Protecting your practice from HIPAA violations
Heather Dorsett: Welcome, everyone, to today’s PerfectServe webinar, “Protecting Your Practice from HIPAA Violations.” My name is Heather Dorsett. I am the Director of Marketing for PerfectServe, and I’ll be your host for today’s webinar.
Thank you, everyone, for joining us. Before we get started, let’s review the platform for today’s webinar. In the middle of your browser, you’ll see a box containing today’s slides. They will advance automatically throughout the presentation. To the right of the slides is a Q&A box where you can submit a question at any time during the presentation today.
We will address the questions during the Q&A portion at the end of the presentation. Below the Q&A box, you’ll see a Twitter feed with highlights from today’s presentation. Feel free to tweet commentary you find interesting using #pswebcast.
Finally, in the lower left‑hand corner, you’ll find our resource list containing a PDF of today’s slides along with a few other helpful resources.
In addition, today’s webinar is being recorded for our friends and colleagues who are unable to join us. We’ll have a recording available after.
As an audience member, you are in listen‑only mode. Please do make use of that Q&A box to communicate with our speaker or with me today. We will have a few polls scattered throughout the webinar. To submit your answers, simply type directly into the selections or an open‑text box located on the slide.
Finally, at the end of the webinar, we ask that you complete a short survey and tell us what you thought of today’s event.
For those of you who may not know PerfectServe, we provide healthcare’s only comprehensive and secure communications and collaboration platform. We’re used by 1 in 10 physicians in more than 200 hospitals and 25,000 practices and post‑acute care providers.
Specifically, PerfectServe supports practices in several ways. We help you manage all office and clinical communications and can replace traditional answering services.
We eliminate the human error inherent in answering services by routing calls and messages to the right provider at the right time in the way that provider wants to be contacted. We enable seamless call schedule management and we enable care coordination across the continuum.
This webinar series is a part of our ongoing promise to drive meaningful improvement in the care delivery process.
Now, it is my pleasure to introduce Kelly Ogle as today’s speaker.
Kelly holds Certified Healthcare OSHA Professional and Certified Medical Practice Manager certifications and brings over 10 years of experience in HIPAA training and consulting to help practices maintain compliance within their facilities and take corrective action to help reduce the risk of penalties before they even happen.
She’s Director of OSHA and HIPAA Services with DoctorsManagement, a practice management consulting organization.
Kelly, I will turn it over to you.
Kelly Ogle: Thank you so much, Heather. I hope everybody is staying warm or cool, depending on where you’re located. We’re going to discuss some HIPAA stuff. We’ll go over a couple of things, and then we have a couple of stories that I want to tell you towards the end.
Hopefully, you may have some stories for me or some questions that you want to ask me. No question is crazy enough. I get all kinds of crazy questions about HIPAA. Feel free to ask any of those questions and I’ll do my best to answer them. If not, I’m a great researcher on it and I will try to get that answer for you.
Today, we’re talking about protecting your practice from HIPAA violations. With this on the agenda, we’ll talk a little bit about the definitions and titles. Not too much, so as not to bore you. However, we will talk about personal identifiers. Things that we need to worry about because those are things that might get out there.
You might not realize how easy they are to be recognized, somebody recognizing somebody else’s personal information.
Let me get back here. The privacy rule, the Notice of Privacy Practices, some patient rights information, your breach notification, security, and also enforcement.
We have a poll question here. We want to ask you, “What is your greatest concern relative to HIPAA compliance within your practice?” Let me give you a few minutes or a minute or so to answer this question. We’d like to know your comments so we can talk about that into greater detail.
Go ahead. I’ll give you a few more seconds to do that. Then we will go on to the next slide and see what kind of results we do get from that.
Kelly: We see that your greatest concern in that is a really good concern, staff training. That is a big thing.
Technology, I will tell you will be one of your big things because a lot of people don’t realize the information or the stuff that you would have to take care of with your security. It has to do with a lot of electronic stuff with that technology. There is a great concern for that.
Yes, staff training, a lot of people do have trouble with that in trying to teach them what needs to be done. We will go over some of that in this webinar today.
What I’m going over today, if you make notes, this can be things that you can address during your office training, or what’s good is to have somebody come in there, answer questions for you, and do the training for you. There’s online training.
There are all different kinds of things that you can do. All of those are available to you. HIPAA does let you do any of that technology‑wise or in person.
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It really started out with the Title I. It was Healthcare Access. What they worried about is you actually having access to your insurance if you were to move, and then the portability of it, so if you were to move from one job to another, how easy it was for you to carry that insurance on. COBRA is one of those examples.
Title II, they introduced and provided the Preventing Healthcare Fraud and Abuse. They started the transactions, code sets, the identifiers, all that stuff. What’s funny is they say that it’s administrative simplification. I think it complicates things, if you ask me.
