text of an e-mail, that part might not even be necessary to encrypt. After all, the real threat lies in what comes appended to the e-mail. Whether they're voice recordings, digital X-rays, intake forms, or medical bills, it's essential to encrypt the files themselves.


Seeking Solutions


Finding the right solution, though, is another story. E-mail encryption services exist for handling simple text correspondence with patients by scrambling the messages and sending them through a secure connection. But even these have risks. Many HIPAA-compliant e-mail providers are simply adding yet another system to your already disconnected work flows, rather than integrating seamlessly or solving some of the other problems you have, like storing files and auditing access. What's more, they aren't foolproof.


Here are five tips to help practices communicate with patients and other provider and business associates while maintaining airtight security.


1. Look for file encryption. File-level encryption ensures that protections follow the file no matter where it ends up. With built-in authentication controls, file-level encryption also eliminates the threats associated with mistakenly entering the wrong e-mail address.


2. Don't forget about secure file storage. Many encrypted e-mail services that purport to comply with HIPAA destroy messages after a set period of time. The issue, of course, is that practices need to keep detailed records — and the best place for that, in my humble opinion, is the cloud. Which brings us to …


3. The best solutions will integrate seamlessly with other work flows. The cost of inconvenience is too high, because inconvenience often leads users to seek out workarounds that aren't compliant, including popular cloud services like Dropbox. So the expensive EHR system you've built or bought is nothing more than a loophole to circumvent. In some ways, the cloud presents the ideal all-in-one solution, eliminating the need for e-mail attachments by allowing you to store and share links or folders themselves. In those deployments, it's essential to ensure that your Dropbox files are encrypted and HIPAA-compliant. If you have file encryption, you can use e-mail and Dropbox the same way you would in your personal life — just more securely.


4. Many easy-to-use secure providers don't include a safety net for mistakes. We're all familiar with the horror stories and HIPAA fines that have been levied against practices that mistakenly e-mailed lab results to the wrong patient or faxed a form to the wrong number. That's why the best HIPAA-compliant sharing tools will help prevent or create solutions for mistakes by showing just what was attached and offering the ability to revoke access to the wrong recipient. If a file itself is encrypted, access and modification can be audited even if it was mistakenly downloaded.


5. You don't need to encrypt everything. It isn't necessary — and maybe even inappropriate — to treat all information equally. Flexible solutions that allow you to set permissions according to their sensitivity are ideal.


There's no shortage of options for communicating, but many secure e-mail technologies can leave much to be desired. The key in striking a balance between convenience and compliance lies in finding a solution that does the hard work of communicating securely for you. The onus should be on the technology — not the patient or your employees — to strike that balance.


more...
No comment yet.