The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced new enforcement actions and settlements for violations of Health Insurance Portability and Accountability Act (HIPAA) rules. These actions provide several key takeaways for healthcare providers, other covered entities, and their business associates such as medical transcription companies. OCR’s announcement came following a healthcare provider’s failure to report a breach of protected health information (PHI) and continued noncompliance with the HIPAA Rules, including failures to conduct thorough, enterprise-wide HIPAA security risk analyses and implement HIPAA Security Rule policies and procedures. Covered entities that don’t conduct a comprehensive HIPAA risk analysis are at risk for penalties for HIPAA violations.
The HIPAA Security Rule defines a risk analysis as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
HSS recommends that, based on the likelihood and impact of potential risks to e-PHI, covered entities should implement appropriate security measure to address those risk areas. The security measures and the reason for adopting those measures should also be documented.
According to OCR’s guidance, a HIPAA risk analysis should include the following nine elements (www.healthitsecurity.com):
- Wide scope of analysis: Organizations should assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI it creates, receives, maintains, or transmits in any form and/or location. Even email, spreadsheets, Word documents, and PowerPoints should be examined for ePHI, noted a legal expert in the Health IT Security article.
- Collect and examine data: Data should be collected to identify where the ePHI is stored, received, and maintained. Data collection can be done by reviewing past and/or existing projects, performing interviews, reviewing documentation, etc.
- Recognize and document potential threats to ePHI: anticipated threats to ePHI and vulnerabilities that can lead to disclosure of ePHI should be identified and documented.
- Security measures: Current security measures used to protect ePHI should be evaluated to ensure that they are configured and used properly. It should be checked whether security measures mandated by the Security Rule are in place.
- Determine the probability of threat occurrence: Organizations should consider the likelihood of possible risks to ePHI and document all threat and vulnerability situations along with likelihood estimates that may affect the confidentiality, availability, and integrity of ePHI.
- Assess the potential impact of threat occurrence: The extent of the potential impact resulting from a threat triggering or exploiting a specific vulnerability that can compromise the integrity of ePHI should be assessed and documented.
- Determine the level of risk: All threat and vulnerability combinations identified during the risk analysis should be assigned risk levels. Corrective actions to be performed to mitigate each risk level should also be documented.
- Finalize documentation: Good risk analysis documentation is crucial to the risks management process.
- Make risk analysis a continuous process: Risk analysis should be periodically reviewed to see if updates are needed. The Security Rule does not specify frequency of performance and this will differ among covered entities.
HIPAA Compliance: Medical Transcription Outsourcing Alert
In 2018, KrebsonSecurity reported on an ePHI breach in a Kansas-based company that provides medical transcription services for hospitals, clinics and private physicians. The breach, purportedly due to a “ransomware infestation”, resulted in leaking of sensitive patient medical records for thousands of physicians, according to the report. Issues reported include exposure of the password-protected portal physicians use to upload audio-recorded notes about their patients for transcription as well as unauthorized access to the numerous online tools intended for use by the employees of the medical transcription company. The site was taken down and rebuilt following this ransomware attack.
In 2015, we reported on predictions about rising incidence of healthcare data breaches. The ever-increasing number of access points to PHI and other sensitive data through electronic medical records (EMRs) and the growing popularity of wearable technology have contributed to making healthcare data a vulnerable target for cyber criminals.
These breaches should serve as a reminder for organizations to closely monitor outsourcing medical transcription services and other functions that involve transferring and maintaining data online. Here are some of the important considerations when choosing a healthcare outsourcing company:
- Ensure that the company is HIPAA compliant
- Has a non-disclosure agreement drawn up with the employees
- Ensures that your data is securely stored
- Employs strong encryption
A reliable HIPAA compliant medical transcription company will be alert to updates in HIPAA compliance and enforcement actions. Such companies undertake periodic risk assessments to protect against breaches and ensure secure handling of sensitive patient data.