The simplification is that it drives it down into some numbers instead of a lot of words, simplifies it into some numbers, some codes, to hide everything under those codes. Hopefully, with the fraud, that you don’t use the wrong codes. That’s the big thing with that.
This does apply to all covered entities. However, it also applies to business associates, anybody that works with you with the patient’s information, and even subcontractors, anybody that would work with a business associate, or somebody working in your office that may not be a medical person and works with your information. We have to be careful about what we do with that information.
The personal identifiers. These can be anything that is used to actually identify the person. It could be their name, their email address, their account number, device identifiers, if you had a knee replacement.
It could be a rod in your leg that is numbered, and that rod in your leg identifies you. With that number, they can go back and identify you in health records of who had that.
There are all different identifiers. That is where the problem lies: if you’re going to have information in places where people can oversee it, or see it, then you don’t want these personal identifiers to be on that. That’s why we like to address the personal identifiers.
There are two rules. There’s the privacy rule and security rule. We’ll go over the privacy rule.
Any privacy rule, or security rule, mainly, is to protect individually identifiable information that relates to the condition, treatment, or payment. That is all of that. That is privacy, security, whatever.
However, the privacy rule will be any kind of information period. It will be written, oral, electronically stored, any of that. It could be any of it. With the security part, it is actually only electronic. We’ll get to that in a little bit.
The protected health information, or PHI, is any data that can be linked to an individual concerning their health or payment. That’s where those identifiers are coming from. I actually switched the slide. This says, “Identifiers on the next slide,” but it was on the previous slide.
The privacy officer. All our offices have to have someone in charge of our HIPAA. It can be the privacy officer. It could be the security officer, and they’re the privacy officer also. I will get into the differences in those two.
A privacy officer is the one that deals with the complaints/investigations having to do with the privacy information. It could be any information. However, a security person is mainly over the electronic information, just like the privacy rule and the security rule.
The Notice of Privacy Practices. I know we all have one. It’s funny how I will go into an office, and I will ask everybody within the office to tell me their honest truth and say, “Who in here has actually read through a whole Notice of Privacy Practices?” and I may get two people. It’s usually one of the doctors, and it’s usually the office manager.
That’s great that those two have read through it. However, everybody should know what is on your Notice of Privacy Practices, especially if you’re giving out this paperwork to your patients, and it’s good for you to know as a patient yourself.
The Notice of Privacy Practices, it has to be posted in three different ways. It has to be posted within the office, preferably right up front, near where they can see it when they check in.
It has to be listed on the website, if you have a website. You don’t have to have a website, to do it, but if you have a website, it must be on there.
It has to be offered to each patient and anybody that requests it. Most of the time, it’s to each patient as they come in as a new patient.
All three must be identical. If you have three different Notice of Privacy Practices, one was updated last year, the other one was from 1998, we have to change that. We all have to have them all on the same thing, saying the same thing.
These Notice of Privacy Practices tell the patients how their information can be used, and what their rights are as a patient, and how you protect their protected health information. Under HIPAA, the practice must attempt to get a signature. That signature just says that they have received it and read it, or that they acknowledged that they received a copy of it.
However, if you cannot get a signature, it is fine. You do not have to punish yourself for not getting a signature from somebody. If they do not sign it, just make sure you make any notes that need to be put down there about who asked, maybe the reason why they refused to do it, anything like that, and then the date, and your name. Make sure all that’s taken care of.
In an emergency, if you are getting a person in and they didn’t fill out the Notice of Privacy Practices, don’t fret. If you have not given them one, it’s OK. See the patient, deal with that later.
If you don’t give it to them right away, you can give it to them later. It doesn’t have to be given to them exactly when they call on the phone. You can mail it to them if you want, scheduling the first appointment.
Anything like that, they’re not so picky about, as long as, at some point, you have provided them a Notice of Privacy Practices, or it was offered within your office somewhere, like on the website or posted in the office near the check‑in area.
I will tell you this, though, if there are stricter laws that you know about in your state, you must follow the state law over the federal law. That pertains to pretty much anything. That pertains to OSHA, HIPAA, anything else that might be going on. If the state says something, it’s usually stricter, and you need to follow the stricter law.
The Notice of Privacy Practices, this is what it says. It says how their information can be used, as far as treatment, payment, and healthcare operation. The other reason is only if the law is requiring it. If you are going to use it for any other reasons, you have to obtain a patient signature.
The patients have the right to inspect their information or records, as long as it doesn’t have anything to do with psychotherapy notes. Some of those can be written, and you don’t have to share that with them because of harm that they might do to themselves or others.
Patients have the right to request amendments. The provider may override. In this case, what they would do is they may say, “OK, I need to change this,” or “I need to change where this information’s going,” or whatever.
Maybe they gave you their parents’ address, and you know for a fact that that address is not being used now. The provider can say, “Hey, we’re going to keep your address as is right now until we can get confirmation on your address that you’re giving us,” or something like that. That’s just a quick example of what could be a reason why they request amendments, and why you might refuse it.
