Landmark Ruling on Healthcare Data Privacy
Not only can your facility and company be fined, but employees may be at risk personally
When Mediprocity was established in 2009, our aim was to protect patient health information and make HIPAA compliance for messaging simple. When it came to online browser access and mobile applications, our goal was simply to protect our users’ data. During our launch we also made two critical decisions which we still hold true today:
· Private Practice Prescribers would be free
· Data mining of our users would not be allowed
Here we are in 2018, almost a decade later, and although technology has made great leaps forward, the Government still crawls its way forward with new regulations in healthcare technology. Also, one constant over the last decade that remains is empathy by healthcare professionals when handling other people’s electronic healthcare data.
Currently, we are seeing hackers holding healthcare companies hostage with ransomware attacks, while emails and browsers continue to become littered with phishing links and malware. The hackers continue to gain enormous access because servers and mobile devices are left exposed much too often. Then there is the mac-daddy of them all: Facebook has finally been revealed to be sharing your data (Enter Mediprocity sarcasm — ‘shocker’).
Mediprocity has been working to make healthcare professionals understand that securing your text messaging is required not only by the Omnibus law, if the messages contain patient health information, but also by JCAHO and CMS.
Text is the most widely used form of communication on the planet, and yet we still have difficulty getting healthcare professionals to understand this: the next time they plan to send an email or text using an unsecured technology — STOP!
There are many services on the market today that provide great security and workflow functionality (we of course like ours best). As a healthcare professional, having a secure communication system does not mean you log into it every few weeks or months — if you are one of those types, then that means you only work in healthcare every few weeks or months rather than daily. Every once in a while does not cut it — it should be daily. All it takes is one mistake, one breach, to bring the Office for Civil Rights (OCR) to your door for an investigation that will lead to penalties and fines. Why does Mediprocity sound like a broken record and continue to lecture on this topic? Our answer is simple… users are still not in compliance, and it is rampant. We never had any idea that getting into the secure messaging business in healthcare was going to be like sitting down with children and making them eat their broccoli. It is hard to reason with a child that broccoli is good for their health and won’t hurt them. They take one look at it and push the plate away — I am not eating that!
Perhaps we can get everyone to start eating their broccoli, sorry we mean secure messaging, with this new warning shot coming out of the State of Connecticut. For those out there who still do not have a secure messaging provider in place for your organization take note.
This is important: based on what was ruled in Connecticut, if you are being a good steward of protecting patient data but your staff and/or other vendors are not in lockstep with you, they can expose not only you to HIPAA and civil penalties... but now also themselves!
A groundbreaking legal case in the state of Connecticut could have set a new precedent for the entire country under HIPAA. The ruling states that patients have the right to sue doctors and other healthcare providers for the disclosure of their confidential medical records without their consent.
Now, considering the fact that Facebook just poured gasoline all over technology privacy standards and has people and Congress up in arms, coupled with a ruling against patient disclosure, the time to secure your messaging and attachments is not tomorrow — it is today!
For those executives who are having trouble convincing their employees that compliance matters, well perhaps this ruling along with the HIPAA Omnibus law will get their attention. Have them take a look because they can now be put in the direct line of fire — personally. People need to remember that a breach does not mean a simple investigation — it is a long laborious stressful process that no organization or employee should have to endure.
Mediprocity is a leader in the long-term care messaging space. We protect nursing homes, pharmacies, and home health and hospice groups every day under HIPAA and HITECH guidelines, and we don’t sell or mine your data.
Yes, there are a ton of great companies out there and you should find the one that has the right feature set for you, offers the type of customer service you are looking for as well as price. But at the end of the day, you need to pick one and now.
We, of course, are fans of our own product and we keep it simple. Contact Us Today to get started!
When the Centers for Medicare & Medicaid Services (CMS) released a memorandum summary at the very end of 2017, it further clarified the two positions on the use of text messaging when dealing with patient information.
Can healthcare use regular text messaging that comes standard on all mobile devices? No!
Can healthcare use secure text messaging through HIPAA compliant systems for their mobile devices? Yes!
So here is the breakdown: Yes, to collaboration and clarifications (when using compliant messaging) and No, to sending orders.
