December 29, 2022
Congratulations Rep. Mark Shirey!
We are thrilled to have an optometrist serving in the legislature! Dr. Mark Shirey of Mobile was elected to the Alabama House of Representatives in November when he won his General Election. He was recently profiled in the Alabama Political Reporter - https://www.alreporter.com/2022/12/07/mobile-eye-doctor-shirey-brings-healthcare-perspective-to-legislature/ Congratulations to Rep. Shirey!
The AOA Leadership Institute
The American Optometric Association’s (AOA) Leadership Development Committee is thrilled to introduce the graduating class of the 2022 AOA Leadership Institute. The ALOA is proud to recognize the following members of our association who were selected to participate in the 2022 AOA Leadership Institute class.

  • Dr. Terri Call
  • Dr. Keisha Brown
  • Dr. Patricia Fulmer
  • Dr. Amy Logan

We are also pleased to announce that the following ALOA Members have been selected to participate in the 2023 AOA Leadership Institute:

  • Dr. Spencer Boozer
  • Dr. Amanda Duty
  • Dr. Heather Sutton

The AOA Leadership Institute is a 12-month long program that has both virtual and in person components; the curriculum includes four topics: leadership brand, public speaking, negotiation skills, and leading change. At the conclusion of the year long program, we hope these members will serve in a volunteer leadership capacity and will contribute to our profession and our state association moving forward! Please join us in congratulating our emerging leaders!
Member Doctor Responsibilities to Safeguard Protected Health Information under HIPAA
By Mike Stokes and Janet O'Hallaran - AOA Staff
 
The Current Focus on Hacking Health Care Data & the Particular Vulnerabilities of Member Doctor’s Practices
As our lives become more complicated and our personal data becomes more enmeshed in various databases (most of which are accessible via the web), the need to secure that personal data grows. In addition, maintaining the privacy of protected health information is a necessary concern for all health care professionals and is governed by federal law: the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, health care information is extremely attractive to cybercriminals; it reportedly yields the highest sale prices on the dark web. According to a Trustwave report released on June 30, 2021, a healthcare data record may be valued at up to $250 per record on the illegal market. In addition, between 2019 and 2020, the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) noted a 68% increase over the previous year in health care breach reports to HHS. What this means for AOA member doctors is that more criminals are focusing on hacking health insurance companies, hospitals, and practitioners. Although there are typically fewer patient records at doctors’ offices than at hospitals and insurance companies, there is a perception that doctors’ offices are a softer target: easier to gain access to and easier to steal data from.
 
Data Security: An Essential Element of HIPAA Compliance
Knowing this, we will focus first on the essential element of HIPAA compliance: data protection. HIPAA requires that any company or individual who comes into contact with protected health information must establish and enforce appropriate policies, procedures, and safeguards to protect that data. Violations of HIPAA often result from one of the following: lack of an adequate risk analysis; lack of comprehensive employee training; inadequate business associate agreements; inappropriate disclosures of PHI; ignorance of the minimum necessary rule; and failure to report breaches within the required timeframe. (See www.hipaaguide.net.) In this memo, we will focus on risk analysis, the paramount inquiry for compliance with the Security Rule under HIPAA.
 
Elements of Practitioner Preparation: Conduct a Risk Analysis to Ensure Compliance with the Security Rule
(1) Determine where health data is created, received, maintained, and processed
The first thing every office should do is conduct an in-depth risk analysis. To prepare for the assessment, the practice needs to understand where electronic protected health information is created, received, maintained, and processed. The practice must:
 
  • understand where electronic protected health information (hereinafter referred to as ePHI) is created, received, maintained, processed, or transmitted;
  • identify where ePHI is generated within the organization;
  • identify where and how it enters the organization (e.g., web portals);
  • identify where it moves and flows within the organization (e.g., to specific information systems);
  • identify where it is stored; and
  • identify where ePHI leaves the organization.
 
The practice also must consider:
 
  • whether ePHI is transmitted to external third parties, such as cloud service providers or other service providers;
  • physical boundaries and logical boundaries;
  • any remote working arrangements;
  • risks to ePHI as it enters the organization, flows within the organization, and leaves the organization; and
  • current security controls. (Source: www.hipaaguide.net)
 
(2) Identify Realistic Threats
The practitioner should think about what types of threats are posed to the security of the practice’s data and identify common threat sources.
 
  • One basic threat source consists of natural disasters, which could include floods, earthquakes, or tornados. These types of events can threaten the physical security of data or interfere with privacy safeguards.
  • The main threat source is deliberate or unintentional human acts, such as network-based attacks, a malicious software upload, or phishing attacks in which a bad actor persuades a staff person to grant access to confidential information by posing as another staff person, vendor, or government official.
  • Another possible risk is a staff person losing a laptop containing unencrypted patient information (or having the laptop stolen).
  • Another threat may be vulnerabilities in remote workers’ home internet systems.
 
(3) Identify Potential Vulnerabilities and Predisposing Conditions
The practitioner should consider internal and external sources of information in assessing potential vulnerabilities. For the internal perspective, you may review prior audits or think of IT challenges you have faced in the past.
 
External sources to consider include information provided by your vendors, insurance carriers, and vulnerability databases, such as the National Vulnerability Database maintained by the National Institute of Standards and Technology, part of the U.S. Department of Commerce. The Common Vulnerabilities and Exposures (CVE) Program defines a vulnerability as: "a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes but could also include specification changes or even specification deprecations." You may need to rely on your in-house IT expert or bring in an outside IT expert for this type of assessment.
 
(4) Assess Current Security Measures
Measure your practice’s current security measures against the security measures required under HIPAA. Questions to consider include, but are not limited to:
 
  • Does your organization have a designated security officer responsible for the development and implementation of policies and procedures required under HIPAA?
  • Has your organization implemented policies and procedures for authorizing access to electronic protected health information?
  • Have you implemented a security awareness and training program for all members of your workforce?
  • Have you implemented the appropriate contingency plans, including a data backup plan, a disaster recovery plan, and an emergency mode operation plan?
 
These questions are just four of the many inquiries required under HIPAA. This assessment can be a daunting proposition for an optometric practice, but there are resources available to guide the practice through the process.
 
Practitioners might consider using free resources offered by the government, such as the Guide to Privacy and Security of Electronic Health Information. Alternatively, a doctor seeking a more streamlined and efficient product may consider using a commercial HIPAA compliance product. One benefit of a commercial product is that there will typically be a designated individual you can work with who will walk you through the entire process, and many of the steps will be automated so that none are overlooked.
 
(5) Determine the likelihood that each threat could occur, as well as the likelihood that it would result in an adverse impact.
In particular, the practice is asked to assess the probability that the threat will occur. HHS guidance states: “If a threat is ‘reasonably anticipated’, then the optometric practice is required to address it. An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method, or a combination of the two methods, to measure the impact on the organization. Organizations are asked to assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level.” See additional information from HHS.
 
(6) Document the risk assessment results.
HIPAA requires the risk analysis to be documented but does not require a specific format. A narrative that details the results of each of the foregoing six elements of the risk analysis process should be sufficient.
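As an added illustration of steps (5) and (6), not part of the original memo or of any HHS tool, the following Python script assigns a risk level to each threat/vulnerability pair from the ratings a practice records and produces the written record the rule calls for. The 1-3 scale, the level cut-offs, the "reasonably anticipated" rule, and the sample entries are all assumptions made for the example.

```python
# Qualitative ratings mapped to numbers so they can be combined. The 1-3 scale and
# the cut-offs in risk_level() are an illustrative choice, not HIPAA requirements.
RATING = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> str:
    """Step (5): combine the likelihood and impact ratings into one risk level."""
    score = RATING[likelihood] * RATING[impact]
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"


def assess(items: list[dict]) -> list[dict]:
    """Assign a level to every threat/vulnerability pair, highest risk first."""
    rows = []
    for it in items:
        row = dict(it, level=risk_level(it["likelihood"], it["impact"]))
        # Assumption: a threat rated above "low" likelihood is "reasonably anticipated"
        # and must be addressed; low-likelihood items are documented and monitored.
        row["must_address"] = it["likelihood"] != "low"
        rows.append(row)
    return sorted(rows, key=lambda r: -RATING[r["level"]])


def narrative(rows: list[dict]) -> str:
    """Step (6): plain-text documentation of assigned levels and corrective actions."""
    out = []
    for r in rows:
        action = r["action"] if r["must_address"] else "monitor; accept residual risk"
        out.append(f"[{r['level'].upper()}] {r['threat']} via {r['vulnerability']}"
                   f" ({r['asset']}) -> {action}")
    return "\n".join(out)


# Constructed sample drawn from the threats listed in step (2); ratings are hypothetical.
SAMPLE = [
    {"threat": "phishing of front-desk staff", "vulnerability": "no awareness training",
     "asset": "practice-management workstation", "likelihood": "high", "impact": "high",
     "action": "train all staff; enable multi-factor authentication on email"},
    {"threat": "laptop lost or stolen", "vulnerability": "disk not encrypted",
     "asset": "laptop holding exported patient records", "likelihood": "medium",
     "impact": "high", "action": "enable full-disk encryption; stop local exports"},
    {"threat": "flood at the office", "vulnerability": "server room at ground level",
     "asset": "on-premises EHR server", "likelihood": "low", "impact": "high",
     "action": "keep encrypted offsite backups"},
]

if __name__ == "__main__":
    print(narrative(assess(SAMPLE)))
```

Running the script prints the ranked list; the same functions can be fed the practice's own entries so the narrative is regenerated each time the analysis is reviewed.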
 
Once the risk analysis has been completed, the practice must develop a risk management process, formulate and enforce sanctions policies for security breaches, and implement procedures for periodic monitoring of audit logs, access reports, and security incident tracking reports. We will cover these requirements and others in more detail in a future memo.
Have Your AOA Dues Paid with the AOA Business Card
Choosing the right business credit card is critical to the success of your practice. You need a card that’s flexible, efficient, and allows you to focus on what matters most—running your practice efficiently and providing care to your patients. The AOA Business Card is the only credit card designed specifically for AOA members.
The AOA Business Card offers:
  • Reimbursement of AOA dues—a $972 value¹
  • No annual fee
  • No personal guarantees and no effect on your credit score
  • 2% back on all purchases²
Provided as a member benefit through AOAExcel, the AOA Business Card is an invaluable asset to any small independent business owner who is a member of the AOA, and it’s plain to see why. The modern online platform allows you to integrate your QuickBooks®, set spending permissions, and redeem rewards with ease. Vendor discounts including frames and lab services provide savings custom fit for you and the multiple card feature provides added flexibility and independence for your staff.
Hundreds of your fellow AOA members are already using the AOA Business Card—what are you waiting for? Take control of your practice expenses and reward yourself in the process at card.aoa.org.
Visit about.card.aoa.org/terms for full terms & conditions.
 
¹ The AOA dues of $972 are paid when you spend $15,000 or more in the first 4 months after account creation. Your Card account must not be canceled or in default at the time of fulfillment of any offers. After the 4 months, Rewards points will be credited to your account if you have met the threshold amount. If we in our sole discretion determine that you have engaged in abuse, misuse, or gaming in connection with the welcome offer in any way or that you intend to do so, we may not credit Rewards points, we may freeze Rewards points credited, or we may take away Rewards points from your account. We may also cancel this Card account and other Card accounts you may have with us.
² 2% back in rewards on all purchases, no cap on rewards. You will not earn rewards on returned, disputed, or fraudulent transactions. We will reverse rewards associated with the return, credit or adjustment.
Conditions apply. Subject to approval. Mercantile Financial Technologies, Inc. is a financial technology company, not a bank. The AOA Credit Cards are issued by Hatch Bank pursuant to a license from Mastercard. Mastercard is a registered trademark, and the circles design is a trademark of Mastercard International Incorporated.

PO Box 240907 • Montgomery, AL 36124-0907
©2018 Alabama Optometric Association