Patients have the right to request the accounting of disclosures up to three years back. It just depends on how far back your electronic records go. Your electronic records may have started two weeks ago. In that case, you can’t give them an electronic record three years back.
With healthcare operations, they include anything that you’re actually doing to improve your situation in your office ‑‑ financial, legal, administrative. I can go in there and do training for an office, and I’m part of your healthcare operations. If I come in there and audit your office, I’m still part of your healthcare operations, so I’m covered under the Notice of Privacy Practices.
If you have somebody that comes in that’s a consultant that walks through your office, looks at your information, helps to do your practice information and get you on track, they’re still part of the healthcare operations. They’re covered under the Notice of Privacy Practices, saying that we will protect that information. If I’m a consultant, I’m still going to protect your information and the patient’s information.
We have another poll question. We want to get your information, or what you think might be your current staff training. It’s relative to HIPAA compliance, or are you currently training your staff, and what you’re doing, how you’re doing it.
Let us know how you’re doing it now. There’s different ways that you can do it, great ways.
We do it a couple of ways through my office, or DoctorsManagement. We try to offer it any way we could possibly offer it to our clients.
It’s very interesting to see what all you do for your training. Let me give you a few more seconds on this, and we will hop on over to the results.
Kelly: All right, so how are you currently training your staff? It looks like computer‑based modules. That’s great. That’s great. It’s so much easier when you’re using a computer based that everybody can get their stuff in. It’s very easy to get everybody in there and get them trained and not have to worry about getting everybody together in one group section.
Even interoffice role play. Awesome. Awesome. Lunch‑and‑Learn sessions, great, and mock audits. Great, great, great. This is very good information. It’s great to see that you’re training your staff. Hopefully, getting the value out of that training is great.
Now, the patient’s rights. They have the right to restrict. They have the right to request that the covered entity not disclose certain services. This is if they pay fully out‑of‑pocket, and also to opt out of any fundraising communication.
They want a restriction if they want a restriction. I had somebody just ask me [laughs] the other day. I was working with a new client. They said, “Well, why would they refuse it?”
I said, “How long have you been working with patients? Because a patient might refuse for any reason and every reason.”
We have to be prepared for that. We have to come up with the reasons why we do what we do and why the patients ask what they ask.
Patients have the right to request any kind of confidential communication. If they would rather be contacted by their work number and not their home number, great. They may change their email 20 times. They may change their phone number 20 times.
Always keep up‑to‑date information because if something does occur and you have to get rid of their records, you have to contact them. Or if there’s been a large breach and you have to contact them and you don’t have a proper number, it’s very hard for you to get in contact with them. It’s very difficult for you in the long run.
Patients do have the right to lodge complaints. That’s why we have a nice privacy person in your office. They also have the right to contact the Office for Civil Rights directly. Let’s hope they come through you first.
With privacy principles, professional judgment may override certain requests, and you’ll know. I think that you will have a feeling. You’ll know if you need to, I guess, refuse a request sometimes. You have that feeling. Maybe somebody comes in requesting their family’s records.
You have a funny feeling about this person might be using drugs, abusing the patient, or something like that, and you refuse to give them the record. Even though they do have a right to the record being a family member or maybe a personal representative for the patient, you can refuse that if you need to if you think that it could harm the patient in any way.
A good thing to go by ‑‑ what you do here, what you see here, what you hear here when you leave here, let it stay here. That actually came out of Oak Ridge, Tennessee where I lived close to and all the wonderful nuclear plants because they wanted to keep everything secret. That’s what we have to do with HIPAA.
Covered entities may not sell electronic PHI without specific authorization. Privacy protections continue 50 years beyond the end of life. If my records are in a doctor’s office and I die tomorrow, they have to keep my information private for 50 years after my death.
Confidentiality agreement continues ’til the end of life. That’s the confidentiality agreement that you sign as an employee for your employer. In that sense, anything that you see, do, or hear within the facility with the patient, you have to keep private.
Signed authorizations. I could probably go through this slide and let you know what the signed authorizations are. I would get a signed authorization for almost anything except for, of course, treatment, payment, health‑care operations that are normal day‑to‑day things.
If you have any question about it, if you say, “I’m not sure if I should get a signature,” just get a signature. This is going to cover you in the long run.
Yes, there are things you get signatures for. Yes, there are things that you don’t have to get signatures for. However, if you want to be safe, I would make sure that you get all kinds of signatures for everything.
This is like law enforcement. If they call and they say, “Hey, I’ve got this lawsuit that’s against so‑and‑so, and we’re trying to find out if there’s been neglect for this elderly patient. We’ve got a case against them. We need this patient’s record,” actually those patients’ records can go straight to the lawyer if need be.
If you want to request them to come in and sign for it or give you a paper, they can do that, too, just so you can say, “Hey, I just want to make sure that I cover all my bases. Can I have something signed that says that you come and pick this up,” make sure you get that, too.
