Showing posts with label Health Care and HIPAA. Show all posts

Monday, May 18, 2015

Protected Health Care Communications Using Mobile Devices ... How Does Your Policy Rate?


Do you have a corporate policy that governs your "protected communications" which may be sent or received through the use of mobile devices?  If yes, does your Policy address each of the following "Top 10" requirements?   Here's a checklist to assist you in reviewing, updating (and communicating) your Policy, today! 
  1. Key Terms.  The Policy shall define certain key terms, including, but not limited to, Applicable Requirements (i.e., Federal and State laws governing the privacy and security of protected health and other personal information), Protected Health (and Other Personal) Information (PHI), Protected Communications (i.e., e-mails or texts containing PHI) and Mobile Devices (e.g., laptop, tablet, smart phone).   
  2. Policy Prohibition.  The Policy shall begin with an affirmative prohibition that absolutely no personnel are permitted to use any Mobile Device, regardless of ownership, to send or receive any Protected Communication, whether on or off premises, on or off duty, except in accordance with all requirements set out in the Policy.  The Policy should also state an absolute prohibition of any social media communications or posts that contain PHI.  
  3. Authorized Mobile Devices.  The Policy shall state all administrative, physical and technical safeguards necessary for a designated representative (e.g., Security Officer) to authorize a particular Mobile Device, whether owned by the organization or the individual, for use under the Policy.  The Policy should also include (or cross-reference to) an up-to-date log of all Authorized Mobile Devices.  
  4. Authorized Software and Applications (Apps).  The Policy shall state all administrative, physical and technical safeguards necessary for a designated representative (e.g., Security Officer) to authorize particular Mobile Device software and applications for use under the Policy. 
  5. Authorized Users.  The Policy shall state the requirements necessary for a designated representative (e.g., Chief Executive Officer) to authorize a particular individual, or alternatively, a particular job category, to use Authorized Mobile Devices under the Policy.  The Policy should also include (or cross-reference to) an up-to-date list of all Authorized Users, either by name or job category.  
  6. Authorized (and Necessary) Purposes.  The Policy shall specify the particular circumstances when Authorized Users may use Authorized Mobile Devices to send or receive Protected Communications for authorized (and necessary) purposes.     
  7. Additional Safeguards.  The Policy shall specify any additional safeguards that are necessary to limit the risk of any unauthorized access to a Mobile Device that continues to store a Protected Communication after the communication has been completed.  
  8. Missing Mobile Devices.  The Policy shall require all personnel to immediately report any missing Mobile Device that may store a Protected Communication to a designated representative (e.g., Security Officer) so as to permit a prompt investigation and to mitigate and correct any losses or violations resulting from the incident.  
  9. Sanctions.  The Policy shall state all internal and external sanctions that may result from an individual's violation of this Policy, including but not limited to the civil and criminal penalties arising under Applicable Requirements.    
  10. Frequently Asked Questions.  The Policy should also attach a series of "frequently asked questions" that are answered concisely with examples, as much as possible.   
If we can assist your organization in updating your Protected Health (and Other Personal) Information Privacy and Security Policies and related forms, please contact us at Integrity Health Strategies for additional information about our cost-effective, fixed-fee service arrangements.   Thank you in advance.  

Susan E. Ziel, Consultant
Integrity Health Strategies
(317) 819-7704
sziel@ihsconsultinggroup.com
www.integrityhealthstrategies.com


Monday, March 23, 2015

HIPAA Business Associates ... How Do I Know Thee?

HIPAA, as amended by HITECH, imposes significant requirements on those persons or entities who qualify as a business associate (BA) as a result of their access to protected health information (PHI) in the performance of services on behalf of a covered entity (CE). 

For example, a BA could be a third party billing company, a shredding company, a law firm handling a Medicare audit appeal, a health care design consultant responsible for re-design of an emergency triage process, or even a third party responsible for storing PHI off-site. In each case, the drafting and negotiation of a business associate agreement (BAA) is an important step in confirming BA duties and obligations related to these service arrangements.   Some level of due diligence is also important before the BAA is executed and the CE is in a position to trust the BA with its PHI.  
To begin, the CE should confirm any and all names that have been used by the BA, whether now or in the past, so as to confirm that none of these names are listed in the Office of Inspector General's (OIG) List of Excluded Individuals and Entities or the General Services Administration's System for Award Management (SAM), formerly known as the Excluded Parties List System.  
A review of the OIG Corporate Integrity Agreement database can also confirm any prior enforcement actions that may have involved a prospective BA. Additionally, if the BA maintains certain licenses, registrations or other credentials necessary to perform their services on behalf of the CE, these qualifications should be verified by the CE. Review of business references or a telephone interview with another CE may also be helpful.   
Proof of insurance coverage and some information about claims history should be requested. A general search for any public filings about the BA can provide additional information about their resources, business relationships and reputation. The BA may also be asked to disclose any outside business relationships which might represent a conflict of interest in doing business with the CE.   
Because the BA is subject to HIPAA, as a result of the HITECH amendments, the CE should inquire about the BA’s HIPAA compliance program, including but not limited to the recent completion of a HIPAA security risk assessment process, the adoption of HIPAA policies and procedures, and the extent to which the BA will engage the services of subcontractors to assist in the performance of services. Although not a HIPAA consideration, many CEs take additional steps to confirm the health status of the BA who will have any physical contact with the CE’s workforce or clients, including but not limited to up-to-date vaccination records and negative TB testing results.   
The CE can conduct its due diligence using a range of techniques. The BA could be asked to submit to a formal request for proposal process or the CE may ask the BA to complete and return a due diligence questionnaire. Selected HIPAA compliance documents may be requested as well. Depending on the nature of services to be performed, an in-person interview or a site visit may be in order.   

Once the BA arrangement has been finalized, pursuant to the terms and conditions of the BAA, the CE should adopt certain safeguards to verify, on a regular basis, the identity of any and all persons who perform services, whether in person or remotely, so as to prevent any risk of an unauthorized actor gaining access to CE PHI.  

For example, suppose the CE contracts with a third party shredding vendor.  On a regular basis, the vendor comes on premises and removes secured documents to be shredded.  If the CE does not confirm the identity of the vendor's employees before they remove the documents, there is a serious risk that a "rogue actor" could represent themselves as a vendor employee and walk away with the CE documents, resulting in a serious HIPAA breach incident.  In the case of a remote or electronic arrangement, the CE and BA should also maintain an up-to-date list of those individuals who are authorized to access CE PHI on behalf of the BA, subject to the host of safeguards required under the HIPAA Security Rule.  
In summary, the use of a well-drafted BAA, in addition to the use of an effective due diligence process, not only makes for a proper introduction to the BA but also serves another important purpose in allowing the CE to educate the BA and to communicate the importance of HIPAA compliance long before the parties sign on the bottom line.   Additionally, after the BAA has been executed, the CE should also institute safeguards to ensure that only authorized individuals perform the designated BA services for the duration of the business relationship.  
If you have any questions or require additional information regarding the establishment of a HIPAA-compliant CE-BA business relationship, please contact me through Integrity Health Strategies.