Help Me With HIPAA: Reboot Checklist (Ep 255)

 May 22, 2020

By Anton Kiorolgo

Assess what impact the changes have made

We all have to figure out how we will function in this new world we live in. It feels like it changed overnight. We have to rebuild our business plans and implement new policies, procedures, and safeguards to address how things have changed and must change. We have to adapt to a world that includes this virus attacking humans, and we humans will never be the same because of it. Reboot checklists will be something we reflect on and refer to several times in the next year or so.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Reboot Checklist

There is a lot to consider, from dealing with the various employee-related issues, to financial planning, to getting back on track with what is left of a business plan for 2020, and much more. Now that we have all seen just how important technology is to running the business, it is important to deal directly with plans for all your tech needs. Have you considered these items in your checklist?

Document all the changes you have made.

You need that documentation for many reasons. You may need to add it to your checklist in multiple places. Don’t think that you won’t need to know these details at some point a year or so from now. Write up everything about both the tech changes and the policies and procedures. Document who was working remotely and how they were set up. Include your equipment changes and additions. Make sure you get documentation from your IT team so you can follow up on their changes too. Consider the following things: did you do any of them?

  • Buy, lease, borrow or share equipment – don’t forget the use of mobile phones
  • Reallocate equipment from old duties to new duties
  • Implement new software, including mobile apps and communications tools
  • Handle communication between staff and customers or patients with new tools or devices
  • Change access controls for systems, applications, or users
  • Use new tools to share information between staff and customers or patients
  • Add remote access methods or allow remote access for people who didn’t have it before
  • Deactivate any users who were furloughed, laid off, or resigned, including those on long vacations or leave
  • Relax policies and procedures or change them to adapt to the temporary requirements
  • Start using telehealth solutions or any other new service
    • Did any of them take advantage of the “enforcement discretion” announcements from OCR?

Document what you plan to do to reopen.

Without making a checklist of these things you can’t make sure all the potential security and privacy issues will be addressed. A year from now this checklist is also what you will rely on to remember what you did, and why you did or did not do something.

  • Will you be operating in the same manner as before?
  • What items listed above will be undone?
  • What items listed above will be implemented now? Telehealth? New services? Remote work?

Now that you know what changed and what you want to put back, it is time to build the plan and assess the privacy and security implications of everything. Trying to do this without a plan is just begging for Ben Franklin to be staring at you over his glasses. In fact, there will probably be hundreds of Bens staring at you saying “Failing to plan is planning to fail.”

It will be easier to start with a checklist of projects. Then break that down into smaller, manageable parts with their own checklists. Here are some things we suggest you consider in your plans.

If you made a lot of changes to open up your network for remote access, seriously consider engaging a forensics team to do a scan of the systems and network. Remember how we discussed dwell time and the malware that lets criminals hang around in a network for a while before acting. Better to know now than when it is all back together and locked by ransomware.

Any applications you implemented and want to keep using should be reevaluated for security and properly documented and planned out. Consider the past couple of months a trial period; now is the time to get serious.

Equipment and devices should be scanned and checked for issues once they are back under your control.

Change passwords only after the scans have confirmed that no keyloggers were in place; otherwise the new passwords may be captured too.

Did data get stored on devices it should not be on? If so, those devices should be wiped, or at the very least make sure the data has been locked down.

Take advantage of the opportunity

You will rarely have an opportunity to look at everything as objectively as you can now. If you were able to function securely without certain things, do you really need them? Did your policies and procedures adapt well, or not at all? It may be time to revisit them.

Build a checklist to address the things you want to keep in your business after it is put back together. There will be plenty of items like making sure everything is secured and documented properly, but also add to your checklist that training must take place.

The most important thing to remember

Keep all of this documentation and use it for your incident response plans. You must do a post-incident review. Do not miss this opportunity. Get everyone together and ask them to make notes of things they thought worked well, what may have been missed or done differently, plus any ideas they think should be considered if another crisis requires you to work this way.

Everyone who didn’t already have something in place suddenly created an incident response and business continuity plan on the fly. Even the plans that were in place never had this kind of crisis in mind. Again, this is a golden opportunity; do not miss your chance to solve a problem we always struggle to resolve. Have a plan that is well thought out and reviewed as you make these changes.