Marketing, releasing the PHI to the patient’s employer and research, any kind of research where the patient information is not de‑identified, you do have to have a signature by the patient.
Doctor’s excuses. So many people do this. They will send a doctor’s excuse to or through a fax to the school and have never gotten an authorization.
You have to have an authorization through that person to release any information. This includes doctor’s excuses and even medication. If I said, “I go to school. I have some medication. I’m going to use it” and they say, “Hey, you need to have a note for that,” I can’t call the school and say, “Hey, can you send me a note over here for my medication?”
They can take that, but they need a signed authorization. You have to sign something. Send it back to them to let them know that it is OK.
Medications, also photos. Make sure that, if you are posting photos, getting photos of people to put in certain books to go talk about the services that they’ve had done, make sure you get some signatures.
Even if you have to go back in some of the time, maybe a few years before you didn’t realize that, you want to get some signatures from some patients, make sure you get yourself covered.
Access to records. All patients have the right to access their records. If they ask for a copy of the records, you have to give it within 30 days of the request.
If they just want to come in and they want to view their record, or maybe they are in the office and you’ve got your paper chart with you and they say, “Hey, can I look at my record?” they have the right to look at their record. However, you want to supervise them. For one thing, they could take something out of their record, change something in their record.
Make sure that you stay with them. If they want a copy of it, give them a copy.
In electronic format, if you have the option to provide it in electronic format. Sometimes you don’t, depending on whether the covered entity has an EMR, or electronic medical record.
Then you can charge for copies. Each state provides you a per‑copy fee. When you see that per‑copy fee, you can charge it.
Tennessee, I think is a dollar per copy, but I think it tops out at $20. That may be the most you can pay for a copy of your chart.
You can also offer a summary. They’ve been coming to you for 30 years and you’ve got five charts filled up for them, paper charts. You may not want to supply all that to them. You may want to give them the last five years of their information and then maybe summarize the rest. You can provide them what you need to provide them that way.
Privacy issues. Minimum necessary. If you’re ever talking to somebody within the office about another patient, make sure that there’s nobody around that can hear you.
They could overhear information about a particular patient. If it’s somebody that’s working there, that’s one thing. If it’s another patient or maybe patient family members that are standing outside in the hall, make sure that you don’t do that. You are aware of your surroundings. That’s one big thing that I have to tell a lot of my clients is to be aware of the surroundings that you have.
I’ve got maybe three exam rooms that are side by side. However, the exam rooms are paper thin. I put three patients in there. I’ve got to be aware that one of those patients is hard of hearing. The next patient in the other room is going to hear everything I say, so we have to be aware. Maybe I just don’t put anybody in that middle section.
I move them or wait to put them in there until I’ve talked to the patient that’s hard of hearing. Let’s adjust things in the office to make sure that the information that you are disclosing is the minimum necessary but also is what can’t be overheard by other people.
Privacy issues including disclosures of electronic protected health information, one free per year. You can charge if there’s more per year. This includes treatment, payment, health‑care operations in the EMR, disclosures for legal or government purposes. This could be a workers comp issue, too. Goes back no more than three years for the EMR.
Personal representative. This can be a lot of people. This could be patient, parent, guardian, durable power of attorney, even minors. The parents may be the personal representative, so some state laws will say a minor, maybe an adult, depending on what age they are. I think there’s one state that even says that a minor could be considered adult at age 15 depending on what their situation is.
It all depends on that and your state laws. The provider may make decisions based on a professional opinion to determine who should have the access to the PHI. Just like I was saying, if it was somebody you had a question about you didn’t want to give the patient’s information to that person.
You may consider refusing that, getting a signature from the patient to back up if the patient really wanted them to have it so that there’s no legal issues.
Business associates. We do have business associates that we work with as a covered entity. Those business associates take care of some of the information for us on our behalf.
This could be an attorney, consultant clearing house, billing company. Even a shredder company is a business associate. Your IT company is a business associate. This is how I like to explain it because it can get confusing. A covered entity is the person that takes care of the patient. A covered entity can be a lab even because the lab person takes care of the patient.
Then you go down to the business associates. Business associates are not necessarily going to be somebody that’s a medical person, but they will take care of the medical information that the covered entity will have. They come in contact directly with some medical information that you may need to worry about.
The business associate agreement is essentially the confidentiality contract that an employee signs. It has a little bit more writing in it. However, it does say, “Any of this information that you see while doing your job with us, you have to protect that information.”
Covered entities, they can have the business associates. They have to have the business associate agreement. As a business associate, they are held to the same privacy and security standards, which means if anything should happen, the business associate can get in just as much trouble as a covered entity can.
We have to keep that in mind when we do have business associates that work with us.
Breach notification, notification of a breach. There are certain breaches that are accidental disclosures that occur within the facility. Maybe somebody picked up a piece of somebody’s record that fell out of a paper chart, and it was a patient, and they returned it to the front desk.
