HIPAA compliance is vital for healthcare organizations handling sensitive medical information.
But the problem is, HIPAA compliance is complex. It can be difficult to understand and implement, resulting in big mistakes and unhappy patients.
That’s why we hosted a webinar with healthcare expert Dr. Danika Brinda from Planet HIPAA to identify the 5 most common HIPAA-compliance mistakes and how to overcome them.
Our webinar identifies compliance risks in healthcare organizations, examines simple proven solutions to easily overcome mistakes, and discusses most frequently asked questions.
If you’d like more information on HIPAA compliance, make sure to check out our other resources:
- Presentation slides from the webinar
- JotForm’s guide, “What is HIPAA compliance and how to get started.”
- Planet HIPAA’s 11-question HIPAA Checkup
- Best ways to create HIPAA compliance forms
Here is the full transcript of the webinar:
INTRODUCTION TO HIPAA COMPLIANCE MISTAKES
Annabel Maw: Hey everyone. Welcome to our webinar: the five most common HIPAA compliance mistakes and how to avoid them. We’re excited to announce that JotForm is cohosting this webinar with Dr. Danika Brinda from Planet HIPAA. Dr. Danika is a true expert on all privacy and security matters, which brings a wealth of practical experience to healthcare organizations and businesses with HIPAA requirements. Dr. Danika will be presenting today and available after the presentation for a short Q&A. We’ll also have David here from our JotForm support team available via chat to answer any technical questions. If you’d like to learn about JotForm’s online forms and affordable HIPAA-compliant plans, make sure to visit jotform.com/hipaa. OK. Without further ado, we’d like to pass the mic over to Dr. Danika to get started. We hope you enjoy.
Dr. Danika Brinda: All right. Thank you everybody. And I’m so excited you are here with us today to talk about the five most common HIPAA compliance mistakes and how to overcome them. I’m super excited to be here and share some of my knowledge with you that I’ve learned in the industry over the past 10 years. So what are we going to talk about today? We’re going to understand some of the key requirements of HIPAA. We’re going to discuss a few reasons why in 2019 we cannot continue to ignore HIPAA like we have potentially been in the past.
Then we’re going to dive in and look at what were some of the common HIPAA mistakes that we saw especially in 2018. And what are some simple steps that your organization can take to overcome those HIPAA compliance mistakes. So knowing that some of you might not have a lot of knowledge about HIPAA, I just wanted to take a quick second and kind of talk about the history of HIPAA. So HIPAA is not a new regulation. It was enacted back in 1996. So we’re talking about a regulation that was enacted over 22 years ago. In 2003, the HIPAA privacy rule went into place.
HISTORY OF HIPAA REGULATION
Dr. Danika Brinda: In 2005, the HIPAA security rule went into place. Then we got pretty comfy with what we were doing and then 2009 came around and something called the American Recovery and Reinvestment Act, which I’m sure you all remember, came out and had some provisions about privacy and security. Kind of the two biggest things that came out of that were the breach notification requirements and then the requirement that business associates, our third-party vendors that we work with, also need to be compliant with HIPAA. That was actually finalized in 2013 and here we are in 2019.
And what is in store for us now? Well, at the end of 2018, there’s been a lot of discussion about “Is it time to update HIPAA?”; “Does HIPAA need a refresh?” So, the Department of Health and Human Services Office for Civil Rights, that’s the overseer, the enforcement arm of HIPAA. They actually came out with a request for information to the industry to kind of figure out how they can modernize the HIPAA regulation for the digital age. Obviously it was written back in 1996 and many of us remember that cell phones really weren’t a thing and we didn’t see the first Apple phone until 2007.
So we’re talking about regulations that were built to be scalable into the electronic era but now probably are at a time where we need to evaluate if they need to be modernized. So, specifically the Department of Health and Human Services was looking at “How can we focus on that information sharing between treatment and care providers to be able to support the care coordination?” and “How can we continue to facilitate parental involvement but also respect the state laws that may be out there as far as women or minors can access care without their parents involved?”
