Don’t neglect a risk analysis.
If you allow employees to use web-based document sharing applications without thoroughly evaluating the risks, you are leaving your organization wide open to a HIPAA violation and a breach incident. Learn from the most important lessons of a recent breach case.
Last July, the HHS Office for Civil Rights announced that St. Elizabeth’s Medical Center in Brighton, Mass., agreed to settle potential HIPAA violations by paying out $218,400 and adopting a corrective action plan (CAP).
Part of the settlement agreement stemmed from an OCR complaint back in 2012 alleging that SEMC staff members were using an Internet-based document sharing application to store documents containing electronic protected health information. OCR’s investigation determined that SEMC failed to perform a risk analysis before beginning use of the application.
“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications,” warned OCR Director Jocelyn Samuels in a statement. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
Takeaway: Make sure your organization’s HIPAA policies and procedures “address the use of Internet-based applications, including document and file-sharing applications,” advised attorneys Elizabeth Hodge and Thomas Range in an analysis for Akerman.
Remember risk analysis: The web-based document sharing application itself was not the only problem. The bigger problem was that SEMC did not perform a risk analysis before using the application. Under HIPAA, covered entities (CEs) “are required to implement and periodically review administrative, physical and technical safeguards to protect the security of the ePHI that they create, transmit, receive, store or maintain,” wrote attorneys Laurie Cohen, Valerie Montague and Brooke Lane in an analysis for Nixon Peabody.
“Risk assessments are intended to identify and correct potential vulnerabilities in security procedures and systems,” the Nixon Peabody attorneys stated. In light of OCR’s heightened scrutiny of CEs and their business associates (BAs), all organizations that handle PHI should evaluate their HIPAA compliance plans, including their security systems and procedures.
Bottom line: The lesson of this case is to perform a risk analysis before adopting any new technology, according to Jim Sheldon-Dean of Lewis Creek Systems in Charlotte, Vt. You can use OCR’s security risk assessment tool to get started on your risk analysis, at www.healthit.gov/providersprofessionals/security-risk-assessment.
The CAP and Resolution Agreement also require SEMC to conduct a self-assessment of its workforce members’ knowledge of and compliance with its policies and procedures, noted the Akerman attorneys (see story, p. 47).
Encrypt All Portable Devices With PHI
The other part of the settlement agreement involves a separate breach incident. In August 2014, SEMC notified OCR of a breach involving unsecured ePHI stored on a former employee’s personal laptop and a USB flash drive. The breach affected 595 individuals.
An oft-repeated but important lesson from this case is that you must “encrypt all laptops or portable devices with any PHI,” Sheldon-Dean stressed.
Best bet: “Implement robust policies addressing the use of portable devices, including encryption requirements and ‘wiping’ technology,” the Akerman attorneys advised. Also respond to suspected security incidents in a timely manner, “including mitigating the harm from such incidents and documenting how the incident was addressed.”
Note: You can read the SEMC Resolution Agreement at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/SEMC/semc.html.