HIPAA, Security, and Digital Risk

Copyright © 2017 by Joseph R. Sanok All rights reserved.

Published in the United States by Sanok Counseling PLLC, Traverse City, MI.

Legal Stuff:

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the author and publisher are not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert

CONTENTS

Chapter 1: HIPAA Struggles

Chapter 2: Making Security a Priority

Chapter 3: What You Need To Know About HIPAA Audits / Investigations

Chapter 4: Practice Basics

HIPAA STRUGGLES

Identity Issue

The biggest struggle people have is that they get very theoretical about it. For therapists, there is actually an identity issue around HIPAA. HIPAA has a couple of pieces, and the one we tend to have the easiest time with is the HIPAA Privacy Rule. That is the one where you have to give clients the HIPAA form that carries your privacy practices. It is actually called the Notice of Privacy Practices, but everyone just calls it the HIPAA form. That one is pretty easy, because it simply spells out how you are going to protect confidentiality and what your office policies are for handling record requests and the like.

you're putting client information on a device, where does that information flow? Who has access to your information when you put it on a cloud service? Therapists have a lot of resistance to learning to understand this and to managing it the way we have always managed client security. We have always called it 'confidentiality', but it is the same client security we have practised for decades. Suddenly, though, the digital side brings a big technical aspect, and a lot of therapists struggle with the identity issues around that.

Overwhelm Leads To Avoidance

People are so overwhelmed, and not just by HIPAA but by marketing or social media too, that they become paralyzed by perfection. They want to do it right and be good at it, but they also don't know where to start. When it comes to learning how HIPAA security compliance works, therapists often feel overwhelmed, and when that happens they turn to avoidance. They will say, "Well, I'm not going to bother with it, because I can't understand it, so why deal with the pain of being overwhelmed?"

Ignoring What You Can’t See

messed up, you feel it and you feel motivated to fix it. Take, for example, leaving a file outside the filing cabinet, or handing it to some shady guy on the street who says, "I'll take care of it for you". Therapists wouldn't do that. We are pretty good at coming up with the right security measures for the things we can see, i.e. client files. But when it comes to things we can't see, like the Internet, people tend not to have a picture of what physically happens when you put a record on a practice management system that lives in the cloud somewhere. People can't really conceptualize that. An analogy that might help: when we use any email service, we are basically doing the equivalent of handing our client files to some guy on the street. With every email service we use, there is a company holding copies of all the emails we have exchanged, but we don't realize that, because we don't see it. This is not necessarily anyone's fault, because it's not part of our day-to-day conversations, or even in the news. We don't generally talk about the tech in our lives. So you don't see it, no one talks about it, and it ends up being out of mind. It almost taps into something deeper in the brain: the things right in front of us we tend to act on, whereas the things outside of that we don't.

This struggle ties in with the feeling of overwhelm leading to avoidance, and with ignoring what we cannot see. One thing we have been taught about technology since the early 90s is that someone else takes care of it; you just use it. The general philosophy in software development is that you should make something that just works. It shouldn't be something you think about, or need a mental model of. You just use it, and it just works. So we have been trained to think about our tech that way since the early 90s, and not for entirely bad reasons. But, now that we are suddenly moving information everywhere, using the Internet, that philosophy is starting to become

MAKING SECURITY A PRIORITY

Within the realm of things we understand as therapists, we do this already. We didn't call it 'security' in grad school, but we have always made security a priority; we just called it 'confidentiality'. Dealing with confidentiality in the online realm, or in your digital tech, works the same way, and you want to be as vigilant there as you are with your physical file cabinet. If someone started mucking about with your file cabinet, or tried to walk into the room while you were in session, you would be pissed off, right? You know that your client trusts you and considers your office a safe space, and that is something you want to protect. We need to extend that attitude into the digital realm. It's hard, however, to have that attitude when you don't really know what's going on. You want to be able to trust someone else to take care of it for you and, to a certain extent, you can. You don't have to learn how networking works in detail, for example, but you do need to build a working understanding of it. When you begin to learn the

WHAT YOU NEED TO KNOW ABOUT HIPAA AUDITS / INVESTIGATIONS

The frustrating thing is that there are colleagues in this niche who also try to help people with HIPAA specifically, not just tech. They are trying to help with the compliance and security side, and they'll say things like, "The 2016 random audits are coming, are you prepared?" Yet the truth of the matter is that the odds of you being randomly audited are effectively zero. There have only been two random audit programs in the history of HIPAA, and each of them covered about one hundred and fifty organizations. That includes everything, even business associates, for example companies that serve healthcare such as Office Ally.

Furthermore, the selection isn't actually random. What is random is who receives the initial survey about your practice. Then, based on the surveys, they explicitly choose whom to audit, and they don't choose individual private practitioners or mental health practitioners. That just doesn't serve their goals.

Therefore, if a company is trying to sell you a product by instilling the fear of ‘HIPAA random audits’ in you,

What is likely to actually get you into an audit, or what is called an investigation, is someone specifically filing a complaint to the Feds about your HIPAA compliance. This doesn't mean a complaint to your licensing board; your board isn't going to investigate that. HIPAA is investigated by the Office for Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services, or by your State Attorney General. Those are the people who can enforce HIPAA. So the biggest reason people ever end up in an investigation is that someone complains, and complaining is very easy: there is a website where you fill out a form and, once you've filed your complaint, OCR will follow up. The other way to end up in an investigation is a security breach, meaning you accidentally disclose records, lose records, or someone gains access to them. Essentially a confidentiality breach, although that is not how the regulators frame it. Then, depending on how many people were affected, whether you have a pattern of this happening in the past, and various other factors, they might investigate you.

Recently, OCR stated that it is starting to investigate breaches affecting fewer than 500 individuals. So it is possible that if you have a significant breach, something that impacts a dozen or so clients, they will follow up with an investigation. There is, however, no

Examples Of Complaints

The complaint has to be founded on a HIPAA problem. The person has to complain that you're not complying with HIPAA and show the way in which you're failing to comply. Usually, the biggest way that happens is a complaint about your privacy policies: either you're not following them, or your privacy policy is not actually HIPAA compliant. For example, you don't release records on time, or you're just really cagey about releasing records. That is the biggest reason mental health practitioners get into trouble, along with a records-release policy that is not actually compliant with HIPAA.

The other thing people complain about is not receiving a Notice of Privacy Practices in a timely way.

PRACTICE BASICS

Full Device Encryption

The first thing you need to do for HIPAA compliance on the tech side is to ensure that you have full device encryption. Encryption scrambles data with a secret key so that, without that key, the stored data is unreadable. So when we say 'full device encryption', we're referring to a fairly complex process with a very simple outcome: all of the information stored on the device is encrypted, and the key is unlocked only by your login password or passcode. If that device is lost or stolen while locked or powered off, and the passcode is strong, the information on it is effectively inaccessible to whoever has it. You can then say that the loss was not a confidentiality breach, because all of the information was encrypted; encrypted data is the 'safe harbor' under the HIPAA breach notification rule. Two caveats: encryption does nothing for a device that is left unlocked, and the recovery key the system gives you when you turn encryption on must be kept somewhere other than on the device itself, or you lose your own records if the password is forgotten. To encrypt a Mac, go into the Security & Privacy settings (the icon of a vault with a roof on it), open the tab that says 'FileVault', which is the name of the built-in encryption on Macs, turn it on, and follow the instructions.

Passcodes

Android or iPhone. You need a stronger passcode than the default they let you set. You have to go into the phone settings and change it: the settings allow a really long passcode, and you need to use one, because the passcode is the weak link in your encryption. The encryption key is only as hard to get at as the passcode that unlocks it. These days, pretty much everybody can unlock their phone with a thumbprint, so setting a really long passcode is not a big deal: you use your thumb to get in instead of typing the passcode every time, and the long passcode is still what protects the key after a restart.

Encryption On PCs

For computers, and Windows in particular, you need the Pro edition of Windows, because that is the edition that includes BitLocker, the program you use for full device encryption on a PC. For some reason, however, nobody buys Pro; it never seems worthwhile to therapists when they don't know about the encryption piece. But you need it. (The Home edition on some newer hardware offers a simpler 'Device encryption' switch; if your PC has that, turn it on, otherwise Pro and BitLocker are the path.) Once BitLocker is on, confirm it: open Control Panel > BitLocker Drive Encryption and check that your system drive shows as 'On', and keep the recovery key it generated somewhere safe off the machine.
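A quick way to confirm the encryption is actually on, across the platforms the last two sections cover. This is an added example, not the book's own material: each operating system has a command that reports encryption status (`fdesetup status` on macOS, `manage-bde -status C:` on Windows Pro, `lsblk` on Linux), and the script below runs the right one and interprets its output. The sample outputs embedded in it are constructed from each tool's documented format, and the Linux check is a heuristic.

```python
"""Confirm that full device encryption is actually turned on.

Added example; not from the book. Each OS has a command that reports
encryption status. The classify_* functions interpret that command's text
output (so they can be tested offline on the constructed samples below);
check_this_machine() runs the real command for the OS it is on.
"""
import platform
import subprocess

# Constructed sample outputs, modelled on each tool's documented format.
SAMPLE_FILEVAULT_ON = "FileVault is On.\n"
SAMPLE_FILEVAULT_OFF = "FileVault is Off.\n"
SAMPLE_BITLOCKER_ON = (
    "Volume C: [Windows]\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Percentage Encrypted: 100.0%\n"
    "    Protection Status:    Protection On\n"
)
SAMPLE_BITLOCKER_SUSPENDED = SAMPLE_BITLOCKER_ON.replace("Protection On", "Protection Off")
SAMPLE_LSBLK_LUKS = (
    "NAME          TYPE  MOUNTPOINT\n"
    "sda           disk\n"
    "├─sda1        part  /boot\n"
    "└─sda2        part\n"
    "  └─cryptroot crypt /\n"
)
SAMPLE_LSBLK_PLAIN = "NAME   TYPE MOUNTPOINT\nsda    disk\n└─sda1 part /\n"


def classify_filevault(output: str) -> bool:
    """macOS `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'."""
    return "FileVault is On" in output


def classify_bitlocker(output: str) -> bool:
    """Windows `manage-bde -status C:` (Pro/Enterprise; run from an elevated prompt).
    Protected only if the volume is fully encrypted AND protection is on. A drive
    can be 100% encrypted with protection suspended, which stores the key in the
    clear so the disk opens without any password."""
    text = output.lower()
    return "fully encrypted" in text and "protection on" in text


def classify_lsblk(output: str) -> bool:
    """Linux `lsblk -o NAME,TYPE,MOUNTPOINT`. Heuristic: true if any dm-crypt
    (LUKS) mapping exists. It does not prove the root volume is the encrypted one."""
    return any(line.split()[1:2] == ["crypt"] for line in output.splitlines())


def check_this_machine() -> bool:
    """Run the platform's status command and classify its output."""
    commands = {
        "Darwin": (["fdesetup", "status"], classify_filevault),
        "Windows": (["manage-bde", "-status", "C:"], classify_bitlocker),
        "Linux": (["lsblk", "-o", "NAME,TYPE,MOUNTPOINT"], classify_lsblk),
    }
    system = platform.system()
    if system not in commands:
        raise RuntimeError(f"no encryption check implemented for {system}")
    argv, classify = commands[system]
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return classify(result.stdout)


if __name__ == "__main__":
    encrypted = check_this_machine()
    print("boot volume encrypted:", "yes" if encrypted else "NO, fix this before storing client data")
```

Run it after turning FileVault or BitLocker on; a "NO" on Windows most often means BitLocker was suspended for an update and never resumed, which is exactly the state the `classify_bitlocker` check refuses to call protected.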

Two-Step Login

The thumbprint is not to be confused with a two-step login. It is more like an alternative way of logging into your system. There are various terms for two-step login, including two-step authentication, two-step verification and multi-factor authentication. All of them mean that you have to do two things to log in. The first is almost always a password, and the second is often a text message to your phone containing a short code, which you then type in. Only when both the correct password and the correct code are entered do they let you in. The point is that a stolen or guessed password alone is no longer enough; an attacker would also need your phone. Text-message codes are the weakest form of this, since someone who takes over your phone number receives them, so where a service offers an authenticator app instead, prefer that.

Password Management Systems

Most people end up using variations of the same password everywhere, which is not smart: if any one of those sites is breached, the attacker simply tries the same password on all your other accounts. The biggest way that people end up getting into your Google email

your wallet safe. These days, however, we need even more passwords, because we have a lot more accounts. Thankfully, there is a lot of good software that stores our passwords for us instead of our putting them in our wallets. This software is known as a 'password manager', and there are a few different services you can use, including 1Password and LastPass. With LastPass, for example, whenever you enter a new password or change one, it pops up and asks whether you want to add it to your vault. So whenever you create a new password, use the manager's built-in generator to produce a long random one (mashing the keyboard is not random; people fall into patterns), and the manager will save that combination for you so that you don't have to remember it. The program also synchronizes between all of your devices, so your iPhone has all of your passwords up to date, along with your computers and other devices. Then you just click a button and it logs you into your websites. The one password you still have to remember is the master password that unlocks the vault; make it long and unique, and turn on two-step login for the manager itself.
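To make the 'weak link' point from the Passcodes section concrete, and to show what a password manager's generator does instead of keyboard mashing, here is an added example (not from the book) that measures the size of the search space for several passcode choices and generates a properly random password with Python's `secrets` module. The guess rates passed to `compare_policies` are assumptions for illustration: a phone's hardware forces every guess through the device and throttles it to a crawl, while a laptop whose disk key is derived only from the login password can be attacked offline from a copy of the drive at a far higher rate.

```python
"""How much a longer passcode buys you, and how to generate a random one.

Added example; not from the book. The guess rates used in compare_policies()
are illustrative assumptions, not measurements of any particular device.
"""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters
SECONDS_PER_YEAR = 365 * 24 * 3600

# (label, alphabet size, length) for the choices people actually make.
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("8 lowercase letters", 26, 8),
    ("10 letters and digits", 62, 10),
    ("20 random printable", 94, 20),
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random secret of `length` characters."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every value of a `bits`-bit secret at the given rate.
    This is the worst case for the attacker; on average they need half of it."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS cryptographic RNG, which is what a
    password manager's generator does. `secrets` is used, not `random`."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies(guesses_per_second: float):
    """Rows of (label, entropy bits, years to exhaust) at one assumed guess rate."""
    rows = []
    for label, alphabet_size, length in POLICIES:
        bits = entropy_bits(alphabet_size, length)
        rows.append((label, bits, years_to_exhaust(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # Assumed rates: a phone that throttles guesses to roughly one every 10 s
    # after a few failures, versus offline guessing against a laptop disk image.
    for name, rate in (("throttled on the phone", 0.1), ("offline against a laptop image", 1e6)):
        print(f"\n{name} ({rate:g} guesses/s):")
        for label, bits, years in compare_policies(rate):
            print(f"  {label:24s} {bits:6.1f} bits  {years:12.3g} years")
    print("\ngenerated:", generate_password(20))
```

The table shows why the book's advice hangs together: a 4-digit PIN is only about 13 bits, which survives only because the phone refuses to let anyone guess quickly, whereas a 20-character generated password is about 131 bits and is out of reach even at offline rates. The thumbprint changes none of these numbers; it only saves you typing.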

Anti-Malware

People have this idea that Macs are safe and PCs are not. Apple loves its reputation that it's

as good as how often it's updated. So if you don't keep your Mac's software up to date, the built-in protection on the Mac will not be as good as the antivirus on a PC, which updates its definitions every day. So you want anti-malware software on your Mac, and there are not many anti-malware packages that work well with it. Every vendor will say "This is for Mac", but almost all of them will slow your Mac down. So don't get Norton or Symantec for your Mac. Good ones for the Mac are Sophos, ESET, or Kaspersky. (Kaspersky products have since been barred from sale and from receiving updates in the United States, so a US practice should pick one of the others.)

Business Associate Agreements

always occur to us that when we use an online service, we are handing client information to some other company. So, to get a Business Associate

LEAN INTO DIGITAL SECURITY
