Locking the box

In the 12 years since HIPAA first went into effect, this much has become clear: Many in the senior living industry still do not understand what the law requires or how it should influence daily operations.

Some have overstepped the intent of the regulations. Others still think they’re not included under the rules, which were designed, ultimately, to guide the flow of health information, secure an increasingly digitized healthcare system and protect patients’ and residents’ privacy.

For those who aren’t paying enough attention to the details, ethical and legal violations are a real possibility.

“A lot of healthcare organizations have done a great job of scratching the surface, but they’re not looking closely enough at the parts that can bite you,” says Candace LaRochelle, HIPAA privacy officer for eHealth Data Solutions, which provides clinical assessment, risk management and billing services to clients.

Although HIPAA’s components are clear about requiring protections, they leave the details of implementation to covered entities such as nursing homes and continuing care communities. That wiggle room, experts say, creates problems for facilities without the resources or knowledge to make technical decisions.

With the regulation’s latest revisions focusing on protecting information shared with business associates, new vulnerabilities have been revealed. 

“Privacy officers with skills and knowledge know to be checking up on vendors or have input into contracts,” says Michelle Dougherty, senior director of research and development for the American Health Information Management Association Foundation. “The concern is when we move to the organizations that don’t have that infrastructure.”

Kitty Williams, research and development director for The Compliance Store, says small, independent communities are more prone to making mistakes because they lack IT support, are crunched for time and might not understand HIPAA’s nuances.

It’s one thing to appoint a privacy official; it’s another to make sure that employee gets routine education and has the power to invest in technology and practices that provide security suited to a particular community’s physical location, as well as its use of business partners, electronic devices, wireless technology and off-site servers.

“Nothing ever ceases to amaze me, the things we still get questions on,” says Angela Rose, director, health information management practice excellence at AHIMA. “We have to continue to teach and educate and develop programs that continuously engage and energize employees.”

Bad practices

The good news is that the rollout of additional regulations — HIPAA debuted in 1996, got an update in 2009, and most recently expanded under the 2013 HITECH Omnibus rule — has created an entire industry designed to build good safety nets.

John DiMaggio, CEO of BlueOrange Compliance, has been working on privacy and security in pharmacies, skilled nursing settings and continuing care communities since 2012.

As part of a HIPAA review, his representatives conduct site visits and penetration testing to get a full picture of written, security-related policies and procedures; the technical working environment; the location and security of workstations and access to secure areas; and organizational information such as vendor agreements and documentation management.

“We’ve seen it all,” says DiMaggio. “Shared username and passwords. Simple, non-expiring passwords. No firewall.”

He adds that providers often have policies or training that is too limited in scope, fail to update antivirus software or don’t appoint a HIPAA security officer as mandated. Lack of encryption is a significant problem in this era of BYOD (Bring Your Own Device).

LaRochelle is a fan of third-party risk assessments because they provide non-biased information that creates targets for improvements. If leadership can’t be sold on annual reviews, she suggests at least building a checklist to standardize contracts with vendors so that everyone is working together to protect identifiable information.

A checklist approved by a lawyer is a start; a better bet is to check with someone with up-to-date and thorough knowledge of healthcare IT who speaks the right language. For example, Cheryl Field, MSN, RN, points to the concept of remote data storage. Having an RN/privacy officer with limited technical training review a contract with a business associate providing cloud-based storage for electronic medical records could be problematic.

“How does he know that it’s encrypted, encrypted at rest?” asks Field, vice president of healthcare and privacy officer for PointRight analytics. “He can’t see info in the cloud. They’re sort of at the mercy of the person doing the marketing.”

LaRochelle says small companies can get “taken advantage of because of the fear” associated with compliance or breach penalties.

In fact, many made drastic assumptions about the regulations when they were first passed in 1996. But HIPAA doesn’t require senior living settings to do away with sign-in logs at spas, stop calling patients by name in communal areas or remove their names from doorways.

Such incidental disclosures are specifically provided for within the regulations — provided they are limited in nature. Besides, placing over-the-top limits on privacy dampens the home-like environment providers are working so hard to cultivate.

“We’ve seen gun-shy caregivers unnecessarily withhold information for fear they would violate HIPAA, which could be solved with good training,” says DiMaggio.

Questions about HIPAA’s reach can often be answered by healthcare IT groups; AHIMA, for example, offers extensive HIPAA guidance on its website at www.ahima.org/topics/psc and at its annual conference.

And many companies offer online and group workshops tailored for IT staff, practitioners, even housekeeping.

“Everyone in the organization should be trained,” says Debbie Newsholme, senior director of content operations at HCCS. “Everyone has the potential to cause a breach or to access information they don’t need.”

Unwittingly wrong

Maria D. Moen, vice president of care innovation for VorroHealth, says she’s had well-meaning customers ask for generic log-ins, to allow archiving on personal devices, or to permit non-designated family members to access records. Once she explains that those actions undermine HIPAA standards, operators usually find alternative solutions.

“Senior living communities tend to be particularly sensitive to privacy and security issues with the aging population they care for,” says Moen.

Still, employees can cross lines unwittingly, whether it’s a medication aide sharing resident information in front of housekeeping staff, an activity director posting images on social media or an executive director opting for wireless Internet that offers only consumer-grade protections.

That last one is a major concern for Ginna Baik, business development executive with CDW Healthcare.

“There are unsecured networks within these 63,000 communities (across the country), and we don’t even know what’s getting hacked — no one’s tracking it,” says Baik. “We don’t know what we don’t know.”

If a visiting doctor logs on to a guest network, are his notes adequately protected? How sure are you that your 85-year-old residents won’t have their information stolen while using your system to shop Amazon?

Though senior living care has, as an industry, generally managed to avoid major HIPAA-related breaches so far, security experts predict the time is coming.

“It’s not ‘if.’ It’s ‘when,’” says HCCS’s Newsholme.

The fifth annual study by the Medical Identity Fraud Alliance found the number of patients affected by medical identity theft increased nearly 22% in the last year. It noted that 65% of victims surveyed paid more than $13,000 in resolution costs.

Sadik Al-Abdulla, director of security solutions for CDW, agrees with that assessment. He calls an attack on a senior living network “inevitable.”

“You have these cyber criminals going after bigger targets with larger piles of information. But as those places become more secure, they’re going to look for new targets,” he says. 

Nobody immune

And nearly everyone is at risk.

Al-Abdulla’s teams perform several types of security testing. Though none is designed to test HIPAA compliance specifically, they reveal privacy and security weaknesses.

During penetration tests, his IT professionals “always” gain access to protected systems. And he says data-loss prevention assessments reveal, 100% of the time, information in places his clients say it shouldn’t be (for instance, in an unencrypted spreadsheet). In about 80% of reviews intended to unearth existing breaches, CDW has found malware or other hostile programs that were operating unbeknownst to clients.

When the big breach finally hits long-term care, the best defense against huge penalties from the Office of Civil Rights might be proof of due diligence.