
HIPAA wake-up call - Medic Management… · Contact Andrea Driscoll at adriscoll@adhealthcareconsultingllc.com. Contact Rick Hindmand at rhindmand@mcdonaldhopkins.com. Contact Helen

HIPAA wake-up call

By Andrea Driscoll, Rick Hindmand, JD, and Helen Simmons

Risk and Compliance Management

Physician practices, like other HIPAA-covered entities, face a daunting array of threats to their patients' protected health information (PHI) and must be diligent in protecting the privacy and security of their records.

Reviewing reported breaches can offer healthcare providers, health plans and business associates guidance on how they can protect PHI.

Data breach landscape

Healthcare breaches have become so widespread and difficult to prevent that everyone who handles patient information needs to understand the steps that prevent one.

Combining data from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reports since mandatory reporting began in 2009 with unresolved breaches in the past 24 months shows the total number of reported incidents through May 2018 exceeds 2,299, affecting almost 262 million individuals.

MGMA Connection • July 2018 • page 27 ©2018 MGMA. All rights reserved.


Insurers (tallied under "Health plan" in Figure 1) were responsible for the highest number of reported breaches, followed by healthcare providers, business associates and lastly healthcare clearinghouses, which process medical claims.

The types of breaches affecting the most individuals over the past eight years have been hacking/IT incidents (more than 216 million individuals affected) and theft (more than 25.3 million individuals affected). The most direct way to keep stolen or copied data from being read or used is to encrypt it in accordance with the HHS guidance. Keep in mind what encryption does and does not cover: it protects data at rest on a lost or stolen device or backup medium, but not data that an intruder reads through a compromised account or application that decrypts it legitimately. Though an objective assessment of a breach incident is always required to determine whether notification is needed, under the breach notification provisions of the HITECH Act of 2009 the loss or theft of a device need not be reported if the PHI on it was encrypted in a manner consistent with the guidance of the National Institute of Standards and Technology (NIST), because such PHI is not "unsecured."

Where do you stand on HIPAA?

In its HIPAA settlements and guidance, OCR has focused on the following failures by a covered entity or business associate:

Failure to conduct adequate risk analysis. Risk analysis has been central to most of OCR's published resolution agreements. The HIPAA Security Rule requires each covered entity or business associate to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the covered entity or business associate.

In addition to violating the Security Rule on its own, failure to conduct appropriate and timely risk analysis often prevents a covered entity or business associate from taking appropriate risk management steps to protect ePHI, thereby increasing exposure to breaches as well as potential penalties and litigation.

Failure to enter into appropriate business associate agreements (BAAs) before allowing business associates to access PHI. OCR has expanded its enforcement focus on business associates, with a string of resolution agreements holding covered entities accountable for allowing business associates to access PHI without entering into BAAs. OCR specifically reminded covered entities and business associates in October 2017 that using a cloud service provider to maintain ePHI without entering into a BAA violates HIPAA rules and that cloud service arrangements need to be accounted for in risk analysis and risk management. Within the past several years, three physician practices have made settlement payments for disclosing PHI to business associates without BAAs, including a $750,000 payment in 2016 by a North Carolina orthopedic clinic.

Failure to implement appropriate safeguards to manage risks and vulnerabilities that were (or should have been) identified in the risk analysis. The Security Rule requires a covered entity or business associate to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, and refers to this safeguard as "risk management."

Figure 1: 2009-2018 (YTD) Individuals affected and type of breach

Type of breach                   Business associate   Health plan    Healthcare clearinghouse   Healthcare provider   Grand total    % by breach type
Hacking/IT incident              13,019,287           183,297,534    0                          19,926,825            216,246,646    82.42%
Improper disposal                570,905              34,933         4,204                      395,729               1,005,711      0.38%
Loss                             5,894,584            133,002        0                          2,037,146             8,064,732      3.07%
Other                            461,168              164,845        0                          824,892               1,450,905      0.55%
Theft                            9,053,431            3,762,903      11,250                     12,449,128            25,276,712     9.63%
Unauthorized access/disclosure   2,641,466            2,763,402      2,300                      3,013,099             8,420,267      3.21%
Unknown                          1,900,768            10,066         0                          6,625                 1,917,459      0.73%
Grand total                      33,541,609           190,166,685    17,754                     38,653,444            262,379,492    100%

Source: U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, accessed May 11, 2018

Strong IT support: Improving your IT hygiene

Medical practices often don't see compliance as a priority and are reluctant to spend money in this area until a breach occurs, at which time spending likely will be much greater than the cost to implement appropriate safeguards.

Operationally, it is not unusual for a private medical practice to adopt a hybrid model in which the physician and administrator share IT responsibilities with an IT staff person or consultant. This break/fix model focuses on addressing issues as needed instead of providing proactive, 24/7 monitoring and management of the IT infrastructure. This approach has plagued the IT industry and can put the medical practice at risk. It is not enough to call someone when there's a problem. By then it's usually too late. Most attacks succeed because they take advantage of vulnerabilities that are not identified within an organization. Often this is due to a misperception that the medical practice is protected.

These medical practices may have strong business controls but often lack the expertise and attention needed to protect their network, necessary security layers and access controls, making them vulnerable to hackers. Healthcare data on the black market is valued higher than even Social Security or credit card numbers.[1] With ransomware added to the mix, you have a billion-dollar business that shows no signs of slowing down. Having the appropriate expertise in place is crucial in protecting your business from these attacks.

Problem areas for HIPAA compliance

• Set it and forget it approach: HIPAA compliance and IT security are ongoing responsibilities. Risk analyses need to be performed on a regular basis, especially as problems are identified or changes occur in the operating environment. Effective security incorporates a proactive approach with ongoing management.

• Workstation or server updates: Turning on automatic updates on each workstation or server without monitoring success or failure is common. Consider centralizing the management of the up-dates to gain visibility and catch problems early.

• Backups: Lack of offsite backup, or of any verification of backup integrity, is common. An effective IT company centralizes the management of updates and backups, regularly verifies their integrity and periodically performs a test restore, since a backup that has never been restored is not known to work.

• Cost: Many medical group budgets don't allow for month-to-month managed services contracts. The "we'll just call you when something is broken or if we need you" approach is often seen as the most cost-effective solution. This approach may be short-sighted and could end up costing the practice more. The cost of a breach can be much higher than the cost of a month-to-month managed services contract.

• Staffing: Physicians and other non-IT professionals are typically not qualified to manage IT. While anyone can search the internet for how to do something IT related, it's not realistic to manage an entire IT environment in this fashion and expect to cover every security control.

Figure 2: Individuals affected by type of breach. Hacking/IT incidents 82%; Theft 9.63%; Unauthorized access/disclosure 3.21%; Loss 3.07%; Unknown 0.73%; Other 0.55%; Improper disposal 0.38%. Source: U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, accessed May 11, 2018

• How hardware and services are used: Devices and services alone aren't compliant. It's how they're implemented and managed that makes them compliant and effectively secure. Many of the HIPAA security requirements must be addressed within each piece of hardware or service.
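The backups item above calls for verifying backup integrity rather than assuming the job ran. The following Python script is an added example, not code from the article or its authors: it builds a SHA-256 manifest of a constructed sample backup (fake files, not real patient records), then re-verifies the copy and reports files that are missing or altered, and a manifest older than the expected backup interval. The file names, the nightly schedule, the thresholds and the manifest layout are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, created):
    """Hash every file in a finished backup. Keep the manifest with the offsite copy,
    so verification does not depend on the primary host being honest or intact."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    return {"created": created.isoformat(), "files": files}


def verify_backup(backup_dir, manifest, now, max_age=timedelta(days=1)):
    """Re-hash the copy and compare with the manifest. Any file missing or altered
    means the backup cannot be trusted for restore; a manifest older than `max_age`
    (assumed nightly schedule) means the backup job has stopped running."""
    missing, corrupt = [], []
    for rel, expected in manifest["files"].items():
        path = backup_dir / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != expected:
            corrupt.append(rel)
    stale = now - datetime.fromisoformat(manifest["created"]) > max_age
    return {"ok": not (missing or corrupt or stale),
            "missing": missing, "corrupt": corrupt, "stale": stale}


def demo():
    """Walk through three outcomes on a constructed sample backup (fake files, not PHI)."""
    created = datetime(2018, 5, 11, 2, 0)  # assumed 02:00 nightly job
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "patients").mkdir(parents=True)
        (backup / "images").mkdir()
        (backup / "patients" / "1001.json").write_text('{"mrn": "1001", "name": "Sample Patient"}')
        (backup / "images" / "scan.bin").write_bytes(os.urandom(4096))
        manifest = build_manifest(backup, created)

        # 1. Verified the same morning: everything matches.
        fresh = verify_backup(backup, manifest, now=created + timedelta(hours=6))
        # 2. Same files two days later with no newer manifest: the job has silently stopped.
        stale = verify_backup(backup, manifest, now=created + timedelta(days=2))
        # 3. Silent corruption (one flipped byte) plus a file dropped by a failed copy.
        record = backup / "patients" / "1001.json"
        data = bytearray(record.read_bytes())
        data[0] ^= 0xFF
        record.write_bytes(data)
        (backup / "images" / "scan.bin").unlink()
        tampered = verify_backup(backup, manifest, now=created + timedelta(hours=6))
    return {"fresh": fresh, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Run the verification from a host other than the one that produced the backup, so a compromised or ransomware-encrypted primary server cannot vouch for itself. A clean hash check still does not prove restorability; a periodic test restore is the only way to confirm that.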

Checklist: Action steps for medical groups

• Conduct enterprise-wide risk analysis accounting for all of your practice's PHI, whether maintained within your organization, in the cloud or by business associates.

• Implement safeguards based on the risk analysis to reduce the identified risks and vulnerabilities to reasonable and appropriate levels.

• Review and update your organization's incident response plan, privacy, security and breach notification policies and procedures.

• Identify all business associate relationships and ensure that you have an appropriate business associate agreement in place before allowing a business associate to access PHI.

• Make privacy and security priorities within your organization with policies and procedures in place to ensure consistency and compliance.

• Conduct ongoing privacy and security training.

• Encrypt all data at rest and in transit.

• Ensure that uses and disclosures of PHI align with your organization's notice of privacy practices.

• Implement a layered security model to protect from internal and external threats. Email, for example, is a common point of entry for malware. Invest in a reputable email filtering product that is kept current against the latest phishing and malware campaigns.

• Consider a security monitoring system with 24/7 visibility, alerting and auditing to find IT problems early and reduce risk.

• Develop access levels following the least-privilege model, with unique logins for every user, enforced password strength, two-factor authentication, automatic log-off and account monitoring. Forced periodic password changes are still common; note, though, that NIST SP 800-63B (2017) advises against routine expiration and instead recommends screening passwords against lists of known-compromised values and changing them when compromise is suspected. Do not rely on intuition to gauge the strength in these areas. Verify that these safeguards are implemented, enforced and audited.

• Stay current and keep your systems up to date. In May 2017 the WannaCry ransomware attack swept through the UK, shutting down services at hospitals and clinics, by exploiting a Windows SMB flaw on systems that had not applied the patch Microsoft had issued two months earlier (MS17-010), including machines still running Windows XP, which Microsoft had stopped supporting in 2014 and for which it had to issue an emergency out-of-band patch.[2]
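The checklist items on 24/7 monitoring and on unique logins, two-factor authentication and account monitoring both come down to reviewing evidence rather than trusting that controls are in place. The following Python script is an added example, not code from the article or its authors: it runs a few detection checks over a constructed EHR audit log and account inventory (sample data, not real records), flagging failed-login bursts, one account used from two workstations minutes apart, record views outside business hours, dormant accounts that are still enabled and enabled accounts without two-factor enrolment. The log format, field names, business hours and thresholds are assumptions; adapt them to what your EHR actually exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR audit log (illustrative, not real data). One event per line:
# <ISO timestamp> <user> <workstation> <action> [<record id>]
SAMPLE_LOG = """\
2018-05-11T07:58:02 jsmith WS-RECEP-01 LOGIN_OK
2018-05-11T08:03:10 jsmith WS-RECEP-01 VIEW MRN-1001
2018-05-11T08:04:55 jsmith WS-EXAM-03 LOGIN_OK
2018-05-11T08:06:30 jsmith WS-EXAM-03 VIEW MRN-1002
2018-05-11T12:00:01 admin WS-RECEP-02 LOGIN_FAIL
2018-05-11T12:00:04 admin WS-RECEP-02 LOGIN_FAIL
2018-05-11T12:00:07 admin WS-RECEP-02 LOGIN_FAIL
2018-05-11T12:00:09 admin WS-RECEP-02 LOGIN_FAIL
2018-05-11T12:00:12 admin WS-RECEP-02 LOGIN_FAIL
2018-05-11T12:00:15 admin WS-RECEP-02 LOGIN_FAIL
2018-05-11T13:15:00 drlee WS-EXAM-01 LOGIN_OK
2018-05-11T13:16:20 drlee WS-EXAM-01 VIEW MRN-1003
2018-05-11T23:41:09 mbilling WS-BILL-01 LOGIN_OK
2018-05-11T23:42:50 mbilling WS-BILL-01 VIEW MRN-1004
"""

# Constructed account inventory (assumed export format): user -> (enabled, mfa_enrolled, last_login)
ACCOUNTS = {
    "jsmith": (True, True, datetime(2018, 5, 11, 8, 4, 55)),
    "drlee": (True, True, datetime(2018, 5, 11, 13, 15, 0)),
    "mbilling": (True, False, datetime(2018, 5, 11, 23, 41, 9)),
    "oldtemp": (True, False, datetime(2018, 1, 3, 9, 0, 0)),  # temp left in January, never disabled
}

def parse_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
                       "host": parts[2], "action": parts[3],
                       "record": parts[4] if len(parts) > 4 else None})
    return events

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """(user, workstation) pairs with at least `threshold` failures inside `window`: password guessing."""
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN_FAIL":
            fails[(e["user"], e["host"])].append(e["ts"])
    hits = []
    for key, times in fails.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits.append(key)
    return hits

def shared_logins(events, window=timedelta(minutes=30)):
    """Users who logged in from two different workstations within `window`.
    A review prompt for a shared login, which defeats per-user accountability."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN_OK":
            logins[e["user"]].append((e["ts"], e["host"]))
    flagged = set()
    for user, entries in logins.items():
        entries.sort()
        for i, (t1, h1) in enumerate(entries):
            for t2, h2 in entries[i + 1:]:
                if t2 - t1 > window:
                    break
                if h2 != h1:
                    flagged.add(user)
    return sorted(flagged)

def after_hours_access(events, open_hour=7, close_hour=19):
    """Record views outside assumed practice hours (07:00-19:00); compare against the on-call schedule."""
    return [(e["user"], e["record"], e["ts"].isoformat()) for e in events
            if e["action"] == "VIEW" and not open_hour <= e["ts"].hour < close_hour]

def dormant_enabled_accounts(accounts, now, max_idle=timedelta(days=90)):
    """Enabled accounts with no login in `max_idle`: leavers and forgotten temps should be disabled."""
    return sorted(u for u, (enabled, _mfa, last) in accounts.items()
                  if enabled and (last is None or now - last > max_idle))

def accounts_without_mfa(accounts):
    return sorted(u for u, (enabled, mfa, _last) in accounts.items() if enabled and not mfa)

def review(log_text=SAMPLE_LOG, accounts=ACCOUNTS, now=datetime(2018, 5, 12)):
    events = parse_log(log_text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "shared_logins": shared_logins(events),
        "after_hours_access": after_hours_access(events),
        "dormant_enabled_accounts": dormant_enabled_accounts(accounts, now),
        "accounts_without_mfa": accounts_without_mfa(accounts),
    }

if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

Findings are review prompts, not verdicts: a clinician moving between exam rooms can legitimately trigger the shared-login check, and an after-hours view may be an on-call physician. The value is that each one is looked at and the review is recorded, which is the auditing the checklist asks for.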

Key questions to ask

Understand the need to focus on identifying your risks and working with a qualified IT service provider who will do more than fix your hardware as needed. If you seek out a managed service provider, you need to understand whether they provide functionalities such as 24/7 monitoring, auditing, reporting, regular patching and updates, layered security and more. Evaluating vendors can be challenging for those who do not specialize in IT. If a vendor representative contacts you, ask these key questions:

• Have you ever performed a vulnerability risk analysis for a client?

• Do you currently have any clients that are physicians or healthcare companies?

• Are you familiar with referenced standards for password use and encryption provided by the National Institute of Standards and Technology (NIST)?

• What services do you provide under contract?

• Does this include 24/7 monitoring, auditing and regular patching of all systems and applications?

A reputable IT company can independently supply a periodic executive summary report that shows an overall health score in areas such as antivirus, web protection, backups, patch management, at-risk devices and more. Empower yourself with this information before investing in a solution for your group.

Contact Andrea Driscoll at adriscoll@adhealthcareconsultingllc.com, Rick Hindmand at rhindmand@mcdonaldhopkins.com and Helen Simmons at [email protected].

Notes:

1. Yao M. "Your electronic medical records could be worth $1,000 to hackers." Forbes. April 14, 2017. Available from: bit.ly/2wK9OrHC.

2. Barrett B. "If you still use Windows XP, prepare for the worst." Wired. May 14, 2017. Available from: bit.ly/2qH7wpj.