“How can we address the opioid crisis that’s happening right now and share information without violating some of the regulations that are out there looking in accounting of disclosures for treatment, payment, and health care operations?” And lastly, which I know would be a huge pleaser to many healthcare organizations, is removing that good faith effort for certain providers, forgetting that signature for the acknowledgement of the receipt of the notice of privacy practices. So again, there are no regulatory changes that have happened right now, but it is definitely something to keep on the radar as we go through 2019, and ultimately to get your practice kind of in order with HIPAA compliance now, because if these changes take place we’re going to have to update again.
HOW CONFIDENT ARE YOU WITH YOUR ORGANIZATION’S HIPAA COMPLIANCE?
So there is a chat box on your screen and feel free to type something in. But I just want to take a second and ask you if I were to ask you, “How confident are you in your organization’s HIPAA compliance?” what would you say? Would you say, “We’re good; I’m confident”? “We might be OK,” or “We’re not good. I know we need improvement”? Go ahead and type it in the chat if you want. All right. I see some zeros: “We’re not compliant. We know it.” “We have a little bit of everything.” “We’re good.”
So that’s what I find, a lot of everything coming in. There are people that say, “I think we’re OK, but I don’t really know what I’m missing,” or “I know I’m not OK, but I don’t know where to start. Our compliance is all over the board.” These are some great conversation points to have and something that I like to hear because you know getting and helping people get into HIPAA compliance is something that people can get to and can do. So another thing that I want to ask you is “What are your biggest barriers to feeling compliant?”
BARRIERS TO HIPAA COMPLIANCE
Dr. Danika Brinda: So we see all these, you know, we’re feeling good, we’re not feeling good, but if you had to pick a barrier, what would you say your barrier was?
Go ahead and type it in there.
“We’re not comfortable.” Right. “You’re not feeling confident.”
That’s a good one: “Behavioral changes in staff.” Right. That’s great. “Changing the routines.”
Fantastic! “Policies and procedures, not tech savvy. It’s overwhelming.” These are all common things that I hear all the time. “Time, we don’t have time”; “It’s not my area of expertise”; “I don’t really know what I don’t know.” And that’s part of what we’re going to talk about in today’s presentation: to give you some sense of what needs to be happening with your HIPAA compliance program. So the reality is, within the industry, that HIPAA expectations have really created confusion and misunderstanding. Part of it is they’re interpreted different ways based on who you talk to, or sometimes you’re given information that’s not really true.
MISUNDERSTANDINGS ON HIPAA COMPLIANCE
Dr. Danika Brinda: So let’s just talk through some of those common confusions and misunderstandings that I see when I work with organizations helping them get into HIPAA compliance. So first off — and these are all statements I’ve heard within the last six months, so I’m not just making these up — these are actually things I’ve heard. “My organization is compliant because we have our notice of privacy practices created, and we provide it to our patients.” So, the notice of privacy practices, that’s the document that you tell patients how you use and disclose their health information and what their rights are, and we’re required to provide that to them on their first day of service.
Sometimes organizations that I work with feel that this is the only thing they have to do with HIPAA compliance, so they’ll put this in place and they’ll be done. And that’s great that they have it in place because it is part of it. But it’s not all of it. So just know that if you have this in place, it’s great. It should be posted in your lobby. It should be posted on your internet site, if you have a public internet site that describes the services you provide, and you should.
You don’t have to give it to the patient but you definitely have to offer it and collect that signature upon their first visit. The second thing is “We created policies and procedures in 2003 and 2005.” Now, remember, those are when the privacy and security rule went into place. “We don’t need to do anything else.” Well, I will tell you again, if you wrote something in 2003 and 2005 and you haven’t taken the time to review them or update them, I’m guessing that you’re not [compliant].
Your practice does not look the same as it did in 2003 and 2005. So it’s time to look at them. I recommend that any time organizations implement a solid HIPAA program, they’re reviewing policies and procedures on an annual basis. Now that doesn’t mean they change annually, but it definitely means they review them and they document that they reviewed them to make sure that they’re still following what their policies and procedures say. All right, the next thing: “My organization has great practices when it comes to HIPAA compliance, and we don’t have to write that down.” And I’m gonna be the first to tell you that, you know,
DOCUMENTATION FOR HIPAA COMPLIANCE
Dr. Danika Brinda: if we live in healthcare, all of us are probably in healthcare in some way, if we don’t write it down, it’s not done, right? Same aspect when it comes to HIPAA compliance. You can have great processes. You can have great practices. You can train your workforce annually, but if you don’t have the documentation to support that with a policy and procedure or proof of who you trained and the date you trained them and what you trained them on, you’re really not going to be able to prove your compliance if and when you’re ever investigated.
