The international health insurance division of Bupa Global recently disclosed a data breach that affected approximately 547,000 customers of their international health insurance plans. According to Bupa, names, birth dates, nationalities and some contact information was compromised, but no financial data or medical information was breached. The culprit was an employee who copied and removed customer information.
A nurse aide, lab tech, medical assistant – or any other healthcare employee – is new on the job. They are excited about their new position and decide to take a selfie to memorialize the occasion, then send it off to Facebook, Instagram, Twitter and Snapchat, with the click of a button, in under 20 seconds. What could go wrong?
Today's blog is a guest post by Dorrie J. Seyfried, Vice President of Risk Management Services, IPMG. Dorrie discusses the rising financial and identity theft risks to nursing home residents, when they can amount to abuse, and what you can do about it. If you do run into a theft that involves patient information, remember to analyze it from a HIPAA standpoint, too.
Today's HIPAA blog comes from guest blogger Maggie Hales.
Maggie Hales is a lawyer and CEO of ET&C Group LLC which helps untangle the laws of HIPAA for the healthcare industry. She graduated from Webster University with Honors, and St. Louis University School of Law.
Communicating With Your Patients
MACRA AND MIPS ACCELERATE PATIENT ENGAGEMENT
Health care providers who accept Medicare are adapting to new rules under the Medicare Access and CHIP Reauthorization Act or MACRA. The law is dense and complicated, but essentially, its purpose is to adjust payment measures to reward the delivery of high-quality patient care. The Merit-based Incentive Payment System (MIPS) is a core element of the change from prior rules. The relevance to HIPAA is that a central element of MACRA is an increased focus on patient engagement because when patients are engaged in their own healthcare, outcomes improve.
Effective patient engagement requires regular patient communications. The problem is that communications raise the risk of disclosure of protected health information (PHI). And today, with the use of email and text messaging, the risk is even greater. Ninety-nine percent of patients today use social media and most prefer regular, unencrypted email and texting. Unfortunately, they may not have considered the consequences.
Using unencrypted emails and text messages is like handing a postcard to someone in L.A. who will hand it off to a million people as it travels to N.Y., and each of those million can read it anywhere along the line.
HIPAA CAN HELP WITH EASY TO FOLLOW STEP-BY-STEP RULES
HIPAA provides a 3-step safeguard that helps both providers and patients - providers will stay in compliance and patients are engaged in maintaining privacy of their own PHI.
Simply stated, it includes:
Notice - a duty to warn;
Let the patient decide; and
Document the warning and response in writing.
If a patient says “no” to unencrypted communication, take steps to encrypt and inform your workforce and business associates, and document these steps. A common misunderstanding is that if a patient initiates communication through email, the provider can assume the patient accepts this method. Although this was the HHS policy in 2008, it changed in 2016 when the duty to warn became law.
Read more about encryption options, as well as more of Maggie's blog posts, here.
On June 15th, the HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC) issued an unprecedented warning regarding North Korean cybercriminal activities and their tactics of using Microsoft operating system vulnerabilities. This HHS memo follows a joint DHS (Department of Homeland Security) and FBI alert issued on June 13th warning that a North Korean hacker group called "Hidden Cobra" has launched attacks against global institutions, including media organizations, aerospace and financial industries and critical infrastructure. The separate HHS warning was issued by HCCIC because healthcare organizations and medical devices are cybercriminal targets.
On September 12, 2014, the OCR received a complaint alleging that the Spencer Cox Center disclosed sensitive PHI information including HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse. St. Luke’s-Roosevelt Hospital Center Inc., which operates the Spencer Cox Center, entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations and has paid a $387,200 fine.
A Simple Mistake?
The OCR investigation found that St. Luke’s disclosed PHI of two patients by faxing PHI to the employer of one patient and faxing PHI to an office where the second patient volunteered. The OCR stated that St. Luke’s failed to reasonably safeguard the patients’ PHI from “intentional or unintentional disclosure.”
The OCR’s resolution agreement requires St. Luke’s to:
- Review and if necessary, revise, its policies and procedures concerning the uses and disclosures of PHI including mailing, faxing or other electronic PHI transmission.
- Distribute the policies and procedures to new hires and current employees, and obtain a signed compliance certification from each workforce member.
- Assess, update and revise the policies and procedures at least annually.
- Review and revise training programs pertaining to the safeguarding of PHI.
- Train new and existing employees on PHI safeguards.
- Review training at least annually and when there are updates needed to address changes in Federal law or HHS guidance, or any issues discovered during internal audits or reviews.
- Block PHI access to any employees that has not certified receipt of safeguarding PHI policies and procedures.
This Has Happened Before
In 2010, a St. Louis man filed a lawsuit alleging that Quest wrongfully disclosed his HIV status when it faxed his lab results to his employer. The patient’s doctor wrote the patient’s work fax number on a lab order, so that office staff could fax the order to the patient at work. The patient took the order to Quest, who ran the labs, and faxed the results to the patient at work. Quest mistakenly believed the fax number was written on the order so that Quest would fax the results to the patient’s employer. Six months after the fax was received, the patient was terminated.
The doctor argued that the lab results did not reveal the patient’s HIV status. And, the employer claimed it already knew the patient was HIV positive, and terminated his employment for financial reasons.
