[BreachExchange] Confusion over HIPAA leads to violations

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 26 19:52:25 EST 2017


http://www.modernhealthcare.com/article/20171225/NEWS/171229958

Every day, physicians across the country are flirting with privacy trouble.
They're texting each other protected health information, storing it in
shared notes on their iPhones, and even posting about their patients on
Facebook. Often, they don't even know what they're doing could be breaking
the Health Insurance Portability and Accountability Act's privacy rule.

"You would think that physicians would hear about breaches and think they
don't want that to happen to them, but at the same time, they're just going
as fast as they can to get their job done just like the rest of us," said
Kathy Downing, director of practice excellence for the American Health
Information Management Association.

Clinicians don't necessarily have time to think about HIPAA, and they might
not know whether or not they're adhering to the regulations. At one
university-owned orthopedic practice, providers are using shared iOS
notes—stored in the cloud—to pass information to each other about patients'
eligibility for trials, Downing said. If their electronic health record
vendor, Epic Systems Corp., gave them a way to track that eligibility,
they'd be doing it in the EHR, she said. But it doesn't.

Efficiency and convenience also lead physicians to communicate via text
message. Although texting doesn't necessarily break any rules, it could,
said Pamela Hepp, a healthcare lawyer with Buchanan Ingersoll & Rooney. If
protected health information were sent to the wrong recipient, or if someone
got hold of an unsecured phone with protected health information stored
in the texting app, that would be considered a violation.

"The workarounds are the real problem," Downing said. Though these
providers knew what they were doing wasn't quite right, they also weren't
really thinking about that, focusing instead on getting the job done, she
said.

Naiveté goes beyond physicians and nurses; it extends to medical office
staff too. One administrative worker in a provider's office was upset with
one of his neighbors for personal reasons, so he posted about that person
on Facebook. The problem? He mentioned that the neighbor was a patient of
the office where he worked, thereby breaking HIPAA rules.

The provider would have been on the hook for that violation, said William
Horton, a partner with Jones Walker, whose clients include that provider.
"That's something the provider didn't control. There's a breach even though
there's nothing the provider could have done to prevent it," he said.
"That's frustrating."

Sometimes, adhering to HIPAA has the opposite effect, leading fearful
providers to avoid taking allowable actions. "Because HIPAA is a fairly
complicated statute and set of regulations, you will not uncommonly hear
providers say, 'We can't do XYZ because HIPAA won't let us,' when in fact
that's not the case," Horton said. "Sometimes I think people default to
that as an excuse for not doing things they don't want to do."

But sometimes it's just plain misunderstanding. "People tend to be very
risk-averse, and it's much easier to say 'HIPAA won't let us do that,'"
Horton said.

Providers often think that all email is off limits, Hepp said. "If the
email goes to the right person, it's not a breach," Hepp said. Still, she
pointed out, many organizations put rules in place that forbid emailing
protected health information.

Another area of confusion is business associate agreements. Providers are
sometimes unsure when agreements are needed. One of Horton's clients
thought they needed a business associate agreement with someone who was an
employee. If someone is employed by the group, they are part of the covered
entity.

Part of the overall problem is what providers understand the purpose of
HIPAA to be. "They often think of HIPAA as how they're set up in the EHR or
patients' rights in the EHR," Downing said.

Provider organizations might solve some of these issues with better
training. "HIPAA requires regular training," Downing said. "Annual is not
often enough." Physicians must know who their privacy officers are, she
said.

But that's not possible for some, whose organizations don't have privacy
officers in the first place. These organizations risk not only getting
fined for HIPAA violations but also losing to cyberattacks.

"If the providers aren't being safe about technology, that's going to cost
them way more than the Office for Civil Rights penalty," Downing said. "The
security piece is even bigger than the HIPAA violations."

She recommended having employees read the OCR's cybersecurity newsletter to
improve security without incurring a significant expense.

When organizations do have privacy officers, it's important for those
people to focus on privacy and nothing else, Horton said.

"In order to do the best you can to ensure compliance, you've got to have
somebody who is willing and able to dig into the requirements and remain up
to speed on them."

Their job also includes vetting vendors to make sure all software is secure.

It's not enough to use generalized training for employees, Horton said.
Providers should be trained according to the specific risks they face given
their environments. "If you don't have policies that address that
particular work setting, then you're really leaving yourself open for
potential exposure," he said. "That takes time and money, but it's money
well spent."