Handling Paper Health Records Requires Adequate Security Measures

Posted by fgilbert on June 23rd, 2014

Security breaches affecting electronic records have taken such a preeminent place on the first page of our daily news reports that it might be easy to forget that paper records may contain information that is just as sensitive and deserves just as much attention. An HHS action against Parkview Health System, Inc., a non-profit Indiana corporation, reminds entities operating in the healthcare market that paper health records are within the scope of HIPAA, and must be protected with appropriate security measures.

HIPAA covered entities that may have focused their efforts and budget on electronic health records should pay proper attention to the protection of paper health records if they want to avoid an HHS investigation and an $800,000 fine.

Factual Background

The Parkview enforcement action arose after Parkview employees abandoned boxes of patient health records on a driveway, accessible for anyone to take. A physician had provided the paper records of more than 5,000 patients to Parkview, in connection with the transition of her practice as part of her retirement. Parkview was assisting the physician in transitioning the patients to other providers, and was considering the possibility of accepting some of these patients.

In connection with these transactions, Parkview employees were tasked with delivering boxes of health records. Even though they had been made aware that the intended recipient was not present to accept delivery, the Parkview employees left 71 boxes of patient health records on the physician’s driveway, unattended, accessible for anyone to take. The physician reported Parkview’s conduct to the HHS Office of Civil Rights (OCR), which investigated the incident.

Settlement

The OCR found that Parkview had failed to comply with Section 45 CFR 164.530(c) of the HIPAA Privacy Rule, which requires covered entities to use appropriate technical, physical and administrative measures to safeguard protected health information. The Resolution Agreement between OCR and Parkview requires the company to pay an $800,000 fine, and to develop, maintain, and revise, as necessary, written policies and procedures (“Policies and Procedures”) to protect its paper health records. These Policies and Procedures must be followed by its workforce and by that of all covered entities that are owned, controlled, or managed by Parkview Health System, Inc. These Policies and Procedures must be consistent with the HIPAA Privacy Rule, and must be submitted to HHS OCR for its approval.

The Resolution Agreement also requires Parkview to train its personnel who have access to PHI in the proper handling of paper PHI, provide an implementation report to the HHS OCR, and keep, for six years, records of all activities conducted in implementing the Resolution Agreement.

Effect of 45 CFR §164.530(c)

The OCR based most of its action against Parkview on violations of Section 164.530(c) of the HIPAA Privacy Rule. The important nuance in the Parkview case is that the records left on the physician’s driveway were paper records. Thus, they were not within the scope of the HIPAA Security Rule, which covers only “electronic protected health information” or ePHI.

Section 45 CFR 164.530(c) of the HIPAA Privacy Rule, however, contains a broader security requirement that protects all health records. This provision was written in the early days of HIPAA rulemaking, before the HIPAA Security Rule was first published. Section 45 CFR §164.530(c) provides in its entirety:

(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

(2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. 

Section 164.530(c) of the HIPAA Privacy Rule has been significantly overlooked since the adoption of the HIPAA Security Rule. Many covered entities have focused on the stringent provisions of the HIPAA Security Rule, which address the protection of ePHI, and may have neglected their obligations concerning the protection of paper PHI records.

In the Parkview case, the OCR relied on Section 164.530(c) of the HIPAA Privacy Rule to create an obligation to implement security measures for the protection of paper PHI records since they are outside the scope of the HIPAA Security Rule. The Resolution Agreement does not provide any detail of what OCR would deem to be appropriate physical, technical, or administrative measures to protect paper PHI.

What should health organizations and other HIPAA covered entities do?

If, like most healthcare organizations, your company creates or handles paper records containing PHI, you should ensure that these paper records are adequately protected. Consider the following checklist:

  • Determine the extent to which your policies and procedures adequately address the protection of paper PHI records.
  • Determine the extent to which your contracts with your business associates and other service providers (and their respective business associates and service providers) adequately address the protection of paper PHI records.
  • Determine the extent to which the policies and procedures of your business associates and service providers (and their respective business associates and service providers) adequately address the protection of paper PHI records.
  • Develop, maintain, and revise, as necessary, your written policies and procedures to adequately address the protection of your paper PHI records after having conducted a necessary risk assessment.
  • If you do not know what measures to take to protect these paper records, look at the HIPAA Security Rule. Most of its provisions translate readily to the paper world, and it is likely to serve as a useful reference.
  • Train your workforce on the adequate protection of paper records and on their responsibilities in the collection, use, storage, disposal and transmittal of paper PHI records.
  • Keep appropriate records of the activities conducted in the development and implementation of the security program described above, and of the training provided to your personnel.

