
The fifth webinar, "Risk Assessments", was held on March 26th, 2015. Daniel Brown, Esq. of Taylor English Duma LLP and Jason Karn of Total HIPAA Compliance walked attendees through an overview of business associate agreements and discussed some of the intricacies of this compliance requirement. Topics covered include:

  • Why is the Risk Assessment Required
  • What is expected in your Risk Assessment
  • What are Administrative, Technical and Physical Safeguards
  • How often do you need to perform a Risk Assessment
  • How your Risk Assessment helps you create your Privacy and Security Policies and Procedures

Video Playlist

To make the webinar a little easier to navigate, we divided it into shorter clips. If you'd like to view the entire webinar, just start with the first clip, and the rest will be queued up automatically. A transcript of the presentation is available below as well as answers to some of the questions we received during the Q&A.

 

Webinar Transcript

To keep things simple, we divided the video transcript into short sections corresponding with the clips above. Just click on the section title to expand the transcript.

Downloads
Slide Deck
Audio MP3

P1 - Intro

Shanyce: Good afternoon, everyone. Thank you for joining us today for our HIPAA Webinar Series. Today we will have our fifth installment and will discuss Risk Assessments. We’re fortunate to have Jason Karn from Total HIPAA Compliance and Daniel Brown from the law firm of Taylor English.

Jason: Thanks, Shanyce. My name is Jason Karn, I’m the Director of Training and IT at Total HIPAA Compliance, and we specialize in training and compliance for medical practices, dental practices, insurance agents, employer groups and business associates.
And without further ado, I’m going to turn you over to Dan Brown.

Dan: Thanks, Jason. I want to first thank everyone for being with us this afternoon and thank NueMD for sponsoring the program. I’m an attorney in Atlanta, Georgia and I’ve been practicing healthcare law for about 30 years. And I work with clients, both large and small, to work through their HIPAA Compliance obligations and what happens to them when they get in trouble. That’s what we’re going to talk about today. What’s one of the very first things we can do to make sure that we’ve covered our bases and won’t get into big trouble if we do have an unfortunate breach of protected health information?

First, a little housekeeping. I am a lawyer, but not necessarily your lawyer at this point. We will be talking about some legal concepts, but only in a general and educational way. None of this information is intended to be legal advice. Having said that, we will entertain questions at the end of the presentation.

P2 - What is a Risk Assessment


P3 - Why You Need to Conduct a Risk Assessment

Dan: We need to do it because HIPAA tells us we have to do it. If we go directly to the Code of Federal Regulations (45 C.F.R. § 164.308) and its implementation specifications: as a covered entity, I’m obligated to implement certain specific HIPAA things, and one thing I must do is a HIPAA Risk Analysis. And that is to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.

So, we have to make sure that we have an accurate and thorough assessment of potential risks and vulnerabilities. Where are the holes? As to confidentiality, who can see it? Integrity, who can get to it and mess around with it? And availability of electronic health information. Is it available only on a password-protected computer, or is it on a thumb drive that’s sitting out on somebody’s desk?

What happens if we don’t do a Risk Assessment? Let’s assume there’s a breach. There’s some electronic health information that gets out to the public in a way that we did not intend. A laptop is stolen. A hard drive is stolen. There won’t be an investigation because we have an obligation to report those breaches to the Department of Health and Human Services. So, if there’s ever an audit, even if you don’t do a breach report and somebody comes in and says, ‘What do you have?’, the first thing they’re going to ask for is: where is your Risk Assessment? Where is it written and documented that you went around and looked at your fax machine, your computer, and your hard drives? Where is it written that you did that exercise? If you don’t have it written, then you are automatically in violation of HIPAA. And that puts you behind the eight ball just to begin with.

Now, let’s assume you do a Risk Assessment. And you need to do one. This will be your blueprint for performing and writing all of your HIPAA Policies and Procedures. Because as HIPAA tells us, not only must we do the assessment, but once we do the assessment we have to take it back and then use what we find in the assessment to draft the Policies and Procedures for Privacy and Security that we as an organization have to do. It’s going to reveal areas that need special attention. For example, we let everybody use their own laptop. We don’t have any mechanism to track those laptops. It’s also a first step in protecting your business and your patients. Now, let’s take a look at some actual real life issues and penalties that can show up if you don’t do a Risk Assessment.

