The start of a new year is a good time to take stock of HIPAA compliance. Providers can learn lessons from 2019 so they are prepared for 2020. In the past year, for example, the US Office for Civil Rights (OCR) announced it would crack down on healthcare providers who are deficient in providing health information to patients.
Under HIPAA, OCR expects providers to give patients records they request in a timely manner, at a reasonable cost, and in the format patients prefer. Although providers have 30 days to provide requested information or offer a written response to patients with reasons why there might be a delay, this time requirement is longer than providers should take, said Chris Apgar, president and CEO of Apgar &Associates, based in Tigard, Oregon. “The 30 days should be an outlier,” he said. “They [OCR] really expect providers to give the information to patients sooner.”
A study by Deven C. McGraw, JD, and colleagues at Ciitizen Corporation found that more than 50% of healthcare providers do not comply with HIPAA right of access. The study appears as a preprint on medRxiv, which publishes manuscripts that have not been peer reviewed.
Another challenge with right of access is what providers charge patients for compiling records. According to HIPAA, providers either need to have a specific way to calculate the cost or charge $6.50 per request. HIPAA supersedes any state law giving providers the right to charge more than that unless state law caps the amount that can be charged is less than permitted by HIPAA. In that case state law would supersede HIPAA.
Tom Walsh, founder and managing partner of tw-Security, a health care privacy and information security firm in Overland Park, Kansas, said 2019 was a “banner year” for hacking incidents, the most common being phishing. “Users click on stuff, and no matter how many times we tell them not to, they are still going to do it,” he said.
Phishing is a relatively low-tech, simple way to get into a system. Once there, hackers can access a wealth of information. This is particularly true in large healthcare organizations where providers frequently use the same password for different systems. Getting one set of credentials may allow a hacker into email, payroll, and human resource accounts.
Phishing is a risk in any industry. Healthcare has lagged behind other industries in setting up mock attacks to train their workforce. The idea is to get people to click on a phishing link and then provide feedback letting them know they were tricked and what to look for in the future.
“There’s no reason they can’t go to PhishMe or other vendors and run an exercise 2 to 3 times a year,” Apgar said.
Instead of the “same old” annual HIPAA training, he recommends using staff meetings or emails to keep current issues like phishing or social engineering in front of employees.
An issue arising this year may be less threatening to providers, but one they should be aware of nevertheless. Microsoft has announced that it will no longer be providing support for Windows 7 and Windows 2008 as of mid-January.
According to a report by San Jose, California-based Forescout Technologies, Inc., more than half of all healthcare organizations still use Windows 7 on some of their devices – more than any other industry. Though it seems like healthcare has antiquated technology vulnerable to attacks, Walsh said it is not as bad as it sounds. Many of the older systems like Windows 7 are used on biomedical machines like large imaging devices, not laptops or workstations, he said. Also, hackers tend not to target decade-old technology.
“If they are going to spend a lot of time building a new program, do they want to put it in a diminishing system or one that 90% of people are using today?” Walsh asked. “The older systems can be hacked, it’s just not that common.”
Apgar recently performed an audit of a large health plan whose servers and workstations were all at the “end of their life.” They are unable to switch over all at once because of the size and cost. In such situations, providers have a few options: change to new systems, complete a plan that shows when they will do so in case of a breach, or isolate the older devices from the internet so they cannot be hacked.
Apgar also has another cautionary tale for 2020. Providers, he said, should beware of employee snooping. Over the past few years, he has been involved as an expert witness at a handful of trials where employees were caught looking at someone’s records to which they were not supposed to have access.
Typically, an employee sneaks a peek at somebody’s records and tells someone else what they saw. Apgar said it’s likely that someone will complain and people find out. They usually then see that the employee has been looking at a slew of unauthorized records. Healthcare providers may not be fined through HIPAA for this kind of infraction, but lawyers are happy to file lawsuits for clients citing breach of trust or gross negligence.
“They are often settled out of court, but the covered entity is still paying,” he said.
He typically sees this in larger organizations that have protections to keep bad actors out, but do not track what is going on inside the system. An office’s IT vendor is only looking through audit logs if it tells them to in their contracts. Maintaining internal audit logs and not tracking them can be considered willful neglect, Apgar said.