A critical issue for any business is its internal controls. Typically, we think of internal controls as the policies and procedures designed by management to safeguard assets and manage resources. For health care providers and certain employers/plans, it is not just the typical business assets that are subject to internal controls but also the personal health information (PHI) of patients and employees. Under the Health Insurance Portability and Accountability Act (HIPAA), the responsibility to protect this information became law in 2003. So, why are we discussing HIPAA in January 2015? It’s simple – as part of your internal control best practices, you need to review your security policies and update your risk assessment on at least an annual basis, or any time there are significant changes to your environment. When was the last time you reviewed your internal controls relating to PHI?
In early December 2014, the United States Department of Health and Human Services (HHS) assessed a $150,000 HIPAA violation penalty against a small mental health nonprofit agency for HIPAA security rule violations. The assessment focused on the organization’s failure to maintain updated IT systems – software that had not been updated with newer security patches, outdated anti-malware and a lack of staff training were all cited as reasons for the significant fine (the maximum that can be assessed is $250,000).
According to Tod Ferran, CISSP, of SecurityMetrics, a security breach has multiple detrimental effects on all involved. For the entity, a breach can cause bad public relations, with between 35 and 46 percent of patients leaving the entity, Ferran said. A breach can also lead to harm to the patient’s health and safety due to identity theft, particularly when identity theft results in significant changes to a patient’s medical record. Ferran estimates that the actual cost of a breach is $359 per record. As reported by the Secretary of HHS to Congress, there were 56,899 breaches in 2011 and 2012.
Whether you are a health care provider, employer or plan subject to HIPAA PHI provisions, as you make your assessment, consider the following:
- Consider the date of your most recent risk assessment to determine what has changed.
- Determine the date of the most recent updates to:
  - Is it installed on each computer?
  - Firewall and/or web filtering
  - Operating system and software
- Consider a HIPAA compliant cloud server.
- Not all employees are equal in their need to access PHI – assign different levels of security clearance to specific people. Role-based security helps to prevent employees from accidentally changing or seeing information that does not pertain to their specific duties.
- Establish strong password policies:
  - Never share passwords between staff members
  - Require that passwords be changed at least every 90 days
  - The systems administrator should not have access to user passwords
- Establish strong access policies:
  - Implement user session timeouts to avoid leaving live screens unattended
  - Lock user accounts after too many failed login attempts
  - Deactivate login credentials for terminated employees immediately
- Interview employees to make sure they are not sharing sensitive PHI with others who shouldn’t have access, including co-workers or personal acquaintances.
- Secure all paperwork containing PHI by placing it in a drawer or folder when not in use. Cover charts so patient names are not visible. Never leave records and other PHI unattended.
- Minimize occurrences of others overhearing patient information. Do not use a patient’s whole name within hearing distance of others. Remember that patients in an examining room can frequently hear conversations that are held in the hallway.
- Avoid accessing a patient’s record unless needed for work or with written permission from the patient.
- Establish communications policies that require:
  - Use of a cover sheet when faxing PHI
  - PHI to be sent via e-mail through an encryption process
  - Remember, even e-mail sent internally is still e-mail and should be protected.
- Establish a mobile device policy.
- Shred all paper files containing PHI.
- Obtain a Business Associates Agreement with any vendors or other businesses associated with your practice who may come in contact with PHI.
- Provide training:
  - New hires
  - Annual update and reminder of all internal policies
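As an added illustration, not part of the original article, the following script checks a user-account export against the role-based, password and access-policy items in the checklist above. The 90-day password age comes from the list; the lockout count, session timeout, role names, audit time and sample accounts are constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Thresholds: the 90-day figure is from the checklist; the lockout count,
# session timeout and PHI role list are assumptions for this example.
MAX_PASSWORD_AGE_DAYS = 90
MAX_FAILED_LOGINS = 5
SESSION_TIMEOUT = timedelta(minutes=15)
PHI_ROLES = {"clinician", "records"}

# Constructed sample account export (not real data).
ACCOUNTS = [
    {"user": "nurse01", "role": "clinician", "enabled": True, "terminated": False,
     "phi_access": True, "password_set": "2014-12-01", "failed_logins": 1,
     "locked": False, "session_open": True, "last_activity": "2015-01-12T08:55:00"},
    {"user": "front02", "role": "reception", "enabled": True, "terminated": False,
     "phi_access": True, "password_set": "2014-06-15", "failed_logins": 0,
     "locked": False, "session_open": True, "last_activity": "2015-01-12T07:30:00"},
    {"user": "temp03", "role": "clinician", "enabled": True, "terminated": True,
     "phi_access": True, "password_set": "2014-11-20", "failed_logins": 7,
     "locked": False, "session_open": False, "last_activity": "2015-01-02T17:00:00"},
]
NOW = datetime(2015, 1, 12, 9, 0)  # assumed time of the audit run

def audit(accounts, now):
    """Return (user, finding) pairs for every checklist violation found."""
    findings = []
    for a in accounts:
        pw_age = (now - datetime.fromisoformat(a["password_set"])).days
        if a["enabled"] and pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["user"], "password older than 90 days"))
        if a["terminated"] and a["enabled"]:
            findings.append((a["user"], "terminated employee still enabled"))
        if a["failed_logins"] >= MAX_FAILED_LOGINS and not a["locked"]:
            findings.append((a["user"], "lockout threshold reached but not locked"))
        idle = now - datetime.fromisoformat(a["last_activity"])
        if a["session_open"] and idle > SESSION_TIMEOUT:
            findings.append((a["user"], "idle session past timeout"))
        if a["phi_access"] and a["role"] not in PHI_ROLES:
            findings.append((a["user"], "PHI access outside role"))
    return findings

def audit_sample():
    """Run the audit over the constructed export at the assumed audit time."""
    return audit(ACCOUNTS, NOW)

if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```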
In the event of a breach, documentation is critical. Save all notes from phone calls and interviews, even if it is determined that a breach did not occur. Organizations have a burden of proof in breach situations, and documentation can help meet that burden.
It is also important to carry data breach insurance and to ensure it covers all scenarios, including intentional breaches by an employee.
For an independent review of your internal IT controls, contact John Jamison (firstname.lastname@example.org; 330.315.7823) or for your healthcare organization’s or plan’s internal control, contact Sue Peirce (email@example.com; 330.315.7850) or any of your Apple Growth team members.