HIPAA Security Rule

Posted by fgilbert on June 4th, 2010

On February 20, 2003, the U.S. Department of Health and Human Services (HHS) published the final draft of the new National Standards for Safeguards to Protect Personal Health Information that is maintained or transmitted electronically (“Security Rule”). Required as part of the administrative simplification provisions included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these standards are separate from, and in addition to, those set in the HIPAA Privacy Rule.

Most covered entities have until April 21, 2005 to comply with the standards; small health plans have an additional year to comply.

The Security Rule lists measures that health plans, health care clearinghouses, and health care providers (“covered entities”) must take to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form in their custody, or while transmitting it to third parties. These measures include Administrative, Physical, and Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. The Security Rule labels these measures as “standards” and “implementation specifications.”

In all cases, each covered entity must meet the standards. Each standard is associated with Implementation Specifications, which are either “required” or “addressable.”

Required Implementation Specifications must be implemented by all covered entities.

Addressable Implementation Specifications allow some flexibility. Each organization must decide whether the security measure to apply fits within its particular security framework. Based on its evaluation of its specific circumstances, each covered entity can (1) implement the specification if reasonable and appropriate; (2) implement an alternative security measure to accomplish the purposes of the standard; or (3) not implement anything if the specification is not reasonable and appropriate and the standard can still be met.

The nine Administrative Safeguards include requirements for implementing a Security Management Process, assigning Security Management Responsibility, and establishing Workforce Security. A covered entity must implement Information Access Management, and Security Awareness and Training. Formal, documented Security Incident Procedures must be in place to ensure that security violations are reported and handled promptly. A Contingency Plan must be in effect for responding to system emergencies. As under the Privacy Rule, the covered entity must obtain Satisfactory Assurances from its Business Associates that each of them will appropriately safeguard the information in accordance with the Security Standards. Finally, to demonstrate and document its compliance with the entity’s security policy and the other requirements of the Security Rule, the covered entity must periodically conduct an Evaluation of its security safeguards.

The four Physical Safeguards include Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. For example, a covered entity must implement policies and procedures to document modifications to the physical components of a facility that are related to security, such as hardware, walls, doors, and locks. In addition, each organization must put in place physical safeguards to secure workstations, and control the use of other devices and media. This would involve policies and procedures that govern the receipt and removal of hardware and/or software (for example, diskettes and tapes) into and out of a facility.

Five Technical Safeguards require policies and procedures for Access Control, Audit Control, ensuring Integrity of the protected health information, Mechanism to Authenticate the persons or entities sending the data, and Transmission Security.

The Security Rule includes, in addition, requirements for the Implementation of the standards. Final responsibility for a covered entity’s security must be assigned to one Official who will manage and supervise the use of security measures to protect data, and the conduct of personnel in relation to the protection of data. The covered entity must implement written policies and procedures to comply with standards and implementation specifications, and review these policies and procedures periodically and update them as needed. The covered entity must also document in writing its actions, activities, or assessments taken or conducted. All documentation must be retained for 6 years from date of creation or from date when last in effect.

The Centers for Medicare and Medicaid Services (CMS) is responsible for implementing and enforcing the Security Rule, whereas HHS’ Office for Civil Rights is responsible for implementing and enforcing the Privacy Rule.

The Security Rule works in concert with the final Privacy Rule, which was adopted by HHS in its final form in August 2002, and took effect for most covered entities on April 14, 2003. The HIPAA Privacy Rule defines the authorized or required uses of PII, and the patients’ rights with respect to their PII. The HIPAA Privacy Rule is available at: http://www.hhs.gov/ocr/hipaa/finalreg.html.

The HIPAA Security Rule resides in part 164 of subchapter C of title 45 of the Code of Federal Regulations. The complete text of the final Security Rule is available at http://www.cms.hhs.gov/SecurityStandard/02_Regulations.asp#TopOfPage.