Here at Systeem, we consider ourselves lucky to have built a network of incredible experts over the years. Because we would never be so selfish as to keep them to ourselves, today we’re sharing an interview with one of our close friends, Larry Neiswender.
Larry is the Founder and Managing Partner at Protect EHR, where he provides HIPAA-required Security Risk Assessments (SRA), documented Policies and Procedures, and employee training for medical practices. Not only is Larry recognized for his working knowledge of HIPAA, but he also has an extensive background in Meaningful Use and technology, making him uniquely positioned to talk with us today about HIPAA, security, and technology.
We’ll get right to it. Check out our interview with Larry below.
Can you give us a quick summary of HIPAA?
HIPAA is a set of rules that started in 1996, and the primary reason was to protect our confidential, personal information in relation to working with doctors and medical facilities.
In today’s world of Electronic Health Records (EHR), and other technologies, what does a practice need to be aware of to keep Personal Health Information (PHI) safe online?
There are certain very basic things that any medical facility can do to protect patient information. The first thing to realize is that information goes two ways. You’re going to take information in and transmit it out, to a hospital, another provider, a business associate or to an internet based EHR company.
Because so much of our industry today is technology based, one of the most important things to do is to protect that initial point where your internet first comes into the office with a properly set up firewall, because that gateway goes both ways. Your internet service provider (ISP) will bring in a device and they’ll tell you: “Don’t worry about it, this serves as a router and a firewall”. Nothing could be further from the truth in a medical office – not in today’s environment.
Secondly, you need to use an anti-virus program. It’s important to have a good quality program, not just something free you find on the Internet, and a company like Systeem can advise you about the right program to use based on your particular office.
Finally, you need to document every policy and procedure you’re going to have related to protecting patient data. It’s essential to write custom policies and procedures, specific to your practice. Avoid using policy and procedure templates that you can find online; they’ll often have information that doesn’t pertain to your organization. Once you’ve created this document, train your employees based on your policies and procedures.
What are the most common mistakes practices make?
The biggest and most common mistake is believing that “this” won’t happen to us – it only happens to everybody else. That includes the belief that “we’re too small”, “nobody will have anything to do with us”, and the belief that “my EMR is now cloud based, so it’s the vendor’s responsibility”. This is especially true when talking about cyber-crimes against practices.
I teach every practice a similar lesson. I always share a blank screen, and I tell the participants: “This is your practice. That’s the way you look to a cybercriminal. Until they get on the inside, they don’t know who you are, how big you are, or whether you have something worth stealing. But once they’re on the inside, it's too late”.
In 2016 The Department of Health and Human Services (HHS) finally declared a ransomware attack to be a HIPAA violation. One of the less understood but significant parts of that was the use of the word: control.
Before 2016 if they stole your data or it could be proven that they had viewed, touched, exfiltrated, or done something with your data, that would be a breach. Now, if they get into your computer and lock you up to the point that you can’t access your data, you have basically lost control. HHS said, if unauthorized individuals take possession or control of your data, it's a reportable breach.
Some practices still use paper-based records. They haven't gone to an EHR yet. But they’ll use a computer-based scheduling program to allow people to book their own appointments. So, they're still creating, maintaining, receiving, and transmitting patient information, which means they still have to have a Security Risk Analysis done, because the burden of privacy is on your practice’s shoulders.
If a laptop is stolen that has data stored on it, is that considered a breach?
That’s a great question because it can go two ways.
First, if the patient data is only password protected, then yes, it is a breach. HHS and the Office for Civil Rights will tell you that they only recognize two forms of protecting patient data – total destruction and encryption. There are multiple cases where patient data has been lost and the practice fined because the data was only password protected.
The second option is with the data properly encrypted. Have you ever heard of the Safe Harbor Rule? It requires that a practice make a reasonable attempt to protect data. So, if you had encrypted that laptop, and have proof, it would not be a breach because you attempted to mitigate an unauthorized release of confidential patient information.
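The Safe Harbor point above turns on being able to show, after a device is lost, that the data on it was encrypted rather than merely behind a login password. The script below is an added example (not from the interview or from Protect EHR) of one way to collect that evidence on a Linux laptop: it reads `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`, walks each mounted filesystem down through its parent devices, and reports whether a dm-crypt (LUKS) layer sits underneath. It assumes dm-crypt is the full-disk encryption in use; the `lsblk` text it ships with is a constructed sample, so it runs offline.

```python
"""Encryption-at-rest evidence check over lsblk output (added example).

Assumption (not from the interview): a Linux host whose full-disk encryption
is dm-crypt/LUKS, so an encrypted volume appears in `lsblk` with TYPE="crypt"
somewhere beneath the mounted filesystem.
"""
import hashlib
import json
import re
import socket
import subprocess
from datetime import datetime, timezone

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output:
# / and /home are LVM volumes on top of a LUKS container (cryptroot), while
# /boot and a second data disk mounted at /srv/phi are plain partitions.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/srv/phi" PKNAME="sdb"
"""

_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` key="value" lines into {device name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        fields = dict(_PAIR.findall(line))
        if "NAME" in fields:
            devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """True if the device or any ancestor (followed via PKNAME) is a crypt layer."""
    seen = set()  # guards against a malformed, cyclic parent chain
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name].get("TYPE") == "crypt":
            return True
        name = devices[name].get("PKNAME", "")
    return False


def encryption_report(text):
    """Map every mounted filesystem to whether it sits on an encrypted device."""
    devices = parse_lsblk_pairs(text)
    return {
        dev["MOUNTPOINT"]: is_encrypted(devices, name)
        for name, dev in devices.items()
        if dev.get("MOUNTPOINT")
    }


def unencrypted_mounts(report, ignore=("/boot",)):
    """Mountpoints holding data without encryption; /boot is ignored by default."""
    return sorted(m for m, enc in report.items() if not enc and m not in ignore)


def evidence_record(text):
    """Timestamped summary, bound to a hash of the raw lsblk output, for the SRA file."""
    report = encryption_report(text)
    return {
        "host": socket.gethostname(),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "lsblk_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "mounts": report,
        "unencrypted": unencrypted_mounts(report),
    }


if __name__ == "__main__":
    try:  # live check on this host; falls back to the constructed sample
        out = subprocess.run(
            ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_LSBLK
    print(json.dumps(evidence_record(out), indent=2))
```

On the sample, `/` and `/home` come back encrypted and `/srv/phi` is flagged, which is exactly the case the interview warns about: a second data volume that was never put inside the encrypted container. The JSON record is the kind of dated artifact to keep with the practice's policies and procedures, since a report produced after the loss is not proof of the device's state before it.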
What’s the number one cause of HIPAA security breaches?
Employees. Without question. And in the vast majority of cases, it’s without malicious intent, but here’s the thing: employees have no liability. So as long as they have no liability, what’s at stake for them? But just so you know, part of that is also because the practices don’t take seriously how important the training aspect is. It’s the business’ responsibility to ensure privacy of data, and training your employees goes a long way to help ensure the protection of PHI.
The truth is, there are multiple parties that are responsible for the protection of PHI. The practice itself, and any vendors they exchange data with - including technology companies. That’s why these little safeguards are so important. You start off with the firewall, antivirus, and if you’re going to keep data locally, that data is expected to be encrypted at rest and in transmission.
Once those things are in place, it falls to the staff to do the rest. That’s why training is so important.
I hope practices realize that IT companies like Systeem are not out to sell, sell, sell. IT companies bear responsibility for helping to protect data for the clients that they work with. The problem is, unlike Systeem, most IT companies have no concept of the kinds of liabilities that medical practices operate under daily, and so they don’t even attempt to advise the practice on what is truly needed.