New HIPAA privacy and security rules released in late January have put healthcare industry members on notice about their role in protecting patient data. In essence, if sensitive information falls into the wrong hands, the federal government is looking to blame providers and levy serious financial penalties.
This new rule — known as the HIPAA Omnibus Final Rule — has particular significance for long-term care organizations because it serves as an impetus for providers to boost their information technology capabilities while developing new, tighter policies to protect residents’ data. Once providers undertake a thorough evaluation of the security threats that exist, they might be surprised to find how many potential breaches there are and how underprepared the facility is to handle them, say those familiar with IT security.
“Providers must protect personal health information from inappropriate use or disclosure as they would any sensitive, confidential data,” says Kevin Whitehurst, vice president of client services and HIPAA officer for MDI Achieve. “Providers need to be keenly aware that the fines are stiff for breaches and other violations. They should be wise about allocating proper resources and policies to protect their future.”
All providers should review their security and incident management programs to ensure they are in alignment with the requirements to include business processes to address a security incident, Whitehurst adds. Moreover, the review should not single out technologies, but be “organizationally cross-functional,” he says.
One of the biggest security concerns is the proliferation of mobile devices, such as smartphones, iPads and laptops. These represent a major security risk because they often lack encryption or have only minimal security. Texting is another vulnerable area because it has become the favored manner of communication for physicians and staff members. Personal health information could be put in jeopardy if those lines are unsecured.
“Accessibility is key — everyone has these phones in their pockets,” says Debbie Johnson, corporate director of health information and privacy officer for Life Care Centers of America. “They are easy to use and people don’t think twice about it. It is easy for a physician to say, ‘Text me,’ but these lines aren’t secure. And the younger generation doesn’t see the line for when it’s right and when it’s wrong.”
As a result, mobile devices are responsible for causing “lots” of anxiety, Johnson says.
“We’re trying very hard to educate our staff about what they can or can’t do,” she says. “Our main message is, ‘Don’t put protected health information in electronic correspondence.’”
If the term “breach” wasn’t common in the industry’s vernacular before the new HIPAA rules came out, it will be from now on, says Miriam Murray, director of corporate compliance and privacy officer at SavaSeniorCare.
“The definition of breach presents a new landscape,” she says. “As all improper uses and disclosures are now considered breaches, providers will need to modify their investigations to include a more thorough analysis to determine the risk of the protected health information being compromised.”
New requirements for handling data breach notifications are just one part of the new HIPAA rule that will have a big impact, says Mark Woodka, CEO of OnShift.
“Providers need to take steps to understand the definitions, methods and incidences for conducting risk assessments,” he says. “They must also clarify the new definition for a business associate and who is now liable under the new rules, like subcontractors of companies that they may already be working with on a regular basis.”
These provider relationships with business associates merit close scrutiny, says David Burr, COO and chief compliance officer for AOD Software.
“The new rules clarify the importance of these relationships,” he says. “As a vendor and partner, we have a dedicated privacy and security compliance program that ensures we comply with HIPAA requirements. We are committed to protecting our clients’ data and security.”
Cindy Monak-Gagnon, RN, clinical designer with American HealthTech, says the risk assessment should include the types of identifiers involved in a breach, whether or not the exposure involved unauthorized people, whether or not actual health information was obtained and to what extent the disclosure was mitigated.
“Before this rule, there was no presumption of a breach unless there was significant risk present,” she says. “But now the burden is on the facility to show there is a low probability of harm based on the risk assessment. This assessment will determine the outcome.”
Monak-Gagnon also recommends providers have their privacy officer examine the policies in place and conduct a gap analysis to see what has changed and what needs improvement.
“As with most regulations, small providers are just as responsible as large providers, which means small providers probably have more work to do,” she says. “All providers need to take time to review their current HIPAA compliance plans, procedures, and business associate agreements to see if they are adequate. Take the opportunity to train staff again about protected health information and about using personal cell phones in the work environment. And if you don’t have a social media policy yet, you should create one.”
Keeping data on facility-based servers is becoming an ever-growing risk for providers, states Steve Herron, director of Cerner Extended Care. He recommends long-term care organizations consider using remote hosting instead.
“Over the last five to 10 years, there has been a major shift away from hosting sensitive data on servers within an LTC facility,” Herron says. “Many providers still feel they can keep their residents’ data more secure on the server in their facility, but in fact, the data is much more secure when it is hosted remotely by an organization that specializes in storing and securing systems and data.”
Omar Alvi, CEO of cloud-based search and booking company HealthPost, notes that remote cloud-based solutions have been gaining momentum in healthcare because they offer cost advantages while providing data purity and greater computing functionality.
“Overall cost of ownership is lower, so there is no need to get additional hardware or software,” he says. “We’re seeing a migration to the cloud for electronic medical records, practice management and various clinical systems.”
Alvi concedes that security concerns have long surrounded cloud computing, but says those fears are unfounded. In fact, the foundational principles of HIPAA are “baked into our thinking,” he says. “Our entire business is at stake, so it impacts everything from the methods we use to internal tools to levels of encryption and other security mechanisms.”
Feds ‘mean business’
The HIPAA final rule has increased enforcement and civil monetary penalties to include “willful neglect” and “failure to correct,” which, depending on the specific situation, could range from $100 to $50,000 per violation, with a cap of up to $1.5 million per situation. Fines such as these could be crippling to a provider already facing rate reductions from both Medicare and Medicaid.
“The feds mean business and there are no more excuses for not understanding the HIPAA and HITECH rules related to privacy and security,” Monak-Gagnon says.
Providers have a resource to consult about how they can improve their security compliance, however. The LTC Consortium, formed in 1999 to address the original Health Insurance Portability and Accountability Act of 1996, is a team composed of people working in diverse areas of the industry.
Members include Johnson, Murray and Randy Kirk, executive vice president and chief technology officer for Direct Supply.
“This group is focused on HIPAA, working on this challenge and coming up with the compliance tools and framework to download,” Kirk says. “Their mission is to build a united front on obtaining compliance by creating best practices and tools for providers to use.”