Once you have created all these various checklists you may want to create a checklist for your checklists. With the amount of change we will continue to adapt to over the next year, we will need things written down and double checked. This is the best way to go about it, in our opinion anyway.

Listener questions to cover:

Interesting questions as always coming from our listeners. Here are a couple we handled recently.

Randy Elliott sent us an email asking about all kinds of things he is finding when a client asked him to “help them with HIPAA” LOL. He reports that our podcasts “have been an invaluable resource” to him. We were not surprised that the group had an MSP but they only handled a few things. Randy found a substantial list of problems like unencrypted laptops and “the key to the shredder stored ON the shredder”.

In the process, their website came up. Of course, when he asked who maintained it there was the ummmm answer. He sees that there is a Gmail account sending an email to an O365 account when someone completes a form requesting an appointment. The form has a reason for visit included in the options.

At that point he asked his question:

So my question — is there a way to get this information in a compliant manner? What do other practices do? They do have a portal (Athena) but for a reason I’ve forgotten either can’t or don’t want to use it for this purpose.

Thanks — you guys are great.

I explained you could make a G Suite account compliant with a BAA, but as I am typing this I realize he said Gmail, not G Suite. Often groups just remove that field from the form because you are always going to ask again when you talk to them. I suggested he just change the form to “call me” kind of wording instead of the “I want an appointment” wording.

Our next one is from Jenn and she cracked us UP!

Donna and David,

There’s a new sheriff in town, and it’s ME! And it’s because of you two!

I work for a medium-sized Physical Therapy clinic in southwestern PA and I was delegated the role of HIPAA compliance officer. I’ve been reviewing and updating our BAAs and found that one of them (our reminder call service) had refused to sign our BAAs (back in 2016), and we had signed only theirs. So I called to send over a new copy and they still stated that they do not sign BAAs of CEs. “Our agreement should cover any legalities that would be in yours.” When I pushed further asking for risk and security assessments to have on record or “specifically how they are HIPAA compliant” he said he can forward my requests to their legal team but I “probably wouldn’t get anything on paper.”

So my question. I know we can just stop using them. But do I push harder before terminating? Should things like this be reported to HHS? Can I say “legally you have to sign ours?” Our documentation system recommends this Reminder Call service, should I contact them to let them know that the call service is not complying?

Am I getting too big for my HIPAA britches??? Am I the next Erin Brockovich?

Love the podcast so much! It’s so helpful and snarky and fun.

Thanks so much,

This is certainly a tricky one we run into all of the time.

Whose BAA gets signed is always a negotiation. Usually the larger entity wins. You can usually challenge the terms, which is very important to do just to show them that you are paying attention.

I have no doubt that you are at risk with these folks; when you get that kind of response about their program, you know there is no concern for privacy and security. Their BAA is required to have some language about termination in it. You can use that to terminate contracts you may be locked into with a vendor in order to switch.

You can choose to report it to HHS on the complaint portal with your concerns. Keep in mind OCR could ask you about your program too. See what happened in the first settlement for 2020. If the vendor is particularly unhelpful it may be worth it.

I would definitely go to the vendor that recommends them – talk to their HIPAA officer about it. If they don’t take things seriously you may not get far. Tell them to listen to HMWH and get back to you. But your best bet is to use this company along with yours to put pressure on the vendor to get their house in order. It is just unfortunate that you may find another vendor you have to worry about not taking things seriously.

Your first contacts with both vendors can be by phone, but take notes. After that, everything should be in writing to get their attention. Include your concerns in your termination letter to cover you should you find out later they have already had a breach. It is important that you show you took action once it looked like they were not taking things seriously.

In the interim I would definitely be looking for a replacement vendor or vendors. You can go through the process to vet others. That part isn’t easy with these kinds of services, we find.

In other news

Another alert from CISA: APT Groups Target Healthcare and Essential Services

Keep these in mind as you review the things we are about to discuss. In case you aren’t a nerd, APT stands for advanced persistent threat, which means in basic terms that the criminals are very good and they are in your network, or in the network of your business partners, and stay there. From the CISA alert: “The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.”
