Home Health & Hospice Week

Don’t get slack about cyberattacks.

Sometimes HIPAA breaches are unavoidable — but more often, they are simple to prevent with staff training in crucial areas.

Review: If you find yourself with a HIPAA breach, expect to be on the hook for these four questions based on the HIPAA Breach Notification Rule:

1. What type of information was lost and how large an impact would it be?
2. Who obtained the PHI, and how and to whom was it leaked?
3. Did anyone actually receive and see the data?
4. What did your agency do to lessen the effect of the lost PHI?

The HIPAA Breach Notification Rule is online at www.hhs.gov/hipaa/for-professionals/breachnotification/index.html.

To help avoid breaches — and being called on the carpet for those questions — consider these common causes for breaches and how to avoid them.

Breach Scenario #1: Theft

Protected Health Information (PHI) and electronic Protected Health Information (ePHI) are commonly adulterated when provider and/or partner technology, information, or paperwork is stolen. This could mean anything from an office break-in, where actual hardware or physical files and property are taken, to lost or lifted portables that were snatched from employees’ cars or elsewhere and then compromised.

Remember: Employees steal PHI and ePHI too, recording patient data for their own personal gain. When this kind of HIPAA breach happens, patients’ records are often exposed and sold for profit. Theft is the easiest HIPAA violation to deal with and overcome. A good place to start is with the encryption of all your electronic devices, especially those used by visiting staff.

Scrutinize and educate: Performing a comprehensive background check on all your employees and business associates before hiring needs to be mandatory for added security. However, vetting processes aren’t perfect and employees are tempted by the easy access to patient information and financial data for numerous nefarious reasons — and in those cases, strict disciplinary guidelines should be imposed.

Breach Scenario #2: Unauthorized Access, Disclosure

This culprit is a frequent contributor to breaches and can easily be remedied with proper staff education. It often arises when providers and employees let policies slip when transferring PHI and ePHI to third parties like claims and collections companies, outside billers, and insurance carriers.

This could be a detailed phone message or fax about a patient to an unauthorized individual or business associate or emailing patient information to insurers for claims, but it also covers something as simple as displaying patient information on an agency or employee social media page. The combination of what can be related, who has access to it, and where the PHI/ePHI can officially go is the focus of this breach.

Train and retain: Constantly re-educating staff about your compliance practices and ensuring that they understand the importance of both agency and patient security is essential. Another crucial detail is having an ironclad business associate agreement that protects you against partners who aren’t always reliable.

Tip: When you go about enlisting outside resources, look for “sophisticated vendors that have very advanced HIPAA programs because smaller firms don’t know what the HIPAA rules are,” advises attorney Abby Pendleton of The Health Law Partners in the Southfield, Michigan office.

Breach Scenario #3: Cyberattacks

Unfortunately, more often than not, providers think they are prepared but are actually technically vulnerable. From social engineering schemes like phishing and spoofing to malicious attacks involving malware and spyware, healthcare’s cybersecurity is on the top of everyone’s watchlist. And that’s why it’s essential to follow the golden rule of HIPAA compliance: assess, analyze, and manage.

Federal help: This is where the Office of the National Coordinator for Health Information Technology (ONC) risk assessment tool comes in handy. The ONC site assists providers in the initial stages of HIPAA compliance planning and points you toward the best methods for addressing security.

Reminder: Hackers are a step ahead of providers, says attorney Clinton Mikel of The Health Law Partners. “If the OCR investigates and finds over 500 individuals were affected, the first thing they will look for is the security risk analysis.”

Exceptions: Since most breaches are accidental and relatively benign, guidelines for exceptions to the rule are available for providers to follow if an infraction is suspected. Here are a few examples:

• An employee might “unintentionally” give the wrong patient data to a clinician, but the person realizes the error and doesn’t use or access the PHI or ePHI.
• Authorized workers might unwittingly transfer ePHI to another “covered entity,” but that worker sees the mistake and deletes the information.
• Authorized personnel believe that the PHI could not be conveyed to another source — for instance, patient data was mailed but is returned unopened due to a wrong address.

Note: The ONC’s risk assessment tool is at www.healthit.gov/providers-professionals/securityrisk-assessment-tool.