So it’s really important to have a solid foundation on how you’re documenting when it comes to HIPAA compliance. The next thing, and this is something that I deal with frequently, is “My organization is too small to have to implement HIPAA compliance.” So one of the things that is a question is “Am I a covered entity under HIPAA?” Well, I will tell you, if you send any type of bill for services in an electronic format to an insurance company, you have to comply with HIPAA, regardless if you have a provider that works one day a week and only sees five patients a month.
But if you are billing in an electronic format, you definitely have to. You are considered a covered entity, and you will have to comply with the HIPAA regulation.
It doesn’t matter what size you are. This is one that I see super frequently. The perception is my electronic health record vendor or practice management system, whatever you may use, took care of everything I need to do with privacy and security. Now your electronic health record vendor may be your partner in compliance. What I mean by that is they might be hosting your information; they might have the functionality to assign everybody their unique user ID, but it is still your responsibility as a covered entity to make sure, first of all, that you’ve implemented all of that. Sometimes that is something you have to make sure is implemented and just can’t assume and that is a very important step for HIPAA covered entities to take.
You just can’t assume. You have to verify that’s happening or you have to use the functionality that’s there and verify that it’s turned on.
So for example, if your electronic health record vendor or some type of system has an auto logoff procedure or process, if the system’s inactive for five or 10 minutes, it’ll flag up for the person to reauthenticate before they can sit back down and do anything within the system. Sometimes you actually have to turn that on, and it’s not the default.
They are your partner; they’re not responsible for your HIPAA compliance. You are. And this one I see far too much: “I purchased a HIPAA compliance manual, and it’s all I need to have a compliant program.” It’s that “I purchased a manual back in 2003. It is sitting on my shelf and it has an inch of dust on it.” I think purchasing manuals is a great way to get into HIPAA compliance. You don’t need to reinvent the wheel, but you do need to make sure that you are customizing that. You are following what’s in your HIPAA compliance manual because you are held to the standards that are written down in your policies and procedures or your compliance manual. And “We educated our workforce on HIPAA previously, so we don’t need to do it again.”
Again, this should be something that’s in the forefront of your program. We have to create an environment, a culture of HIPAA compliance. Obviously you have many things to do besides HIPAA, but we do have to let our staff know, because we’re only as strong as what we provide our staff, and we want our staff to be successful so they help protect our patients. The other thing we see, for any of you who may pay attention to the news or maybe receive an email from your profession, you will see that HIPAA is in the news every single day and for a variety of reasons and also a variety of different types of healthcare organizations, from a dental practice to a business associate to a health plan to a multisystem large healthcare system.
THREATS TO DATA SECURITY
Dr. Danika Brinda: So let’s just look at a couple of them that kind of flagged me. This is one of the ones that we’re seeing pretty frequently: a phishing attack is happening where data breaches are happening because someone clicks on an email and all of a sudden credentials are shared and someone can hack into your system. “Improper binder.” So if you’re keeping paper information, we have to make sure that we’re protecting the patient’s information. So this is an example of where a binder went missing and actually caused a data breach. Ransomware is a huge issue right now. There was just a big article today that, you know, like 500,000 people in the past week were impacted by ransomware, and that’s where usually you click on a link or open an attachment and your entire system gets encrypted and you can’t gain access to it and they ask for money. A lot of times, if you pay the money, you don’t even get your information back.
And lastly, this is an example of a healthcare worker who went in and out of 29,000 patient records in a six-month period of time because I guess the healthcare worker had too much time on their hands, and they didn’t have a reason to be in them. So you can see that data breaches are happening at a very high level. In fact, if we look, and just a caveat, the federal government only produces data on data breaches over 500, but since September 2009 when the breach notification rule went into place, we have seen a pretty significant number of data breaches. The last three years — 2016, 2017, and 2018 — have definitely ticked up every year, and it’ll be interesting to see what 2019 brings.