That’s still a breach. However, it is not one of those breaches that you have to be concerned about, but you do have to look at the facts: “Would it affect the patient? What kind of information was on it? Could they have taken the person’s Social Security number and written it down before they handed back the page?” “Yes, maybe.” Did it have it on there?
Those are things that you have to look at. If they just picked up a page that said, “This patient was excused from our office on this date,” they’re not going to worry too much about that. It depends on the actual information that was seen.
Unsecured protected health information is anything that’s been rendered unusable. Anytime that you take those ‑‑ what I was telling you about ‑‑ those identifiers off of there, if you take all of those identifiers off of there, but you’re telling them every surgery I had, in every hospital, but it doesn’t link to me in any way, then it’s not protected health information.
As long as they can’t come back and figure out who it was that information was based on. If you can, it is a breach, and you have to look at how serious a breach it was.
There are three exceptions. Unintentional, the one I was telling you about. Inadvertent, where a person authorized to have the information actually hears it. If they work for the same covered entity, it’s going to show we work together. You’re not going to use the information against this patient.
In a covered entity, your business associate has good faith that this unauthorized person that received it will not use the information.
For example, if I accidentally sent my information to a physician’s office that I was supposed to send to another physician’s office, and this other physician’s office, the first one that I sent it to, did not know me whatsoever, but they have all my patient information.
I know that this covered entity is not going to use that information against me. They’re not going to use it against the physician that I go to. This is one of these exceptions.
If you feel that they could use it for any reason, you may want to write it down. Even if it’s a small breach notification, or even if it’s one of these exceptions, you may still want to write it down and make a note of it, because if this is a regular occurrence, then you need to work on your HIPAA stuff.
You need to make sure that these things aren’t happening, because there could be an intentional breach and you don’t want that to happen. We don’t want that to occur.
Breach discovery. If you do discover that there is a breach, it did affect patients, you need to report it as soon as possible, document all the information, and I can’t tell you enough about documenting ‑‑ document, document, document. Because if you don’t have that information documented, they cannot prove this information.
Write it down, get people’s interviews, whatever you need to do, and make sure that you correct the issue before you ever get in trouble for it. Make sure it’s taken care of, because it’s going to come back on you. They’re going to ask you a lot of questions if it was serious enough.
I have a wonderful story for you at the end about this information.
Report to the privacy or security officer, and then you’ll investigate. That person that you have will investigate and notify any affected individuals. They’ll report to the media or Health and Human Services if you have to. Then implement corrective actions, including disciplinary actions, if necessary.
This is one thing that Health and Human Services, or the Office for Civil Rights, actually likes to see, that you are actually taking initiative as an employer to discipline those that don’t do what they’re supposed to do, especially if it could hinder patient information or the privacy of patients.
I skipped one. Sorry about that.
The confidentiality non‑disclosure agreement. I usually tell my clients to have anybody, anybody that they feel could have access to their patient information within their office, sign one. If you have paper charts within your office still, and you’re not using the EMR, then I would have your housekeeping staff sign a confidentiality agreement.
That doesn’t mean if they’re in there cleaning and you’re not there that they’re not looking at those charts. This way you’re covering yourself. You had them sign that. They know that the information is private. If they let that stuff out there, or if they take any of that information, you’re probably still going to get in trouble.
However, you are going to get in less trouble because you tried to make sure that they understand that the information that they may see is private and should not be shared.
Make sure that everybody signs one of those agreements that you feel may have contact with your patient information.
We were talking earlier about the security and privacy rules overlapping. It’s the same reason that you do both of them. You’re protecting the patient information. However, the security rule is only electronic, so far, and the privacy rule is everything, everything out there that has to do with protected health information.
The purpose of the security rule. This is to maintain the integrity of the medical record, ensure the availability of the PHI, and also to protect patient confidentiality.
The paper and oral may be addressed later. They may decide to put that in there, hopefully, don’t make a lot of changes. I guess, they’re getting very strict with a lot of this HIPAA stuff, even business associates.
If you’re a business associate, they’re even cracking down on business associates, because some of them, I guess, were letting things slack as a business associate. They’re letting the covered entities, they’re taking a lot of the brunt of it, so now they’re going back to the business associates and what they’re doing.
The security rule. It’s separated into three categories ‑‑ administrative, physical, and technical. When I come out and do an audit, I check all these. I ask you lots, and lots, and lots of questions to perform this audit. Part of this has to do with if you’re doing some of this, if you’re making sure this is done. It’s kind of a walk‑through of, “OK, are you complying?”
Risk analysis and management. Are you looking through your stuff? Are you taking a checklist, “OK, I need to improve on this. My firewall is not strong enough. I need to put a better firewall in there.”
Maybe we’re being too lax on how we take care of people that are not doing what they’re supposed to do with HIPAA privacy. They’re up front talking too loud, and the patients in the lobby are overhearing it, and they’re complaining that they can hear information.
