questionsWe have gotten a flurry of listener questions and comments lately.  Since it is so much easier to do an episode based you listener questions that writing up a whole plan we are definitely doing those today.    We really do read and respond to as many as we can.  So here we go with a list of questions and a few comments.

Sent in by a listener:  Chances of being hit by cyber vs bear attack

Varonis collected some statistics about the likelihood of a cyber attack compared to other things people find less than likely. For example, did you know that you’re more likely to encounter a cyber attack than you are to experience a home burglary? Here are a few stats that may surprise you:

·  1 in 4 chance of experiencing a cyber attack

·  1 in 50 chance of experiencing a home burglary or invasion

·  1 in 100 chance of having your tax return audited

·  1 in 3,000 chance of getting a hole-in-one

·  1 in 14,600 chance of getting struck by lightning

“According to the World Economic Forum’s 2018 Global Risks Report, the top three risks to global stability over the next five years are natural disasters, extreme weather, and cyber attacks. When it comes to preparing for the physical risks, we are quick to board up our windows and evacuate to safer locations.”

There are lots of factors that contribute to a cyber attacks high likeliness. For instance, there are 230,000 new malware samples appearing every day. This goes to show that protecting your personal and work systems is well worth the time since attacks are much more prevalent than one would think. Take a look at some other alarming stats:

·  There’s an estimated cyber attack every 39 seconds

·  There’s been 3.8 million records stolen every single day since 2013

·  The average data breach cost is predicted to exceed $150 million by 2020

We loved this article and appreciate you passing it along for us to discuss.

Questions about electronic signatures

The physicians would like to use electronic signatures for one of our locations. Specifically, they want to sign at POC using electronic keypads. Please advise of HIPAA, computer or compliance issues.

You need to do an SRA and evaluate potential security issues with the devices.  Make sure you get input from people who understand the devices AND security.  If you can address any security issues, you should be fine implementing it.  Of course, you need to include policies and procedures that monitor these devices and make sure they are secured physically and technically.

Listener survey including a question

What would make our website more helpful to you?

A printable/downloadable list of episodes and a one- or two-sentence description of the episode (like liner notes in Spotify) to help log training time and topics.

We have zero staff to manage our little podcast / labor of love so we just don’t have the resources to build a list like this.  We would love to do it but resources are very slim.  One of the reasons we added the option to email show notes from the app for your training doc is because we wanted to make sure we could do something.  If anyone wants to collaborate and help build and maintain a list hit us up!

Any other feedback for us?

Do a giveaway/contest for admission to your next HIPAA Bootcamp!

Very interesting suggestion.  We are considering what we will be able to do with this suggestion.  Thanks very much.

Any questions you have been meaning to submit but haven’t?

1) How do we handle disclosures of PHI for a patient who is in a nursing home and is brought in by a nurse aide or transportation for care, but doesn’t have a PoA or other caregiver present to sign intake forms and help coordinate care?

Patient care comes first.  You do the best you can with what you have to work with to care for the patient.  Contact the provider where they reside.  Confirmation from them as to the patient’s needs should be enough to get the paperwork started.  No matter what do NOT make paperwork more important than patient care.  You don’t understand what is happening in this person’s life and why they may be alone.  Do not make a stressful time more stressful or confusing.

2) How do I get staff to care about protecting information? Likewise, how do I convince upper management to be “inconvenienced” by security?

This is something we deal with every day.  We do not have a magic wand but we do know a few things that never work and some that do.  Most important you make privacy and security a patient care issue.  Dollars and cents work with some folks but real stories of what happens to patients tends to get clinical staff to pay attention more.  Financial staff will pay more attention to the financial impact on the patients and the organization.  Do not talk about it is the law.  You say the word HIPAA and you have many folks just turn off.  You lose them before you even start talking.

3) Is it a breach if the office sends PHI to another covered entity not involved in the patient’s care? For example, a follow-up letter is sent to a primary care physician, let’s say Dr. Smith. However, the office sent it to the wrong Dr. Smith, who has never seen the patient.

Well, yes it is a breach because you have an unauthorized disclosure.  However, there are some exclusions when it comes to notification requirements.  One of those includes situations where you have a reasonable belief that the information will be destroyed and never misused.  Other CEs are required to protect the data also.

4) If upper management won’t approve compliance software in the budget, what’s the best way to organize compliance activities using the good ol’ fashioned 3-ring binder method?

You can use the tools that are low or no cost for managing documentation, projects, etc.  The tools you have in place may work for you as long as you work out a plan to allow access by the right team.  We use Trello for project management.  There is a free version which would work well.  There are also other tools which allow you to store and access documents, spreadsheets, images and more.  Get creative and find ways around the limitations.  Keep the info and improve your program in spite of the lack of support.  You will get a chance to so what is required at some point.  When that happens you can point out how much more effort and time you spend on managing this information.

More Emails

Hi David and Donna,

I provide IT services for medical practices and have been listening to your podcast from the start and love it. One issue though- I appreciate your concern about how folks misspell HIPAA (one of my clients provided documents to patients that read HIPPA throughout their docs). I only noticed this when they offered me a free eye exam and had me review/sign their “notice of privacy”. While you criticize those who mispell HIPAA you at times refer to “Health Information Portability and Accountability Act”. Your guests have done this as well- i.e. episode 197 with Jack. Don’t you mean “Insurance” rather than “Information”. Sorry to be a nitpick. -Larry

We copied this exactly as it was written.  Thanks Larry – but we did get a kick out of you misspelling the word misspell.

Office Space

Hello, Donna and David! Question for you/for the podcast – if we lease office space in a building we do not own and store PHI (i.e., paper charts) within that space, is the owner of the building a business associate? Our administrators say no, because it’d be just like if we were running a clinic in leased space, but I’m not so confident, especially after listening to Ep 119 about leasing data center space.

The landlord question comes up often.  A BA is required for data centers because they are being paid to store and protect PHI.  The physical space landlord is being paid to provide space for you to run your business.  That job does not make them a BA because they can do that job without ever needing access to PHI.

The Power of Overkill

Donna & David,

Just catching up on a few episodes of the podcast.  In Episode 207, David talks about a scenario where his employees are required to bring in another employee if they need to make a stop while transporting PHI.  David suggests that his employees think that this procedure may be overkill, but here’s what I think:  Never underestimate the value of overkill!    Even if David’s employees think the procedure is overkill, that’s a good thing, because they realize how important it is to David that PHI be protected at all times, even when doing so is not convenient.  

As always, thank you both for all of the time and effort that you put into making such a great podcast!

-Chris Dix

I agree with you Chris.