Breaches - American Association of Orthodontists: HIPAA Omnibus Final Rule, You Can Be Successful!



Page 1

3/2/2014

Complying with the HIPAA Omnibus Final Rule

You Can Be Successful!

Breaches

• Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over 4 million patients.

• A St. Louis orthodontist office was burglarized and company computers were taken with the data for over 10,000 patients.

• A physician practice at the University of Texas Health Science Center at Houston discovers a laptop has been stolen containing data for nearly 600 patients.


Important Definitions

• HHS – Health and Human Services

• OCR – Office for Civil Rights – Oversees and enforces the Privacy and Security rules

• CE – Covered Entity – Healthcare provider who performs identified transactions electronically. For example, billing electronically for services provided.

• PHI – Protected health information

• ePHI – Protected health information stored electronically

• BA – Business Associate – Performs duties for the CE using patient health or financial information provided by the CE. Updated rules include sub-contractors.

• HITECH – Health Information Technology for Economic and Clinical Health

Protected Health Information Includes

• Health information whether oral or recorded in any form or medium

• Names

• All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code

• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death

• Fax numbers

• Electronic mail addresses

• Social Security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images; and

• Any other unique identifying number, characteristic, or code

HIPAA

• HIPAA, or the Health Insurance Portability and Accountability Act, sets standards for the protection and sharing of individually identifiable health information, often referred to as protected health information.

o Privacy Rule establishes guidance on how health care providers must protect patient information and outlines certain patient rights.

o Security Rule identifies safeguards needed to protect health information stored in an electronic format.

PRIVACY

Use of Protected Health Information and Patient Rights

Page 2

Use or Release Information

• For treatment, payment and healthcare operations after providing a Notice of Privacy Practices.

• To the individual or legal representative.

• To friends and family with informal approval or for emergencies.
  o May ask the patient for permission to discuss healthcare if accompanied by another person during the exam.

• As authorized by the patient.

• Based on professional judgment of the healthcare provider which is in the best interest of the patient.

Friends and Family

• Relevant information may be shared with family members or friends involved in the patient’s care or payment for the patient’s health care, if the patient has provided permission, or if they do not object to sharing of the information.

• If the patient is not present or unable to give permission, a health care provider may share or discuss health information with family, friends, or others involved in the care or payment of care if the provider believes, in his or her professional judgment, that it is in the patient’s best interest.

• Information should not be shared which is not pertinent to the involvement/situation.


True or False

1. Healthcare providers may give prescription drugs, medical supplies, x-rays, and other healthcare items to a family member, friend, or other person the patient sends to pick them up.

2. The doctor may discuss the drugs the patient needs to take with a health aide who came to the appointment.

3. In the patient’s absence or if they cannot provide permission, a healthcare provider may share relevant information IF, based on professional judgment, sharing the information is in the patient’s best interest.

4. The doctor may discuss a patient’s drugs with their caregiver who calls with a question about the right dosage.

Answers: 1. True, 2. True, 3. True, 4. True

Security

Protection of Information Stored or Transmitted Electronically

ePHI – Think Broader Than Your Computer

• Laptops, office PCs, servers

• Smartphones

• Thumb or flash drives

• Back up devices

• CD/DVD

• Equipment such as fax or copiers

• ePHI during transmission
  o Email
  o Healthcare providers
  o Personal health records

ARRA Mandated Changes to HIPAA

• American Recovery and Reinvestment Act (ARRA).

• Health Information Technology for Economic and Clinical Health Act, or the HITECH Act.

• Signed into law on February 17, 2009.

• Final regulations to update the Privacy Rules, outline the process for breach identification and notification, and provide further definition of business associates were published January 25, 2013.
  o Effective date – March 26, 2013
  o Compliance date – September 23, 2013

Page 3

Notice of Privacy Practices (NPP)

• Statement which outlines the types of uses and disclosures which will require authorization.
  o Release of psychotherapy notes – Does not have to be included if you do not record or maintain this information.
  o Disclosures for marketing purposes.
  o Disclosures for any purposes which require the sale of PHI.

• Statement that other uses and disclosures will not be made without written authorization.

• Notice of updated rights:
  o Right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the health care item or service.
  o Will receive notification in the event of a breach scenario.

• Notice of fundraising communications and the opportunity to opt out.
  o Not required to include the opt-out process.

NPP – Direct Care Providers

• Direct care providers are not required to print and hand out a revised NPP to all individuals seeking treatment.

• Providers must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them.

• Providers are only required to give a copy of the NPP to, and obtain a good-faith acknowledgment of receipt from, new patients.

• Don’t forget to update the NPP on the company website.

Business Associate Relationships

Business Associate

• Create, receive, maintain, or transmit protected health information on behalf of a covered entity.

• Rule has been updated to include the following:
  o A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information.
  o A person who offers a personal health record to one or more individuals on behalf of a covered entity.

• Entity must obtain satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information.

Business Associate Subcontractors

• Create, receive, maintain, or transmit protected health information on behalf of a business associate.

• Business associate must obtain satisfactory assurances in the form of a contract or other arrangement that the subcontractor will appropriately safeguard the information.

• Subject to the same liabilities and responsibilities.
  o Security Rule compliance
  o Use and disclosure only as outlined in the written contract

• CE has NO responsibility to enter into an agreement with subcontractors.

Page 4

NOT Considered BAs

• Couriers.

• Janitorial services.

• Banking and financial institutions with respect to payment and processing activities.
  o Check cashing.
  o Fund transfer.

• Dental labs – provide a service for a patient and do not bill electronically for the service.

• Provide the minimum necessary amount of information.

Business Associate Agreement

• Written contract required by law.
  o Existing BAA may stay in place until September 23, 2014.
  o If updated or modified between now and September 23, 2013, it must meet published standards.

• Minimum necessary applies to BA for use/disclosure.

• Updated contracts to include:

o Establish required uses and disclosures.

o Provision to comply with the security rule with respect to ePHI.

o Provision the BA must comply with the elements of the Privacy Rule which apply to the CE.

o Breach reporting requirements.

Other Clarifications

• When information is provided to another health care provider concerning the treatment of an individual, the receiving provider is not considered a business associate.

• Entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.

• Even if a contract is not in place, the rules apply if the actions meet the definition of a BA.

BREACH

What is a Breach?

• The unauthorized acquisition, access, use, or disclosure of PHI not permitted under the privacy rule, which compromises the security or privacy of such information.

• An acquisition, access, use, or disclosure of protected health information in a manner not permitted under the privacy rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.

• Compliance date September 23, 2013.

Breach Exclusions

• Worker who has the authority to access information accidentally accesses the record of a patient in whose care they are not involved.

• Worker who has the authority to access information inadvertently shares the information with another worker who is not involved in the care of the patient.

• Information is shared with an individual/entity who is not authorized but the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Page 5

Risk Analysis Must Be Completed

1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.

2) The unauthorized person who used the protected health information or to whom the disclosure was made.

3) Whether the protected health information was actually acquired or viewed.

4) The extent to which the risk to the protected health information has been mitigated.

Breach Notification

• Patients must be notified without reasonable delay and no later than 60 days after the discovery of the breach.

• Breaches involving 500 or more individuals:
  o Notify prominent media outlets serving the State or jurisdiction, along with the notification sent to the individual.
  o Notify the Secretary of HHS concurrently with the notification sent to the individual.

• Breaches involving fewer than 500 individuals:
  o Maintain a log or other documentation of the breaches and report no later than 60 days after the end of each calendar year in which the breach was discovered.
  o Provide the notification as listed on the HHS website.

Reporting Breach Information

http://1.usa.gov/WjyhJS

Breach Notification and Business Associates

• Must provide notice to the covered entity (CE) without reasonable delay and no later than 60 days from the discovery of a breach.

• MUST address timing of reporting either known breaches or suspect situations in the BA contract.

• It is the CE’s ultimate responsibility to report the breach to impacted individuals.
  o Reporting of the incident may be delegated by contract to the BA.
  o Does not lessen the responsibility of the CE.
  o Both parties should NOT report.

What Does This Mean?

• All events must be documented; this includes exclusion events and why they are determined to meet the definition.

• CE and BA have the burden of proof:
  o To demonstrate that all breach notifications were provided.
  o To demonstrate that an impermissible use or disclosure did not constitute a breach, such as by showing through a risk assessment that there was a low probability that the protected health information had been compromised.

• Must maintain documentation sufficient to meet that burden of proof.

• CRITICAL QUESTION: How will BAs communicate potential breach scenarios?

Patient Notification Process

• Written notice to affected individuals, provided by first class mail, or by electronic mail if specified as the preferred method by the individual.
  o May be provided in one or MORE mailings as information becomes available.
  o Phone notice is allowed in an urgent situation, but must be followed by written notice.

• Substitute notice to affected individuals must be provided if contact information is insufficient or out-of-date. This may be provided via email.

• If contact information is insufficient for 10 or more individuals, the notice must be a conspicuous posting on the home page of the covered entity’s Web site for 90 days or notice in major print or broadcast media in the geographic areas where the affected individuals likely reside.
  o A toll-free number must be included where individuals can learn whether their information was included in the breach.
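One way to turn the notification timing rules above (60 days from discovery for individuals, the 500-individual threshold for media and HHS notice, the annual log for smaller breaches, and substitute notice when 10 or more contacts are unreachable) into concrete deadlines for a single incident. This is an added example, not part of the original presentation: it encodes only the numbers on the slides, and the function names, the `NotificationPlan` fields and the two sample incidents are assumptions constructed for the example. The annual-log deadline is computed from December 31 of the discovery year, and the 90-day home-page posting is the substitute-notice option modelled here.

```python
"""Breach-notification planner built from the Omnibus Rule timing
thresholds on the slides. Added example, not part of the original
presentation; function and field names are constructed for it."""
from dataclasses import asdict, dataclass
from datetime import date, timedelta
from typing import Dict

INDIVIDUAL_NOTICE_DAYS = 60       # individual notice: no later than 60 days after discovery
LARGE_BREACH_THRESHOLD = 500      # 500 or more individuals: media and HHS are notified now
ANNUAL_LOG_REPORT_DAYS = 60       # fewer than 500: report within 60 days after year end
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10 or more unreachable: web posting or media notice
WEB_POSTING_DAYS = 90             # length of the conspicuous home-page posting


@dataclass
class NotificationPlan:
    individual_notice_by: date          # deadline for first-class mail / e-mail notice
    media_notice_required: bool         # prominent media outlets, with the individual notice
    hhs_notice_by: date                 # Secretary of HHS: concurrently, or via the annual log
    substitute_notice_required: bool    # some contact information insufficient or out of date
    web_posting_days: int               # 90 when 10+ contacts are unreachable, else 0
    toll_free_number_required: bool     # accompanies the posting / media substitute notice


def plan_notifications(discovered: date, affected: int,
                       unreachable: int = 0) -> NotificationPlan:
    """Compute who must be notified of a presumed breach and by when."""
    if affected < 1:
        raise ValueError("a breach affects at least one individual")
    if not 0 <= unreachable <= affected:
        raise ValueError("unreachable count must be between 0 and affected")

    individual_by = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    if affected >= LARGE_BREACH_THRESHOLD:
        # Media outlets and the Secretary of HHS are told concurrently
        # with the individual notice.
        media_required = True
        hhs_by = individual_by
    else:
        # Smaller breaches are logged and reported no later than 60 days
        # after the end of the calendar year in which they were discovered.
        media_required = False
        hhs_by = date(discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_REPORT_DAYS)

    substitute_required = unreachable > 0
    posting_days = 0
    toll_free = False
    if unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        # Conspicuous home-page posting for 90 days (or major print or
        # broadcast media) with a toll-free number; the posting option is modelled.
        posting_days = WEB_POSTING_DAYS
        toll_free = True

    return NotificationPlan(individual_by, media_required, hhs_by,
                            substitute_required, posting_days, toll_free)


def plan_summary(discovered_iso: str, affected: int, unreachable: int = 0) -> Dict[str, object]:
    """Same plan with ISO-8601 date strings, convenient for a log entry or ticket."""
    plan = plan_notifications(date.fromisoformat(discovered_iso), affected, unreachable)
    summary = asdict(plan)
    summary["individual_notice_by"] = plan.individual_notice_by.isoformat()
    summary["hhs_notice_by"] = plan.hhs_notice_by.isoformat()
    return summary


if __name__ == "__main__":
    # Constructed incidents: a lost backup drive and a large computer theft.
    print("small:", plan_summary("2013-10-01", affected=120, unreachable=12))
    print("large:", plan_summary("2014-01-15", affected=2200))
```

The plan is only the calendar side of the process; the risk assessment that decides whether the event is a breach at all, and the documentation that carries the burden of proof, still have to be done and kept alongside it.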

Page 6

Patient Notification to Include

• Brief description of what happened.

• Description of the types of unsecured PHI that were involved in the breach (name, Social Security Number, etc.).

• Steps individuals should take to protect themselves from potential harm.

• Brief description of what the covered entity is doing to investigate the breach, mitigate damage, and protect against further breaches.

• Contact information at the covered entity for questions by patients.

• Must make a decision on credit monitoring services.

And Now… The Rest of the Story

Access to PHI

• Must provide a copy of their PHI, if maintained in an electronic format, in the electronic form and format the patient requests if possible.
  o If not readily producible, must offer in at least one readable electronic format.
  o Not required to purchase software or hardware to comply, but the entity MUST be able to produce the information in at least one readable electronic copy.
  o If requested, must transmit the copy to a third party.
  o If sent via unencrypted email, must advise of the risk.

• Must supply within 30 days, with one 30-day extension allowed.

Health Information of Deceased Individuals

• The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual.

• During the 50-year period of protection, the Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals but does include a number of special disclosure provisions relevant to deceased individuals.

Release of Decedent Information

• To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (§164.512(f)(4)).

• To coroners or medical examiners and funeral directors (§164.512(g)).

• For research that is solely on the protected health information of decedents (§164.512(i)(1)(iii)).

• To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.

• To a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity.

Marketing

• Making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

• If financial remuneration (direct or indirect payment from or on behalf of a third party whose product or service is being described) occurs, prior authorization must be obtained.
  o Direct or indirect payment does not include any payment for treatment of an individual.

• Marketing does not include a communication made:
  (i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.

Page 7

Marketing

(ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:

o For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;

o To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or

Sale of PHI

• Prohibited without patient permission except in the following circumstances:

o Public health activities

o Research

o Sale, transfer, merger or consolidation with another Covered Entity

o Paying a BA under BAA

o Providing copies of information to a patient or personal representative

Restriction Request

• Must agree to the requested restriction of sending PHI to a health plan for the purpose of payment or healthcare operations, unless the disclosure is otherwise required by law, if the restriction applies to information that pertains solely to a health care item or service which has been paid out of pocket in full.

• Payment may be by another family member, other persons, even secondary insurance.

• Does not require creation of a “separate” medical file, but there must be some sort of flag to denote protection of this information.

Restriction Request

• If filing of a claim is required by law, then the law takes precedence.

• From HHS: “We clarify that the responsibility to notify downstream providers of a restriction request in this situation also remains with the individual, and not the provider. However, we do encourage providers to assist individuals as feasible in alerting downstream providers.”

• For follow-up appointments, if a restriction is not requested the claim may be filed, which may include release of the restricted information to justify medical necessity.
  o Providers are again encouraged to advise patients about this scenario.

HHS Guidance – Disclosure to Law Enforcement

• With the individual’s signed HIPAA authorization.

• Without the individual’s signed HIPAA authorization in certain incidents, including:
  o To report PHI to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
  o To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.
  o To alert law enforcement to the death of the individual when there is a suspicion that death resulted from criminal conduct.
  o When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity.
  o To report PHI to law enforcement when required by law to do so (such as reporting gunshots or stab wounds).

Willful Neglect

• Fines now range from $100 - $1.5 million

• If the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation.

• If it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation.

• Penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.

• Secretary of HHS has waiver authority.

Page 8

How Much of a Fine and Investigations

• Nature and extent of the violation.

• Number of individuals impacted.

• Nature and extent of harm, including reputational harm.

• Indications of non-compliance – Broadly includes past issues around compliance.

• Investigations:
  o Indications of willful neglect will result by law in an investigation.
  o Civil money penalties will NOT be imposed if the violation is corrected within 30 days from when the entity is aware of the violation UNLESS due to willful neglect.

OCR Enforcement Example

• The Hospice of North Idaho (HONI) has agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.

• First settlement involving a breach of unsecured ePHI affecting fewer than 500 individuals.

• An unencrypted laptop computer containing the ePHI of 441 patients had been stolen in June 2010. OCR discovered that:
  o HONI had not conducted a risk analysis to safeguard ePHI.
  o HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.

Leon Rodriguez

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

“Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

OCR Enforcement

• $1.2 million settlement – A managed care company impermissibly disclosed PHI by failing to erase the hard drives when returning multiple leased copiers.

• A mental health center did not provide a notice of privacy practices (NPP) to a father or his minor daughter, a patient at the center, at their first encounter.

• A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room. Also computer screens displaying patient information were easily visible to patients.


$150,000 – Ouch!

• Dermatology practice investigated by the Office for Civil Rights (OCR) after it received a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members.

• Investigation revealed:
  o No risk analysis performed related to potential risks to the confidentiality of ePHI as part of its security management process.

o No written policies or training of workforce in place to comply with the Breach Notification Rule.

• First settlement with Health and Human Services related to policies for breach notification.


Tips to Protect Information

Page 9

How to Begin

To keep information secure in your environment, you must first understand all of the places it is stored:

• Written communication

• Electronic files

• Business equipment

• Fax machines, copiers/printers, equipment

• Computers, servers, portable hard drives

• Thumb drives, flash drives, smart phones

• Any transmission of protected health information

• And don’t forget verbal communication

Training

• Baseline training for all new employees
  o Train specific job functions on targeted areas of need

• Priority to train employees regarding breach
  o Definition

• Protection strategies
  o Minimum necessary
  o Logins/passwords
  o Computer protections – physical security
  o Social media
  o Acceptable information sharing sites
  o Remote access

What Can Others See or Hear?

Be mindful of hallway conversations which may be overheard.

Know what you can discuss with whom in patient care areas when others are brought back into the exam area.

What information is viewable on your computer screen?

Are the appointments for the day posted?

Is patient information in the regular trash?

When PHI is printed out, double check whose information it is before it is given to a patient (common problem!).

Report anything unusual which could indicate improper use, access, or disclosure of protected health information.

Safeguarding ePHI

• Access information with personal login and password.

o Passwords must not be shared!

• Log off or lock computer when moving away from work area.

• Be mindful of the physical security of devices containing ePHI, especially mobile devices (laptops, smart phones).

• Only open email/attachments from reliable sources.

• Access only approved internet sites.

• Patient information should not be mentioned on personal social media accounts.

• Data encryption – back-up devices, phones, servers, computers.

Encryption

• Must follow National Institute of Standards and Technology guidelines.

• Dependent on:
  o Strength of the encryption algorithm
  o Security of the decryption key or process
  o Keys that might enable decryption have not been breached

• Items to consider:
  o Portable devices – laptops, thumb/flash drives, smart phones
  o Devices in your office – computers in practice, copiers, scanners, fax
  o Server – need to weigh risk
  o Information being transmitted
  o Media being transported
  o Business Associate data

Email

• Email containing PHI must be sent in a secure manner.

o This includes emailing information for referral purposes.

o Emailing between employees within the practice is acceptable if the email system is secure.

• Means of protection include:

o Patient portal.

o Encryption.

• At the patient’s request, PHI may be sent unsecured if you have informed the patient of the risk.

o Request should be in writing using the Authorization for Release - Compound Release form.
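A pre-send check that ties the Email rules here to the PHI identifier list earlier in the deck: it scans an outgoing message for several of the listed identifier kinds (Social Security numbers, e-mail addresses, dates, phone or fax numbers, IP addresses, URLs, medical record numbers) and reports whether the message has to go through the portal or be encrypted. This is an added example, not part of the original presentation or of any practice's mail system: the regular expressions, the `MRN`-prefixed record-number format, and the three sample messages are assumptions constructed for the example, and the patient's written request for unsecured e-mail is represented by a flag.

```python
"""Pre-send PHI check for outbound e-mail. Added example, not part of the
original presentation: the patterns cover several of the identifier
categories the slides list as protected health information, and the MRN
format, names and sample messages are constructed for the example."""
import re
from typing import Dict, List

# One pattern per identifier category from the slides' PHI list. They are
# deliberately broad: a false positive costs a trip through the portal,
# a false negative is an unsecured disclosure.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "social_security_number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone_or_fax": re.compile(r"(?<!\w)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Constructed record-number format: the letters MRN then 6 to 8 digits.
    "medical_record_number": re.compile(r"\bMRN[- ]?\d{6,8}\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Map each identifier category found in the text to its matches."""
    found: Dict[str, List[str]] = {}
    for category, pattern in PHI_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def must_send_securely(text: str, patient_requested_unsecured: bool = False) -> bool:
    """True when the message has to go through the patient portal or be
    encrypted. The slides allow unsecured e-mail only when the patient has
    asked for it in writing after being told of the risk; that written
    request is represented by the flag."""
    return bool(find_identifiers(text)) and not patient_requested_unsecured


# Constructed messages for the example.
REFERRAL = ("Referring Jane Doe, DOB 04/12/1998, MRN 00123456, for evaluation. "
            "Call (555) 123-4567 with questions.")
BILLING = "Patient SSN 123-45-6789; statement sent to jdoe@example.com on 2014-03-02."
STAFF_NOTE = "Reminder: the staff meeting has moved to the break room at 3 pm."


if __name__ == "__main__":
    for label, body in (("referral", REFERRAL), ("billing", BILLING), ("staff", STAFF_NOTE)):
        verdict = "secure channel required" if must_send_securely(body) else "plain e-mail ok"
        print(f"{label}: {verdict} {find_identifiers(body)}")
```

Pattern matching catches the identifiers that have a recognisable shape; names, diagnoses and free-text clinical detail do not, so the check is a safety net behind staff training and the portal, not a substitute for them.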

Page 10

Risk Analysis and Audits

• Risk Analysis required by the Security Rule

• Audits
  o Logons outside usual business hours
  o Remote access report
  o File update or change reports
  o Review of daily activity
  o Review of employees logged in
  o Record access
  o Logon when person is out of office
  o Change report
  o Exceptional access or print
  o VIP record access
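Four of the audit reports listed above (logons outside usual business hours, logon when the person is out of the office, exceptional printing, VIP record access) implemented as checks over an access log, so the daily review starts from findings rather than raw lines. This is an added example, not part of the original presentation or of any EHR product: the pipe-separated log format, the user names, the business hours, the leave calendar, the VIP list and the print threshold are assumptions constructed for the example, and a real practice would read those from its own practice-management or EHR audit trail.

```python
"""Audit-report checks from the slides' list (logons outside business
hours, logon while the user is out of the office, VIP record access,
exceptional printing) run over a constructed EHR access log. Added
example, not part of the original presentation; the log format, names,
hours, leave calendar and VIP list are assumptions."""
from collections import Counter
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

Entry = Tuple[datetime, str, str, str]   # (timestamp, user, action, target)

# Constructed audit-trail lines: timestamp | user | action | target
SAMPLE_LOG = """
2014-02-24 08:05:12 | jsmith | LOGON       | workstation-03
2014-02-24 09:10:44 | jsmith | VIEW_RECORD | MRN-000123
2014-02-24 22:47:03 | bjones | LOGON       | remote-vpn
2014-02-24 22:49:30 | bjones | VIEW_RECORD | MRN-000777
2014-02-25 10:15:00 | tlee   | LOGON       | workstation-01
2014-02-25 10:16:21 | tlee   | PRINT       | MRN-000201
2014-02-25 10:16:40 | tlee   | PRINT       | MRN-000202
2014-02-25 10:17:02 | tlee   | PRINT       | MRN-000203
2014-02-25 10:17:25 | tlee   | PRINT       | MRN-000204
"""

BUSINESS_HOURS = (time(7, 30), time(18, 0))               # constructed practice hours
VIP_RECORDS: Set[str] = {"MRN-000777"}                    # records that always get review
ON_LEAVE: Dict[str, Set[str]] = {"tlee": {"2014-02-25"}}  # user -> days out of the office
PRINT_THRESHOLD = 3                                       # prints per user per day before a flag


def parse_log(text: str) -> List[Entry]:
    """Parse the pipe-separated audit lines; blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, target = (field.strip() for field in line.split("|"))
        entries.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), user, action, target))
    return entries


def after_hours_logons(entries: List[Entry]) -> List[Tuple[str, datetime]]:
    """Logons whose time of day falls outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return [(user, ts) for ts, user, action, _ in entries
            if action == "LOGON" and not start <= ts.time() <= end]


def logons_while_out(entries: List[Entry],
                     leave: Dict[str, Set[str]] = ON_LEAVE) -> List[Tuple[str, datetime]]:
    """Logons on a day the user is recorded as out of the office, which
    points to a shared or stolen credential."""
    return [(user, ts) for ts, user, action, _ in entries
            if action == "LOGON" and ts.strftime("%Y-%m-%d") in leave.get(user, set())]


def vip_record_access(entries: List[Entry],
                      vip: Set[str] = VIP_RECORDS) -> List[Tuple[str, str, datetime]]:
    """Every view or print of a record on the VIP list."""
    return [(user, target, ts) for ts, user, action, target in entries
            if action in ("VIEW_RECORD", "PRINT") and target in vip]


def exceptional_printing(entries: List[Entry],
                         threshold: int = PRINT_THRESHOLD) -> Dict[Tuple[str, str], int]:
    """(user, day) pairs whose print count exceeds the threshold."""
    counts = Counter((user, ts.strftime("%Y-%m-%d"))
                     for ts, user, action, _ in entries if action == "PRINT")
    return {key: n for key, n in counts.items() if n > threshold}


def run_audit(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Run every check and collect the findings for the daily review."""
    entries = parse_log(text)
    return {
        "after_hours_logons": after_hours_logons(entries),
        "logons_while_out": logons_while_out(entries),
        "vip_record_access": vip_record_access(entries),
        "exceptional_printing": exceptional_printing(entries),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings}")
```

Each finding is a lead for the reviewer, not a conclusion: an after-hours VPN logon may be an on-call clinician, but a logon on a day the user is on leave, followed by a VIP record view, is exactly the pattern the risk analysis and the daily review exist to catch.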

Checklist to Success

• Ensure an updated NPP is being distributed.

• Review list of BAs and status of BAA.

• Review current policies/procedures to ensure the updated standards are reflected.

• Review current Risk Analysis and address areas of vulnerabilities.

o Mobile devices

o Copy machines, scanners, fax machines

o Encryption

• TRAIN, TRAIN, TRAIN


Thank you!

Karen Gregory, RN
Director of Compliance and Education
www.totalmedicalcompliance.com
Karen@totalmedicalcompliance.com
888.862.6742

Page 11

BREACH/ INCIDENT INVESTIGATION REPORT

Report Date ____________________ Incident Date ____________________

Practice Name _________________________________________________________________

Practice Address _______________________________________________________________

Description of the incident - Describe the incident/use/disclosure with information relevant to how it happened, how it was detected, individuals involved, how it was reported, etc.

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

Record elements of the investigation – Reports reviewed, people talked to, etc.

__________________________________________________________________

_________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

Risk Analysis – Answer the following questions to determine status of the incident (Breach or inappropriate use/disclosure).

1. Nature of the event?

Types of PHI involved* – Include the amount and type of clinical information released and the nature of the service (e.g., mental health, infectious disease).

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

*Risk increases when credit card or Social Security information is released, because of the potential for identity theft.


2. Who is the unauthorized person/entity on the receiving end?

Record who the information was released to or accessed by. Was the recipient another CE or BA covered by HIPAA or other privacy rules or an unknown recipient?

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

3. Was the information actually viewed or simply exposed to a potential breach?

Provide detail on how it was determined which event occurred; for instance, an audit trail documents whether the information in question was accessed, a mailing was returned unopened, or forensic evidence shows the data on a computer was never accessed.

_________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

4. To what extent was the risk mitigated? Mark all that apply.

Quick response to the event

Information returned

Signed confidentiality agreement and PHI being destroyed

Additional supporting comments below:

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________


Was the access, use or disclosure ruled a Breach or not? – Describe why the decision was made. The Burden of Proof is on the practice.

Determined not to be a breach for the following reason:

Data encrypted

Meets one of the following exceptions allowed by the Privacy Rule

o Unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate. Information is not further used or disclosed in a manner not permitted under the privacy rule.

o Inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement. Information is not further used or disclosed in a manner not permitted under the privacy rule.

o Unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Signed confidentiality agreement and PHI being destroyed

Other reason/Additional details:

__________________________________________________________________

__________________________________________________________________

Determined to be a breach for the following reason:

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

For BREACH

Date Patients Notified: ___________________________________________________________

Date HHS Notified: _____________________________________________________________

Date prominent media outlet informed (list media outlet): _______________________________

For breaches affecting 500 or more individuals, HHS MUST be notified at the same time patients are notified (without unreasonable delay and no later than 60 days after discovery). When the breach affects more than 500 residents of a State or jurisdiction, prominent media outlets serving that area must also be notified within the same time frame.

NOTE: Attach all supporting documentation, including a copy of the patient communication.

For Inappropriate Disclosure

Date Accounting of Disclosures entries made in the client record: _________________________


Corrective action taken or planned to prevent any reoccurrence - Include in this description procedural or system changes made, policies written or changed, sanctions of workforce members, employee training, etc.

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

The report was prepared by _________________________________________________

___________________________________ _________________________
Preparer Signature                  Date

_________________________________________________ ____________________________________
Privacy Officer Signature                         Date


HIPAA Compliance Checklist

Check items which are implemented in your site. For all unchecked items, determine the actions necessary to address outstanding issues.

Administrative Safeguards

  Do you have an assigned Privacy and Security officer? Can employees identify the person if asked? 

  Do you have written policies on how patient information will be protected? 

  Is there a business associate agreement on file for all business associates? 

  Is access to patient information assigned based on job function? 

  Is there a written Contingency Plan clearly listing actions to take to resume/restore functions in order to provide patient care? 

  Are new patients provided a copy of your Notice of Privacy Practices (NPP)? 

  Is your NPP posted in a prominent area in your practice? On your website? 

  Have employees been trained on processes to protect patient information which is in written, electronic, and verbal format? On the definition of BREACH? 

  Is there a clearly defined process for deletion of access to patient information/access to the building for terminated employees? 

Technical Safeguards 

  Has your practice completed a Risk Analysis of the electronic environment to identify any vulnerability which may put patient information at risk? 

  Is there a comprehensive inventory of electronic devices which store or allow access to patient information? Includes computers, servers, back-up devices, thumb drives, printers/copiers, fax machines, patient equipment.

  Does each user having access to protected health information have an individual user name and password? 

  If utilizing Wi‐Fi for patient access when in the facility, is it separate from the practice network? 

  Are safeguards in place for any information sharing sites (Dropbox)? Is there a BAA in place for the site?  

  Is encryption utilized to protect patient information which is being stored? 

  Are mobile devices (laptops, smart phones, thumb drives) with PHI encrypted for protection against a breach if lost or stolen? 

  Have you restored data from back‐up devices to ensure the backup is not corrupted? 

  If emailing patient information, is a secure method of email being utilized?

  Is there a strong working relationship with an IT company who is in compliance with the HIPAA regulations? 

Physical Safeguards 

  What physical security measures are in place to protect patient information? Alarm, deadbolt locks, limited access to areas of the practice which house patient information by non‐employed staff. 

  How is patient information protected after hours? Hard copies of records secured? Placed out of sight? 

  Are visitors accompanied when in areas housing/utilizing patient information?