Healthcare providers have gained unprecedented flexibility to collect and access resident and patient data from outside the walls of the facility. New requirements for electronic health records are accelerating the pace of innovation. Along with the increased efficiency and timeliness of action these technologies allow, new risks of compromising protected health information (PHI) have also developed.
Data from the Health and Human Services (HHS) Office for Civil Rights, the investigative agency concerned with HIPAA and HITECH Act compliance, show more than 5 million patients had their PHI compromised in 2010. Laptops and other mobile storage and access devices accounted for 59% of the incidents. Twenty percent of the incidents were from business associates, who are now covered under the HITECH Act.
The stakes are higher than ever before with the HITECH Act having increased the monetary consequences of PHI breaches. For instance, Massachusetts General Hospital resolved a “potential” violation of HIPAA Privacy and Security Rules for $1 million on February 14, 2011. (You can learn more about the case specifics at www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html.)
HHS has also imposed a $4.3 million civil money penalty on CIGNET of Maryland for HIPAA Privacy Rule violations. As you can see, the Office for Civil Rights is serious about protecting an individual's PHI.
RISKS FOR PROVIDERS
The Minimum Data Set that is completed on residents contains complete medical, social, and mental data on the people being assessed. Unauthorized disclosure of electronic records compromises their privacy to an extent not possible with paper-based records.
Long-term care facilities care for the population most vulnerable to identity theft. Our residents are adults with work histories and Social Security numbers. Many are not able to manage their affairs. So in addition to the risk of compromised PHI, they are also at risk of identity theft. An MDS form contains all of the information needed to fabricate an identity, even down to the person's nickname. An unsecured laptop, tablet, PDA, or smartphone could harbor a treasure trove of this information. A misplaced backup hard drive or memory stick can also contain thousands of opportunities for identity theft.
PROTECT ELECTRONIC PHI
The Office for Civil Rights advises covered entities to be extremely cautious in allowing the offsite use of, or access to, electronic protected health information (ePHI). This guidance was written in 2006, before the explosion of mobile devices, but it is still in effect, and is still the best advice. Covered entity security officers must include all ePHI access and storage in their risk assessment and mitigation. Additionally, all ePHI must be secured when at rest, in movement, and in use. This can be more challenging for mobile devices, especially newer devices that offer increased ease of use but may not have the security features necessary to be HIPAA-compliant.
Periodic assessment of all PHI and ePHI is required by HIPAA. Significant emphasis and attention should be directed toward remote access and portable ePHI. All of the standards of the HIPAA Privacy and Security rules apply to remote access ePHI.
If a device does not meet HIPAA standards, it must be either modified or not used to access ePHI. For example, smartphones often have 4-digit “passwords,” far below the common requirement of a strong password of seven characters drawn from upper-case letters, lower-case letters, numbers, and symbols. Such a device should not be used to access ePHI unless secondary access software implements appropriate security.
Specific policies and procedures should be developed for safeguarding ePHI during remote access. Security awareness must be constantly reinforced for all personnel who are given remote access. All other personnel must be aware of the prohibition on remotely accessing ePHI. This means employees who wish to work from home must obtain the proper permissions, training, and technology to do so safely. Also, the unauthorized copying of data containing ePHI must be prohibited.
HHS Office for Civil Rights
This website has a wealth of information, including the source legislation and regulations discussed in this article. Citations and actions are listed, with the names of the institutions, nature of breaches, and numbers of individuals affected.
Go here for the Advanced Encryption Standard requirements and the listing of validated applications. Vendors who claim that the technology they propose meets the Advanced Encryption Standard should cite its presence on this list to demonstrate compliance.
Yale University HIPAA compliance
This website (and many other university websites) has excellent guidance and examples that can be adapted for a facility's use.