And if we’re starting to see some of the decrease in data breaches happening, but we definitely continue to see a trend. Just looking at where data breaches are happening in 2018, the biggest area where we saw these large-scale data breaches were people hacking into email systems or network servers, but you still see the second highest is still paper. So, we have to make sure we’re protecting that paper and we’re making sure that we’re safeguarding patient information regardless of where it is. The second thing is that the reasons and the causes of healthcare data breaches, hacking, and unauthorized access are the number one. We’re definitely seeing a trend where hacking is increasing, and the theft and loss is decreasing, which is a good thing.
But now we have something else to evaluate. If I would have shown you this like three years ago, the hacking/IT would’ve been way low and the theft and loss would’ve been higher.
And lastly, just to give you a breakout of what types of organizations are having data breaches, you can see that the largest part come from healthcare providers. So, that’s why it’s important for healthcare providers to really home in and make sure they have a good HIPAA compliance program.
MISTAKE ON HIPAA COMPLIANCE — MISSING POLICIES AND PROCEDURES
Dr. Danika Brinda: All right. So we’re going to spend the next 20 minutes looking at the five most common HIPAA compliance mistakes and giving you little tips that you can take to overcome these mistakes. The first one is missing organization-specific policies and procedures. So HIPAA requirements, basically, there are three rules. And if you’ve ever tried to build a house without a foundation, you know that it probably wouldn’t work so well. And that’s really what your policies and procedures create when it comes to HIPAA compliance. They create your foundation and the expectations of your HIPAA compliance program and the three parts of the regulation when it comes to HIPAA.
The privacy rule, the security rule, and the breach notification rule. They all require that you have written HIPAA policies and procedures in place and that you’re providing them to your workforce. So the most important thing to do is understand the different components of the HIPAA privacy and security regulations, and make sure that you have a written policy and procedure to comply with all of those. So, for example, one of the requirements under the regulation is to make sure that your organization has training for your workforce. It is important that you are making sure that you have a process for training and that you have a written policy and procedure that talks about how you train, when you train, and what documentation will say.
Now the one thing when writing policies and procedures that I like to talk about with people is to be what I call specifically vague, and I know this is an interesting term, but one of the things with policies and procedures is that you want to be specific to your organization: you want to discuss your practice, but you don’t want to be so specific that you have no wiggle room. So the regulations say you must comply with this, you must have a policy and procedure in place. So, for example, a very specific policy and procedure for risk analysis might say a risk analysis will be conducted in June and December every year and then will be provided to the board of directors within 10 days of the completion.
This is a great example of a policy and procedure, and a statement that you can have in place, but it’s very specific. If your organization cannot prove that you’re doing those risk analyses every June and December and providing that report within 10 days, you could be found not out of compliance with HIPAA but out of compliance with your own policies and procedures. A better way to write this, I call it specifically vague, is that a risk analysis will be conducted annually with major technology changes or updates to regulations, and that it will be provided to the board of directors at the completion of the risk analysis report.
Same concept, same proving that you’re complying with the regulations, but it allows for some flexibility within your policy. So if something happens and you can’t get it done in a specific month, you know that you will get it done annually. So that’s just an example of what you can do with your policies and procedures. Now one of the things I wanted to show you in this presentation is what happens when you don’t comply with HIPAA. HIPAA enforcement is happening just so people know there are fines that can be assessed.
CONSEQUENCES OF NOT BEING HIPAA COMPLIANT
Dr. Danika Brinda: It’s not the common practice. Most of the common practice is for the government to enter into what they consider a corrective action plan. So if they see that an organization is really trying to comply with HIPAA but maybe they’re missing something, they’ll actually enter into a corrective action plan versus just fining the organizations. But this is an example where an organization, an allergy practice, had someone that they didn’t have written policies and procedures on how to comply with this. So a provider, a patient went to a provider and complained to the media, the media came to the doctor, and the doctor basically provided some specific information about the patient, which was a violation of the regulation, but they didn’t have a policy and procedure in place.
But when I talk about a corrective action plan, not only did this organization have to pay the money, but they also had to enter into this corrective action plan. So if you look at what it says, this organization has to update their policies and procedures within 60 days of the effective date, then provide them to the Department of Health and Human Services. They’ll review them and get them back to them. They must be revised within 30 days, and then they have to do training on them with their workforce and make sure that they’re updated in a very specific period of time.
