Where In The Cloud Is Your PHI?

Storing Protected Health Information (“PHI”) in the cloud can be very useful for covered entities and business associates.  HIPAA does permit storing PHI in the cloud, provided the cloud storage provider executes a Business Associate Agreement.  However, do you know exactly where the provider stores that PHI?  In some instances the cloud vendor might store, back up, or process the PHI in an overseas location.  How do you protect the PHI, and yourself, in such a situation?

HIPAA does not specifically forbid storing PHI in an offshore location (some states do forbid storing Medicaid data offshore), but doing so creates challenges.  First, you must determine where your cloud vendors will be storing the information and whether that location is offshore.  If it is, you need to determine the specific location and what local rules might apply to the PHI.  Local laws in the jurisdiction where the PHI is stored might actually allow access to the data that would be a violation of HIPAA.  The duty is on you, as you contract with the cloud provider, to determine whether its security efforts are sufficient and whether the location of the data poses any risk.  Furthermore, an offshore cloud provider might not be bound by HIPAA, but you, presumably operating in the United States, are.  If your international cloud provider is at fault for a breach but cannot be held accountable, you might be determined to be liable even if the only action you took was selecting the wrong vendor.

Without question, storing PHI offshore brings unique challenges.  Whether they are worth it can only be answered by you.  However, if you are considering a vendor that will store PHI internationally, be sure to conduct a risk assessment to ensure you are not putting PHI at increased or unnecessary risk.

Can I Send Patient Information To…?

One of the most common questions I hear is, “Can I send patient information to…” with a plethora of situations and organizations completing that sentence.  Not only is this one of the most common questions, but it is also one of the most fundamental from a patient privacy perspective. I encourage everyone to analyze their unique environment and create a reference guide that captures typical disclosures for your organization.  Include when disclosure is appropriate, inappropriate, and when the Privacy Officer should be consulted.

The reference guide should be developed by analyzing the three types of disclosures of Protected Health Information (“PHI”),

  • Required Disclosures:  The instances in which the PHI must be disclosed include,

    • To individuals when requested for access or an accounting of disclosures; and

    • To the Secretary of U.S. Department of Health and Human Services when conducting a compliance investigation, review, or enforcement action.

  • Permitted Disclosures:  These are situations in which the PHI may be disclosed without the patient’s consent, but you are under no obligation to disclose at all.  Permitted disclosures include,

    • For treatment, payment, and healthcare operations to another covered entity or a business associate with whom you have an executed business associate agreement;

    • With the opportunity to agree or object:  Examples include inclusion in a facility directory, and to family, friends, or others involved in the patient’s care or payment for care;

    • Use or disclosure incidental to a disclosure that is otherwise permitted;

    • Public interest and benefit activities, including when required by statute, regulation or court order, for public health activities, victims of abuse, neglect or domestic violence, for health oversight activities, for law enforcement purposes, and several others (find the full list here); and

    • In a limited data set, which is data set which has specified direct identifiers removed for research, operations or public health purposes.

  • Authorized Disclosures:  Authorized disclosures include any disclosure that is not required or permitted.  These disclosures can only be made pursuant to a patient’s authorization.  Patients have wide latitude in deciding what disclosures to authorize, and duly authorized disclosures must be made unless doing so will bring harm to the patient.  A valid authorization must include specific elements; it must,

    • Be in plain language;

    • Be specific about the information to be disclosed;

    • Identify who is disclosing and receiving;

    • Include a time or event for expiration; and

    • Permit the authorization to be revoked in writing.

While the healthcare industry becomes more complex by the day, all disclosures will still fit into one of these three categories.  If a disclosure is not permitted or required, it must be authorized by the patient.  By placing the typical disclosures within your organization into one of these three categories, you will be able to answer the question of whether you may send the patient information or not.  For any atypical disclosure that does not fit neatly into one of these groups, consult your Privacy Officer for the final determination.

Guarding Against Insider Threats

Last week Anthem began informing 18,000 customers of a breach.  It stemmed from a vendor’s employee who emailed Anthem members’ data to a personal email account.  The employee was fired and is being investigated by authorities.  The incident underscores that insider threats pose a significant risk to Protected Health Information (“PHI”).  Here are a few keys to mitigating this risk,

  • Screen New Hires: One of the best prevention methods is to not hire someone who turns out to be a malicious employee in the first place. You may consider completing a background check on all new hires and even periodic checks on current staff members. While not an exact science, it may help to identify potential bad actors before they cause any damage;

  • Perform Regular Access Audits: Having a process in place to review logs of who within your organization is accessing PHI, and what they are accessing, can be a helpful tool in spotting a snooping employee.  To be truly effective, the logs need to be reviewed on a consistent basis and against defined criteria, so that you identify an employee who is accessing PHI unnecessarily or pick up suspicious patterns of access, such as charts of patients outside the employee’s own unit, an unusually high number of records viewed in a short period, or access at hours when that role does not normally work; and

  • Train Staff on Sanctions: Training should include information that outlines the sanctions that can be imposed (both by you, the employer, and the authorities) for malicious actions involving the access or disclosure of PHI.
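As an added example, not code from the original post, here is the kind of review one could run over an EHR access-log export to find the patterns above.  The line format, department codes, thresholds and every sample line are constructed for illustration (a real export needs its own parser).  It flags three patterns: a clinical user viewing charts of patients outside their own unit, access during night hours by a department that does not work nights, and a user opening an unusually large number of distinct charts in one day.

```python
"""Flag suspicious PHI access patterns in an EHR audit log (constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, time

# Assumed line format:  <ISO timestamp> user=<id> dept=<unit> mrn=<patient> pdept=<patient's unit> action=<verb>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"mrn=(?P<mrn>\S+) pdept=(?P<pdept>\S+) action=(?P<action>\S+)$"
)

BULK_THRESHOLD = 20                      # distinct charts per user per calendar day (assumed)
NIGHT_START, NIGHT_END = time(21, 0), time(6, 0)
ON_CALL_DEPTS = {"ED", "ICU"}            # units expected to work nights (assumed)
CROSS_DEPT_ROLES = {"BILLING", "HIM"}    # roles that legitimately touch charts from every unit (assumed)


def parse(lines):
    """Turn raw audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def is_night(ts):
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END


def audit(lines):
    """Return {user: sorted list of rule names that fired} for users worth a look."""
    findings = defaultdict(set)
    per_day = defaultdict(set)   # (user, date) -> distinct MRNs viewed that day
    for e in parse(lines):
        per_day[(e["user"], e["ts"].date())].add(e["mrn"])
        # Clinical staff viewing a patient admitted to another unit: no obvious treatment relationship.
        if e["dept"] != e["pdept"] and e["dept"] not in CROSS_DEPT_ROLES:
            findings[e["user"]].add("NO_TREATMENT_RELATIONSHIP")
        # Night-time access by a department that does not staff nights.
        if is_night(e["ts"]) and e["dept"] not in ON_CALL_DEPTS:
            findings[e["user"]].add("OFF_HOURS")
    for (user, _day), mrns in per_day.items():
        if len(mrns) >= BULK_THRESHOLD:
            findings[user].add("BULK_ACCESS")
    return {u: sorted(rules) for u, rules in findings.items()}


def sample_log():
    """Constructed audit lines for demonstration; not real data."""
    lines = [
        "2015-07-27T09:12:00 user=nurse1 dept=ONC mrn=1001 pdept=ONC action=VIEW",
        "2015-07-27T09:40:00 user=nurse1 dept=ONC mrn=1002 pdept=ONC action=VIEW",
        "2015-07-27T13:05:00 user=nurse1 dept=ONC mrn=3001 pdept=CARD action=VIEW",   # chart outside her unit
        "2015-07-27T10:00:00 user=coder2 dept=BILLING mrn=3001 pdept=CARD action=VIEW",  # billing: cross-unit is normal
        "2015-07-28T02:30:00 user=rn_ed dept=ED mrn=4001 pdept=ED action=VIEW",       # night shift is expected in ED
        "this line is garbage and should be skipped",
    ]
    # clerk7 sweeps 30 cardiology charts in half an hour starting at 22:00: bulk snooping off hours.
    for i in range(30):
        lines.append(
            f"2015-07-27T22:{i:02d}:00 user=clerk7 dept=BILLING mrn={5000 + i} pdept=CARD action=VIEW"
        )
    return lines


if __name__ == "__main__":
    for user, rules in sorted(audit(sample_log()).items()):
        print(f"{user}: {', '.join(rules)}")
```

The rules are deliberately coarse; the value is in running them on every review cycle so that a user who trips the same rule month after month, or trips two at once as clerk7 does here, gets escalated to the Privacy Officer with the specific records attached.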

Also, keep in mind what we discussed last week with the risk of terminated users. Reasonable procedures can mitigate the risk and prevent a costly and damaging breach from the inside.

Termination of User Access

Every covered entity and business associate, whether large or small, struggles with prompt termination of user access.  Whether the user is an intern or a temporary or permanent employee, it is a common struggle to have HR communicate to IT that someone has left the organization or no longer needs access to PHI.  Individuals who may no longer be with the organization, some of whom may be disgruntled, still having access to PHI poses a high risk.  Here are a few tips to help mitigate the risk.

  1. Establish a consistent process by which IT is notified by HR when anyone leaves the organization or changes job functions and no longer needs access to PHI.  HR likely has a process it goes through when an employee leaves.  Work to include communicating to IT who is leaving and when.  Often this can be done simply by submitting a ticket to whoever provisions access to systems with PHI.

  2. For temporary users (e.g., interns, volunteers, students, auditors, temporary staff), have HR provide you with the date when the user will be leaving.  If they do not know the exact date, have them provide a “safe” date by which the user will no longer need access.  While not ideal, it will reduce the risk of terminated users retaining access for an extended period of time.

  3. Review access logs periodically to purge users who are no longer with the organization or have not logged in for an extended period of time (e.g., 3 months).  This can be a significant amount of data to review for larger organizations with many users, therefore a log review schedule should be implemented (e.g., once a month) to remove inactive users.
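As an added example, not part of the original post, the following reconciles an account export against an HR roster on the monthly schedule described above.  The account names, roster entries, dates, the service-account list and the 90-day limit are all constructed assumptions; the logic is what matters: terminated users and temporary users past their “safe” date are disabled on HR’s say-so, enabled accounts with no HR owner are treated as orphans, and for everyone else the age of the last login decides.

```python
"""Reconcile system accounts against the HR roster and last-login dates (constructed data)."""
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)   # the "3 months" rule from the post
SERVICE_ACCOUNTS = {"svc_hl7"}          # non-interactive accounts: reviewed by their owner, not by login age (assumed)

# Constructed IAM export: username -> (enabled?, last interactive login or None)
ACCOUNTS = {
    "asmith": (True, date(2015, 7, 20)),
    "bjones": (True, date(2015, 3, 1)),     # has not logged in since March
    "cintern": (True, date(2015, 7, 25)),   # intern whose "safe" end date has passed
    "dlee": (True, date(2015, 7, 28)),      # left last week; the HR ticket never reached IT
    "eold": (False, date(2014, 1, 1)),      # already disabled, nothing to do
    "ghost": (True, date(2015, 7, 29)),     # nobody in HR knows who this is
    "svc_hl7": (True, None),                # interface engine account, never logs in interactively
}

# Constructed HR roster: username -> (status, end_date or None).
# "temporary" entries carry the "safe" end date HR agreed to up front.
ROSTER = {
    "asmith": ("active", None),
    "bjones": ("active", None),
    "cintern": ("temporary", date(2015, 7, 24)),
    "dlee": ("terminated", date(2015, 7, 24)),
    "eold": ("terminated", date(2014, 2, 1)),
}


def accounts_to_disable(accounts, roster, today, limit=INACTIVITY_LIMIT):
    """Return [(username, reason)] for enabled accounts that should be disabled now."""
    actions = []
    for user, (enabled, last_login) in sorted(accounts.items()):
        if not enabled or user in SERVICE_ACCOUNTS:
            continue
        hr = roster.get(user)
        if hr is None:
            # Orphan: no HR owner means nobody will ever tell IT this person left.
            actions.append((user, "not on HR roster"))
            continue
        status, end_date = hr
        if status == "terminated" or (end_date is not None and end_date < today):
            # HR's record wins regardless of how recently the account was used.
            actions.append((user, f"{status}, end date {end_date}"))
            continue
        idle_days = (today - last_login).days if last_login else None
        if idle_days is None:
            actions.append((user, "never logged in"))
        elif idle_days > limit.days:
            actions.append((user, f"no login in {idle_days} days"))
    return actions


if __name__ == "__main__":
    for user, reason in accounts_to_disable(ACCOUNTS, ROSTER, date(2015, 7, 31)):
        print(f"disable {user}: {reason}")
```

Note that dlee is caught even though the account was used three days ago: the HR status, not recent activity, is the trigger, which is exactly the gap the ticket-to-IT process in step 1 is meant to close before the monthly review ever runs.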

The most effective method is working closely with HR to know immediately when users leave.  However, reviewing logs and establishing access termination dates can also help in mitigating the overall risk.

Implementing Restricted Communications

Far too often HIPAA is used as a barrier for appropriate PHI sharing. However, when a patient wants to create a barrier to sharing in the form of a restricted communication, it must be followed. A patient might request a restriction for any number of reasons. Often it is in response to a threatening family member or a sensitive diagnosis. Regardless of the reason, covered entities must have a process for implementing the restriction across the entire organization.

A patient may tell a nurse practitioner to not send mail to their house, or only contact them at a specific telephone number.  The act of telling that one staff member is tantamount to telling everyone within the organization, therefore everyone who may send communications to the patient needs to be made aware.  Often this is done through a note in the EHR, or some type of flag in the patient’s record.  If they do not want to be contacted at a certain phone number or e-mail address, that information can simply be removed.  If you know you have to follow up by some method of communication after the visit, it might be a good habit to simply ask the patient if it is okay to contact them at a certain number, or if they have a preferred contact method.

Honoring a patient’s request for restricted communications is a simple HIPAA requirement to implement, and one that can promote patient safety and increase trust in the care you provide.

What To Do With Unexecuted Business Associate Agreement

Transferring PHI without an executed Business Associate Agreement (“BAA”) has become a point of intense focus for federal regulators, and one from which we can expect continued fines.  In practice, BAAs are not always easy to get executed, for a plethora of reasons.  With this in mind, here are a few tips and best practices that will be helpful for organizations looking to get outstanding BAAs executed.

  1. Get the ball rolling: Whether you are a business associate, covered entity, or subcontractor don’t hesitate to be the first to send a BAA for negotiation and execution. It establishes the parameters of the negotiation, states that this is a serious matter to you, and takes the first step in getting a BAA executed. If you need a place to start, there are plenty of examples readily available, including some provided by U.S. Department of Health and Human Services (HHS).
  2. Stress the importance: A business associate is determined by the specifics of the business relationship, not by the existence of a BAA. In other words, not executing a BAA does not absolve an organization from HIPAA-required safeguards, therefore there is no compelling argument not to execute a BAA. It is a requirement of both the business associate/subcontractor and the covered entity to have a BAA in place. The requirement is not one-way.
  3. Cause for termination: Almost all contracts outlining the business relationship will permit (or require) the termination of the agreement if one party does not comply with applicable laws or regulations. Signing a BAA is required by HIPAA, and not signing one will be grounds for termination. While it might be a disconcerting thought, your only protection against an organization that refuses to sign a BAA is to stop the transfer of PHI. This may create an incredibly challenging situation, but in extreme situations it is the only option. Most likely, when threatened with terminating the underlying contract, organizations will agree to execute the BAA.

This topic is one of the more difficult facing the entire healthcare industry at present. It is not that the answer to the situation is an unknown, it is that the best answer is the most challenging solution. However, you must ask yourself one question, “How much can you trust an organization that will not execute a BAA to ensure the privacy and security of PHI?” I am willing to guess an organization that won’t execute a BAA is probably an organization you don’t want to do business with.

Read more:

Cloud Providers, DYK You Need to Sign a Business Associate Agreement?

How To (Reasonably) Oversee Your Business Associates