Catch that “when using compliant messaging”, did you? There has been some confusion on what can and cannot be sent via "text". So, let us provide a brief history. In 2011, the Joint Commission “banned text” since the technology was new and not really vetted for healthcare. In the spring of 2016, the Joint Commission approved secure text and outlined what needed to be done to be compliant, but partially reversed itself a few months later to ban the sending of patient orders. Essentially, text messaging in healthcare went from little to no regulation to completely banned, then completely approved, then back to banning some things and allowing others when communicating about patients.
So now you know you can message patient information, but how do you do this in a compliant fashion?
Well, time for a little vocabulary lesson… while "text" or even "secure text" is a common term in the HealthIT space, it really is part of the confusion. Actually, SMS text is the non-compliant technology for any sharing of potentially identifying patient health information (PHI). To add a further level of complexity, "secure messaging" has a number of areas it needs to address to be "compliant messaging". For example, the financial markets have different regulations on what counts as secure, so secure to a bank is different from secure to a hospital. To sum up: text is not secure and not compliant, secure messaging could be compliant, and if someone claims compliance in healthcare they should have a third-party risk assessment and a Business Associate Agreement (BAA) in place.
(Sorry about this mouthful coming)
So, at Mediprocity we focus on securing healthcare communications and on risk assessments that meet OCR/NIST as well as Federal/State regulations, so that patient information is communicated securely and compliantly. Lastly, there is the push for CPOE (Computerized Provider Order Entry) as the preferred method for orders, with written and verbal orders still allowed, which leaves integration as the area to cross over. Texting patient information among members of the health care team is permissible if accomplished through a secure platform.
This ruling came after some confusion caused by a response from CMS stating that texting any kind of patient information was prohibited. To clarify, CMS and the Office for Civil Rights (OCR), which governs HIPAA, do not allow texting patient information of any kind unless it is done within a fully HIPAA compliant platform. HIPAA compliant platforms must meet, and should exceed, the HIPAA Security Rule, 45 CFR Parts 160 and 164. Mediprocity meets and exceeds this ruling and therefore may be used to text patient health information.
JCAHO and CMS have also reaffirmed their position that no patient orders should be sent via text regardless of the platform utilized. The preferred method is a CPOE, which is a computerized provider order entry system. CMS does go on to say that physicians and licensed independent practitioners should enter orders into the medical record via a hand-written order or through a CPOE. Since text messaging is the preferred method of communication today, with over 23 billion texts being exchanged daily, it is safe to assume that some of that communication includes patient health information. Your organization at this point should be using a secure texting solution to comply with HIPAA. It is hard to believe in the year 2018 that your staff does not ever use text messaging. If you honestly believe no one in your organization sends texts daily, we have a great bridge in Brooklyn to sell you.
If everyone in your organization was still using a rotary phone or an old cellular brick phone, then this argument would hold up. Realistically, almost everyone has some sort of smartphone and/or tablet and is using text daily.
• Do you have a mobile phone policy in place if the OCR were to perform an audit?
• Do you have access controls and remote wipe in place?
• Do you have retention of text records?
Mediprocity turns these questions into a yes! Mediprocity also allows your team to clarify orders on patients while discussing patient health information. CMS recognizes that texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication. CMS goes on to say they expect the texting platform to meet HIPAA standards, and that the functionality of the platform will help to avoid negative outcomes that could compromise the care of patients.
The effective date of this ruling is immediate. All state survey and certification staff and managers have been made aware of this memorandum. If you do not have a HIPAA compliant texting solution in place and a state surveyor asks to see what you use, what will be your answer? If your answer is “we never text” and you then have a breach, you will be on record and fall into willful neglect. This places you in the high-risk fine arena, which is a place you do not want to be, as organizations and individuals can be held accountable.
Need some proof? Most recently, a $2 million fine was imposed on a cancer treatment company that is now filing for bankruptcy protection. Texting without a secure platform today is no joke. Mediprocity can help by becoming your mobile device policy, a trusted source to improve your communication and improve patient care. So let’s recap…
Can I text patient health information? Only if using a HIPAA compliant text platform.
Can I send orders via text? Only through a CPOE or a hand-written order in the medical record.
Can I clarify orders and ask questions using a HIPAA compliant platform like Mediprocity? YES!
• Free for physicians.
• No long-term contract.
• Accounts as low as $6 per user / per month.
• Free Training.
• Free Support.
• And, we are super friendly!
Contact us today and protect your organization! We can have you up and running in less than 30 minutes.