So, again, a two-part component: this organization didn’t have good procedures in place, and then they also got a fine for that as well as entered into the corrective action plan. So, mistake number two, and I would say this is probably one of the most confusing parts of the HIPAA regulation, is not having a regular process for conducting what the government considers the HIPAA risk analysis as well as mitigating or correcting those risks that your organization has found. So one of the things that we see is over 95 percent of all corrective action plans that go into place indicate that there is a missing or an insufficient risk analysis and because of that this has really become a focus of the federal government.
HIPAA RISK ANALYSIS
Dr. Danika Brinda: So what is the HIPAA risk analysis? So ultimately, the requirement is that you have to do an assessment of any potential risks to your organization and look at what are those risks and what are the likelihood of those happening, and then determine what are the highest risks and how can you mitigate them. So, for example, you have people that work for you. So, when you’re evaluating your risk assessment, one of the things to ask is when a person leaves the organization, do we have a process to terminate their access out of our electronic systems that have patient information?
If you say yes, that’s great. Then that potentially would not be a risk to your organization, but if you say, “No, we don’t have a good process; it just happens whenever we remember it,” that would be a risk to your organization. That would be something that you would have to mitigate and fix. The goal of it is to make sure that you’re reducing or preventing any breaches from happening or anything from happening to protected health information. The risk management piece of it, all of you have probably been involved in risk management at some point in time, is: can we put new measures, whether it’s a process, whether it’s technology, whether it’s training, in place to help alleviate or reduce those risks to our organization? So, to kind of talk through high level, this is a very high-level sample risk analysis plan.
The first thing is to identify your scope, and what I tell people with this process is that ultimately know where your patient information is. So, for example, if you are using an electronic health record vendor, that would be something you would want to evaluate in your risk analysis. If you’re storing patient information on a desktop on a computer, that would be part of your risk analysis. If you’re using a third-party company like JotForm, that would be part of your risk analysis, and you just have to look at what are the risks associated with that.
“And can we do anything to implement or reduce that risk?” “What are the threats and vulnerabilities?” “What current security measures do we have in place?” And then you look at the likelihood and impact, and that’s really how you determine the risks. So, let’s just talk about computers. So let’s say you have a whole bunch of laptops in your organization, and currently you don’t have your laptops encrypted, but your laptops don’t leave your organization. And you don’t save any patient information on your laptop. So that is a threat to your organization. It is a vulnerability, but the likelihood of something is pretty low because if someone got one of your computers, hopefully they wouldn’t have access to any of your information.
But you can’t prove it. So the impact would be high. That way, you have to look at what encryption technology makes sense on these workstations, even though they’re not leaving our organization or should we just put a lock in place so that if someone broke into our organization, they really couldn’t steal these unless they had a lock cutter? Those are some things to think about. Identify your security measures. The biggest thing with a risk analysis is to make sure that you do have some type of report in place when you complete it. This is just an example.
This is an organization that had five different data breaches, and one of the top things that they find them on was the fact that this organization had back-to-back data breaches and they all could have been prevented if the organization would have done a HIPAA risk analysis. And because they didn’t, and these data breaches occurred, they were assessed a $3.5 million fine. They also had to create a risk analysis, define the methodology within 14 days, and provide the risk analysis to the federal government within 180 days. So pretty significant, quick timelines. All right.
Dr. Danika Brinda: Mistake number three: lack of employee education. So, if you remember one of the myths we talked about, “I educated my employees once.” The lack of education is really becoming a concern in healthcare. In fact, 78 percent of healthcare workers, so these are employees that work for your organizations, say that they lack data privacy and security preparedness and education. And that makes human error the biggest threat in the healthcare sector. And that is a really important component to remember. So again, when it comes to requirements as far as training, all three of the regulations that we talk about require you to train your workforce.
They don’t say how often, but they do require you to train your workforce. Best practice is to train on an annual basis and within 30 days of a new employee coming on. So for a training program, the first thing is to establish a schedule. If you’re going to train in January every year, that is going to be your process. Stay consistent, provide your big annual training, however you do it, whether you hire a consulting company to come in and do it or whether you purchase an online solution or whether you do it yourself.