P4 - Penalties

Dan: The big daddy of them all is this Alaska Department of Health and Human Services case. This is a $1.7 million fine that was assessed to an Alaska healthcare system, and what was discovered was that the hospital did not have adequate Policies and Procedures in place to protect their electronic health information and they had not done a Risk Assessment.

So, what really happened here? It’s kind of fascinating in that it shows a window into what will happen if you have a breach and if you report what you need to, and what’s going to happen once all of that bad stuff takes place. First thing, the Office of Civil Rights, which is an entity in the Department of Health and Human Services that enforces HIPAA, issued a report which explained that there was a hard drive that was stolen in 2009 that had some protected health information on it. The hospital then reported this to the Office of Civil Rights, and within a few months the Office of Civil Rights did an investigation. During the investigation, they asked the Alaska hospital to send over their Risk Assessment documentation and Policies and Procedures so they could review them. As a result of this investigation, the Office of Civil Rights determined that the Alaska hospital did not and had not completed a Risk Assessment. They had insufficient risk management measures. They did not complete security training. And they did not have controls in place for their devices. So what did they do? The hospital entered into a corrective action plan and received a fine of $1.7 million. And the scary part about that is not only did they have to pay $1.7 million, but they had to pay it immediately. There was no installment plan offered by the government. So we can see right away that because there was a failure by the hospital to conduct a Risk Assessment to find their holes, and then they failed to adopt procedures for safeguarding and encrypting devices, there were penalties assessed.

A similar result, but not quite so big was obtained in Idaho in 2013 by a hospice facility that settled a security breach case for only $50,000. In this case, there was a laptop which was unencrypted and it was stolen. Under the HITECH law, if there’s a breach where less than 500 patient records are affected then you don’t have to give notice within 60 days to all those who are affected. You can wait and once a year make the disclosure to the Department of Health and Human Services. In the hospice case, this was one of those instances because less than 500 records were involved. In fact it was just 441. An admission was made to the Department of Health and Human Services and they asked for the hospice facility’s Risk Assessment and because they did not have one they received a fine of $50,000.

The last one is again back up in Alaska at the Anchorage Community Mental Health. Here we have a behavioral health center and it was fined $150,000 by the Office of Civil Rights for their failure to have a HIPAA plan and for failure to complete a Risk Assessment. Here, there wasn’t a lost laptop or a hard drive left on the table. But some malware or bad software that somehow got into the system and there weren’t safeguards in place to prevent this malware from making available the protected health information of around 2,700 patients. The Office of Civil Rights came through and the behavioral health center cooperated the best they could and entered into a $150,000 settlement plus corrective action plan.

So we can see that whether you’re a big hospital health system or a behavioral health center or a hospice, these risks are out there for your patients but also for your pocketbook for not taking proper steps to first assess the risk and find those holes and patch them up.

With that, I’m now going to turn it over to Jason and he can tell us exactly how one does a Risk Assessment and what to do with what you find.

P5 - What is a Meaningful Risk Assessment

Jason: Great! Thank you so much, Dan. That was some great information. So, what is a Meaningful Risk Assessment? And we see this word a lot - the Meaningful Risk Assessment. This is just a thorough audit of your practice’s processes. So you’re going to look through your administrative processes, your physical processes, and your technical. So what does that exactly mean? And I’ll give some examples of things that you’ll find and questions you’re going to be asking yourself as you go through this process.

P6 - Administrative

Jason: Starting with the administrative...and these are things like have you appointed your Privacy and Security Compliance Officers? You’re going to need to have a list of all your workforce members, their roles, and what their access is. And we’ve talked about this in previous webinars about controlling access to information. So you really want to make sure that administrators have a certain level, nurses have a certain level, but maybe those at the front desk don’t have that same access. Maybe you have a way of limiting that access through your EHR or through file sharing or however you do that.

Next, do you have a written disciplinary and sanction policy for HIPAA violations? This is very important. We’ve seen fines that have stemmed from this where there wasn’t a sanction policy or the sanction policy wasn’t enforced. There was an incident with a pharmacy where somebody was inappropriately accessing information, and it turned out that there was a huge fine that came from that because the pharmacist was never sanctioned and/or fined for that inappropriate access. And this turned out to be a huge lawsuit.

