Experts reveal common technology missteps that are putting practices at risk of HIPAA violations.
A $1.2 million settlement with HHS for failing to erase photocopier hard drives containing electronic protected health information (ePHI). A $50,000 settlement with HHS after a laptop containing unencrypted ePHI is stolen. A $100,000 settlement with HHS after posting surgery and appointment schedules on a publicly accessible Internet calendar. Immeasurable reputation damage after a USB flash drive containing ePHI is lost and patients and the local media are notified.
These are just a few real-world examples of the consequences practices, health systems, and health plans have faced due to technology missteps. If you're not careful, such a breach - and the consequences associated with it - could happen to your practice. Medical practice technology consultant Marion Jenkins estimates that more than 80 percent of practices are using technology that could put them at risk of a HIPAA violation. He attributes that to lack of understanding, lack of skill, poor system setup, and user error.
To ensure your practice is using the right technology, in the right way, we asked Jenkins and other privacy/security experts to weigh in. Here are some of the biggest technology mistakes they said practices make, and some of the technology alternatives and additional security measures they said practices should consider.
So you're working in your EHR or sorting through your practice management system and you decide to copy some data to your local device. Don't do it! This is one of the most common technology errors practices make that could lead to a HIPAA breach, says Jenkins, adding that it often occurs when leadership is using data to compile documents such as patient lists, board reports, and profit-by-patient analyses. "Those are things that typically a very senior person in a practice is doing so they have access to all the data," says Jenkins, who is executive vice president of 3t Systems, a healthcare IT services company in Greenwood Village, Colo. "They'll pull all the data out of the [EHR] into another file, usually it's an Excel spreadsheet, and then they'll work on that or manipulate that, and then they'll keep it for a long time. The problem is they store all that stuff locally."
Storing unencrypted ePHI locally, of course, is not secure. If a device containing the data is stolen, misplaced, or compromised, all of that information is exposed. While such breaches often occur when mobile devices such as laptops are stolen or misplaced, the desktop computers within your practice are a high risk as well if they hold unencrypted patient information. In one of the largest breach reports to date, the theft of four unencrypted desktop computers from a Chicago-area physician group practice may have exposed the personal information of more than four million patients.
While requiring staff and physicians to encrypt ePHI before saving it to local devices will help secure it, Jenkins says such information should never be stored on local devices in the first place. "I'm not aware of a single breach that's occurred inside of a practice management or EHR system - they've all occurred outside," he says.
For that reason, Jenkins recommends practices forgo traditional client-server systems that allow users to store data locally. Instead, practices should implement newer systems using thin clients and/or desktop virtualization that create the user environment on a server farm in a secure data center. That way the data is stored in a secure data center, on servers with redundant hard drives, backed up by data replication systems, and protected by a secure firewall, he says.
As noted, many breaches occur when mobile devices containing unencrypted ePHI are stolen or misplaced. While practices sometimes supply their physicians and staff with mobile tools - such as smartphones, tablets, or laptops - many practices allow physicians and staff to use their personal mobile devices for clinical or business purposes.
Often this is referred to as BYOD (bring your own device), and it makes it even more difficult for practices to mitigate HIPAA risks associated with them, says Chris Apgar, CEO and president of Portland, Ore.-based Apgar and Associates, LLC, a healthcare consulting firm specializing in privacy and security. That's because it's more difficult for practices to control personal mobile device use, and users are more hesitant to implement security safeguards. "People sometimes assume, 'Well, it's mine, I'm never going to lose it and nobody's ever going to steal it,' or, 'It's too complex, I don't want to put that password on it, I don't want to encrypt it because it might slow things down when I have to start it up,'" says Apgar.
For that reason, he says practices must train physicians and staff on appropriate mobile device use, and he recommends requiring them to sign a mobile device use agreement. Visit bit.ly/mobile-agreement for a sample agreement to use in your practice.
Here are some additional precautions practices can take to mitigate HIPAA risks associated with mobile devices:
• Prohibit or wipe. If physicians and staff can access your EHR through their mobile devices, take extra precautions, says James Hook, director of consulting services at The Fox Group, LLC, a healthcare management consulting firm in Upland, Calif. "Most vendors, if they're good, they've written their system such that no information is left on the device after you've logged out of the system," he says. "If you check with the vendor though, and you find out that, well yes, the last note you just composed, it stays on your laptop even after you've left the system where you were logged in, then you have to figure out a way to encrypt it."
• Encrypt. Ensure that all mobile devices used for work-related purposes are password protected and encrypted.
• Manage. Consider implementing mobile device management software, says Apgar, noting that this is most practical for large practices. "It allows you to control the information on the phone or the tablet and say, '… Here's the personal stuff over here, but everything that's business related or clinic related is cordoned off in its own sector, and it's encrypted, protected, and then also when that person leaves [the practice], you can remotely wipe that section of the mobile device," he says.
In addition to storing unencrypted ePHI in the wrong places, another common mistake made at practices occurs when physicians and staff e-mail such information (or attachments including it) to their personal e-mail addresses. "Doctors are notorious for using ISP e-mail like Hotmail or Gmail and those are specifically noncompliant," says Jenkins. "... You should not e-mail documents to yourself. You should use a secure [virtual private network] or virtualized desktop environment to keep the data on the server and on the protected storage."
Other problematic e-mail scenarios include unencrypted e-mailing with patients, unencrypted e-mailing with other physicians, and unencrypted e-mailing with outside vendors, such as transcriptionists or billers, when e-mails or e-mail attachments contain ePHI.
For that reason, Hook recommends practices use secure encrypted e-mail applications rather than traditional e-mail. Even better, he says, communicate with patients via a secure patient portal. "[Patients] can read a message from you, they can look at their lab results, they can look at their appointments and so on, but they are doing it from a secure environment - and the same thing in reverse," says Hook. "Once they are in the portal they can send messages to the practice or request appointments or any of those things in a secure environment."
A great alternative to physician-to-physician e-mailing for practices is an EHR, says Hook, adding that a growing number include provider-to-provider transmission capabilities. "If you want to send information to another physician, let's say a specialist you are referring a patient to, then you can use the capability of your EHR system to transmit that information," he says.
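The two habits described above, keeping spreadsheet exports of the EHR on local drives and e-mailing documents to a personal webmail account, are both things a practice can check for rather than just forbid. The following script is an added example written for this page; it is not code from the article or from any vendor mentioned in it, and it uses only the Python standard library. It walks a folder for plain-text exports that carry ePHI indicators, and it screens an outbound message before it leaves: an S/MIME-encrypted message passes untouched, while an unencrypted message that carries identifiers or an opaque attachment and is addressed to a consumer webmail domain is flagged. The identifier patterns, the webmail domains beyond the Gmail and Hotmail named by Jenkins, and every sample file and message are constructed for the example.

```python
"""Added example: find ePHI indicators in local exports and outbound e-mail.

Stdlib only. The patterns are heuristics (assumption); a real DLP control
would use the practice's own MRN format and be tuned for false positives.
"""
import email
import re
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

# The article names Gmail and Hotmail; the other domains are assumed.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
TEXT_EXTENSIONS = {".csv", ".tsv", ".txt"}

# Constructed indicator patterns: SSN, a generic MRN label, a labelled DOB.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
}


def find_phi_indicators(text):
    """Return {indicator: match count} for every pattern that hits in text."""
    return {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items() if p.search(text)}


def scan_directory(root):
    """Report plain-text exports under root that carry ePHI indicators.

    .xlsx files are zip containers, so real exports need a spreadsheet
    parser (e.g. openpyxl); this stdlib version reads only text formats.
    """
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_EXTENSIONS:
            hits = find_phi_indicators(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def check_outbound_mail(raw):
    """Return policy violations for one outbound message; [] means it may go."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "application/pkcs7-mime":
        return []  # S/MIME enveloped data: body is encrypted, nothing to inspect
    addrs = [a.addr_spec for field in ("To", "Cc", "Bcc")
             for hdr in msg.get_all(field, []) for a in hdr.addresses]
    personal = [a for a in addrs if a.rpartition("@")[2].lower() in PERSONAL_MAIL_DOMAINS]
    text, opaque = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text.append(part.get_content())
        elif part.get_filename():
            opaque.append(part.get_filename())  # binary attachment we cannot read
    hits = find_phi_indicators("\n".join(text))
    violations = []
    if hits:
        violations.append("unencrypted body carries ePHI indicators: " + ", ".join(sorted(hits)))
    for name in opaque:
        violations.append(f"attachment {name!r} not inspectable; send via portal or encrypted mail")
    if (hits or opaque) and personal:
        violations.append("ePHI addressed to consumer webmail: " + ", ".join(personal))
    return violations


def demo_scan():
    """Constructed local exports of the kind the article says leaders keep."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "board_report.csv").write_text(
            "name,mrn,ssn,visit\n"
            "Pat Example,MRN 1000421,123-45-6789,2013-12-02\n"
            "Sam Example,MRN 1000587,987-65-4321,2013-12-03\n")
        (root / "notes.txt").write_text("Staff meeting moved to Thursday.\n")
        (root / "reports" / "profit_by_patient.tsv").write_text(
            "Pat Example\tDOB: 03/09/1955\t$420\n")
        return scan_directory(root)


def demo_mail():
    """Three constructed outbound messages: a patient list mailed to a Gmail
    account, an S/MIME-encrypted note to a biller, and a clean office note."""
    to_self = EmailMessage()
    to_self["From"] = "md@practice.example"
    to_self["To"] = "Dr. Jones <dr.jones@gmail.com>"
    to_self["Subject"] = "patient list for tonight"
    to_self.set_content("Working on this at home.\nMRN: 0099123  DOB: 02/14/1960\n")
    to_self.add_attachment(b"PK\x03\x04 (constructed xlsx bytes)", maintype="application",
                           subtype="vnd.ms-excel", filename="patients.xlsx")
    encrypted = EmailMessage()
    encrypted["From"] = "md@practice.example"
    encrypted["To"] = "claims@biller.example"
    encrypted.set_content(b"\x30\x82 (constructed CMS bytes)", maintype="application",
                          subtype="pkcs7-mime", params={"smime-type": "enveloped-data"},
                          filename="smime.p7m")
    clean = EmailMessage()
    clean["From"] = "md@practice.example"
    clean["To"] = "office@practice.example"
    clean.set_content("Lunch at noon?\n")
    return {name: check_outbound_mail(bytes(m))
            for name, m in (("to_self", to_self), ("encrypted", encrypted), ("clean", clean))}


if __name__ == "__main__":
    print(demo_scan())
    print(demo_mail())
```

Run it as a script and the directory scan reports board_report.csv and reports/profit_by_patient.tsv while notes.txt stays silent; the Gmail-bound message collects three violations, the encrypted and clean messages none. The patterns are deliberately coarse, so tune them to the practice's own identifiers before pointing the scan at real workstations.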
These tiny devices are packed with potential HIPAA problems. If they are used to store and transport unencrypted ePHI, obvious risks include being misplaced or stolen. But there's another big risk practices should be aware of, says attorney Susan Miller, a consultant at Health Transactions, Inc., a technology and compliance consulting company.
"You could bring malicious software on a thumb drive into the practice and it could invade your e-mail system, it could invade your [EHR]," she says, adding that even the owner of the device may be unaware it could harm your practice. "You have no idea what's on a thumb drive that one of your office staff brings in; you have no idea what's on the thumb drive that a patient brings in."
If malicious software is on a thumb drive and it invades your systems, it could damage or destroy ePHI, which could result in all sorts of HIPAA problems, says Miller. For that reason, she says practices should prohibit personal thumb drive use. "If [patients] want some information from you that you're capable of giving them and it's permitted under the rules, or it's a good business practice, then the practice should have a quantity of thumb drives in their own possession and use those." Other portable devices the practice has on hand, such as memory sticks, CDs, or DVDs, are also tools practices can use when patients want to take information home with them.
Machines
Like thumb drives, fax machines, scanners, printers, and photocopiers contain hidden HIPAA risks. Obvious risks associated with these devices include sending a fax containing ePHI to the incorrect fax number, or leaving papers containing protected health information in, on, or near a scanner or copier unattended.
What many practices may be unaware of, however, is that fax machines, scanners, printers, and photocopiers manufactured in the last 12 years or so may contain hard drives. "A hard drive has a copy of every image that's ever been scanned or printed or faxed through that machine," says Jenkins. "[Practices] need to have that hard drive purged of all that data whenever they sell, or get rid of, or upgrade that machine."
If you lease the machine, ensure your rental contract states that when the lease is over you can either keep the hard drive or degauss or otherwise destroy the data it contains, says Miller.
To comply with the HIPAA Security Rule, practices must establish procedures to create and maintain retrievable exact copies of ePHI. In complying with this aspect of the rule, however, many practices are opening themselves up to potential HIPAA breaches. Backup data, which is found in many different forms - including DVDs, USB drives, portable hard drives, and servers - is stored in a "lot of funny places," says Apgar. Often, he says, these storage locations are not secure. "I've seen [backup data] sitting by servers or on servers, I've seen it sitting in an unlocked office or unlocked room in the back of an office building or their clinic, I've seen it everywhere."
Practices also face HIPAA risks when transporting backup data, such as backup tapes, to a secure facility, says Jenkins. "There have been quite a few breaches involving backup tapes transported from a practice to a storage center or stolen out of somebody's car."
To ensure backup data is secure, small practices might consider storing it in a fireproof safe, says Apgar. Even better: Move it to the cloud. "Cloud technology is such that there are some good vendors out there that can be used for back up," he says. "You can even set it up to do an automated backup for you so it's continuously doing a backup."
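The two failure modes above, a backup left in an unlocked room or a tape stolen from a car, are survivable only if the copy is unreadable without a key that is kept somewhere else, and the Security Rule wording quoted above ("retrievable exact copies") also means a backup nobody has ever restored is not really a backup. The script below is an added example written for this page, not code from the article or from any backup vendor. It tars a folder, records a SHA-256 hash per file, encrypts the archive with AES-256-GCM with the hash manifest bound in as associated data, and on restore refuses anything that fails authentication or that does not hash back to the recorded value. It needs the third-party cryptography package; the key is a plain variable here, which is an assumption, and in practice it belongs in a key store or password manager that does not travel with the media. The sample files are constructed.

```python
"""Added example: encrypt a backup set before it leaves the building and
verify on restore that every file is an exact copy of what was backed up.

Requires the third-party `cryptography` package (assumption). The key is a
local variable only for the demo; keep the real one away from the media.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard AES-GCM size; never reuse with one key


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(src, key):
    """Tar every file under src, hash each one, encrypt the tar.

    Returns (blob, manifest). The manifest (relative path -> SHA-256) is the
    GCM associated data, so an attacker who swaps files in the archive or
    edits the manifest fails authentication on restore.
    """
    manifest = {}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            manifest[rel] = _sha256(path.read_bytes())
            tar.add(str(path), arcname=rel)
    aad = json.dumps(manifest, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    blob = nonce + AESGCM(key).encrypt(nonce, buf.getvalue(), aad)
    return blob, manifest


def restore_backup(blob, manifest, key, dest):
    """Decrypt and unpack into dest; True only if every file is an exact copy."""
    aad = json.dumps(manifest, sort_keys=True).encode()
    try:
        tar_bytes = AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)
    except InvalidTag:
        return False  # wrong key, damaged media, or altered ciphertext/manifest
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            # Only regular files listed in the manifest are ours; this also
            # keeps any unexpected path out of dest without using extractall.
            if not member.isfile() or member.name not in manifest:
                return False
            data = tar.extractfile(member).read()
            target = dest / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            restored[member.name] = _sha256(data)
    return restored == manifest


def demo():
    """Constructed practice data: a good restore, a flipped byte, a wrong key."""
    key = AESGCM.generate_key(bit_length=256)
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ehr_export")
        (src / "2013").mkdir(parents=True)
        (src / "schedule.csv").write_bytes(b"date,patient\n2014-01-06,Pat Example\n")
        (src / "2013" / "claims.txt").write_bytes(b"claim 1001 paid\n")
        blob, manifest = make_backup(src, key)
        good = restore_backup(blob, manifest, key, Path(tmp, "restore_good"))
        damaged = bytearray(blob)
        damaged[NONCE_LEN + 5] ^= 0x01  # one bit flipped past the nonce
        tampered = restore_backup(bytes(damaged), manifest, key, Path(tmp, "restore_bad"))
        other_key = AESGCM.generate_key(bit_length=256)
        wrong_key = restore_backup(blob, manifest, other_key, Path(tmp, "restore_wk"))
        return {
            "good": good,
            "tampered": tampered,
            "wrong_key": wrong_key,
            "leaks_plaintext": b"Pat Example" in blob,
            "files": sorted(manifest),
        }


if __name__ == "__main__":
    print(demo())
```

The demo prints a good restore as True and both the damaged tape and the wrong key as False, and the patient name never appears in the encrypted blob. Whatever product a practice actually uses, the same two questions apply: is the copy encrypted with a key that does not sit next to it, and has someone restored it and compared the result to the original.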
While specific technologies are prone to getting practices in trouble with HIPAA (often because of the way staff and physicians use that technology), the way technology systems are set up can also raise HIPAA risks. If technology is set up poorly, it's more likely staff and physicians will use it in a noncompliant or risk-inducing way, says Jenkins.
"Most of the workarounds, most of the bad user behavior is because systems are so cumbersome and hard to use," he says. For example, physicians and staff might save ePHI to local drives if it takes too long for them to access the EHR; or they might fail to log out of the EHR when it's not in use because it takes them too long to log back into the system. "You can't tell a provider in a memo, 'You can't do it this way,' if that [way] interferes with their practice," says Jenkins. "You need to set up a system so that the HIPAA-compliant way is actually the fast way."
Assess your risk
Your practice may be setting itself up for a HIPAA breach and not even know it. One way to determine what's putting your practice at risk: conducting a risk analysis. "It's a proactive approach to security," says Chris Apgar, CEO and president of Portland, Ore.-based Apgar and Associates, LLC, a healthcare consulting firm specializing in privacy and security. "You're taking a look at what do I have ... what can harm me, [and] what are the security controls I have in place to protect myself."
Still need some convincing that a risk analysis is worth your time? It's required of practices under the HIPAA Security Rule. Visit bit.ly/risk-analysis for guidance on how to get started.
If your practice is not using the right technology in the right way, it could be setting itself up for a HIPAA violation. Make sure your physicians and staff are not:
• Storing ePHI on local devices
• Failing to encrypt and password protect mobile devices
• E-mailing unencrypted ePHI
• Using personal or patient-provided thumb drives
• Discarding fax machines, scanners, printers, or copiers without purging or destroying their hard drives
• Failing to back up ePHI securely
Aubrey Westgate is an associate editor for Physicians Practice.
This article originally appeared in the January 2014 issue of Physicians Practice.