Locking the box
In the 12 years since HIPAA first went into effect, this much has become clear: Many in the long-term care industry still do not understand what the law requires or how it should influence daily operations.
Some have overstepped the intent of the regulations. Others still think they're not included under the rules, which were designed, ultimately, to guide the flow of health information, secure an increasingly digitized healthcare system and protect patients' privacy.
For those who aren't paying enough attention to the details, ethical and legal violations are a real possibility.
“A lot of healthcare organizations have done a great job of scratching the surface, but they're not looking closely enough at the parts that can bite you,” says Candace LaRochelle, HIPAA privacy officer for eHealth Data Solutions, which provides clinical assessment, risk management and billing services to LTC clients.
Although HIPAA's components are clear about the protections they require, they leave the details of implementation to covered entities such as nursing homes and continuing care communities. That wiggle room, say experts, creates problems for facilities without the resources or knowledge to make technical decisions.
With the regulation's latest revisions focusing on protecting information shared with business associates, new vulnerabilities have been revealed.
“Privacy officers with skills and knowledge know to be checking up on vendors or have input into contracts,” says Michelle Dougherty, senior director of research and development for the American Health Information Management Association Foundation. “The concern is when we move to the organizations that don't have that infrastructure.”
Kitty Williams, an RN and research and development director for The Compliance Store, says small, independent facilities are more prone to making mistakes because they lack IT support, are crunched for time and might not understand HIPAA's nuances.
It's one thing to appoint a privacy official; it's another to make sure that employee gets routine education and has the power to invest in technology and practices that provide security suited to a particular facility's physical location, as well as its use of business partners, electronic devices, wireless technology and off-site servers.
“Nothing ever ceases to amaze me, the things we still get questions on,” says Angela Rose, director, health information management practice excellence at AHIMA. “We have to continue to teach and educate and develop programs that continuously engage and energize employees.”
The good news is that the rollout of additional regulations — HIPAA debuted in 1996, got an update in 2009, and most recently expanded under the 2013 HITECH Omnibus rule — has created an entire industry designed to build good safety nets.
John DiMaggio, CEO of BlueOrange Compliance, has been working on privacy and security in LTC pharmacies, skilled nursing and continuing care communities since 2012.
As part of a HIPAA review, his representatives conduct site visits and penetration testing to get a full picture of written, security-related policies and procedures; the technical working environment; the location and security of workstations and access to secure areas; and organizational information such as vendor agreements and documentation management.
“We've seen it all,” says DiMaggio. “Shared username and passwords; simple, non-expiring passwords; no firewall.”
He adds that providers often have policies or training that are too limited in scope, fail to update antivirus software or don't appoint a HIPAA security officer as mandated. Lack of encryption is a significant problem in this era of BYOD (Bring Your Own Device).
LaRochelle is a fan of third-party risk assessments because they provide non-biased information that creates targets for improvements. If leadership can't be sold on annual reviews, she suggests at least building a checklist to standardize contracts with vendors so that everyone is working together to protect identifiable information.
A checklist approved by a lawyer is a start; a better bet is to check with someone with up-to-date and thorough knowledge of healthcare IT who speaks the right language. For example, Cheryl Field, MSN, RN, points to the concept of remote data storage. Having an RN/privacy officer with limited technical training review a contract with a business associate providing cloud-based storage for electronic medical records could be problematic.
“How does he know that it's encrypted, encrypted at rest?” asks Field, vice president of healthcare and privacy officer for PointRight analytics. “He can't see info in the cloud. They're sort of at the mercy of the person doing the marketing.”
LaRochelle says small companies can get “taken advantage of because of the fear” associated with compliance or breach penalties.
In fact, many made drastic assumptions about the regulations when they were first passed in 1996. But HIPAA doesn't require long-term care facilities to do away with sign-in logs at spas, stop calling patients by name in communal areas or remove their names from doorways.
Such incidental disclosures are specifically provided for within the regulations — provided they are limited in nature. Besides, placing over-the-top limits on privacy dampens the home-like environment providers are working so hard to cultivate.
“We've seen gun-shy caregivers unnecessarily withhold information for fear they would violate HIPAA, which could be solved with good training,” says DiMaggio.
Questions about HIPAA's reach can often be answered by healthcare IT groups; AHIMA, for example, offers extensive HIPAA guidance on its website at www.ahima.org/topics/psc and at its annual conference.
And many companies offer online and group workshops tailored for IT staff, practitioners, even housekeeping.
“Everyone in the organization should be trained,” says Debbie Newsholme, senior director of content operations at HCCS. “Everyone has the potential to cause a breach or to access information they don't need.”
Maria D. Moen, vice president of care innovation for VorroHealth, says she's had well-meaning customers ask for generic log-ins, allow archiving on personal devices, or permit non-designated family members to access records. Once she explains that those actions undermine HIPAA standards, providers usually find alternative solutions.
“Long-term care providers tend to be particularly sensitive to privacy and security issues with the aging population they care for,” says Moen.
Still, employees may cross lines unwittingly, whether it's a nurse sharing patient information in front of housekeeping staff, an activity director posting images on social media or an administrator opting for wireless Internet that offers only consumer-grade protections.
That last one is a major concern for Ginna Baik, business development executive with CDW Healthcare.
“There are unsecured networks within these 63,000 facilities (across the country), and we don't even know what's getting hacked — no one's tracking it,” says Baik. “We don't know what we don't know.”
If a visiting doctor logs on to a guest network, are his notes adequately protected? How sure are you that your 85-year-old residents won't have their information stolen while using your system to shop Amazon?
Though long-term care has, as an industry, generally managed to avoid major HIPAA-related breaches so far, security experts predict the time is coming.
“It's not ‘if.’ It's ‘when,’” says Newsholme.
The fifth annual study by the Medical Identity Fraud Alliance found the number of patients affected by medical identity theft increased nearly 22 percent in the last year. Sixty-five percent of victims surveyed paid more than $13,000 in resolution costs.
Sadik Al-Abdulla, director of security solutions for CDW, agrees with that assessment. He calls an attack on a long-term care network “inevitable.”
“You have these cyber criminals going after bigger targets with larger piles of information. But as those places become more secure, they're going to look for new targets,” he says. “It's an intersection of how much data is available versus how easy it is to hack.”
And nearly everyone is at risk.
Al-Abdulla's teams perform several types of security testing. Though none is designed to test HIPAA compliance specifically, they reveal privacy and security weaknesses.
During penetration tests, his IT professionals “always” gain access to protected systems. And he says data-loss prevention assessments reveal information in places his clients say it shouldn't be 100% of the time (for instance, on an unencrypted spreadsheet). In about 80% of reviews intended to unearth existing breaches, CDW has found malware or other hostile programs that were operating unbeknownst to clients.
When the big breach finally hits long-term care, the best defense against huge penalties from the Office of Civil Rights might be proof of due diligence.
Routine assessments are one part of that equation. They are also becoming part of doing business with other healthcare providers, especially hospitals whose reputations are on the line. Baik says some are looking at technology at long-term facilities where they refer patients and even asking for a grading system.
“HIPAA is becoming a commodity,” says Field. “You're expected to have it in place. When you don't do it well, your business is in jeopardy.”
It's a two-way street. Moen says working with companies that have established track records in data protection is increasingly important to LTC clients, who are themselves feeling pressure from regulators to implement more technology.
“Many LTC vendors are doing just that, and those that aren't stand to lose market share as the provider needs and interest shift, resulting in alternative buying decisions,” she says. “Lead, follow or get out of the way was never more true than it seems to be now.”