August 27, 2020 When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was made easily accessible. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. What data needs to be properly disposed of? Anything that does or could have once stored PHI – some you may not even realize – should be properly disposed of to wipe any traces of patient information. This includes: Many devices unknowingly have stored patient information – in emails or text messages, documents accessed on your device web browser, pictures or screenshots, medical images, voicemails, or applications that stored PHI during use. Devices may contain their own storage drives, especially if IoT enabled (connected to your WiFi or internal network). RELATED: So You Have PHI to Dispose of – Now What? What is considered proper digital data disposal? Unfortunately, clicking the ‘delete’ button does not completely remove digital data. Even if you overwrite files, they can still be recovered using software tools. The following are a few ways you can ensure your devices are disposed of properly: Now before you grab those hammers and start smashing up your Windows 7 PC, HIPAA law requires practices to store PHI for at least 6 years and potentially more depending on your state. Devices with data that falls within that 6 year timeframe should be backed up before they are wiped clean, and data should then be encrypted while being stored. Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.
OCR Highlights Asset Log as Key HIPAA Recommendation
August 25, 2020 Earlier today, the Office for Civil Rights (OCR) sent out their seasonal Cybersecurity Newsletter on a very timely and relevant topic – the importance of keeping track of devices that contain electronic protected health information (ePHI). The OCR’s newsletter highlights two important things for independent practices: first, that having an asset log is the recommended method for tracking and thus safeguarding devices that contain ePHI, and second, that the OCR views practice’s lack of knowledge around where their devices are as a key area of concern. Part of the HIPAA Security Rule, practices are required to implement the necessary technical safeguards covered in the Security Risk Analysis (SRA) – including encrypting and securing their devices that contain sensitive ePHI. While an asset log isn’t directly required under HIPAA, the OCR highly recommends the creation and maintenance of an IT asset inventory to better understand where ePHI may be stored and strengthen overall compliance with these requirements. What does an Asset Log entail? We know it’s hard to keep tabs on everything within your practice, but when it comes to your devices keeping inventory is key. As the OCR’s newsletter highlights, the asset log should be a comprehensive list of all IT assets with corresponding descriptive information. The OCR notes that this list could include ALL devices, even those that don’t access ePHI directly, as they could contain ePHI unknowingly or be an entry point for cyberattackers to your network. Your list should include: When documenting these assets, Abyde recommends including all the following information: Additionally, it is important to regularly update your asset log as devices are moved around by location or by assigned staff members. Just like an SRA, your asset log should not be a ‘one and done’ project, and should instead be reviewed regularly. You should also track when devices are disposed of, as properly disposing of devices that contain ePHI is a common cause of HIPAA violations. No matter the size of your practice, creating and maintaining a thorough asset log isn’t an easy task. With a program like Abyde, our built in Asset Log covers all the OCR recommendations and then some – helping you track devices at high risk and making your IT inventory intuitive. Having the ability to access your asset log within a cloud-based solution like Abyde makes reviewing and updating inventory a breeze, and helps ensure you’re complying with all the right technical safeguards.
Properly Encrypting ePHI: What Your Practice Should Know
August 20, 2020 Even before COVID-19, electronic solutions were transforming the way practices work and communicate with patients and other providers. As technology continues to evolve within the healthcare industry, it’s important to understand how to properly secure sensitive protected health information (PHI) when stored or transmitted. What does encryption actually mean? Protecting patient data from cyberthreats goes beyond having appropriate passwords. It means having the right technical safeguards in place including properly encrypting any PHI created, stored, sent, or received by your practice. So what exactly is encryption? Encryption means that content containing sensitive data is made unreadable for anyone except those authorized to view the information. This process essentially uses a software or algorithm to ‘lock’ the data or written text and requires an encryption key to make the information decipherable again. What should be encrypted? So what should be encrypted? Simply put, the answer to this question is pretty much anything containing PHI. This includes data that is being sent to someone else such as a patient, business associate, or another provider. Examples of this include: Why does encryption matter? For a typical practice, your EHR system is likely already encrypted – but your EHR isn’t all that matters. All other laptops, external hard drives, servers, and communication systems are at high risk if they are not also properly encrypted to protect from cyberthreats. In fact, failing to encrypt devices has been the cause of various HIPAA violations. Recently, a covered entity in Rhode Island faced a $1,040,000 fine from the OCR on top of a 2 year corrective action plan. The violation resulted from a stolen unencrypted laptop, leading to over 20,000 patients data being exposed. Part of the reason for the hefty fine was the organization’s “systemic non-compliance” when it came to proper encryption of devices. The entire incident could have been avoided if the entity had the proper technical safeguards in place. With cybersecurity threats on the rise and electronic communication becoming more commonplace, it’s all the more important to ensure the protection of your patients’ information. Implementing encryption services is a great way to best protect your practice and prevent HIPAA violations. If using an external vendor for encryption, make sure to have the appropriate business associate agreement in place as well.