Systems activity review. Texting, or vision [inaudible 39:04] procedures. Also, emergency mode operation plan. What you’re to do if you can’t get to that information on the computer. Do you have paper backup?
Data backup. I’ve had people that will back up data, they will back it up, back it up, and back it up, and then they’ll realize, “Guess what, we didn’t test our backup.” Then when they have to put that backup in, all of a sudden it doesn’t work. It didn’t get backed up. For some reason, the disk didn’t take it.
Login monitoring, protection for malicious software, security reminders, access authorization. A lot of this stuff, and the other stuff that I am going to talk about with the security, the privacy, the administrative, PerfectServe does some stuff like this for you.
I’m going to let Heather speak a minute on what they do, or can do for you.
Heather: Thanks, Kelly. PerfectServe is relevant to Kelly’s list here on administrative safeguards. We often hear concerns about ePHI relative to texting. We know that texting back and forth between care providers is happening at most organizations.
It’s becoming a common mode of communication in patient care, but keeping that ePHI secure needs to stay top of mind to mitigate any violations.
That’s why PerfectServe is a secure platform that allows you to send messages, make calls, even send attachments, and it’s all secure. It’s in a secure environment that does meet HIPAA and HITECH standards.
You do want to make sure that any communication mode that you’re looking at, especially texting, is also safeguarded against any kind of ePHI.
Kelly, I’ll turn it back over to you. Thank you.
Kelly: Thank you.
We’ll talk about technical safeguards. We’ll also talk about the security safeguards.
There’s unique identification as far as a user on a computer, emergency access procedure, automatic logoff, encryption, decryption, authentication of the ePHI, and integrity control.
One thing I do see in a lot of offices, and I mean just about every office, except for my doctor’s office that I go to, that I don’t do HIPAA for. They’re very HIPAA‑compliant with their sign‑in and sign‑off. They have a badge that they come in and they’ll scan their little computer. It pops up. They use it, put the information in. They’ll scan it before they leave, and it shuts it down.
Perfect. I can’t say how good that is, because I can’t go over and play on that computer. So sad, but I cannot go over there and open that computer and see what’s on it.
Many of my clients, I’ll do that. I’ll go over and I’ll sit at their computers. I’ll move their mouse, and I will pull up a whole group of information about one of their patients right there, and I can read all about their health, automatically.
If a patient was led into that room and said, “Here, have a seat. The doctor will be in with you in a minute,” and they decided to get up and look at the computer, guess what. They’re going to see all that information.
It’s very important that you log off and keep that information private. Sometimes I think offices just don’t take it as seriously as they need to on that.
With the physical safeguards, contingency operations, facility security plan, device and media, making sure this information is safe.
When she was talking about making sure that your texting is safe and everything, I’ve had offices in the past, and they’ll ask me, “You know these doctors have been texting things back and forth, and back and forth. Is this information safe?”
No, you can’t protect that information on most phones unless you have a service that’s going to take care of it. You can’t guarantee that somebody is not going to break into that phone and into your information. It makes sense having the security that you do on your computers to protect this stuff from getting hacked. There is the problem. We want to protect that information.
Maintenance records. This is all the reason why we do this physical, administrative, technical safeguard is to protect this information. It’s the whole reason we do it.
Sample security control, regular virus protection, encryption/decryption, set screen savers, making sure that somebody actually has a business associate agreement. If there’s a transcriptionist or somebody that takes a laptop home with the patient information, if it’s on that laptop itself, not on the cloud, if it’s on there and they save it and all of that, that is to be off‑limits to anybody else. They’re going to be using that.
We do that with us, and our office, and our consultants. They will take computers home and they have that information on their computers, and we say, “Do not let your family use this computer. It is used for company business.”
Termination process. Making sure that you go through a list and making sure you remove them from the passwords, retrieve office keys, if you have to change locks, access codes, block them from the work stations. Position the computer monitors where the patients can’t read them, or getting one of those privacy screens.
Passwords. I can’t stress enough how important it is to have a really good password and that you’re changing it often, even if you put a simple password in there. If I decide to put “Dog123,” change it. I need to change it to “Cat345,” or “Dog897.”
Something different, about every three months, because if somebody does hack into your system, think of it this way. If somebody hacks into your system and they do get your password, it is readily guessed, and you don’t change it, guess how long they’ll have that pass code, as long as you don’t change it.
They could be continually getting into your server, getting stuff before you ever realize it. Making sure that these pass codes get changed very frequently is very, very good.
The other thing is sharing passwords. This is another thing that I go over with the client, is making sure that you don’t share passwords, because if I let somebody use my password and they decide that they want to go in someplace they shouldn’t be in, then I’m going to get blamed for it.
Because there’s little breadcrumbs left, and they’re going to say, “Kelly, why were you in this person’s chart at this time?” “I wasn’t.” “This is when it says.” Then I realize that my co‑worker was in her chart, but I can’t say that I shared my password with them. Be careful with that.