You just need to make sure that you have big annual HIPAA training. You’re testing your knowledge. The other thing you want to do is train those new workforce members, I always say before they get access to patient information. I know that’s not the reality of what happens. I say within the first 15 to 30 days of employment, because if you only provide training once a year on HIPAA, in January, let’s say, and they’re hired in February, they will work for you for 11 months before they get training, and that’s not acceptable.
The other component is that you need to be providing periodic updates to your workforce. So if there’s a new virus going around, or maybe there’s some information that comes out about patient rights under HIPAA, just make sure you have a process: print it out and stick it in the break room. Talk about it in a staff meeting. Something you can just keep up. Sometimes that also drives some great questions for organizations. Obviously, maintain documentation. When did the training occur? Who was there? If you cover a PowerPoint, just keep a copy of the PowerPoint or, high-level, what was addressed. Here’s an example.
This one’s an interesting one. A whole bunch of patients’ information was sent out in an envelope, or it was sent by fax to an employer versus the requested personal post office that the patient requested it for. So, this is an example where an employee did not follow and was not properly trained on the policies and procedures that the organization had established in disclosing patient information. And this organization also had to do a lot of stuff when it came to compliance. Just overall, they had to review their current training materials.
They had to update it and provide it to the Department of Health and Human Services to get approval. Once they got approval, they had to train all workforce members in 60 days. And thereafter, every 12 months. So in my eyes, while HIPAA regulations don’t say you have to train every so often, you can see in the corrective action plans, and this is not unique to this one, that the federal government is saying you must train your staff every 12 months. Very important. Mistake number four: not having business associate agreements in place.
BUSINESS ASSOCIATE AGREEMENTS
Dr. Danika Brinda: So one of the questions that I always hear is “What is a business associate?” So, it is a person or a business that works on your organization’s behalf to do something on your behalf. An individual or an organization that potentially creates, receives, maintains, or transmits protected health information on behalf of you.
If they provide any legal, actuarial, accounting, consulting services, basically any type of accreditation or financial services, they also might be a business associate. Now, the biggest one I get is “My janitorial staff or my custodians. Are they business associates?” They are if they do something with your protected health information, but if they are truly only cleaning your office and they don’t do anything, then they would not fall under the business associate category. And then there’s some called mere conduits, for which you do not have to have a business associate agreement in place, and it’s very narrow, such as the U.S. Postal Service or your internet service provider.
So what is the requirement? What are you as covered entities responsible for when it comes to business associates? First and foremost, you have to make sure that you have a compliant business associate agreement in place with all of your third-party vendors that would be classified as a business associate. You need to conduct your due diligence that the protected health information that you will be sharing is properly secured and protected. Now, that looks very different, and every organization might just be verifying that there’s a login process, that your third-party vendor uses encryption, that they are willing to enter into a business associate agreement with you, and that they’ll enter into one with subcontractors.
Some people want to know that it’s encrypted on the servers. Do the due diligence and ask the questions, or sometimes it’s detailed out in some type of agreement. Only provide them access to what they need to do on your behalf. So, if they only need access to billing information, don’t provide them access to your entire medical record or your entire documentation system. Only provide them what they need to have access to. And ultimately, remove the vendor as appropriate. If it’s a vendor that multiple people within their organization have access to under a unique user ID, if that person leaves the organization, terminate them.
Or if you no longer work with that organization, make sure you’re terminating their access as well. The biggest thing we’re seeing is do not provide any business associate access until you get that business associate agreement signed. The reason I say that is there’s been a couple of cases where a healthcare organization hasn’t had a business associate agreement in place, and they started sharing the information with the business associate. They had a contract but not a business associate agreement, and it was actually considered an improper disclosure of health information and that’s what we see.
Here’s an example. Not having a business associate agreement cost an organization $31,000. Another one, $750,000 to an orthopedic clinic because they didn’t have a business associate agreement in place. This one is an interesting one. This is a data breach that happened in Minnesota where there were two organizations involved, and one organization had a business associate agreement in place and one didn’t. The business associate lost the laptop, and the one that didn’t have an agreement got a fine. The one that did have an agreement did not get assessed a fine.