Top 6 Ways to Be Prepared for a HIPAA Audit
August 14, 2020 Let’s be real – there’s probably a few things in life we all have an“Oh, it won’t happen to me” mentality about. For many medical professionals, that may be exactly how you feel about HIPAA audits – yet HIPAA investigations are becoming more common than you might think. While the odds of facing a totally random HIPAA audit might not be high, they increase significantly when you factor in additional investigation triggers like data breaches, cyber attacks, and patient complaints- none of which a medical practice is immune to. Proactively preparing for anything that might be thrown your way is imperative for your practice to have the ability to handle a HIPAA audit without the consequence of a hefty violation. Here are the top 6 things you should have in place BEFORE a breach, complaint or audit investigation occurs: 1. Security Risk Analysis The first thing the OCR looks for upon investigation is a properly documented and up to date Security Risk Analysis (SRA). This shows that you’ve assessed your practice operations and identified any vulnerabilities – BEFORE an audit occurs. While it’s the first step of HIPAA compliance, only 17% of practices audited by the OCR met this requirement. 2. Practice-Specific Policies & Procedures Proper documentation is key for all aspects of your compliance program including your practice specific HIPAA policies and procedures. These policies and procedures serve as the guidelines for how protected health information (PHI) should be handled within your practice and the proper documentation is necessary to prove the expectations and standards you have set for your organization. 3. Disaster Recovery Plan Disasters happen, most of the time without warning. Having a disaster recovery plan in place is important to ensuring continuity of patient care and continued access to important medical records. As the saying goes, if you fail to plan, you plan to fail. 4. Implement Proper Administrative, Technical and Physical Safeguards Securing all forms of PHI with the necessary safeguards already implemented within your practice is essential to successfully meeting HIPAA requirements – and ultimately protecting your patients. 5. Staff HIPAA Training Properly train your workforce on all HIPAA privacy and security policies and procedures. This training should be ongoing to ensure that staff is staying up to date with any changes to HIPAA regulations or practice operations. 6. Business Associate Agreements It’s important to be on the same page with everyone that has access to your patient’s secure information. Implementing the proper business associate agreements (BAAs) with all third party vendors that could potentially access PHI ensures patient data is secure while also offsetting liability to business associates should they be the cause of a data breach. There’s a lot that goes into your HIPAA program, even more than the top 6 items listed here, which is why it’s all the more important to have a true culture of compliance in place and a complete HIPAA program to prevent and minimize threats to your patient’s data.
OCR Alert: Windows 7 a Growing Risk for Cyberattacks
August 13, 2020 Have you updated your Microsoft Windows version recently? If your answer is no, then you might be at a greater risk of experiencing a cyberattack. The Office for Civil Rights (OCR) in partnership with the FBI sent out an alert just this morning regarding the increase in cyberthreats to outdated computer networks, specifically the Windows 7 operating system (OS). Windows 7 went end of life (meaning it is no longer supported or patched by Microsoft) in January of this year. Because it is no longer monitored or supported, the OS is missing the necessary security updates to continuously protect against hackers. Utilizing the outdated system dramatically increases the risk of cyberattackers accessing your computer systems – including the sensitive patient data they house. In their alert, the OCR expands on the various vulnerabilities that come from failing to safeguard your practice’s computer network by continuing to use Windows 7, including that: Other factors that increase the current risk include the shift to working remotely and the less secure network connections typically used at home. It is highly recommended to upgrade any outdated computer systems as soon as possible to reduce risk. In addition to updating your operating system, ensure your anti-virus and firewalls are all up to date to best protect your devices from outside threats. While updating core operating software may mean additional costs and resources, the OCR emphasized the importance of following their recommendation in their alert, stating that, “these challenges do not outweigh the loss of intellectual property and threats to an organization.” While HIPAA does not specify a required operating system, meeting required technical safeguards does include keeping your systems secure and as protected as reasonably possible from cyber threats. In this case, that means having an active OS that is still receiving critical security updates. We highly recommend protecting your critical patient information and upgrading any systems necessary as soon as possible.
