HIPAA for Midwifery 101: Part 3 – The Security Rule – keeping electronic information safe

This is the third article in a series about HIPAA in the Midwife Workflow.

Read Part 1 – The Basics.

Read Part 2 – Disclosures, Communication and Storage.

 

This last article in our three part series on HIPAA Privacy and Security is going to focus on the Security Rule and how it relates to a typical midwife workflow. As we said in our article on The Basics of the HIPAA Rules, most of the safeguards midwives need to take are based on common sense and professional practice standards. Most HIPAA blunders occur when we start using electronic tools like email for health care and communication, which most of our typical young and tech-savvy clients seem to embrace.

HIPAA Security Rule defined:

“The rule establishes national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.” Health Information Privacy, US Dept. Health and Human Services.

 

Paper Charting? You still might have ePHI to keep secure

Even if you are charting on paper, if you keep any amount of PHI (protected health information, or any information that could identify a client) in an electronic format, like files or email on your computer or contacts in your phone, the HIPAA requirements for protection of that information fall under the Security Rule. The Rule outlines specific safeguards that everyone needs to take in their practice, whether large or small, to ensure the security of your client’s PHI.

 

Number 1 HIPAA Security Breach: Theft of Your Laptop

I recently attended a workshop on HIPAA privacy and security issues, held at the HIMSS11 conference, by Adam Greene, JD, MPH, senior health IT and privacy specialist with the Office for Civil Rights at the Department of Health and Human Services. As a representative of the government entity charged with processing complaints regarding HIPAA breach incidents and enforcement, Greene presented some interesting data about common HIPAA mistakes. Over 65% of HIPAA Security breaches are due to theft or loss of a laptop or other computer.

 

The best way to avoid having your laptop stolen is to NEVER leave it in your car. For homebirth midwives who often need to drive around with their birth bags at the ready, keep your laptop and your charts (whether paper or electronic) with you or in your office under lock and key. Since the penalties for not ensuring this simple safeguard range from a $100 minimum to a $50,000 maximum per incident, it certainly pays to be cautious with PHI.

 

Securing Devices in your Home or Office

Now that you are making sure that you are keeping your valuable electronic devices secure from theft or loss, you should also consider the HIPAA guidelines created by the Center for Medicaid Services on Security for the Small Provider. The following is a quick summary of the areas that are most relevant to a midwife workflow. Some of the guidelines are required [R] and some are addressable [A], which means that you aren’t required to implement the standard unless you have the “reasonable and appropriate” means to do it. Reasonable and appropriate are terms that are intended to allow you to take into consideration things like the size of your practice, capabilities of your existing systems, and the cost of implementing new ones.

 

Secret Passwords [R]

The best way to restrict access to PHI on your computer or portable device is through a unique password or other authentication process to access your email, files, and contacts. This is done on a computer or laptop by setting up a user account. On a cellphone there is generally only one account and you just need to set up a password that is required in order to do anything but answer incoming calls. These unique passwords also add a layer of security if these devices are lost or stolen because the entire device would need to be wiped clean in order for someone to use it again if they don’t know your password.

 

Automatic Shutoff [A]

This is a feature that you probably already have on your computer. It is what makes your computer go to sleep or turn itself off after a specified amount of time and then requires a password in order to wake it back up. Many of us turn this feature off on our personal computers because it is cumbersome. However, if you have any PHI stored on your computer, you need to turn it back on. Adam Greene defined “addressable” this way: “if you have the feature available in your system, but choose not to use it, then it would be a violation of the guidelines under HIPAA.”

 

Back up of Data [A]

We’ve all experienced the dreaded hard drive meltdown. Losing your own information to a system failure is bad enough, but what if you had client records stored on a computer that cannot be recovered? While it is a very good practice to keep your electronic files stored on a backup hard drive, those hard drives can also be corrupted, lost, or stolen. Fire and other natural disasters may be unlikely, but they can create a real problem for both electronic and paper file storage. Under HIPAA, and possibly your state licensing laws, you are responsible for ensuring that your clients’ records are readily available. The time frames for availability are usually defined under state law and can range anywhere from 5 to 18 years.

