Keep calm and pay your fines: This is not a good strategy
Mason Rothert, Mediprocity Inc.
For the past two years, healthcare data breaches have been skyrocketing. The Department of Health and Human Services' Office for Civil Rights has been posting breach information since 2009, and it appears to be on course to report another record-breaking year in 2017. The majority of breaches involve hacking incidents (26%), unauthorized access and disclosures (28%) and theft (30%). Many organizations approach security as a 'one and done' policy, thinking that if they have encrypted email in place then they are fully protected. Today, securing technology legally requires a good deal more to be addressed and monitored.
Understanding your organization's security risks is critical. If the Office for Civil Rights (OCR), which enforces HIPAA, walked into your office today, how would you respond to its initial questions?
• Can we see your risk analysis book and corrective action plan?
• What technology do you have in place to protect patient information on mobile devices?
Answering these questions without hesitation can be challenging. Even worse would be to offer the responses "we have not had anyone needing corrective action" or "we have a no-text policy." The OCR wants to see your nursing facility's risk assessment. Having a policy against the use of text messaging, but not correcting the actions of an employee who sends a text anyway, puts you at greater risk of a willful neglect finding, which likely leads to increased fines and longer OCR monitoring.
In April 2017, the HHS Office for Civil Rights announced a $400,000 fine along with the imposition of a 3-year corrective action plan against a large federally qualified health center. That's right: the government essentially fined itself for a breach and non-compliance. The standard definitions used around willful neglect in HIPAA are:
• Reasonable cause - means an act or omission in which a nurse or doctor knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative policy, but in which the doctor or nurse did not act with willful neglect.
• Reasonable diligence - means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
• Willful neglect - means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative policy violated.
If you knew anyone on your staff was responding to a text from your doctor about a resident, and did not correct the action, that sounds like willful neglect of a "do not text" policy.
Think of a breach as a loose thread on a sweater: pulling on it can lead to bigger problems. This is how it all began for this health center, which had a breach around a "phishing" email scam when a worker opened up a pathway to hackers. The health center took the necessary actions to correct this incident; however, the investigation revealed that they had failed to properly conduct a risk analysis. Upon further review of all their risk assessments, they simply had too many areas that were susceptible to threats and vulnerabilities. It was as if they were taking the 'one and done' approach and had just checked off enough boxes to get by, and this mistake cost them $400,000 plus OCR monitoring.
The OCR is targeting the long-term care market and has already imposed multiple fines on facilities and physician offices. Despite the wave of breaches, many physician offices, nursing homes and pharmacies continue to operate in willful neglect.
If you are an officer, administrator or director of nursing, putting off a company risk assessment is an increasingly risky choice. Someone could make an innocent mistake, such as clicking on a bad link in an email, that leads to a breach. Addressing compliance protects your organization.
One of the top threats to an organization today involves mobile devices and text messaging. In 2014, over 500 billion text messages were sent worldwide. That figure was published three years ago, and smartphone ownership has since grown to 77% of American adults in 2017, according to Pew Research. Remember, a no-text policy that is not enforced is willful neglect and may increase the size of the fine.
All it takes is for one nurse to send patient health information by an unsecured method, or for one department head or medical director to lose their phone. Are you comfortable with anyone walking out of the building to go to a dinner meeting and bringing a resident chart with them?
One smartphone can now hold ALL of your resident charts, so it must be encrypted and must support remote wipe or remote log-off. It must also be able to monitor whether the information may have been accessed while the device was out of the user's control. It does not matter whether it is theft or just a lost device: if it holds 500 or more patients' information, that equals a minimum $50,000 fine per incident. It also requires the theft or loss to be reported to the media, and it is customary to provide credit protection to those whose information was put at risk. Just ask a Philadelphia skilled nursing facility employee whose lost phone resulted in a $650,000 fine.
Being in healthcare means helping residents. Not protecting resident information hardly meets that standard. So do a risk assessment, track corrective actions, put access controls in place, and give your staff a secure text tool that not only protects them but also streamlines communication and improves workflow.
Mason Rothert is the CEO of Mediprocity Inc.