And lastly, the one I was just talking about, that happened this fall. This is an organization in Florida that actually was sharing information with a business associate for billing purposes but never had a business associate contract in place. And because of that, it was considered improper disclosure, and they were assessed a fine by the federal government. And the last component that we are going to talk about before wrapping it up and going to questions is the lack of use of technical safeguards, and what I mean by that is HIPAA is really built to be a technology-neutral regulation.
THE LACK OF USE OF TECHNICAL SAFEGUARDS
Dr. Danika Brinda: It doesn’t say you have to use specific technology. It doesn’t even say you have to use specific elements of encryption standards. It’s just built to say, “Please use this based on your organization’s needs.” It’s built to be scalable, so it’s built to make sense to the smallest organization up to the largest integrated health care system. But the interpretation has been not to use technology. So, for the regulations that are considered addressable, people say, “Oh it’s addressable, I don’t have to comply with it.”
So, I don’t want to implement this technology, and that’s been the interpretation, and because of that, organizations aren’t using technology to support compliance, and that’s what this slide is all about. Within the security rule, because of that flexibility and the ability to let organizations decide how they’re going to use some technology, there are standards that are addressable. They do not mean that you don’t have to comply with them. They mean that based on your size and technical infrastructure, the cost and the probability of something happening, you can decide how you want to use that technology within your organization.
Examples of how technology can support compliance: encryption. Encryption basically scrambles the data so that it’s not usable by an outside source, even if they get access. So if it’s data at rest on your computer, if you lost a workstation, really, it just becomes a big paperweight. Data in motion is that point where it’s going from point A to point B, whether it’s through some type of secure connection or an email is a common one. But making sure you have encryption there. Any type of notification you can have. If you haven’t had a user log on for 30 days, notification of that will enable you to assess that and look into that. Using usernames and passwords. Having some type of intrusion detection software that will tell you if maybe someone with an IP address that’s not in the same country that you are in is in your system.
Using up-to-date antivirus solutions that do both proactive and reactive monitoring. Having a strong and complete firewall and having good backup solutions, making sure your data is being backed up, that it’s stored in a place and that it’s retrievable. And from a JotForm perspective, this article I just came across on March 5, but this is an example of what you want to look at when you’re looking for compliance with your third-party vendors. Is JotForm HIPAA compliant? It uses 256-bit encryption levels, so that’s a pretty high encryption level.
It also is prepared to enter into a business associate agreement because, again, they would become your business associate, because they’re storing information, they’re collecting information, and they’re ultimately transmitting it back to your organization. So, we should use technology to help support compliance. So, I just want to wrap up and say the reason that I push encryption a little bit is it’s our “Get Out of Jail Free card.” I’m sure everybody’s played the wonderful game of Monopoly, and you know you hope to get that card so you don’t have to pay to get out of jail, but what encryption does for your organization is that if you lose a laptop or a tablet or a phone that may have email on it, that all might have personal or protected health information on it.
If you can verify that it is encrypted, it is considered unusable, indecipherable, and unreadable, which means that it is never a data breach unless, of course, you write your encryption password and keep it with your phone or with your laptop, and that would be an issue. But that’s our “get out of jail free card.” So encryption is a way to protect information, and from the federal government’s perspective, it’s really the way to make sure that data breaches continue to go down. So, if you are unsure about how you’re doing with HIPAA compliance or you watch this video and you’re just a little concerned, we do, through Planet HIPAA, have a free HIPAA checkup.
It’s just 11 questions, and from those 11 questions, we basically do an automatic assessment of looking at where you are with HIPAA compliance. So it’s not a full risk analysis, but it definitely gives you that quick checkup on how I’m doing. And you’ll get a report sent to your organization and whatever email address you use, immediately upon completion of it, and you can go ahead and take that at https://planhip.com/checkup. So, I do encourage you if you have any concerns or you’re kind of in that middle ground.
Go ahead, take this. Assess how you’re doing and if you can build from there. So lastly, before we open it up for questions, it’s not only for what we do that we are held responsible but also for what we don’t do. A lot of people will say, “I never will get caught. Nobody will ever know.” Well, the reality is you could not do your taxes, but eventually someone will know. Same kind of concept with HIPAA compliance is that you need to be doing it because it’s the right thing to do.