Still, Quest had to pay to defend this lawsuit. It is easy to imagine the dire consequences when a fax is misdirected, especially when that fax contains sensitive information.
Could This Happen To You?
The OCR resolution agreement provides a roadmap for all providers to address similar issues. This settlement is one example of how a mistake can lead to a hefty HIPAA fine. Use your HIPAA Security Risk Analysis process, plus HIPAA Walk-Through audits, to identify areas where your employees could be making inadvertent or sloppy mistakes that could jeopardize patient confidentiality.
On April 18, 2017, a woman was arrested in St. Louis, MO and is facing federal charges of health care fraud and identify theft after working as an agency nurse in the intensive care unit and geriatric psych unit at a local hospital for three months. The woman is accused of working as a nurse, despite lacking a nursing license or degree in any state.
The Red Flags
In March 2017, this individual applied for a job with a nurse staffing company in Chicago. As reported in the St. Louis Post-Dispatch, the co-owner of the firm found the following problems with her employment application:
- She failed a basic ICU skills test
- She reported a New Mexico nursing license, but her social security number did not match any nursing license in New Mexico
- The copy of her nursing license looked like it was copied and pasted with incorrect numbers and formatting as well as crooked text
Separate criminal charges have also been filed against the woman in New Mexico, where the authorities claim she was hired as a nursing instructor at the Brown Mackie College School of Nursing in 2015 – despite not having a nursing degree or license.
Don’t Let This Happen to You
How does an individual who is not a licensed nurse get hired as 1) a hospital ICU nurse and 2) a school of nursing instructor? This mistake was easily found by the Chicago staffing company which tried to verify her credentials with the state.
License verification is a necessary procedure for all new hires. This requires independent verification with the state – never rely on documentation provided by applicants or staff. Verification should also occur on a monthly basis. Many state license boards publish monthly lists of professionals whose licensed have been disciplined, suspended or revoked. Someone in the HR or Compliance departments should be reviewing this list to see if any staff or contractors are listed. HR and Compliance should also collaborate to audit these procedures periodically to make sure these simple steps are being completed.
Finally, staffing agencies should be thoroughly addressed. If your company uses temporary or agency staff, be confident that the agency(ies) are properly vetting the individuals they send to work in your organization. You are billing Medicare and Medicaid for their work, and exposing your patients to these individuals, after all. The agency’s duty to screen their staff can be addressed by contract. The provider can – and should – also audit the agency to verify that screening occurs. Finally, it is wise for providers to also conduct screens of agency or temporary staff whenever feasible.
An exclusive interview with Montez Fitzpatrick, Director of Information Security and Compliance for Keystone Technologies.
Over the weekend, the WannaCry ransomware attack was reported widely in the media to have affected more than 200,000 computers in over 150 countries. Despite the breadth of the attack, only $50,000 in bitcoin payments have been made as of Monday morning (5/15/2017). Infected organizations were being asked for payments to decrypt files for $300, rising to $600 after 72 hours.
Ransomware attacks have been on the rise. In an U.S. government interagency report that was released in 2016, there have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the 2015 rate of 1,000 daily reported attacks.
For answers and tips to prevent a WannaCry attack, MPA interviewed Montez Fitzpatrick, the Director of Information Security and Compliance for Keystone Technologies.
WannaCry has been described as ransomware. What is ransomware?
Simply put, ransomware is a malicious application or program. Once ransomware infects the victim's computer, the overarching goal is removing access to files. Those files tend to be documents, pictures, videos and other commonly used file types.
How does a computer or network get “infected?”
Good question, as of right now it is always a computer that becomes infected. We have not seen widespread infections which target network devices. The industry term for how a computer gets infected is called a 'vector.' The most common vector is still through an unsolicited e-mail message.
Sending out these e-mails with the hopes that an individual will click and execute the malicious application is called 'phishing.' Each iteration of phishing attempts are called 'campaigns.' Large campaigns tend to be covered in news-media hype cycles which make it seem that ransomware comes in waves. That is false, ransomware campaigns never stop.
Why is this attack so widespread?
WannaCry variants have some specific worm components, which are very sophisticated, that exploit weaknesses in older protocols on Windows computers. A portion of those sophisticated components were likely part of the National Security Agency's Tailored Access Operations division. Somehow the NSA lost control the source code which makes WannaCry variants possible. The hackers who stole the source code, published it online.
What are the basic steps that should be taken to reduce exposure to the WannaCry attack?
Microsoft issued a patch for supported operating systems back in March. In a somewhat unprecedented move, they issued a patch for Windows XP, Windows 8 and Windows Server 2003 last Friday. It is unprecedented as those operating systems are no longer officially supported.
What can be done to reduce exposure to future ransomware attacks?
It is not so simple. But healthy doses of security awareness, least privilege practices and good backup strategies go a long way. Each person should create their own "personal mental baseline." Be wary of e-mails and attachments from unknown sources. If someone you know sends you an e-mail which is uncharacteristic or atypical of the types of messages this person is known to send; reach out to that person via another channel, such as by phone, to verify the authenticity of that e-mail.
In 2016, the OCR published a Fact Sheet to assist covered entities and business associates in preventing and responding to ransomware attacks.