Recently Offboarded Staff? Don’t Forget About HIPAA Requirements
August 6, 2020 Many practices have an organized system for welcoming a new employee to the team. Usually, new staff is an exciting addition, and you’ve likely got your welcome bag, name tags and business cards at the ready. But, when it comes to the end of an employee’s life cycle at your practice – not uncommon in 2020 due to COVID-19 – the process may not be as exciting or as organized. The uncertainty that surrounds having to terminate an employee can be messy, leading to paperwork and processes being executed in haste. In this hurry, mistakes are often made leaving sensitive patient data exposed to unauthorized recipients. Even if you have the best intentions and think it’ll never happen to you, data breaches continue to surface stemming from improperly terminated access. Whenever you part ways with a former workforce member, full offboarding measures must be taken to ensure full protection of your practice as well as your patient’s data. The HIPAA Security Rule specifically details the required termination procedures in Section 142.308(a)(11) as the “formal, documented instructions for ending employment and closing off internal and external access.” This removal of access can be done by implementing the following offboarding actions: Even for former employees, documentation is still essential when it comes to HIPAA compliance. Your practice should keep all HIPAA training certificates on file for up to 6 years even if terminated. If a breach occurred prior to an employee’s termination, or an audit occurs even after termination, you will need to produce a copy of the training certificate to prove that each staff member was properly trained at the time. Other steps that should be taken on a regular basis to help improve the security within your practice as well as help ensure a smoother offboarding process include: You may have a system in place for offboarding, but if you’re a busy practice there’s no harm in waiting a month or two to make sure access is revoked, right? Well…not so much. Every day that your former staff still have access to PHI is not only another day of increased risk, but also a major concern if ever audited or investigated by the OCR. In fact, failing to properly implement these procedures when offboarding employees has been the catalyst for multiple HIPAA breaches. In 2018, a Colorado Hospital found themselves in a HIPAA violation costing them $111,400 after terminating an employee without proper offboarding. The employee was not removed from the hospital’s online-based scheduling calendar which contained PHI – ultimately allowing continued access to the PHI of almost 600 patients. Along with the former employee’s access, it was found that the medical center’s web-based scheduling calendar vendor also received access to PHI without the proper Business Associate Agreement in place. In response to this settlement OCR Director, Roger Severino emphasized that “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” Equally as important as staff is properly offboarding any vendors your practice worked with. If any of your vendors have any access to your practice both physically as well as electronically they must be properly removed when your work contract is terminated. Things like disabling remote access to servers from any accounts with administrative privileges are often overlooked and can be a huge risk for data breaches and HIPAA violations. In fact, having a proper Business Associate Agreement in place with these vendors puts them on the hook for removing access and returning or destroying any PHI they may have had or created on behalf of your practice. Having a comprehensive plan from the start to finish of an employee’s time at your practice will have a huge impact on ensuring the security of the sensitive patient information within your organization. While you most likely won’t have to deal with an employee gone rogue, being proactive and making certain that there are no loose ends when it’s time for a staff member to leave will help make the offboarding process seamless and stress-free.
Abyde Joins Forces With North Carolina Dental Society to Deliver HIPAA Compliance Solutions to Dental Practices
August 5, 2020 August 5, 2020, Tampa, FL – Abyde, a user-friendly HIPAA compliance software solution for dental practices, today announced it has joined North Carolina Dental Society (NCDS) as an endorsed HIPAA compliance solution for North Carolina dentists. As HIPAA complaints and breach threats continue to rise in 2020, the need for practices to understand and implement HIPAA compliance programs is now more important than ever. Abyde’s collaboration with NCDS as an endorsed solution showcases collaborative efforts to help dental practices meet this need and to provide NCDS members with essential tools to realize HIPAA compliance on an ongoing basis. Abyde’s software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies, and more. “Joining North Carolina Dental Society as an endorsed solution showcases the value and ease of use dental providers have found with Abyde, and our joint commitment to helping providers realize HIPAA compliance when they need it most,” said Matt DiBlasi, President of Abyde. “We are honored to be a part of North Carolina Dental Society’s select solutions and to play a role in educating and protecting their practices.” “The North Carolina Dental Society chose Abyde for its easy to use and comprehensive program for our members. We are pleased to have Abyde as an endorsed solution,” said Duncan Jennings, Managing Director of NC Services for Dentistry. “We research and endorse solutions allowing our members to focus on their patients in this changing healthcare landscape. Abyde will make identifying compliance opportunities, tracking results, and staying current simple.” About AbydeAbyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com. About NCDSThe North Carolina Dental Society was founded in 1856 and remains one of the oldest dental societies in the country. Representing 3,900 member dentists across the state, our mission is to help all members succeed. The NC Dental Society is a part of the American Dental Association, the nation’s largest dental association, representing 163,000 member dentists, and the leading source of oral health information. For more information, visit https://www.ncdental.org. Read the full press release here.