Do you have a HIPAA training program, and if so, how are you keeping a record of that? Do you have somebody who’s keeping those records online? Do you keep those records in your office? How often are you retraining people? We recommend annual retraining. It’s very easy, with all the training they have to go through, to forget things. And it’s just a good business practice to refresh people’s memory. We know that nurses have a lot of responsibility, so it just helps to jog people’s memory, especially with turnover staff or those who may have missed out on the initial training.

What Business Associates are you working with and do you have agreements with them in place? And those are things you’re going to look for. If you’re pushing information out to your cloud provider or cloud backup services, knowing that they've done their due diligence also in looking at their compliance plan. So you would document who’s getting the information and how are you going to handle a breach if it happens. And this is an unfortunate reality that happens to a lot of people, so you want to have a plan in place beforehand. For example, you want to say...when we’re dealing with a Business Associate, the Business Associate has 15 days to notify us if they have a breach so that we can then put our plan into action and know who to contact, what we’re going to do if we have to contact the press, how we’re going to deal with that sort of contact, and also how we’re going to mitigate things as far as what people would say if they’re contacted by the press.

P7 - Physical

Jason: So on to physical…this is how you are going to secure your offices. Do you just lock the doors at night; do you have key cards, alarms, a combination of these items? What do you do after somebody leaves the office, quits or is terminated; do you re-key? How do you keep track of that information? And where are your personal records secured and stored? I know a lot of physicians have records… if they’re still using paper records they might be in the front office… how do you protect those at night? How do you keep people who may be in your waiting room from accessing them? Things like that. Also, if you’re still dealing with paper records, you may have different cabinets for different patients or different ways to access them, so that you can try to limit that access to people who don’t need it.

Do you have an inventory of all your electronic assets? This is all your computers, servers if you have them, hard drives, anything that you may own. And you also want to keep track, if you’re allowing your staff to use their own devices; you want to keep a catalog of those too. You want to know, if there’s an issue, how you can mitigate and control who may have access to that device, and whether you can erase it (we spoke about that in the bring-your-own-device webinar, about how you can control that device with the information it has on it).
What do you do with old media? Old hard drives, copying machines; we talked about this and I’ll bring it up again because that is one we don’t always think about. Fax machines: you want to make sure those aren’t configured to store any copies of information. There was a big fine that came out of that for an insurance company that had a copy machine that stored data. And they turned it back in for the lease, and they ended up getting hit with a fine because it had all this PHI on it that was found.

You want to make sure you’re destroying your hard drives and wiping them properly. You don’t just want to say “okay, that hard drive’s out of use, let’s just throw it away.” That could be a really big issue for you because of all the information that is stored on there. And if you’re just going to erase it and maybe try to resell it or trade it in, make sure you do a secure erase on that. There are many programs that will do that. They’ll wipe it out, write over it with ones and zeros, and that’s something that you really need to look into.
How do you dispose of your paper records? Now we’ve been seeing a lot of this recently, where records were found in dumpsters that were not shredded, that were not properly destroyed, and this is a huge issue. You want to make sure, if you’re contracting with a paper shredding company, that you do an evaluation and make sure that they’re really doing what they’re saying they are doing and they’re not just taking it and dumping it in the dumpster. Does that mean they shred it on site? How do you look into that? Those are things that you want to document in your physical Risk Assessment.

And also, who has access to your office space during business hours and after hours? Do you have a cleaning crew that comes in after hours? Who has access? Are they supervised? Just think about these things. You have a landlord… does he have access to the site? May he come in and fix plumbing issues or whatever after hours? We recommend that you actually have an agreement with the landlord that says “we know you have access to this site, and there is protected health information on this site, and these are your responsibilities as a building owner to make sure you protect us as a business also.”

P8 - Technical

Jason: And Technical. This covers your encryption policies. With the Anthem breach that just happened, and a couple other breaches, people say to me “you know, encryption… it’s an addressable standard, not a required standard.” But as you do the Risk Assessment, if you read the law a little bit closer, I think you’ll find that yes, for your specific practice, you are going to need to encrypt information. I caution anybody against saying, after going through this process, “well, I discovered I don’t need to encrypt emails I send to my patients with protected health information.” I think you’ll find yes, that is indeed a necessity and a requirement for your practice. You’ll want to make sure those hard drives are encrypted, your emails are encrypted, and any electronic files you may store in the cloud or backup files and backup drives are encrypted.