 

The best way to ensure access to backup records is to keep them on the web “cloud”. This may sound counter-intuitive since you can’t see this cloud, but it actually means that you can access your records from any computer with a unique login. So if your computer is damaged or stolen, it doesn’t matter because your PHI data is not stored on it. You just buy a new computer and access your account again with no stress. There are many commercial cloud storage systems available for low cost. Because you are storing ePHI, you need to make sure that the system uses standard security protocols when you are uploading and downloading your data and that the provider keeps your data secure on its servers. Most Electronic Health Record (EHR) and Practice Management Systems can handle this kind of data storage for you as part of the package.

 

Encryption [A]

By its very definition, encryption is hard to understand because it’s all about making your text or data hard for other people to understand unless they have the secret code or authorization to do so. Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (a type of formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (translate) the text and convert it into plain, comprehensible text.

 

If this sounds like a bad spy movie all of a sudden, it’s because electronic espionage is exactly what encryption is designed to protect against. The reality is that most hackers who are looking to get at PHI are looking for big caches of data for resale or identity theft. Simple direct email back and forth between you and your client is not likely to be hacked, but it is the right of your client to refuse to allow any exchange of information that is not encrypted.

 

Because the cost of encryption is so high, especially for paper-based practices that do little ePHI exchange, covered entities are not all required to send all ePHI in an encrypted format. However, if you have any Business Associates (Insurance Biller, EHR or Practice Management Software), they also need to ensure that both the data stored and the data sent on your behalf are encrypted. This is something that is handled by the software vendor, and you should make sure that they are handling your practice data in compliance with HIPAA.

 

Contracts with your Business Associates [R]

HIPAA requires that you “make sure” your Business Associates are handling PHI properly on your behalf by having a Business Associate Contract. Most of us have clicked “Yes, I have read the Terms and Conditions and Privacy Policy” button when we sign up for anything online from a hotel room to a Netflix account. These forms have become so standard that many of us don’t really read them. It is important to understand that you are responsible for the actions taken on your behalf and therefore, I recommend that you read all Terms and Conditions with any vendors you choose to work with in your practice.

 

Disposal [R]

Whether you are transitioning from paper to electronic charting, or just need to toss out mail or other forms that include PHI, you need to address disposal of that information as part of HIPAA security. 21% of security breaches (the second largest HIPAA complaint) happen with improper disposal of paper based PHI.

 

You can’t just toss PHI into the landfill or recycle it. You first need to shred or otherwise alter it to a point where no information is retrievable. The simplest way to incorporate this into your workflow is to buy a quality shredder and shred-as-you-go. Don’t let the paper pile up. Not only is it then vulnerable to loss or theft, but you are just causing a quick task to build up to a burdensome one. That shredded paper can now be recycled or used in your garden as extra mulch!

 

Making Security Part of Your Workflow

We’ve talked a lot in this series about the importance of analyzing your workflow. As I outlined last month in “All midwives have a workflow, what’s yours?”, workflow is “how you do things” in your practice. Ideally, your workflow makes sense and can be articulated to others. If you have a workflow written out or as you take the time to write it out now that you know about it, you can use the opportunity to really look at how you do things in your practice and decide if things might need some tweaking. During the process you can meet two more HIPAA Security Rule requirements.

 

A Risk Analysis [R]

Doing a risk analysis is required of all covered entities. Though the frequency is not specified, if you’ve never done one at all then the frequency is… as soon as possible. The process involves reviewing your workflow and then adding some special thought to the places where you might be at risk of exposing PHI.

 


 

Risk Management Plan [R]

After conducting the risk analysis, you then need to draft a plan that includes the steps you are taking to maximize security in your practice. This is something like your practice guidelines or protocols for routine midwifery care. The plan should include how your practice addresses everything that we have talked about here as well as a “Facility Security Plan”[A], which includes who has keys to the office files and other access to PHI, and a “Sanction Policy”[R] which refers to how you will handle violations of the plan by any of your staff.

 

We never said this was easy, but hopefully this series has made it a little bit clearer how to maintain HIPAA compliance in your practice. While you don’t need new software to be HIPAA compliant, considering options for workflow support that is also helping you to achieve HIPAA compliance is what Private Practice hopes to achieve.

 

Did you miss Part 1 in this series? The Basics – read it now.

Did you miss Part 2 in this series? Disclosures, Communication and Storage – read it now.

 

Disclosure: This article is an attempt to provide information about HIPAA to midwives and related parties who are struggling to understand and integrate HIPAA-compliance. It is meant to support, not supplant, any previous understanding that you may have about HIPAA and should not be considered the first or the last word on HIPAA-compliance.

 