Backup. If you’re keeping them in a cloud base and if you have EMR, great, great. Just make sure that that cloud service or your EMR is making sure that all that stuff’s documented, or you can have access to that documentation of how they are taking care of that information. So if you do get a HIPAA audit, you have that available.
If you do still have stored backup tapes, make sure that they’re locked in a fireproof and waterproof safe, and that they’re kept off site away from the facility if something should happen.
With the data backup, stored backup tapes, like I said, make sure that the backup tapes work, that you tested them. I think also that they can test the cloud information to make sure that stuff’s backed up also.
Just make sure that you have all that information documented. Because if something should happen and they had a question about that, documentation is going to save you.
I’m going to let Heather talk a little bit about this information. I’m going to turn it over to Heather for a few seconds.
Heather: Thanks again, Kelly. It’s interesting. I came across a statistic, in August of the past year on Healthcare IT News about data backup, and apparently there’s a HIMSS Analytics survey that found disaster preparedness is now one of the leading reasons why healthcare CIOs are making the decision to shift resources onto cloud platforms.
The cloud, if you haven’t heard about it much, you will start to hear about it even more. From our perspective, at PerfectServe, the importance of the cloud goes beyond file storage and data backup into clinical communication.
PerfectServe is cloud‑based. We do offer secure texting, secure messaging, secure communications, but we are cloud‑based which means that you are able to communicate beyond geographic and organizational barriers. You can connect and communicate with provider colleagues and other care team members, no matter their location.
If you’re in your practice, and you need to communicate with folks in a hospital setting, or at a skilled nursing facility, or some other setting, you can do that very easily with PerfectServe to coordinate patient care across the continuum. That’s all because we’re based in a cloud.
Think about other cloud‑based technologies that also support your HIPAA compliant standards in addition to data backup.
I’ll turn it back over to you, Kelly. Thank you.
Kelly: You’re welcome.
Our next one, passwords, so the same. Don’t share them. Change at least every six months, if not more often. At least seven positions, random letters, numbers, not easily guessed. You could do “Supercalifragilisticexpialidocious” if you really want to.
Something that’s harder guessed is much better. I know you’re going to have a harder time to remember it, but you don’t have to necessarily change it too much. You could put five or six different letters in there.
A lot of times people will put a phrase of words, like, “My dog has fleas.” That’s very hard to guess, or “My husband has fleas.” You could put any of that. As long as you’ve got a string of words, that’s going to help you a lot.
Technology considerations. Being careful with this. She was talking about texting patient information, also remote access. Be very, very, very careful. I see a lot of times sometimes, offices have to draw a line and say, “OK, no we cannot do any social media posting. This will end.”
I can actually play towards the employee part on here. If you are an employee, just don’t post it. Don’t try to get away with it. Don’t forget that you can’t post it, because you can lose your job over this. Don’t post.
I’ll just give you a quick example. If somebody posted something about a famous patient being in the office, you just can’t do it. You can’t because somebody else in the office told on her. It’s going to happen, and I don’t want you to lose your job. Just be very smart about it and make sure that you are taking the precautions you need.
Some reminders. Minimum necessary, keep your information to yourself and not around unauthorized people.
Software, do not bring software from home. Be very careful with that, because it could infect your hardware if you bring something in there. Same thing with downloading programs from the Internet.
Email attachments. If you have any questions, send that over to your IT person, let them look at it. Making sure that hardware and software is treated like it needs to be treated. That is very important, because it keeps all that information for you and keeps it private. Also, an electronic lock between the reception and clinical area is going to keep people from wandering back there.
That’s another thing I catch people on, too, is leaving the door open, and they can just walk on back and do whatever they want. I did that with one of my client’s offices. Before they ever noticed me, I was back there for about 10 minutes.
Also, we have enforcement. If they are going to come out and look at your office, it’s very important that you know they can come out at any time. They don’t have to have a reason. Most of the time, they will have a reason, because there’s too many of us that they can come out to find out or come to see.
It’s very important that you do realize, though, if they decided to come out or if you got a complaint, and they said, “Hey, that’s a good idea. We’ll just go out and check them.” Make sure that it’s mandatory that you know if somebody is complaining on you, you be ready. I’ll get to those at the end.
Penalties for violation, sliding scale based on the severity and the violation. We’ll talk about this quick here. It can go from $100 to $50,000. It can also go from $1,000 to $50,000, $10,000 to $50,000, and $50,000, and your cap‑out is $1.5 million. Now, this does not just include the price that you will pay. It will include jail time.
It does not just include the employer or the patient. It can include any employee that works for any of this. If we get in trouble, we can get charged for this.
Internal penalties, I was saying with the disciplinary actions, it’s not just a wonderful thing that they do it, but you want to make sure that it is important that the employees know that the employer can discipline them if anything should occur.