Can you audit who’s been accessing your records? That’s important; a lot of your EHRs will allow you to do that. To look through and say “this person had access at this time” or “this person accessed records and wasn’t allowed to access those records.” I know there was a case, I think out of Nebraska, where one of the Ebola patients was being treated. He had been brought over from Africa and was being treated at a hospital, and there were two nurses who were not authorized to access that patient’s record. They were not treating that patient; they were just in the hospital and they went and accessed the record to see where he was and what was going on. They were terminated. That was part of the sanction policy for the hospital. They said that if you’re not treating that patient you have no reason to access that record. You’ll see that also with celebrities that may go into hospitals. You have to be very careful with who is accessing those records, and make sure that the people who are accessing them really have the authority and need to access those records. Now, you know people do access records inadvertently and it can be accidental, and they should document that and let people know that, but it’s important that you have a way to audit that.

Does each employee have their own password and login? That’s one of the ways you want to track that information. So you want to be able to say, “At our workstations, everybody has to log in, it times out”- those sorts of things. And do you have a data backup plan? Now these 3 things are requirements as part of the technical guidelines. You need to have a data backup plan and that goes back to looking at not only integrity but availability of information. If the information on a patient is not right or whole then it’s as if you don’t have it. And that’s a real issue when it comes to you as a covered entity. So you want to make sure you have a good data backup plan. That can be a good cloud storage company, that can be back-ups on site but you want to make sure you take those hard drives to a safe deposit box off site. That way if there is a natural disaster you then have a way to get back up and running.

And that feeds into “What is your disaster recovery plan? What do you do if you have a fire? Who would you get back up and running? What do you do if you lose a server or you lose just a workstation? Or a printer goes down or a copier goes down, fax machine stops working and you run out of toner?” These are things you want to think about and it’s part of your risk assessment. You want to sit down and say “What do we do in this situation? How will we access information because we will need to keep going?” That also goes to your emergency mode of operation. So what do you do in these emergencies? How are you going to function? Does that mean you go back to paper files? These are things you’d explore through your technical Risk Assessment.

P9 - How Do You Complete Risk Assessment

Jason: So how do you complete this? There is a really great Risk Assessment tool from HHS. You can expect anywhere from 10 to 12 hours to complete this. This is a very thorough tool. A lot of people may find it overwhelming. You may find an outside vendor that you’d like to work with. Vet your outside vendor before you work with them because they will come in contact with protected health information. So make sure you have those Business Associate Agreements. Make sure if you’re going to be talking about PHI with them that you’re using encrypted emails for those transactions. Again you can use this comprehensive tool yourself or you can go with an outside vendor to help you with that.

P10 - How Often Should I Perform A Risk Assessment

Jason: So how often should I perform a Risk Assessment? First, when you initially form your compliance plan. That’s going to be your first step to know where you’re going to go with your policies and procedures. But you do want to do a new Risk Assessment when you have a major change in hardware or software. You may not necessarily have to evaluate everything in the practice. So for example, when you change to a new operating system, say from Windows 7 to 8 or 9. Or when you change EHRs. Why are you changing EHRs? What are some of the risks you’re taking with that? Or you may be going from paper files to electronic, those sorts of things. Anytime you’re changing processes in your practice, you’ll want to go back and do a Risk Analysis. If you haven’t had any changes, you’ll want to look at it every 2 or 3 years. You can go back and see what worked and what didn’t. It’s an opportunity for you to see what you can do to make your practice run safer, smoother and better and streamline things.

And if you have a breach, you’re going to have to do a Risk Assessment. You’re going to say “Ok, where is this hole? Why didn’t we see it? What do we do to plug it?” You’re going to have to do that when you send your breach report to HHS. They’re going to ask you those questions: what did you find? What did you do to mitigate that risk? So you want to document that very clearly. If it was an employee issue, you’ll want to document that that person was sanctioned and what you did for the next step.

