HIPAA news stories are sometimes so short we need to bundle them together.  Some listeners questions are also addressed today.  So, we have a little bit of everything in this episode.  So stick with us as we go through our HIPAA hodge podge.

HIPAA For MSPs by David Sims HIPAA Hodge Podge
00:00:00 00:00:00

In this episode:

  • Stop using public facing Remote Desktop Protocol for remote access without a VPN.
  • Listener Questions
    • Do BAs report a breach to HHS or does the CE?
    • How can I use cloud storage tools and still meet HIPAA security requirements?
    • What do I do if my provider leaves patient information our for me to see during my own treatment time?
  • Teaching patients how to use a patient portal is a good idea but think it through before trying this one.
  • FAXing breaches in the news
    • FAXing PHI to a news station is really not going to end well.
    • How FAXing PHI to a wrong number could eventually end up in a Federal lawsuit.
  • Behavioral Health PHI and outsourcing services not working out
    • Reporter finds PHI in a dumpster
    • Employees hires an assistant using a Facebook

Shut down open RDP ASAP!!!!!!!

This is a known issue for some time now and attackers keep using this as a way in to get you. Please shut them down and find another way for remote access. Even if you think you have got this covered it really isn’t worth it anymore to assume that you do have it secured. The vulnerabilities in the tool along with so many weak credentials on networks out there, it is just not secure.

Set up a real VPN solution that requires a client connection and then authentication again to get into the network.

Questions from listeners

Reporting breaches to HHS

Brandy asks:

If a business associate (outside billing company) notifies us that a billing statement was sent to the wrong address, do we report that incident with the rest of ours for end of year, or does the BA report their own?

Donna says:

Someone has to notify the patient and report to HHS it doesn’t really matter which one.

Generally, the CE notifies the patient since you are ultimately responsible for that notification but you can have the BA participate as well.

Either of you can report to HHS, though. The reporting wizard asks who the contact entity is in relation to the breach. You have three choices:

  1. Are you a Covered Entity filing on behalf of your organization?
  2. Are you a Business Associate filing on behalf of a Covered Entity?
  3. Are you a Covered Entity filing on behalf of a Business Associate?

You would select option 3 and they would select option 2. So, it doesn’t matter who does it as long as someone does it in a timely manner. Many BAAs now include language about how this will be handled.

Using cloud file sharing apps

Jon asks:

Using a popular cloud-based file sharing app that is billed as “secure”. They have free file sharing (low volume) and fee-based sharing (high volume). Is there any difference in fee based versus free for utilizing the same platform? What are the HIPAA considerations for using this if it’s billed as secure utilizing two factor ID access?

Donna says:

All file sharing apps will tell you they are secure. Obviously, you get what you pay for when it comes to everything. However, when it comes to HIPAA you should not be using ANY file sharing app that doesn’t include a BAA between you and the vendor.

Listen to episode 80 https://helpmewithhipaa.com/hipaa-compliant-cloud-ep-80/ on cloud vendor compliance requirements. There should be no room for splitting hairs any longer on that requirement.

Most of the big services will sign a BAA but only for a paid account and some of them only for the business paid account.

What about a PHI breach during my appointment

David asks

I’m at the doctor, and was left in the room with ePHI and PHI left out in plain sight. I have my cell phone with me (doesn’t everyone?), and could have very easily taken pics of patient PII and PHI. What should I do? Do I tell the clinic? This could have turned into a breach.

Donna says:

Your experience is a common one for people who understand HIPAA. That was indeed a breach. Many people just ignore how big a problem this can be. In that situation, which I have been in before, I would snap a pic from an angle where you can’t read anything. Then, ask to speak to the privacy officer on my way out.

I am always nice about it. I even tell them they can get free training from our podcast. I never try to sell my services, just try to protect my information. If they don’t respond accordingly then I have to find another provider.

Technically, that should be evaluated as a breach for reporting to HHS. They may determine LoProCo based on how you handled it but it should be evaluated.

