F-Tag 164 Privacy & Confidentiality for messaging
On June 2nd, 2014, it was reported that the first deficiency in the long-term care market for an unsecured text message had been issued. North Carolina's Division of Health Services Regulation (Survey & Certification) sent a notice to all facilities about a recent survey citation centered on F-tag 164, Patient Privacy.
As CEO of Mediprocity, I’ve found over the years that many in healthcare do not see the need for secure messaging, or do not believe an infraction will ever be handed out over text messaging. Others adopt a "do not text" policy, which is hardly a policy at all under the weight of the $10 million in fines handed out in the second quarter of 2014. If you look at all the fines in Q2 2014, the underlying theme is that the organizations did not have a policy and procedure in place. And perhaps more importantly, a “no text” policy isn’t a solution for your staff, who still need a way to communicate.
As pointed out in the very informative article by Rod Baird, "LTC Compliance Alert - Text Messages and PHI Do Not Mix! Is There a Solution?", the state of North Carolina has made its position very clear: if an LTC facility is found without a policy in place and/or using unsecured text messaging, an F-164 deficiency will be issued.
Another area of concern is civil monetary penalties (CMPs), which are fines attached to federal tags. And if F-164 is now being recognized and enforced in North Carolina, how long until other states follow suit?
If your facility has not yet set up a policy and procedure to protect your communication, improve your workflow, and retain and transfer resident records properly, you are at risk.
Secure PHI using Mediprocity HIPAA compliant solution
Looking at negligence in the healthcare workplace, a recent case decided by the Connecticut Supreme Court, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (2014) (the "Byrne case"), sheds a bright light on the consequences of a breach.
The court held that a negligence action arising from a health care provider's breach of a patient's privacy is not preempted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This reversed the earlier trial court decision, which had found "Mr. Byrne's state law claims for negligence and negligent infliction of emotional distress preempted by HIPAA."
This case turns on very specific issues and would not apply as a blanket rule to all healthcare covered entities or business associates. But what it does show is that one of the highest courts in a state agreed that the plaintiff suffered harm from the breach. Even though the physician office took steps to inform the patient and comply with HIPAA, it still had a breach, and those steps did not protect the entity from the lawsuit.
In the end, all covered entities and business associates should be aggressive in their approach to protected health information (PHI). They are simply the stewards of this information and do not own it. Many in the healthcare space have for years felt some sort of authority over these records; however, that authority lies only with the patient.
- If you are communicating patient information with other healthcare professionals using electronic devices you must encrypt.
- If you are sharing patient information documents with other healthcare professionals you must encrypt.
- Never share a patient's medical record without notifying the patient of the third-party request and getting the patient's approval.
Conduct Your Risk Analysis to avoid consequences
After reading an article by one of the top HIPAA enforcers, Jocelyn Samuels, it was clear that keeping your head buried in the sand when it comes to securing electronic protected health information (ePHI) is basically like playing Russian roulette. When the head of OCR, the office that enforces the HIPAA rules and regulations, sits down and gives you a clear explanation of what you should be doing, she is essentially sending a last friendly warning before federal regulators ramp up their enforcement activities and compliance audits.
The message is very clear: "You must conduct a comprehensive and timely risk assessment, or face the consequences."
Taking the time to hire a third party to come in and educate you on what a proper risk analysis entails is not a time-consuming matter. Going through that assessment step by step and identifying which threats and vulnerabilities need to be addressed is, again, not a time-consuming matter. However, failing to plug those gaps and fix those areas of weakness, and then facing an audit or a fine, is not only time-consuming but will cost you.
Jocelyn Samuels, director of the Department of Health and Human Services' Office for Civil Rights (OCR), gave specific highlights at the 2014 annual HIPAA conference sponsored by OCR and the National Institute of Standards and Technology.
"We continue to see a lack of comprehensive and enterprisewide risk analysis and risk management that leads to major breaches and other compliance problems," Samuels said. "That is why enforcement is a critical part of our arsenal of tools to ensure compliance. Resolution agreements that include a monetary settlement are only a small fraction of complaint and compliance reviews we undertake. These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously."
When the OCR investigates a breach, Samuels said, "we not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by ... timely risk management practices is the cornerstone of any good compliance program."
Samuels also emphasized the importance of training the workforce to identify and respond appropriately to security incidents. That, she said, helps to "ensure that entities take the necessary steps to address and prevent future incidents and to mitigate harm to affected individuals."
From a secure messaging standpoint: if your analysis has found gaps where staff use their smartphones to text PHI to other staff and/or medical professionals, and your only response is "we have a do-not-text policy," you will most likely get nailed.
You first need to have located and identified mobile devices as a vulnerability in your analysis, and then you need to find a system that allows your staff to communicate while remaining compliant. And you need to train your staff on it.
Keep in mind that you need to do this across the board for your organization, because if you are hit with a random audit, investigators will look in all sorts of areas, and you cannot be certain what they will find when they begin to dig.
Being proactive, showing that you did your full analysis, identified the areas that could lead to a potential breach, and put fixes in place, will shine a positive light on your organization when those investigators begin to dig. If you simply crossed your arms and said "we are good enough, our policy of don't do it is sufficient," you open yourself up to a world of gray area to defend.
Here is a key point:
And it's not necessarily the breach itself that will bring a potential financial penalty from OCR; it's what investigators find when they dig into the incident, she pointed out. "Did you have systems and a plan and tools in place to reduce risk? Did you do an assessment to mitigate risks?"
In response to an audience question about how frequently organizations should perform a comprehensive risk analysis, Sanches said assessments should be conducted "when there are changes in the environment ... new records management, new devices."
This should speak volumes to your organization. When it comes to securing your text messaging, the time is now, not later, to put Mediprocity to work for your organization's communication needs.