HIPAA Say What!?!
Another don’t blame HIPAA story from Ken.
David got an email asking a question that in many ways just made us feel sad:

Hello! My name is Joshua and I own a cleaning business. We do mostly residential, but I have relationships with a few medical companies and want to be HIPAA compliant so I can clean their buildings. How do I go about this? I have no idea where to even start.
Post of the day
From an online forum that you pay to be part of:
When it comes to HIPAA, the biggest obstacle you will face is the effect that compliance has on their workflow, and therefore their bottom line. Due to the nature of operations, hygienists, assistants, and doctors often bounce from room to room with frequency, thus making the “each user must have their own unique username and complex password with 15 minute screen auto lock” a serious disruption. Not many offices are on board with that level of requirement, so a liability waiver would definitely be a consideration.
No More Guessing What OCR Expects
Wow, things are getting really interesting in the HIPAA world with yet another settlement from OCR in back-to-back weeks. The most important thing is that another CAP has been released with very specific requirements. They are not leaving room for interpretation in these. Listen up folks! The time to play around with squeaking by on the bare minimum is over! This is some for-real, get-it-done language.
Lifespan is a CE, a non-profit health system in Rhode Island. They are set up as an Affiliated Covered Entity, or ACE. An ACE is a bit tricky. Legally, it is a collection of other CEs. Each one is a legally separate entity, but they are all under common ownership or control. That lets them combine the group into an ACE so they can all use the same NPP, policies and procedures, training, BAAs, etc. But they are still independent in other ways.
The Lifespan ACE includes several hospitals in the state. I think it counts as 7 entities under one roof.
This one all started on Feb 25, 2017. An employee's car was broken into while parked in a public parking lot. A laptop, specifically a MacBook, was stolen. It just so happens the employee used the laptop for work purposes. It isn't clear who owned the computer, but they did determine that work emails may have been cached in a file on the hard drive.
Assuming that the file was there, the thieves had access to all kinds of PHI. Lifespan had to assume it even included PHI from other affiliated providers, including pharmacies and much more. This is why we don't like PHI in emails at all. Too many mail apps will download that data to the device and cache it locally, and you have no control over it once it is there.
Most importantly, the laptop was not encrypted. Obviously, or we wouldn't be talking about this, would we?
What are the findings from the investigation?
Here is the quote from the Director. We always use this as our clue. It is the point they are trying to get across with this enforcement action.
Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.
Roger Severino, OCR Director
Surprisingly, the SRA (security risk analysis) isn't mentioned as something they did wrong. I think they get a special feather in their cap just for that, but in the end it wasn't enough. Lifespan got dinged for the following issues:
- Did not implement policies and procedures to encrypt all devices used for work purposes
- Did not implement policies and procedures to track or inventory all devices that access the network or which contain ePHI
- Did not have the proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of the Lifespan ACE
- Impermissibly disclosed the PHI of 20,431 individuals
While they didn't skip the SRA, it appears that they noted encryption as a requirement that should be addressed, but they never did anything about it.
So the agreed payment of $1,040,000 is nothing to ignore. That is for sure. But the two-year CAP has the interesting stuff.
What is so important about OCR's requirements in the CAP?
There are things in here that aren't specifically mentioned in the findings. The findings section doesn't look so bad, but when you get to the details of the CAP it is much more obvious what needs to be done.
The first point is they need to get their ACE setup in order. Apparently, that isn’t documented properly. They have 30 days to get that done correctly.
The Business Associate Agreements must have also been a mess. A couple of points in here to note.
Designate one or more individual(s) who are responsible for ensuring that Lifespan enters into a business associate agreement with each of its business associates… prior to Lifespan disclosing protected health information (PHI) to a business associate.

That says an entity should make it clear that a specific person is responsible for making sure that BAAs are in place where they should be. PLUS, it should be done PRIOR to giving them PHI. We cannot count the number of times this is being done wrong in organizations every day.
The next part of these requirements matches our recommendations for a BA contracting workflow. Review your vendors to determine who is a BA and have a process for making sure a BAA is signed. Create a template that is your standard BAA and use it, not a different one every time. Plus, keep the documentation where you can find it. And most importantly, make sure you limit disclosures to BAs to the minimum necessary.
This stuff may be news to some folks, but we can blow on by it here.
They have 60 days to complete the policies and procedures around all of this and show it to HHS for review. That is interesting. But, once it is approved by HHS, they then have 30 days to provide two things:
- An accounting of the BAAs between Lifespan Corporation and the members of the ACE that includes the name of each affiliate, a description of the services provided, and the date those services began.
- A copy of all of those agreements proving it had been done.
This is the important part. For years there have been regular discussions about the addressable requirement for encryption at rest under HIPAA. We had to take the stance that if it moves it should be encrypted… period. After that you can offer up some reason not to encrypt everything else, but it really should be done at some point. Imagine a large organization with all those devices, because this covers the whole ACE now.
Within ninety (90) days of the Effective Date, Lifespan shall provide proof of encryption and access controls by submitting to HHS a written report or reports regarding the status of encryption of Lifespan devices (“Encryption Report”) and an update on their Network Access Controls report (NAC Report), which shall consist of:
a. The total number of Lifespan devices and equipment including, but not limited to, desktop computers, laptop computers, tablets, mobile telephones, USB drives, and medical equipment, that may be used to access, store, download, or transmit Lifespan ePHI as of the date of the Encryption Report (“Covered Electronic Media”);
b. The total number of Covered Electronic Media that are encrypted as of the date of the Encryption Report, as well as evidence of such encryption; and
c. For any Covered Electronic Media that are not encrypted as of the date of the Encryption Report, either (i) a description of Lifespan’s plan to encrypt such Covered Electronic Media and an estimate of when such Covered Electronic Media will be encrypted; or (ii) a description of why encrypting such Covered Electronic Media is not reasonable and appropriate, and a description of the compensating alternative measures implemented to safeguard the ePHI accessed, stored, downloaded, or transmitted by such Covered Electronic Media.
d. An updated report on how Lifespan is controlling access to their network. Additionally, this NAC report should indicate what network access controls have been implemented and any pending updates to their access control policies and procedures.
Settlement with Lifespan CAP
It then says the report “may be described and organized by category”. Not sure why they were being nice there, because it then defines exactly what must be included in the report for each category:
shall document the encryption solution used (e.g., native or third party encryption product) including the version number of the encryption solution as well as the encryption algorithms/ciphers the encryption solution is configured to use. The evidence of encryption required under paragraph V.B.1.b. may be provided in the form of a screenshot that demonstrates encryption for a particular category of Covered Electronic Media, a copy of the license for the encryption software deployed on a particular category of Covered Electronic Media, or other reasonable means of demonstrating such Covered Electronic Media are encrypted.
Settlement with Lifespan CAP
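To make that reporting requirement concrete, here is an added example (not from the podcast, OCR, or Lifespan) of a small Python inventory check that turns raw endpoint status output into the per-device record the CAP describes: solution, version, cipher, encrypted or not, and for anything not encrypted, whether a plan (c.i) or a documented exception with compensating controls (c.ii) exists. The device list, asset IDs and tool outputs are constructed samples modelled on the text printed by Windows `manage-bde -status` and macOS `fdesetup status` plus `sw_vers`; the parsing functions are hypothetical helpers, not a Lifespan tool. One check a practitioner wants that a screenshot alone does not give you: a BitLocker volume that reports "Fully Encrypted" but "Protection Off" (suspended) is holding a clear key on disk and should not be counted as encrypted.

```python
"""Build the per-device encryption evidence a CAP-style Encryption Report asks for.

Added example with constructed sample data; parsers are hypothetical helpers
modelled on real tool output, not part of any vendor or Lifespan tooling.
"""
import re
from dataclasses import dataclass


@dataclass
class Device:
    asset_id: str
    category: str          # laptop, desktop, tablet, phone, usb, medical
    platform: str          # "windows", "macos" or "other"
    tool_output: str       # raw status text collected from the endpoint
    plan: str = ""         # c(i): plan and estimated date to encrypt
    exception: str = ""    # c(ii): why encryption is not reasonable/appropriate
    compensating: str = "" # c(ii): compensating controls for the exception


@dataclass
class Evidence:
    asset_id: str
    category: str
    encrypted: bool
    solution: str
    version: str
    cipher: str
    disposition: str       # "encrypted", "plan", "exception" or "GAP"


def _field(text, label):
    """Return the value of a 'Label:   value' line, or '' if absent."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else ""


def parse_bitlocker(text):
    """Hypothetical parser for `manage-bde -status <vol>` text output."""
    m = re.search(r"Configuration Tool version (\S+)", text)
    version = m.group(1) if m else "unknown"
    conversion = _field(text, "Conversion Status")
    protection = _field(text, "Protection Status")
    cipher = _field(text, "Encryption Method") or "None"
    # "Fully Encrypted" with protection off means BitLocker is suspended and the
    # volume key is stored in the clear, so only count on + fully encrypted.
    encrypted = conversion == "Fully Encrypted" and protection == "Protection On"
    return encrypted, "BitLocker", version, cipher


def parse_filevault(text):
    """Hypothetical parser for `fdesetup status` followed by `sw_vers` output."""
    encrypted = bool(re.search(r"^FileVault is On\.", text, re.M))
    version = _field(text, "ProductVersion") or "unknown"
    # FileVault on APFS uses XTS-AES-128; the cipher is not user-configurable.
    return encrypted, "FileVault", version, "XTS-AES-128" if encrypted else "None"


def assess(dev):
    """Classify one device the way CAP paragraph c requires."""
    if dev.platform == "windows":
        enc, sol, ver, cipher = parse_bitlocker(dev.tool_output)
    elif dev.platform == "macos":
        enc, sol, ver, cipher = parse_filevault(dev.tool_output)
    else:
        enc, sol, ver, cipher = False, "none", "n/a", "None"
    if enc:
        disposition = "encrypted"
    elif dev.plan:
        disposition = "plan"                      # c(i)
    elif dev.exception and dev.compensating:
        disposition = "exception"                 # c(ii), both parts required
    else:
        disposition = "GAP"                       # nothing defensible to report
    return Evidence(dev.asset_id, dev.category, enc, sol, ver, cipher, disposition)


def encryption_report(devices):
    """Totals for paragraphs a and b, plus the c-entries and unresolved gaps."""
    rows = [assess(d) for d in devices]
    return {
        "total_covered_media": len(rows),
        "encrypted": sum(r.encrypted for r in rows),
        "unencrypted": [r for r in rows if not r.encrypted],
        "gaps": [r.asset_id for r in rows if r.disposition == "GAP"],
        "rows": rows,
    }


# Constructed samples modelled on real tool output (not captured from any system).
BL_ON = """BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 237.22 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
BL_SUSPENDED = BL_ON.replace("Protection On", "Protection Off")
BL_OFF = """BitLocker Drive Encryption: Configuration Tool version 10.0.19041

Volume E: [USB]
[Data Volume]

    Size:                 28.87 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
"""
FV_ON = "FileVault is On.\nProductName:\t\tmacOS\nProductVersion:\t\t13.6.1\n"

SAMPLE_INVENTORY = [
    Device("LT-0001", "laptop", "windows", BL_ON),
    Device("LT-0002", "laptop", "windows", BL_SUSPENDED,
           plan="Resume BitLocker via Intune remediation; ETA 2 weeks"),
    Device("MB-0003", "laptop", "macos", FV_ON),
    Device("US-0004", "usb", "windows", BL_OFF),           # no plan, no exception
    Device("MD-0005", "medical", "other", "vendor appliance; no host encryption option",
           exception="Vendor firmware does not support disk encryption",
           compensating="Locked room, no ePHI export, network segmented and logged"),
]

if __name__ == "__main__":
    rep = encryption_report(SAMPLE_INVENTORY)
    print(f"total {rep['total_covered_media']}, encrypted {rep['encrypted']}")
    for r in rep["rows"]:
        print(f"{r.asset_id:8} {r.solution:10} {r.version:10} {r.cipher:12} {r.disposition}")
    print("unresolved gaps:", rep["gaps"])
```

Run as-is it lists each device with its solution, version, cipher and disposition, and the "gaps" list is what you would have to clear before the report could be signed: every unencrypted device needs either a plan or an exception with named compensating controls, and a bare "we know about it" counts as neither.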
They are not playing around with what encryption should be used and how it should be documented. All these years, when we would ask about the encryption in place, there has been pushback. Well, that will not be acceptable any longer, will it? But wait… there's more.
They “shall” provide an update to HHS regarding its encryption status which shall include the status of the encryption, as expected. But, the report must include:
supporting evidence, of Lifespan’s implementation of a Mobile Device Management (MDM) solution that will ensure all Lifespan-owned and personally-owned mobile devices (tablets, smart phones, and other mobile devices) that access ePHI on Lifespan’s secure network are encrypted, except for any mobile devices for which Lifespan has granted exceptions to the encryption requirement. If Lifespan has granted exceptions for the encryption requirement to any mobile devices, it will provide evidence of reasonable compensating controls that have been implemented to protect the ePHI on such devices. Lifespan shall complete initial deployment of an MDM solution within one hundred and twenty (120) days of the Effective Date.
This is hugely important to note. They must prove they have implemented an MDM solution that makes sure the encryption is in place including on personal devices.
They are also supposed to prove they are periodically testing the effectiveness of the encryption solution for all devices on their secure WIRED network. The initial MDM deployment covering the mobile devices must be done within 120 days.
The rest of the CAP includes your normal update of policies and procedures with distribution and training. But this part about encryption should be on everyone’s required reading list if they are responsible for technology and HIPAA.
We have always used the CAPs to shape our privacy and security program compliance, but the latest versions are so specific that we will be checking all of our systems and methods to make sure we are providing the most up-to-date information possible. If you haven't started getting these ducks in a row, now would be the time to be making your list if nothing else.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!