The OCR (Office for Civil Rights), which governs HIPAA, put out a great reminder tool checklist for cybersecurity. They mention that threats never take a day off, that a vulnerability can arise when an office and its staff have their guard down, and that the increased risk can compromise an entire organization in an instant. Mediprocity plans to share some good data security tips on our blog in the early months of 2018 and wanted to start off with the OCR checklist.
On The Go
Think about how vulnerable you are when you are traveling, whether for personal or work reasons. This is the time to take extra steps and precautions to safeguard your devices that may have patient health information stored on them. Identify your phone, laptop or tablet and make sure it is protected by a password, Touch ID or facial recognition. Additionally, make sure that any area on the device that stores PHI is encrypted and that you can remotely log off from any location in the event you lose the device. If you do not need your work phone or laptop, then do not bring it. Many devices are stolen out of cars during travel after being accidentally left on the back seat.
Bring and Use Your Own Power Adapters and Cords
It’s never safe to charge your devices using anything other than your own power adapters. Cyber thieves may install malware onto hotel lamps, airport kiosks and other public USB charging stations. If you absolutely must charge your device on the road and you don’t have access to your own charger/adapter, power down your device before you connect it to any airport chair or public USB charging station.
Back Up Your Electronic Files
Before you leave, back up your contacts, photos, videos and other mobile device data with another device or cloud service. And make sure your back-ups are encrypted and secure!
Install Security Updates and Patches
Be sure to patch and update operating systems and software (including mobile device apps). This should be a regular practice, but it is particularly important if you will be unable to update while traveling. Updates and patches can fix security flaws and enable security software to detect and prevent new threats.
Create New Passwords and Change Passwords
Change the passwords you will use while traveling, and add multi-factor authentication if possible. Don’t skimp on password creation either: a numerical sequence is not ideal. Passwords should be at least 10 characters long with a combination of letters, numbers, and symbols. Consider using a passphrase, a combination of words that is easy to remember, such as “Mydogatemyhomeworkandgotindigestion”. Once you’re home, change your passwords again!
Lock Devices Down
Most smartphones, laptops, and tablets come equipped with security settings that will enable you to lock the device using a PIN or fingerprint ID. Do this on every available device. In the event you misplace or lose a device, this will be the first line of defense against a security breach.
Turn Off WiFi Auto-Connect and Bluetooth
Go into your device’s Settings and disable the WiFi auto-connect option so that you connect manually, and only when it is safe to do so. Similarly, disable Bluetooth connectivity. If it is left on, cyber thieves can connect to your device in a number of different and easy ways.
Avoid Public WiFi
Avoid connecting to any public WiFi network. You didn’t connect to the free, open WiFi on the airplane, so continue that mindset on the ground. Using your mobile network (like 4G or LTE) is generally more secure than using a public wireless network. Do not conduct sensitive activities, such as online shopping, banking, or sensitive work, using a public wireless network. Always log into your work networks through VPN, and only use sites that begin with “https://” when online shopping or banking.
Ensure Physical Security of Your Devices
NEVER let your devices leave your sight. If you cannot physically lock devices in your hotel room safe or other secure place, take them with you. There are no good hiding spots in your hotel room! Many breaches occur because a device was left unattended when an opportunistic thief struck. When traveling with laptops and tablets, the best protection is to carry them with you. It’s never safe to pack your devices in your checked luggage.
Create Unique PINs
Don’t use the same PIN for the hotel safe and a mobile device, especially one that you’re storing in the hotel safe! Do you really want to make it that easy for a thief?
Use Geo-Location Cautiously
Most social media sites are happy to automatically share your location as you post photos and messages. This also tells thieves back home that you are away, which is a great time to break in. So, limit the information you post regarding your location at any point in time.
For HIPAA Covered Entities and Business Associates
The HIPAA Security Rule requires that covered entities and business associates conduct a risk analysis to identify risks and vulnerabilities and to mitigate identified threats and vulnerabilities. Risks to ePHI created, received, maintained, or transmitted on workplace owned equipment, and personal equipment if permitted, when workforce members travel must be included as part of a covered entity’s or business associate’s risk analysis and risk management process.
This information was provided by the HHS Office for Civil Rights (OCR) web site, which provides guidance on the HIPAA Security Rule as well as guidance on specific cybersecurity topics. A PDF of this newsletter may be found at: https://www.hhs.gov/sites/default/files/ocrcybersecurity-newsletter-december-2017.pdf