Accountability for everyone across the board, and it’s unlike OSHA, because there the only person that gets fined is the employer. Here, everybody can get fined.
Policies and procedures, make sure you have that. This is a quick review to make sure that you have this stuff.
You need to have policies and procedures. You need to have a privacy officer, security officer in place, you need to have passwords, making sure that you have strict enough passwords. Medicine privacy practices in place up to date.
The privacy rule, everybody knows the privacy rule. The employee training, it’s done yearly. It is recommended yearly, it is not required yearly. However, it does look good on you to do it.
Confidentiality contract, business associate agreement, subcontractor agreement, anything you need there.
A confidentiality plan. That’s what you’re going to do if anything should happen to your information and you can’t get contact with it. For example, if your cloud shut down and you couldn’t get to your cloud, you’re going to have to pay for backup and you’re going to tell them how you’re going to do that.
Encryption, decryption, virus protection, a firewall, making sure that’s all getting updated. Also, active limitations for employees.
I shouldn’t be able to go in there and look at all the financial information about our patients or the financial information about other staff or their billing information, because I don’t work in the billing part of it.
Accessing or limiting that access is very important also. That keeps people from getting in there and getting information they shouldn’t have.
Records monitoring, making sure that you make sure that people are doing what they’re supposed to do and not in places they shouldn’t be. Records monitoring backup, breach response, auditing, risk assessment. These are all very, very important.
We’re actually going to get this poll question here, I apologize. We want to be able to give you some information here and actually want to give you the availability to ask questions.
Quick case study. Let me tell you this really quick. An orthopedic practice in Georgia that I’ve worked with, they had a breach of a 100 ‑‑ [laughs] I think my number keeps going up every time I talk about this and I’m going to do a low number today ‑‑ 125‑126 thousand charts, and they were electronic charts. The person that got into it was somebody they would call the Dark Overlord. They broke into them through a third‑party vendor.
They got in there, they hacked in, stole the information and held it for ransom and told them, “We will start putting out patient information if you don’t pay our ransom.” They did pay their ransom. They had two patients’ information go out with complete charts of the patient information, credit information, Social Security numbers, all kinds of stuff, and that got out.
They came, and they went through every nook, cranny, and cobweb they had within the facility. This took days.
They checked their passwords, everything that I mentioned today, passwords, encryption, decryption, emails, how often people were accessing information. They did it all. I don’t even know what the fines are going to be for this practice. They haven’t even found out yet.
However, we don’t want this information to go on, or this information to do that to you all. One of their big things was their security, making sure that their security was good in all their electronic stuff. They weren’t.
Their passwords weren’t safe enough. They went in there and figured out at least half of the people that worked there had very simple passwords. They guessed them.
In a dentist office in Nashville, we had the office manager, who was the husband of the dentist, the dentist, which is the female, and then they had two assistants and two hygienists, so six people in all. What happened is one night she goes in to close out everything, turned out all the equipment and everything.
She goes in to turn off this computer, realizes somebody’s email is up, reads the email, and it’s about her patients. It’s about her patient information. She found out that the assistants and the hygienists were all working together, making money, selling the patient information that they had there at their office to another doctor.
In that case, there was nothing she could do because, I thought about this later, I said, “Why didn’t you turn them in?” She couldn’t do anything because she would have got in a lot of trouble because she wasn’t protecting the information like she should.
For all you employers out there, she had to pay unemployment benefits to these people while they were off work. She should’ve had to fine them or get them in trouble.
One quick thing about the orthopedic office in Texas, it was the one that I was saying that a famous person came in. The medical office person saw that this person was famous and didn’t know they were in there until they opened the door, saw them, screamed their name out. Everybody in the office now knows. Then she went immediately and posted it on Facebook. She immediately got in trouble.
Do not take this stuff lightly. Be very serious with all of this and how you need to protect your information.
If you have any questions, I do see that a lot of you do have some questions that I can get to, I hope to answer those. Then I’m going to pass it on to Heather and Wendy, and let them complete the information for you.
Heather: Thanks, Kelly, wonderful, really educational information today. We are out of time for today. I do see there’s probably about 10 or 11 questions in here in the Q&A box, some around clarification on consent forms and things like that.
What we’ll do, since we’re out of time today, is get these out to you in writing. We’ll work with Kelly to get answers out to you as quickly as possible. Thank you for all those questions.
We’re going to go ahead and wrap up today. As I mentioned, we are dedicated at PerfectServe to supporting improvement in care delivery. We’ve got a couple more webinars coming up here in February and March. Take a look at those. You can register for those on the webinar platform using the link.
I think we’re going to wrap up with a poll question, or Wendy may have already pushed that out about getting more information on securing your clinical communications.
Finally, thank you, Kelly Ogle, for an amazing and educational presentation, and thanks to our audience for joining us.
That does conclude our webinar today. Please take a moment to complete a short survey and tell us how we did. Have a great afternoon, thank you.