Not only from a business perspective but also from a patient engagement satisfaction perspective. At this point in time, I know that we had some great questions asked before. I am going to go through a few of these questions that were asked before.
I do want to give you some chances to also ask questions.
Dr. Danika Brinda: So if you want to go ahead and type in your questions in the question box, we will get to a couple of those. The first question that I’m going to cover is “Is it OK to email unencrypted patient information amongst coworkers on the same email server?” I’m going to say yes. If your organization purchases an email solution such as Google business or, you know, Office 365, and it’s at planethipaa.com, everything you email between your organization is within your firewall and within your platform.
So it is OK to share information with them. It’s when you’re emailing an outside person. If you were to email it at so-and-so.com, that’s when you would want to make sure the encryption is in place. One of the other questions we got is “What data must be HIPAA compliant? Can you please provide specific examples?” Protected health information, by definition, is considered what you need to be able to protect and that is any information that does or could reasonably identify a patient based on past, current, or future information.
There are about 18 key identifiers that are listed within the regulations, that have name, date of birth, age, address, medical diagnoses, dates of service, any type of identifier whether it’s a medical record number, maybe an implant number, or any type of full face or full body photography, would be considered identifying information. Those are just some of the examples. But I would say any specific information that may identify a client on any behalf is considered protected health information. One of the other questions I’m going to address is “How complex does a security risk analysis have to be year after year?”
“Is it recommended that an outside consultant come in every so many years to do this? And if so how many years?” So again, the regulations are built to be scalable to your organization. You are not required to hire someone to come in to do your third-party risk analysis or to do a risk analysis unless you feel it’s necessary. The biggest thing is that you’re doing that risk analysis on a regular basis. So how complex is it? You can go check it out. The federal government actually has a free tool that you can use to conduct a risk analysis.
But how complex is it? You can definitely see that there are a lot of things that you have to look at, and the complexity that can be high, depending upon what your technical infrastructure looks like, how many third-party vendors you work with, all the different places you store protected health information. I always recommend that you should do a risk analysis with an outside party at least once. Just because sometimes when you’re in the midst of it all and when you’re in the operations of it all, you’ve really missed some of the things that could be risks to your organization.
So, those outside eyes could be a great starting point, especially if you don’t know where to start with your HIPAA compliance. So at this point in time, I want to be able to open it up. I think Annabel was going to ask some questions.
Annabel Maw: Yeah. Thanks Danika. That was such a great presentation and lots of really good information. It looks like we do have a couple of questions that haven’t been addressed yet. So there is one here from Paul, and he says, “Being an Australian college that requests data from hospitals, do we need to be compliant with HIPAA? If we request this data from a U.S. hospital, do we need to be compliant?”
Dr. Danika Brinda: Wow, that’s a great question.
I don’t know if I can give you a 100-percent answer for that. Part of the reason is that you in Australia have your own privacy regulations, but you obviously know about and you would have to protect that health information that you’re collecting. The HIPAA regulations actually do not start to discuss or talk about international lines and what that looks like and what the requirements are to companies internationally. I would say that, you know, from a perspective of storing and maintaining protected health information, you’re really going to have to look at your Australian requirements when it comes to the privacy and security protections of protected health information and make sure that you’re on par with those.
Dr. Danika Brinda: I also want to say, not to open another can of worms but, there’s also European Union requirements that you would have to comply with, and they just updated their requirements and if you have any type of European resident information, you would have to comply with the GDPR.
Annabel Maw: Awesome, thanks Danika. Well, it looks like we’re actually just about to be out of time. So if anybody else has other questions, please feel free to email Danika. Danika, I’ll let you take that away with your contact information.
Dr. Danika Brinda: The last slide here is the contact information.
Again, use that free checkup tool that’s out there. You can visit our website at planethipaa.com. It is two A’s, one P, and my email address is here as well: firstname.lastname@example.org. And then we also have JotForm contact information, both information regarding their HIPAA compliance plan and what that really entails as well as their contact information. So thank you everybody for joining us today, and we hope you have a great rest of the day.
Annabel Maw: Thank you everyone.