Emergency Preparedness Best Practices

In the wake of two damaging hurricanes, the topic of emergency preparedness is at the top of mind for many Covered Entities and Business Associates. The goal of emergency preparedness is to ensure electronic protected health information (ePHI) is secure, and the confidentiality, integrity, and availability of ePHI is not jeopardized both during and after an emergency.

Effective emergency preparedness consists of having a contingency plan which includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan. The data backup plan ensures that you have accurate backups of the ePHI, while the disaster recovery plan is how you recover from those backups. The emergency mode operation plan outlines how ePHI will remain secured during the course of the emergency. While not specifically required, your organization should consider testing your contingency plan and revising it as necessary.

When thinking about putting your plan together, you can follow a seven-step process:

  1. Assess your situation;

  2. Identify risks;

  3. Formulate an action plan;

  4. Decide if and when to activate your plan;

  5. Communicate the plan;

  6. Test the plan; and

  7. Treat the plan as an evolving process.

While this process is linear, these steps can take considerable time to finalize.  If you don’t have a contingency plan in place now, you should begin the process to develop and implement one as soon as possible.

Guarding Against Insider Threats

Last week Anthem began informing 18,000 customers of a breach. It stemmed from a vendor’s employee who emailed Anthem members’ data to a personal email account. The employee was fired and is being investigated by authorities. The incident underscores that insider threats pose a significant risk to Protected Health Information (“PHI”). Here are a few keys to mitigating this risk:

  • Screen New Hires: One of the best prevention methods is to not hire someone who turns out to be a malicious employee in the first place. You may consider completing a background check on all new hires and even periodic checks on current staff members. While not an exact science, it may help to identify potential bad actors before they cause any damage;

  • Perform Regular Access Audits: Having a process in place to review logs of who within your organization is accessing PHI and what they are accessing can be a helpful tool in spotting a snooping employee. To truly be effective, the logs need to be reviewed on a consistent basis to identify an employee who is accessing PHI unnecessarily or to pick up suspicious patterns of access; and

  • Train Staff on Sanctions: Training should include information that outlines the sanctions that can be imposed (both by you, the employer, and the authorities) for malicious actions involving the access or disclosure of PHI.
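The regular access audit described above, as an added example that is not part of the original post: it runs two checks over a constructed EHR access log (a clinical user opening a record outside their assigned caseload, and a user touching far more distinct patients than their role peers). The log format, the user names and the `CASELOAD` assignments are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of an EHR access log (not real data): timestamp,user,role,patient_id,action.
ACCESS_LOG = """\
2017-07-24T08:02,nurse_a,nurse,P100,view
2017-07-24T08:10,nurse_a,nurse,P101,view
2017-07-24T09:15,nurse_b,nurse,P200,view
2017-07-24T09:20,nurse_b,nurse,P201,update
2017-07-24T12:40,clerk_c,billing,P100,view
2017-07-24T12:41,clerk_c,billing,P101,view
2017-07-24T12:42,clerk_c,billing,P200,view
2017-07-24T12:43,clerk_c,billing,P201,view
2017-07-24T12:44,clerk_c,billing,P300,view
2017-07-24T13:05,clerk_d,billing,P300,view
2017-07-24T22:30,nurse_a,nurse,P999,view
"""

# Current patient assignments for clinical users (constructed; in practice fed from the EHR or scheduling system).
CASELOAD = {"nurse_a": {"P100", "P101"}, "nurse_b": {"P200", "P201"}}

def parse_log(text):
    """Parse the CSV-style log lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, patient, action = line.split(",")
            rows.append({"ts": ts, "user": user, "role": role, "patient": patient, "action": action})
    return rows

def audit_access(rows, caseload, volume_factor=3.0):
    """Return {user: [findings]} from two checks a periodic log review would run:
    1. a clinical user opened a record outside their assigned caseload (possible snooping);
    2. a user touched more than volume_factor x the median distinct-patient count of their role peers."""
    findings, patients, role_of = defaultdict(list), defaultdict(set), {}
    for r in rows:
        patients[r["user"]].add(r["patient"])
        role_of[r["user"]] = r["role"]
        if r["user"] in caseload and r["patient"] not in caseload[r["user"]]:
            findings[r["user"]].append(f"{r['ts']}: accessed {r['patient']} outside assigned caseload")
    counts = {u: len(p) for u, p in patients.items()}
    for user, n in counts.items():
        peers = [counts[u] for u in counts if u != user and role_of[u] == role_of[user]]
        if peers and n > volume_factor * median(peers):
            findings[user].append(f"{n} distinct patients vs. role-peer median {median(peers):g}")
    return dict(findings)
```

Findings are a starting point for a human reviewer, not a verdict; a billing clerk with a legitimate backlog will trip the volume check just as a snooper would.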

Also, keep in mind what we discussed last week with the risk of terminated users. Reasonable procedures can mitigate the risk and prevent a costly and damaging breach from the inside.

Termination of User Access

Every covered entity and business associate, whether large or small, struggles with prompt termination of user access. Whether the users are interns or temporary or permanent employees, it is a common struggle to get HR to communicate to IT that someone has left the organization or no longer needs access to PHI. This poses a high risk: individuals who may no longer be with the organization, some of whom may be disgruntled, still have access to PHI. Here are a few tips to help mitigate the risk.

  1. Establish a consistent process by which HR notifies IT when anyone leaves the organization or changes job functions and no longer needs access to PHI. HR likely has a process it goes through when an employee leaves. Work to include communicating to IT who is leaving and when. Often this can be done simply by submitting a ticket to whoever provisions access to systems with PHI.

  2. For temporary users (e.g. interns, volunteers, students, auditors, temporary staff), have HR provide you with the date when the user will be leaving. If they don’t know the exact date, have them provide a “safe” date by which the user will no longer need access. While not ideal, it will reduce the risk of terminated users retaining access for an extended amount of time.

  3. Review access logs periodically to purge users who are no longer with the organization or have not logged in for an extended period of time (e.g. 3 months). This can be a significant amount of data to review for larger organizations with many users, so a log review schedule should be implemented (e.g. once a month) to remove inactive users.
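The periodic review in steps 2 and 3 above, as an added example that is not part of the original post: it combines HR-provided end dates for temporary users with a last-login check, using the post's three-month threshold (assumed here to be 90 days) and a monthly review interval. The account names, dates and the 90-day figure are constructed assumptions.

```python
from datetime import date, timedelta

# The post's inactivity threshold of about three months, assumed here to be 90 days.
INACTIVITY_DAYS = 90
AS_OF = date(2017, 10, 2)  # date the monthly review runs (constructed)

# Constructed sample data (no real accounts): last successful login per user,
# None meaning the account was provisioned but never used.
LAST_LOGIN = {
    "jdoe": date(2017, 9, 28),    # permanent employee, recently active
    "intern1": date(2017, 8, 1),  # intern whose HR "safe" end date has passed
    "audit2": date(2017, 5, 2),   # auditor still under contract but inactive
    "vol3": None,                 # volunteer account never used
}
# End dates HR supplied for temporary users (step 2); permanent staff have none.
HR_END_DATES = {"intern1": date(2017, 9, 15), "audit2": date(2017, 12, 31)}

def accounts_to_disable(last_login, hr_end_dates, as_of, inactivity_days=INACTIVITY_DAYS):
    """Return {user: reason} for accounts that should lose access as of `as_of`.

    Two independent rules, mirroring steps 2 and 3 of the post:
      - the HR-provided end date has passed, or
      - no login within `inactivity_days` (never-used accounts count as inactive).
    A future HR end date does not exempt an account from the inactivity rule.
    """
    cutoff = as_of - timedelta(days=inactivity_days)
    flagged = {}
    for user, last in last_login.items():
        end = hr_end_dates.get(user)
        if end is not None and end < as_of:
            flagged[user] = f"HR end date {end.isoformat()} has passed"
        elif last is None:
            flagged[user] = "account never used"
        elif last < cutoff:
            flagged[user] = f"no login since {last.isoformat()} (more than {inactivity_days} days)"
    return flagged

def next_review_date(last_review, interval_days=30):
    """Monthly review schedule from step 3: when the next purge should run."""
    return last_review + timedelta(days=interval_days)

if __name__ == "__main__":
    for user, why in sorted(accounts_to_disable(LAST_LOGIN, HR_END_DATES, AS_OF).items()):
        print(f"disable {user}: {why}")
```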

The most effective method is working closely with HR to know immediately when users leave.  However, reviewing logs and establishing access termination dates can also help in mitigating the overall risk.

Implementing Restricted Communications

Far too often HIPAA is used as a barrier for appropriate PHI sharing. However, when a patient wants to create a barrier to sharing in the form of a restricted communication, it must be followed. A patient might request a restriction for any number of reasons. Often it is in response to a threatening family member or a sensitive diagnosis. Regardless of the reason, covered entities must have a process for implementing the restriction across the entire organization.

A patient may tell a nurse practitioner not to send mail to their house, or to contact them only at a specific telephone number. Telling that one staff member is tantamount to telling everyone within the organization, so everyone who may send communications to the patient needs to be made aware. Often this is done through a note in the EHR, or some type of flag in the patient’s record. If they do not want to be contacted at a certain phone number or e-mail address, that information can simply be removed. If you know you have to follow up by some method of communication after the visit, it is a good habit to simply ask the patient whether it is okay to contact them at a certain number, or whether they have a preferred contact method.

A patient’s request for restricted communication is a simple HIPAA requirement to implement, and doing so can promote patient safety and increase trust in the care you provide.

What To Do With Unexecuted Business Associate Agreement

Transferring PHI without an executed Business Associate Agreement (“BAA”) has become a point of intense focus for federal regulators, and one from which we can expect continued fines. In practice, BAAs are not always easy to get executed, for a plethora of reasons. With that in mind, here are a few tips and best practices that will be helpful for organizations looking to get outstanding BAAs executed.

  1. Get the ball rolling: Whether you are a business associate, covered entity, or subcontractor, don’t hesitate to be the first to send a BAA for negotiation and execution. It establishes the parameters of the negotiation, states that this is a serious matter to you, and takes the first step in getting a BAA executed. If you need a place to start, there are plenty of examples readily available, including some provided by the U.S. Department of Health and Human Services (HHS).
  2. Stress the importance: A business associate is determined by the specifics of the business relationship, not by the existence of a BAA. In other words, not executing a BAA does not absolve an organization from HIPAA-required safeguards, so there is no compelling argument not to execute a BAA. It is a requirement of both the business associate/subcontractor and the covered entity to have a BAA in place. The requirement is not one-way.
  3. Cause for termination: Almost all contracts outlining the business relationship will permit (or require) the termination of the agreement if one party does not comply with applicable laws or regulations. Signing a BAA is required by HIPAA, and not signing one will be grounds for termination. While it might be a disconcerting thought, your only protection against an organization that refuses to sign a BAA is to stop the transfer of PHI. This may create an incredibly challenging situation, but in extreme situations it is the only option. Most likely, when threatened with termination of the underlying contract, organizations will agree to execute the BAA.

This topic is one of the more difficult facing the entire healthcare industry at present. It is not that the answer to the situation is unknown; it is that the best answer is the most challenging solution. However, you must ask yourself one question: “How much can you trust an organization that will not execute a BAA to ensure the privacy and security of PHI?” I am willing to guess an organization that won’t execute a BAA is probably an organization you don’t want to do business with.

Best Practices For Faxing PHI

Faxing PHI is still a prevalent method of transferring information throughout the entire healthcare ecosystem. While the technology is rapidly changing in many areas of the industry, it is important to remember that “low-tech” methods can be useful in keeping faxed PHI secure. HIPAA allows PHI to be transferred by fax for treatment, payment, healthcare operations, and other reasons, assuming appropriate safeguards are in place. Here are a few best practices for securing PHI when it is transferred by fax:

  • Place the fax machine in a secure location that is not accessible to the general public;

  • Always use a cover page that includes the sender’s name and contact information, the intended recipient’s name, a confidentiality statement, and instructions in case it is sent to an unintended recipient. The cover page should not include any PHI;

  • Remove incoming faxes promptly; and

  • If your fax machine is storing any PHI, have a process to permanently remove it before you take the machine out of service.

Before you send a fax:

  • Double check you have correctly entered the recipient’s number;

  • Consider programming numbers into the machine and confirming their accuracy with a fax containing no PHI.

Sending PHI to an unintended recipient is a common occurrence which should be investigated to determine if a breach of PHI occurred. If you send a fax to the wrong person:

  • Notify the appropriate person (e.g. the Privacy Officer) immediately;

  • Attempt to retrieve all copies of the fax or ensure the recipient destroyed the fax; and

  • Complete an incident alert form as directed.

While it may not have seen the same technological improvements or disruptions as other methods of communication, if used appropriately, faxing can still be a secure way to exchange PHI.