Information System Activity Review

HIPAA’s Security Rule, at 45 CFR §164.308(a)(1)(ii)(D), requires that covered entities “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Many organizations are not in full compliance with this required specification.

The purpose of reviewing system activity is to identify whether any EPHI is used or disclosed in an inappropriate manner. In many cases, audit logs are only reviewed when a problem arises, and an investigation is launched. However, the intent of this specification is to have entities schedule reviews on a regular basis to proactively look for potentially problematic activity.

An ideal process is to schedule reviews approximately monthly. Constrain each report to one or two days’ worth of data; a longer period produces more entries than a reviewer can reasonably examine. Review the report to determine whether access was appropriate or whether anything requires further investigation. You may need to contact a support representative for your EHR system to find out how to run summary audit logs or access reports. Retain the reports, together with a record of who reviewed them and what was found, electronically or in printed form for a minimum of six years.

If audit log/access reports are not available through your EHR system, you could use an alternate approach in which you randomly select a couple of users each month and review their activity to ensure it has been consistent with their job duties/function. Document this process in the same manner.

Some questions to answer include:

  • What are the audit and activity review functions of the current information systems?
  • Are the functions adequately used and monitored to promote continual awareness of information system activity?
  • What logs or reports are generated by the information systems?
  • Is there a policy that establishes what reviews will be conducted? (Subscribers to the Eagle Associates HIPAA Compliance System have a policy in Section 4.06d of the HIPAA policy manual.)
  • Is there a procedure that describes specifics of the reviews?

When reviewing access logs/audit reports, some things to look for include:

  • Repeated failed login attempts against the same account, which may indicate password guessing.
  • Logins at inappropriate times (outside the user’s normal schedule or office hours) or from unauthorized locations.
  • Use of credentials belonging to a user who is no longer with your organization, which means the account was not disabled at separation.
  • Use of credentials while the user is scheduled to be out of the office, which may indicate shared or stolen credentials.
  • Record access that is not consistent with the user’s job duties/function.
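As an added example (not code from this article, from Eagle Associates, or from any EHR vendor), the following Python script runs the checks listed above over a constructed sample access-log export. The log format, the clinic network range, the business hours, the failed-login threshold and the termination and leave rosters are all assumptions; a real EHR audit report will have its own columns and will need its own parser.

```python
"""Audit-log review checks for an EHR access log.

Added example, not from the original article or any EHR vendor. The export
format (timestamp,user,event,source_ip,patient_id), the office network,
business hours, thresholds and rosters below are assumptions.
"""
from collections import Counter
from datetime import datetime, date, time
from ipaddress import ip_address, ip_network

# Constructed sample export covering two days of activity (assumed format).
SAMPLE_LOG = """\
2024-03-04T08:12:05,jsmith,LOGIN_OK,10.20.1.15,
2024-03-04T08:13:40,jsmith,RECORD_VIEW,10.20.1.15,P10455
2024-03-04T02:47:11,mjones,LOGIN_OK,10.20.1.22,
2024-03-04T02:48:30,mjones,RECORD_VIEW,10.20.1.22,P22091
2024-03-04T09:02:00,rlee,LOGIN_FAIL,10.20.1.30,
2024-03-04T09:02:20,rlee,LOGIN_FAIL,10.20.1.30,
2024-03-04T09:02:41,rlee,LOGIN_FAIL,10.20.1.30,
2024-03-04T09:03:05,rlee,LOGIN_OK,10.20.1.30,
2024-03-04T10:15:00,kbrown,LOGIN_OK,198.51.100.7,
2024-03-04T11:30:00,tgarcia,LOGIN_OK,10.20.1.18,
2024-03-05T14:05:00,jsmith,LOGIN_OK,10.20.1.15,
"""

# Assumed reference data a practice would keep alongside the review.
OFFICE_NETWORKS = [ip_network("10.20.0.0/16")]          # clinic LAN; anything else is off-site
BUSINESS_HOURS = (time(7, 0), time(19, 0))              # Mon-Fri, 07:00-19:00
TERMINATED = {"tgarcia": date(2024, 2, 15)}             # user -> last day of employment
OUT_OF_OFFICE = {"mjones": [(date(2024, 3, 4), date(2024, 3, 8))]}  # scheduled leave
FAILED_LOGIN_THRESHOLD = 3                              # failures per user per day


def parse_log(text):
    """Parse the CSV-style export into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src, patient = line.split(",", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "src": ip_address(src),
            "patient": patient or None,
        })
    return events


def review(events, office_networks=OFFICE_NETWORKS, business_hours=BUSINESS_HOURS,
           terminated=TERMINATED, out_of_office=OUT_OF_OFFICE,
           fail_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (rule, user, timestamp, detail) tuples for events that need follow-up."""
    findings = []
    failures = Counter()                     # (user, day) -> failed logins so far
    for e in events:
        user, ts, day = e["user"], e["ts"], e["ts"].date()

        # Any activity after a user's last day means the account was not disabled.
        if user in terminated and day > terminated[user]:
            findings.append(("terminated_user_activity", user, ts, f"last day {terminated[user]}"))

        # Any activity while the user is scheduled out of the office.
        for start, end in out_of_office.get(user, []):
            if start <= day <= end:
                findings.append(("activity_while_out_of_office", user, ts, f"leave {start}..{end}"))

        # Report once per user-day when failures reach the threshold.
        if e["event"] == "LOGIN_FAIL":
            failures[(user, day)] += 1
            if failures[(user, day)] == fail_threshold:
                findings.append(("repeated_failed_logins", user, ts, f"{fail_threshold} failures on {day}"))

        if e["event"] == "LOGIN_OK":
            # Successful logins on a weekend or outside business hours.
            off_hours = ts.weekday() >= 5 or not (business_hours[0] <= ts.time() < business_hours[1])
            if off_hours:
                findings.append(("login_outside_business_hours", user, ts, ts.strftime("%a %H:%M")))
            # Successful logins from outside the clinic networks.
            if not any(e["src"] in net for net in office_networks):
                findings.append(("login_from_unauthorized_location", user, ts, str(e["src"])))
    return findings


def summarize(findings):
    """Totals per rule, for recording on the monthly review sheet."""
    return dict(Counter(rule for rule, *_ in findings))


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG))
    for rule, user, ts, detail in results:
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<8} {rule:<34} {detail}")
    print(summarize(results))
```

Each finding is a lead, not a conclusion: the reviewer still has to confirm with the user or their supervisor whether the access was appropriate, and the outcome of that follow-up is what gets documented and retained.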

In addition, your IT vendor may monitor your firewall logs to detect improper access to your network, shared drives, etc. Verify with your IT vendor/support staff that such monitoring is actually in place and who reviews the alerts, or establish monitoring if it is not. You might also discuss the security configuration of your firewall to ensure it is robust enough to protect EPHI and other sensitive data.

If your review finds something that might qualify as a security incident or breach, be sure to follow the procedures to document and investigate the incident thoroughly. Corrective actions and disciplinary action (sanctions) might be necessary. Early detection will help to reduce the impact of improper access.

Cyberattack on Change Healthcare

In late February 2024, Change Healthcare, a unit of UnitedHealth Group (UHG), experienced a large-scale cyberattack. Because Change Healthcare processes a large share of the claims, billing and payment transactions in the U.S., the attack affected healthcare organizations across the country, delaying payments and other essential healthcare operations. The Department of Health and Human Services’ Office for Civil Rights (OCR) is still investigating the cause and scope of the attack and has published a letter regarding the ongoing investigation.

These wide-reaching cyberattacks serve as reminders to implement appropriate safeguards to protect the EPHI for which each covered entity is responsible. The letter from OCR emphasizes the importance of business associate agreements. Such agreements set out the business associate’s obligations to safeguard the EPHI it receives and to report breaches and security incidents to the covered entity, so that the covered entity can meet its own obligations if a business associate with whom it shares EPHI experiences a breach or cyberattack.

In addition to reviewing your organization’s business associate agreements, conducting an annual Security Risk Analysis will help your organization assess both internal and external risks posed to EPHI and implement corrective actions to mitigate those risks.

Subscribers to Eagle Associates’ HIPAA Compliance System have access to templates for a Security Risk Analysis and an Audit Plan/implementation guide.

MIPS Assistance from HiQ

We are often asked whether we can assist with MIPS (Merit-based Incentive Payment System) reporting and although we cannot, we can now offer a resource!

HiQ (Healthcare Interoperability & Quality Services) is a consulting company that helps organizations maximize revenue with expert MIPS optimization, minimize regulatory compliance risks and continue to maintain high-quality patient care without distractions.

HiQ offers MIPS Essentials™ in three service tiers, Bronze, Silver, or Gold, depending upon the primary goal of the organization and the level of assistance needed. Some of the benefits offered include:

  • 2024 MIPS – Start planning now – no more COVID-19 EUC exceptions available.
  • Information Blocking Regulations – Learn the requirements and risks.
  • Measure Changes – Make sure you understand new QPP measures, IRIS QCDR measures with scoring potential, the cataract episodic cost measure and 2024 MIPS scoring methodology.

Eagle Associates clients are eligible for a no-cost, no-obligation 30-minute MIPS consultation.

Feel free to contact:
mike@hiq-services.com
(704) 995-7593

OCR Emphasizes Importance of Sanctions Policies

HHS’s Office for Civil Rights (OCR) has issued a bulletin underlining the importance of maintaining and implementing an effective sanctions policy when it comes to the privacy and security of protected health information (PHI) under HIPAA Rules. Both the Privacy Rule and the Security Rule require sanctions policies for all covered entities and their business associates.

Sanctions policies address the disciplinary actions a covered entity takes when one or more workforce members violate the privacy and security policies or procedures of the organization. By imposing consequences on workforce members who violate an organization’s policies, sanctions communicate that each individual is responsible for complying with the HIPAA Privacy and Security Rules and will be held accountable for failing to do so. Sanctions may be communicated to workforce members through training and onboarding. Employees may be asked to sign a Confidentiality Statement and an Acceptable Use policy to indicate their understanding.

HIPAA Rules allow covered entities to implement sanctions policies in a manner consistent with the size, structure, and nature of the organization. This leaves the specifics of a sanctions policy up to the discretion of the covered entity. While HIPAA Rules are flexible to allow for variations across different organizations, OCR recommends the following steps for creating an effective sanctions policy:

  1. Create a formal process for documenting sanctions and sanctions policies.
  2. Require workforce members to acknowledge in writing that violations will result in sanctions.
  3. Document the sanctions process, including the personnel involved, the procedural steps, the time-period, the reason for the sanctions, and the final outcome of an investigation.
  4. Create sanctions that are appropriate to the nature of the violation.
  5. Create sanctions that vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of PHI.
  6. Create a range of sanctions that vary in severity from verbal warning to termination.
  7. Provide examples of potential violations and appropriate sanctions.

Meaningful and well-documented sanctions policies can promote HIPAA compliance throughout an organization by setting expectations and deterring misconduct. OCR also emphasized the importance of executing a sanctions policy consistently. This means considering how sanctions can be applied fairly throughout the organization, including to management and providers. Applying sanctions inconsistently or unfairly can undermine the integrity of the organization’s compliance program and be cause for citations and fines. OCR cites two investigations in which PHI was impermissibly disclosed and the covered entities either did not apply sanctions or did not document the sanctions imposed against the workforce members involved in the violation.

In a time in which malicious outside actors are targeting PHI, it is imperative that organizations responsible for PHI act with integrity and transparency when it comes to inside threats to privacy and security. Clearly communicating policies and penalizing noncompliance through sanctions will help to promote compliance in your organization.

Securing Smartphones

Personal devices, especially smartphones, are often neglected when considering the ways that electronic protected health information (EPHI) is received, stored, and transmitted in healthcare settings. While most workforce members may be prohibited from using their personal devices or smartphones to receive, transmit or store EPHI, providers often cannot avoid it. Any text, email or voice message containing EPHI will necessitate appropriate security measures on the device in order to avoid a privacy breach in the event that the device is lost or stolen.

This article will outline the security measures recommended by the Office of the National Coordinator for Health Information Technology, as well as some guidance from other information technology (IT) providers. Not all smartphones or mobile devices will feature the security controls mentioned, however it is important to obtain or enable those that are available.

Delete all stored EPHI on a regular basis

It is often unnecessary to store EPHI on a mobile device once it has been used and/or documented elsewhere, like in a patient’s record. Regular removal of data minimizes risk.

Use a password or other authentication

Authentication is the process of verifying the identity of a user by requiring a password, personal identification number (PIN), or passcode before granting access to the device. Enable the phone to activate a screen lock after a short period of inactivity to prevent unauthorized access.

Install and enable encryption

Encryption is the conversion of data into a form that cannot be read without the decryption key or password. It is important to encrypt data that is stored on a smartphone as well as data that is sent from it. Note that standard text (SMS) messages and ordinary email are not encrypted end to end, so EPHI sent from a phone should go through a secure messaging service or an encrypted email service. Some devices have built-in encryption capabilities, but it may be necessary to buy and install an encryption application (app) or use a secure messaging service. Ensure that mobile apps are from a trusted source prior to downloading them to your device.

Activate remote wiping and/or remote disabling

Remote wiping is a security feature that enables the user to remotely erase the data on a device or smartphone if it is lost or stolen. Note that remote wiping must be enabled before the device goes missing, and the wipe command only takes effect once the device connects to a network, so it complements rather than replaces a screen lock and encryption. Backing up the device to a cloud-based system ensures that the data remains available to you even if the device has to be erased. Remote disabling enables you to lock a device remotely if it is lost or stolen, and to unlock it if the device is recovered.

Keep your security software up to date

Enable automatic updates whenever possible to ensure that your smartphone or device has the latest tools to prevent unauthorized access to EPHI. Ensure that both application updates and operating system (OS) updates are installed promptly.

Enable (or install) a firewall

A personal firewall on a mobile device can protect against unauthorized connections. Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules defined by the user. Ensure that the firewall is enabled on your device or install a firewall app.

Avoid using public Wi-Fi networks or hot spots

Traffic between your device and a public access point can be intercepted or redirected by anyone who controls or shares that network. If you must use a public Wi-Fi connection, ensure that data is encrypted in transit (for example, through a VPN or an app that encrypts its own connections) or otherwise secured.

OIG Issues New Guidance

On November 6, 2023, the Office of Inspector General (OIG) released new General Compliance Program Guidance (GCPG) for the healthcare community. The GCPG is voluntary guidance that discusses general compliance risks and compliance programs. OIG states that the guidance is not intended to serve as a model compliance program, but rather sets forth compliance guidelines and tips and identifies some risk areas that it believes individuals and entities engaged in the healthcare industry should consider when developing and implementing a new compliance program or evaluating an existing program.

The GCPG is organized into seven sections: an introduction, an overview of health care fraud enforcement and other standards, compliance program infrastructure (the seven elements), compliance program adaptations for small and large entities, other compliance considerations, OIG resources and processes, and a conclusion. You may access the GCPG here:

https://oig.hhs.gov/compliance/general-compliance-program-guidance/

If your organization is unclear why an OIG compliance program is mandatory for Medicare and Medicaid providers when the OIG guidance is voluntary, please refer to the article “Office of Inspector General Compliance Program” in the October 2023 Advisor® issue.


Note: Although the new OIG guidance is not binding, Eagle Associates will provide an update to its OIG Compliance Program in March 2024 to incorporate additional information from the guidance that will further help users to implement a successful fraud, waste and abuse prevention program.