The third webinar, "Electronic Devices," was held on March 5th, 2015. Jason Karn of Total HIPAA Compliance walked attendees through an overview of business associate agreements, and discussed some of the intricacies of this compliance requirement. Topics covered include:
To make the webinar a little easier to navigate, we divided it into shorter clips. If you'd like to view the entire webinar, just start with the first clip, and the rest will be queued up automatically. A transcript of the presentation is available below as well as answers to some of the questions we received during the Q&A.
To keep things simple, we divided the video transcript into short sections corresponding with the clips above. Just click on the section title to expand the transcript.
Shanyce: Good afternoon everyone! Thank you for joining us for our HIPAA Compliance webinar series. Today will be our third installment, Electronic Devices. I am Shanyce Watkins and I am the Digital Marketing Coordinator here at NueMD, and I’m going to turn it over to our presenter in just a second. But first, I wanted to let everyone know that we have this scheduled for 45 minutes. The presentation portion will take about 30 minutes, then we’ll leave the remaining portion for Q&A. As for questions, we’re going to keep everyone muted throughout the webinar. With this many folks, trying to mute and unmute can get a little messy, but we definitely want to hear from you. There is a Question box in your GoToWebinar control panel, so just type your question in there and we’ll be sure to get as many of your questions answered as possible. So without any further ado, I’m going to turn it over to our expert today. He’s going to give you a little more detail on his background, and we’re fortunate to have Jason Karn from Total HIPAA Compliance.
Jason: Thank you so much Shanyce. I appreciate it! Hello everybody and thank you for attending today. I hope people are staying dry and warm with this storm hitting the East Coast. My name is Jason Karn and I’m the Director of Training and IT over at Total HIPAA Compliance. I’ve been involved with HIPAA in one shape or another since 2003 and I’m also one of the co-creators of the online training compliance over here. I’m also a frequent presenter across the country. A little bit about Total HIPAA: we have customized training and compliance plan templates for five different markets, so we work with medical, dental, insurance agents, employer groups, and also Business Associates and the Subcontractors that support these people. So without further ado, we have a lot of information to cover today. I’m going to try to get through this as thoroughly and as quickly as possible so I can leave plenty of time for questions because as you’ll see there is a lot of information when it comes to electronic devices.
First thing I just want to cover, is this is an educational program and does not constitute legal advice or create an attorney-client relationship. Also, the information presented here is subject to change and it changes often. Technology as you know is moving all the time and changing all the time, so what I’m going to talk about today is what we know to be the most up-to-date information.
So, what we’re going to be covering today is faxes, encrypting email, data encryption, password protection, Wi-Fi, website security, cloud storage, firewalls, and virus protection. There are other things, but unfortunately we just don’t have enough time to cover everything. But I’ll try to touch on a couple other things if time permits.
Jason: Faxes. This is covered under the Privacy regulation. Faxing is still allowed. If it is possible, we recommend that you use a different way of sending information. This is not necessarily the safest way to send information to people. If you have to do it, always use a cover sheet. You want to also make sure that you’ve secured that fax machine. It needs to be in an area where nobody except your staff can access it, especially if you’ll be receiving Protected Health Information (PHI) from other providers or healthcare carriers. You want to make sure it’s in a secure place just in case that information comes in and you don’t have somebody standing there by the machine.
If you are faxing to parties, I know with larger corporations and carriers this is impossible, but it’s really good practice to notify people if you’re going to be sending them a fax. Also, send a test fax before you send the actual documents. One of the big things is, make sure your fax machine isn’t saving any copies. And I’m going to expand that to say, make sure your copy machine isn’t saving any copies. Back on August 14th of 2013 Affinity Health Plan Incorporated was fined by HHS for $1.2 million for a photocopier issue. What happened was they were leasing their photocopiers, which most of us do, and they had been giving the photocopiers back and the hard drives on the photocopiers had been storing copies of everybody’s PHI. So what happened was that HHS came in and did an audit of it and said you didn’t put this in your Security Risk plan and also all this information from about 347,000 people was thought to be compromised. This was PHI and all sorts of security information. So, make sure your fax machine is not configured to save any copies because it will save you a lot of headaches in the end.
Also, if you’re going to use an online fax program which is not a bad idea because that information will be encrypted from point to point and that’s very helpful. But make sure you have a Business Associate Agreement because it is required for this. So you want to see how they’re going to be encrypting that information. The industry standard, and I’ll be saying this a lot today, is 128-bit encryption. Most of them will use that and they will have what is called a Secure Socket License or an SSL License and I’ll be covering that a little later when we talk about the website. But they need to have that and that they authenticate who they are and the information is secure in transit. And the big alert I have here on this is if you send any faxes to the wrong party, that is considered a breach. So if it’s just one person’s record, that is considered a one-time breach. If it’s records from a number of patients, each record is considered an individual breach. If it’s under 500 people you have to hold onto that information, document it and report it to HHS at the end of the year. If it’s over 500 people you have to follow what I call the over 500 rule which means you need to inform HHS immediately, you need to report that to your local media and post it on your website, and you need to contact your clients. Whether it’s over 500 or under 500 you do need to contact clients and let them know what has happened and what information was released. That’s part of your job as the healthcare provider and holder of that information.
Jason: Moving on to email encryption. Now if you have the option to send information using an encrypted email, that is a much better option than sending a fax. It gives you much better control over the information and theoretically you’ll have a Business Associate Agreement with this company so you know how they’re going to be handling that information. Which means a client will then need to login to see that information.
As you know, and I’ve said this in earlier webinars for people that have been here, PHI according to the Security Rule needs to be encrypted in transit, rest, and storage. You need to make sure that your email encryption company is doing that for you. It should be 128-bit encryption or better. This is the industry standard but many companies will use something higher than that called enterprise-level which is 455-bit encryption.
Also, you want to review that ease of use. Is that email program going to work with my clients? Is it going to work with my Outlook, Apple Mail, Thunderbird, or whatever email client you use? You want to make it as easy as possible for your employees to use that email client. And if it’s not easy to use, they’re not going to use it or they’re not going to think to use it or it’s going to be a pain for them to use. You want to make it as easy as possible, so make sure that integrates with whatever system you’re using.
Also know that you need a Business Associate Agreement, it is required for this. I had a client ask me a question about that and they said, “We’re an email provider, but we don’t hold the keys we have a third party that holds the keys so we can’t theoretically decrypt the emails so we can’t even read them.” But, it doesn’t matter because they know where the keys are even though it would take a while to get that information. You still need to make sure you have that Business Associate Agreement because they are holding that information for you. And before you sign that agreement, be sure that you review your compliance plan.
Jason: Onto data encryption. Now this is encrypting information that is on your computer. We see these violations happen all the time and if there’s one thing I can send you away with today it’s the word encryption. And that is your best friend because if you lose information that is encrypted and you don’t have access to the keys or that encryption key is stored somewhere else and the thief or whomever does not have access to that...it is not a breach. And that can save you a lot of headaches and a lot of sleepless nights and clients going what happened to my information. So as you see here, your computers need to be encrypted and they also need to be password protected and we’ll be talking about password protection right after this.
For encryption, on your Windows machines, if you’re using Windows 7, unfortunately only Enterprise and Ultimate versions of Windows 7, there’s a free program that Microsoft offers called BitLocker. It’s very easy to use. You turn it on, it will run in the background and it basically encrypts all that information. So if anybody takes the hard drive out of your computer and puts it into another computer, they then have to have the key to unlock that hard drive. This key is usually somewhere between 13-23 random characters and letters. I was just playing around with some of the password strength tools you can find online and a password like that would take something like a century to break. That’s the kind of encryption you need. That does come standard on Windows 8.1 if you have one of those machines. You should use that. DiskCryptor is an open source program and is for anyone using Windows 7 that doesn’t have Enterprise or Ultimate or maybe you’re using Windows Vista. And I hope you’re not using Windows XP anymore, but if you are you need to make that switch happen. Windows stopped supporting that back on April 8th of 2014 so it’s been almost a year and that operating system is over 13 years old now. It’s time for you to move away from there. If you’re with Apple, FileVault2 is a great program. Again, it runs in the background. I know with those keys you can store it using your AppleID and you should do that. If you’re storing it locally, just make sure you’re using difficult passwords to protect your AppleID. And that brings us to password protection.
Jason: This is your first line of defense and this is going to cover all of your devices. You’re going to have numeric passwords for your portable devices like your phone, your iPad, your tablet computers, etc. But for your computers, you’re going to want more difficult passwords and you’re going to want to change those pretty regularly. We recommend quarterly, but I’ve worked at places that make you change them every 90 days.
So, what constitutes a difficult password? Eight characters or more with numbers, upper and lowercase letters and special symbols. If you have a word like “password” and you’re using that as your password, as I was saying I was playing around with the password difficulty tools and a password like that would take 1 millionth of a second to crack. So it’s almost instantaneous. You want to use non-real words, again upper and lowercase letters so you can make it as difficult as possible. And you need to make sure that you require those password changes which should also be stated in your Security Policies and Procedures. You need to also make sure that you’re following up with your employees to ensure that they are changing their passwords. If you have a lot of passwords, you can use a password management software. And for this you don’t have to have a Business Associate Agreement because they’re not actually holding any PHI though they are holding those passwords. Just make sure you don’t authorize that to automatically fill in passwords for you. Make sure that you say every 3-4 or every 12 hours that resets.
Some great programs include LastPass, 1Password, I know Apple has Keychain. There are others out there, but just talk to your IT people to determine which program is best for you. Just be aware of the settings and that you don’t have them enabled to automatically fill in all the time because if somebody gets access to your computer and they have access to your web browser, now they have access to everything. So it’s very important that you use those password management programs properly.
Jason: On to Wi-Fi. Now, a lot of people don’t think about this, but you call up your local provider and tell them you want to get Internet and they give you a free router. But you want to go in and make sure that it’s set up for WPA2 which is Wi-Fi Protected Access 2 with Advanced Encryption Standard or AES and it will actually say that. It will give you a couple different options like one called PSK which is passcode, but you don’t want to use that. You want to use AES. And again you want to use a difficult password like what we said before.
If you do allow your patients or guests to use your network when they come to your office make sure that you use a guest portal. The more advanced routers will allow you to split to two different channels. And what we’re trying to do is limit the amount of access people actually have to your network. If you split those two things off, you’re giving yourself a little bit of an extra buffer. So, make sure you reset those factory passwords. They may send you a random code or whatever. Just make sure you reset those so nobody can get a hold of those passwords. Another thing to consider is limiting the power of that router. A lot of those routers will spread out and you can catch them in the parking lot. You may want to think about limiting the power so it’s only accessible within your practice or maybe out to the sidewalk, but that’s maybe something you just want to feel out or talk to your IT guy about.
Jason Karn: This is for your personal website. You need to make sure that you have an active SSL. That’s Secure Socket License TLS which is transport layer security and this is the industry standard. This is how you authenticate that your site is real. You get a certificate. Your web hoster will set it up for you and it authenticates what your site is so that people know who you are. You see that little green lock on the right hand side on your toolbar? That’s what SSL does for you.
You want to make sure you’re forcing what they call HTTPS. That’s hypertext transfer protocol secure vs. HTTP. The HTTPS means that all the information you’re going to be accepting is going to be secure and it’s going to be encrypted and protected.
If you’re going to be collecting information on your website, a lot of people collect protected health information, have new clients fill out forms, send in health information. Those sorts of things. It’s very easy to set up but tricky to set up properly. Make sure you’re doing those properly. Don’t let your web guy just say, “Hey, I can put a form up for you and use this plug-in and make it happen”. You’re going to be accepting information and it’s not going to be encrypted in transit. It’s not going to have the proper protection and you’re going to be opening yourself up for a breach. I’ve cautioned people on this. I’ve had doctors say, “Oh, I’ve got a programmer who will do this for me.” Just make sure that is set up properly.
Also, a BA agreement is required with your web host. In those databases, especially if you're going to be accepting information from clients, they’re going to have access to your protected health information. You need to do some research on that. I did a little bit before this. I found that one of the large hosting companies, which is HostGator, will not sign a business associate agreement. There are plenty out there that will. Just make sure that if you’re going to be accepting that information that you’re protecting yourself with that business associate agreement.
If you’re going to be taking information, form collection on your site, it’s a good idea to use a third party for that. And with them you will need a HIPAA agreement. You will need to do some research and make sure they will sign those business associate agreements. Just because they will encrypt information doesn’t mean they are HIPAA compliant. They need to sign the business associate agreement as well as follow HIPAA policies and procedures.
Jason Karn: So cloud storage: everyone is moving to the cloud. It's a great way for you to access information from wherever you are, or to have people work remotely. But you need to make sure you have it set up properly and working properly.
So you want to make sure before you sign with a cloud storage plan you look at it and say, "What level of encryption are they using?". You want to make sure it's 128-bit encryption. That's your key. A lot of these companies are using a lot more which is great.
Do they have access controls on data? This is an important question for everybody because you need to be able to set this up within your practice. You know, your doctor and your front desk don't need to see the same information. And you need to be able to limit that information. That falls under the minimum necessary: the minimum amount of access to do their job. So a front desk may just need to know that Bob Smith is here. So just verify his DOB and make sure he is who he is and they say, "Great, the doctor will see you". And the doctor is going to need to see more of the medical record. So you want to make sure with a cloud storage plan, that they can do that for you also.
Is there an audit trail? That's an important question because if you do have a breach, you need to be able to figure out who had access to that information and who was the last person to touch it. This isn't just to cast blame on people. This is for you to figure out where your shortcomings are, where your holes are, where that information went along the way.
You need to figure out, and I know certain programs are easier to get audit trails from than other ones, you just want to have that conversation and figure out exactly how you're going to track that information.
And the biggest thing is what are they going to do if you have a failure? A lot of these people, when you look at it you say, "OK, if you're using a cloud back-up and they're taking your information, backing it up for you then great. It's off site, then wonderful." But if you have a terabyte or three of data how will they get that information back to you? If you have a server fail or a computer failure, what are they going to do? Are they going to stream it to you, which is going to take weeks? And then you can't get access to that information. Your computer system is down for weeks; are they going to overnight you a hard drive that has that information to get you back up and running? What are they going to do to help you? And that's an important question to ask before you start using cloud programs.
Again, make sure you have a business associate agreement with these people. They will be storing your information and you need to make sure they are protecting it all the way. Remember it's transit, rest and storage that that information has to be protected in. They're going to be transmitting for you, storing it for you, so make sure they are protecting you in that.
Jason Karn: This is a very important thing to have. As you go and you look at your programs and say "I've got to protect my computers and I've got to protect my practice", virus protection is one of the best things you've got for you. What you want to look for is email scanning. And this would be not only for your email client like Outlook or Apple Mail, but also for web clients. So if somebody is accessing Gmail or Yahoo Mail on their computer and they decide "Oh, I'm going to download something", you want that to be scanned also. You want download protection, you also want spyware and malware scans.
Speed: how much is that going to take up of your processes? Is it going to slow your systems down? Is it a heavyweight program? You want to look at that and see what's going on. Compatibility: if you have an older system is this going to work with your system?
And you want real-time information: where things are going and what's happening along the way. You also want to think about Heuristic Analysis. What they're looking for is families. It would be great if we knew what all the signatures were for each virus that was out there. But as these viruses were discovered, people morphed them. They take code from other viruses and they put them together. And so what these programs need to do is they need to look for families, for signatures or codes that look similar to other things they've seen. And what they'll do is called sandboxing it. They'll put it into a place where it can't do any harm, test it, figure out what's going on and then let you know whether or not to get rid of it.
And you also want automatic updates. You can have the best virus program in the world but the signatures change constantly. They update them all the time. Usually daily, sometimes more than that, it just depends on what's out there and what's being found.
Jason Karn: We do have a whole list of resources here. There's a page on our site here dealing with email encryption. We have a couple of different companies that do cloud storage. There are two different choices for firewalls: software and hardware firewalls. Depending on the size of your practice or business, your IT person may only decide to use software firewalls, say if you have only a two person or three person practice.
A hardware firewall is an actual appliance that's a little bit easier to configure for more computers. Talk to your IT person to see which one is going to work best for you.
Secure texting: texting in its base form is not acceptable for communication of PHI. That's something that everybody needs to know. If you're going to be texting information to people, you need to use a secure program. There are secure programs out there if that's the way you want to communicate. It's a great way to communicate, just make sure you're doing it properly. If you're going to be using your general messaging platforms on your phones then make sure you let your employees know that it's not acceptable to send PHI and that they need to not send PHI that way. They need to use either encrypted email or a secure chat program.
We have file sharing, form collection, consultants if you feel like you need help with your HIPAA compliance program. And also some HIPAA breach insurance if that's something you feel like you need also.
During the webinar, attendees were able to ask questions directly to Jason. While we tried to get through as many as we could, we simply did not have time to answer all of them. So, we put together a round-up of the top unanswered questions. We've organized them by section to keep things simple.
Q: What are the best practices for sending PHI via e-mail?
A: You need to send it via encrypted email. You could also share the files using a HIPAA Compliant file sharing program. Here is a list of recommended programs.
Q: Are password protected PDFs sent as email attachments ok?
A: Yes, this is acceptable. Make sure you send the password in a separate communication.
Q: Does Gmail provide sufficient encryption for PHI?
A: The free Gmail does not offer enough protections to send PHI. However, if you use the paid Google App, you can configure it to be compliant. Here is what Google says about using their products for HIPAA Compliance. Make sure you have a signed Business Associate Agreement with Google before you go this route.
Q: When sending email, how should we limit PHI? If there is a breach, what is the threshold amount of exposed PHI that needs to be reported?
A: You should limit your PHI to the minimum amount necessary. There is no need to send the entire medical record, unless that is what is requested.
Any breach of PHI is required to be reported to HHS. If the breach contains information on under 500 people, you have until the end of the calendar year. If it affects over 500 people, you have within 60 days of discovery. Whenever a breach occurs, the patient should be contacted and informed what information was released.
Q: If patients pay their bill via credit card on our website, is this HIPAA compliant?
A: This depends on the protections you have on the site. If you have an SSL/TLS license in place for the website, if the patient is required to login to view the bill, and you have that information encrypted, then you should be ok.
Q: If a website visitor joins a newsletter/email list and/or comments on a blog platform, are these actions a violation?
A: Joining a newsletter is not covered under HIPAA, and patients are free to do this. As for blog commenting, that shouldn’t be an issue, but I would monitor to see if anyone is putting out PHI on the blog. If they do, delete that post immediately.
Q: The only patient info we get on our website are names and addresses ... do I need a BAA?
A: Patients do not receive BAA. If the patient requests a brochure on a medication or procedure that is the same as the patient giving permission for you to market to this person.
Q: Our EMR allows us to make labs, medication refills, etc. accessible to our patients via the Patient Portal. Do I need to be sure there is some sort of security on this? Our EMR system is secured and managed.
A: Yes, there should be an SSL/TLS license on the site that will encrypt the information in transit. Your EMR will probably have these protections, but it is better to be safe than sorry. Also, make sure you have a Business Associate Agreement with your EMR Company.
Q: Our portal sends the patient an email with a link to the web portal. We supply the patient with the login name and password. Is this compliant?
A: Yes, this is assuming that you have the proper valid SSL/TLS license on the site, and that your information is encrypted using 128-bit encryption or better. It is a good practice to have clients reset their passwords. If you can, have your site enforce difficult passwords: 8+ characters, upper and lowercase letters, 2 numbers and symbols.
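The password rule stated in the answer above (8 or more characters, upper and lowercase letters, two digits, and a symbol), written out as a server-side check a portal could run at password reset time. This is an added example and not code from the webinar or from NueMD or Total HIPAA Compliance; the function names and the small denylist of well-known weak passwords are constructed for illustration, and a real deployment would use a much larger denylist.

```python
import re
from string import punctuation

# Constructed denylist of well-known weak passwords (illustrative only;
# a real portal would check against a much larger published list).
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein"}


def policy_failures(password: str) -> list[str]:
    """Return the list of rules the candidate password breaks (empty if it passes).

    The rules are the ones given in the answer above: at least 8 characters,
    at least one uppercase and one lowercase letter, at least 2 digits and
    at least one symbol. A common-password check is added on top of that.
    """
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if len(re.findall(r"\d", password)) < 2:
        failures.append("fewer than 2 digits")
    if not any(ch in punctuation for ch in password):
        failures.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("matches a common password")
    return failures


def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule in policy_failures()."""
    return not policy_failures(password)


if __name__ == "__main__":
    # Constructed sample inputs: one that passes and two that fail.
    for candidate in ("Tr!ck3d-Lant3rn", "Passw0rd!", "password"):
        print(candidate, "->", policy_failures(candidate) or "OK")
```

Report every failed rule at once rather than stopping at the first, so the user can fix the password in one attempt; on the server, run the check before hashing and never log the candidate password itself.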
Q: How can I use live video and instant messaging and maintain HIPAA compliance?
A: There are HIPAA Compliant video services for providers. Here is a great list of the ins and outs of different video sharing services.
Q: If more than one person uses a computer, do we need separate user accounts for each person?
A: Yes, you need to have separate logins on that computer for each person. That way you can track what information that person has been accessing if there is an issue. This will also help you limit the information each person is allowed to access.
Q: What are the best virus protectors?
A: There are many great choices out there. Here is a list of products that have been reviewed by PC Magazine.
Q: What are some guidelines for using Facebook, Twitter, LinkedIn?
A: In addition to PHI, make sure your employees are not posting anything discriminatory, harassing, threatening violence or similar content on their profiles. Any items that violate this policy should lead to disciplinary action or termination. Here is a sample policy from the Society of Human Resource Management (SHRM) that covers social media policies.
Q: I’m using a web host that says it’s HIPAA Compliant. Do I still need a BAA with them?
A: Yes, you need to have a Business Associate Agreement with your hosting provider. Make sure you audit this provider for their HIPAA Compliance before you sign that agreement.
Q: If we use a professional company to shred PHI, would we need to have a BAA with them?
A: Yes, they are a Business Associate since they are handling PHI on your behalf.
Q: Where would I find a template for a BAA contract?
A: Here is the free template from HHS http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Q: I hired an IT/computer person to back up my computers. Do I need a BAA with them?
A: Yes, you need a Business Associate Agreement with that provider. He is coming in contact with PHI, and needs to have his own HIPAA Compliance Plan in place.
Q: If using GoDaddy, will they be responsible for ensuring security/encryption, and do we need a BA with them?
A: You need a Business Associate Agreement with your hosting company, and GoDaddy will not sign a Business Associate Agreement. This is not a HIPAA Compliant option if you’re receiving PHI from patients on your site. We have partnered with a company that has affordable HIPAA Compliant Web Hosting and forms for gathering information from patients: LuxSci.com
If you are not receiving information from clients and the website is only there to tell patients where to contact your practice, then you don’t need a HIPAA compliant server.
Q: Our website is through Weebly. Do we need a BAA with them? No patient information is transmitted through this site.
A: You shouldn’t need a BA with Weebly since you are not receiving any information on your website from your patients. If you do decide to start receiving information from clients on your website, you would need to change hosts.
Q: We use Citrix Fileshare. Do we need a BAA with Citrix or just with the recipient of the info?
A: You need a Business Associate Agreement with FileShare, and with any BAs that will be receiving information from you.
Q: So if a billing company shares documents w/PHI with a client over One Drive by Microsoft, the client needs a BAA with the Billing company and Microsoft and the Billing company needs a BAA with Microsoft?
A: Yes, in this case, both parties would need to have a Business Associate Agreement with Microsoft.
Q: Are AR and appointment making part of PHI?
A: Potentially yes. It depends on how much information the receptionist is given to make the appointment. Use the Minimum Necessary amount of information to make the appointment and for reminders. Keep messages short and only state the appointment time and date and the Doctor’s name.
Q: Can we be held liable if patients text PHI to a provider on their own? For instance, a patient sends a text with a photo of a rash.
A: This is the patient’s action, and you cannot be held liable for that information in transit to you. However, once you have that information, it is up to you to protect it. This is why you need to make sure your mobile devices are password protected. You should have a policy that states you will destroy such information received on your phone. I would warn the patient that this is not a secure way to transmit information, and request that they send communications like that through secure email or a patient portal.
Q: Is a fax with at least one page sent to a wrong party still required to be reported to HHS?
A: If this page has PHI, then yes you are required to report this information to HHS, and you need to notify the patient that there was a breach of their information, what happened, and how you mitigated that issue. This violation would need to be reported to HHS at the end of the calendar year.
Have some insight on HIPAA you'd like to share? Maybe a question you'd like answered? Leave comments below!