Providers out there need to start thinking about this too

What would you do if I came to you and told you this story?

More HIPAA Hodge Podge – News Stories

Suggestion to let tech savvy patients teach other patients about using portals and other tech like wearable device uses.

Misdirected FAX problems make it to the newsroom

Newsroom receives surgery center FAXes because of 1 digit difference
– Making a mistake is one thing but 7 different offices did it – WOW
– They didn’t count at first but once they did start they got to 28 before someone could stop it.
– Once all were notified the surgery center changed it’s FAX number
– Nice investigative piece on the Ft Worth news channel with a great ending

If you have concerns about how your doctor’s office handles your documents, you should call them. It’s also encouraged that patients do yearly credit checks. It’s all a reminder that your doctor has a role in both your physical and your financial health.

Misdirected FAXes sends one business to court to make it stop

Publishing firm sues to stop medical faxes it has mistakenly received since 2015
Milwaukee news makes it to USA Today
– Craig Berg, owner of Moose Moss Press (which publishes educational materials for science, math and social studies teachers from a home based business)
– They been getting medical faxes since the summer of 2015. By 2017 he is all done.
– WI law says you can not possess patient health records without authorization and can be fined $25K per offense
– Finally files a federal lawsuit to stop the faxes
– Supposed to go to EnvisionRxOptions – a health care and pharmacy benefit management company headquartered in Twinsburg, Ohio
– maybe they should have done like the surgery center and changed their fax number BUT…. the fax numbers aren’t remotely similar
– seems like those folks must have published a wrong number somewhere
– More than 120 faxes between August 2015 and December 2016. Deleted first and now securing them.
– Reporter couldn’t get a response from attorney of Envision and figured if he sent a FAX it would just end up back where he started with….. poor Craig

Dumping patient records in a dumpster again

  • Another one here in the ATL makes the news http://www.cbs46.com/story/34470411/fulton-county-clinic-dumps-sensitive-medical-records-in-plain-sight
    • South Fulton Mental Health Center
  • Reporter from news station found “hundreds of records” right on top of the pile in the dumpster
  • Walked right up to the dumpster and pulled them out in the middle of the day in front of employees
  • When they called county officials they “investigated” and called them back to say there were no records in the dumpster
    • Of course, they were already in the reporter’s possession so…. Our BAD – there was a problem
    • Guess what – moving an office to a new location and one employee was supposed to secure those documents but did not.
  • THEN, we are in the news again with it http://www.cbs46.com/story/34505007/victims-of-fulton-county-medical-record-breach-unlikely-to-be-compensated
  • Now, they say the employee had been with the office for years and had access to the documents but apparently the employee was upset her job was going away so BAM
  • They are supposed to provide a complete report with many answers in the future but couldn’t answer them now
    • I bet the reporter has an idea who the employee is because either they called him or someone is turning in that employee
    • This could get interesting.

Crazy employee stories keep coming this one is a new twist on a BA breach

  • Via databreaches.net we get this story
  • http://www.fox5dc.com/news/local-news/229730498-story
  • Washington DC Department of Behavioral Health
  • Outsourced case work to Inner City Family Services
  • Employee LaTonya Vaughter apparently got behind in her paperwork so she posted a job on FB
    • she wanted to “hire someone to do my notes for me $150 every two weeks.”
  • All comes to light when the student who answered the ad saying she was interested in the work reported what happened.
    • In response to her I am interested note she gets patient case files sent to her email inbox
    • Thankfully, the student is pre-law and she contacted Inner City Family Services
  • Let’s just say LaTonya Vaughter no longer works for Inner City
  • BUT it is very disturbing to learn that she has been sending harassing text messages to the student
    • You ruined everything – I would never do that to you
    • The number one point the student made was that YOU DON’T EVEN KNOW ME but you gave me patient records again You do not know me

Having a whole show that is just a HIPAA hodge podge of information may not always be ideal but this one was pretty fun to put together similar stories.  Who would think that multiple stories could blend together at least a little bit.