Top Questions

During the webinar, attendees were able to ask questions directly to Jason. While we tried to get through as many as we could, we simply did not have time to answer all of them. So, we put together a round-up of the top unanswered questions. We've organized them by section to keep things simple.

Risk Assessment

Q: Why does it take so long to do a risk assessment (10-12 hours)?
A: Because of the amount of detail you need to go into. Documenting what your administrative processes are, then looking at your technical and physical. There’s a lot of detail and you’ll want to be thorough. If you think about your entire business and all the points information touches, it’s a lot of work.

Q: Is there a separate Risk Assessment for privacy?
A: Yes, but there is a lot of overlap, especially when you look at the HHS tool. There’s an intersection between privacy and security aspects of HIPAA compliance, but there are separate rules. Typically you can do both risk assessments at one time and cover both aspects.

Q: When starting up the process for a brand new practice, does the Risk Assessment need to take place? Before we even begin communicating with insurance companies?
A: Yes, it needs to happen right away. There is no statute that says you have 30 days to put in a HIPAA compliance plan. It’s something that you need to have in place before you open. It should be an easier process, since you have the luxury of building from the ground up instead of changing the way you do things.

Q: If I open a medical practice and I’m not a doctor, what is my risk and what should I look out for as far as HIPAA?
A: As a matter of scale, even if you’re a single-physician practice, you’re a covered entity under HIPAA and you still have to do these things. You’re required to go through all of these steps, make the documentation, have it available, have your policies and procedures and training on the wall, and have training occur. There really is no small practice exception.

So, have your HIPAA compliance plan in place from start, if you’re opening a brand new practice. If you’re buying an existing practice you’ll want to confirm they have correct policies and procedures.
HIPAA compliance not only protects you from the HHS and fines, but really protects your patients. You’re in a job that’s supposed to instill trust. If you have security holes, you’re not going to engender trust with your patients.

Q: When dealing with hosting companies i.e. subcontractors, what if the subcontractor’s servers are outside the US where HIPAA is not enforceable but they do have safeguards?
A: You can choose whoever you want to do business with, but you have an obligation to ensure everyone you share PHI with takes steps consistent with HIPAA to protect it. Typically that’s done through a Business Associate Agreement. The laws of the United States don’t govern how a server in India handles their protection, but if you choose to use the India server farm and there’s a breach, you will be liable.
We recommend you avoid partnering with those that outsource to foreign countries. There are many companies with server farms in the United States.

Privacy Breaches

Q: Do you have to report a breach if it involves less than 500 patients?
A: Yes! You do have to report it, but the rules are slightly different. When it’s over 500, you have 60 days to notify the HHS and prominent media outlets. If you don’t have current contact information for more than 10 affected people, you must post it prominently on your website. You also need to have information prepared for any public request. When it’s less than 500, you have until the end of the calendar year to report to the HHS. If you feel there is an imminent threat to the person’s information, you’re required to call and inform them. There is a portal on the HHS for reporting breaches online.

Q: What about a minor breach where a medical record inadvertently faxes to the wrong number? If we attempt to notify the patient and attempt to retrieve the record from the incorrect party, is that sufficient? Or do we need to report it anywhere else?
A: You are still obligated to report it. Let’s talk about who you report it to. So you’ve got patient X. Patient X’s information was faxed to patient Y. You immediately told patient Y to destroy or return the record, etc. At that point you should pick up the phone and let patient X know what’s going on. There has been an unauthorized disclosure.

Resources

Q: I have a company that sells me new computers. I don’t have a network consultant that can advise me on cloud backup, encryption, firewalls, virus, or file sharing. What should I do?
A: Check out the resource page at Total HIPAA. You should have an IT person on staff. Have that conversation with them about what they recommend. Most of these companies that are really into security will also do a BAA with you. And they’re very aware of what’s happening. Just make sure you vet them beforehand and see if they sign BAAs. If they say yes, then ask to see their Risk Assessment or Policies and Procedures. If they don’t have those, then that’s a company you shouldn’t be doing business with.

Q: Are there any good resources like a checklist or a booklet for the Risk Assessment that we can customize for our office?
A: The most comprehensive resource is the HHS checklist. The HHS document is a Word document that is very easy to customize. It explains what part of the law requires you to do the specified items.
