HIPAA BEST SOFTWARE PRACTICES
FROM MITC, THE LEADER IN WORKFORCE MANAGEMENT SOLUTIONS DESIGNED SPECIFICALLY FOR PROVIDERS SERVING THE I/DD AND BEHAVIORAL HEALTH COMMUNITIES
WWW.MITCAGENCIES.COM

Posted on 28-Mar-2022
INTRODUCTION
To be fully compliant with HIPAA rules and regulations, providers need to have a comprehensive understanding of how Protected Health Information needs to be managed within a software application.
In addition, Medicaid (CMS) has rules and regulations for data retention, which overlap with HIPAA rules and regulations. Both have to be considered. General data security rules also need to be integrated into HIPAA best software practices, as well as end-user usability.
This eBook provides a roadmap for providers to understand how all these related but separate issues translate in practice into a software deployment.
HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act, passed in 1996. HIPAA determines the ways that organizations can store, share, manage and record protected health information (PHI). Any agency that provides services is considered a covered entity. All agencies use software. Your software vendors are covered entities and are considered Business Associates. Under HIPAA, both covered entities and their business associates must be compliant with the law. A Business Associate Agreement covers the joint responsibilities to protect PHI.
WHAT CONSTITUTES PROTECTED HEALTH INFORMATION (PHI)?
All providers are aware that Electronic Health Records by definition contain PHI. What many providers overlook is that any software (or paper form) that identifies an individual receiving services contains PHI.
CMS made it clear that a Time and Attendance or Scheduling application that identifies an individual receiving services constitutes PHI and is covered by HIPAA. This was recommended as best practice by many HIPAA legal advisers prior to the CMS ruling, but now it is official.
WHY HAVING A BUSINESS ASSOCIATE AGREEMENT (BAA) WITH YOUR SOFTWARE VENDORS IS IMPORTANT
» Not all software vendors, including some very well-known companies, permit PHI (Protected Health Information) to be stored at their data centers.
» Require your software vendors to sign a Business Associate Agreement to ensure your agency is not breaking the license agreements. Reading the fine print in agreements might result in HIPAA clauses being missed or misunderstood. For example, this is from the Kronos (UKG) website, in a long list of other items under a lengthy clause entitled Security: “Customer agrees not to upload health information that falls under the United States HIPAA law”.
» When selecting a software vendor, ask questions about HIPAA such as:
» Does your company have a HIPAA Security Officer?
» Are all staff, such as Help Desk, who have access to PHI, trained and re-certified regularly?
» Please provide your HIPAA staff training records.
» HIPAA compliance is important. Ensuring your software vendors are HIPAA compliant helps protect your agency from the danger of negligence lawsuits in the event of “PHI leakage or breaches”. Even if your agency hosts PHI on its own servers (not recommended – see below), a Limited BAA is important.
» Although it may seem like it, not every single software application is required to comply with HIPAA. The key question that separates those that fall under HIPAA from those that don’t is: does the software collect or hold protected health information that will be used by a covered entity? Payroll that only processes staff payroll may not fall under HIPAA, but if individuals receiving services are paid, then payroll would fall under HIPAA. Usually accounting software would not fall under HIPAA, but again it all depends on whether the software collects or tracks the identity of individuals receiving services.
HOSTING YOUR OWN DATA?
Very few providers have the resources or technical expertise to comply with HIPAA rules and guidelines on physical security and data retention and backup. Not recommended.
AVOID APPLICATIONS THAT STORE DATA ON EMPLOYEES’ PHONES
A case was settled in June of 2016, where an iPhone containing ePHI, including social security numbers, treatment and diagnosis information, medications, and more was stolen. In addition, the iPhone was neither password protected nor was the data encrypted, leaving all ePHI vulnerable to access by anyone possessing the phone. A combination of nursing home residents and family members totaling 412 people were affected by the data breach. The provider was fined $650,000.
The employee phone is a particular area of HIPAA vulnerability, as many care givers use their own phones, not agency-provided and agency-controlled devices. Even if an agency pays for the devices or uses a BYOD (Bring-Your-Own-Device) reimbursement plan, controlling hundreds of devices is impossibly complex.
Agency Workforce Management does not store ePHI data on local devices.
HOW DO AGENCIES ACCIDENTALLY “LEAK” PHI?
The New York Attorney General levied a $200,000 fine on a provider for HIPAA violations impacting 3,751 clients. PHI was published on the provider’s website without password protection. The employee who published the client information was trying to help staff get access to information they needed. The information was accessed by unauthorized parties, including individuals outside the USA.
Accidental PHI leakage occurs at agencies in a number of ways. These are the most common areas covered by HIPAA that agencies tend to forget:
» Paper forms used to share information about individuals receiving services. This can include paper timesheets used in an HCBS program or attendance records for a day program
» Personal email or texts used to distribute information about individuals receiving services
» Spreadsheets used to distribute information about individuals receiving services
» Time and Attendance where staff clock-in/out for individuals receiving service or clients clock-in/out as part of a supported employment or vocational program
» Scheduling services to individuals in HCBS programs
» Piece and Production software used in vocational programs
EVV
» In a July 2018 letter to ANCOR, CMS (Centers for Medicare & Medicaid Services) confirmed EVV systems “are subject to HIPAA privacy and security protections”.
» HIPAA compliance affects the choice of EVV systems available to providers. This is because EVV requires the tracking of the individual receiving service and the service provided.
» In addition, different state data aggregators require a lot more PHI to be tracked and transmitted with EVV.
» Verify your EVV Alternate Vendor is HIPAA compliant. Require your EVV vendor to sign a Business Associate Agreement.
HIPAA SECURE COMMUNICATIONS
» Providers need to have a strong communication system to ensure care givers and the individuals being served receive the care needed. Unfortunately, using personal email and texting is inherently not HIPAA secure. However, using a professional email system is relatively expensive and difficult to maintain if care givers are included.
» In the absence of an effective internal communication system, front line staff often resort to communicating through personal text. The casual information exchanged can very easily be PHI. “Mary had a bad day. Her meds were changed” type communications will inevitably happen if there is no HIPAA secure communication option.
» myCommunications and other HIPAA secure communication systems are easy to maintain, as employees can be synchronized with payroll and/or HR, groups set up automatically and communications retained in a database. Care givers can only access their communications through their self-service portal, which requires a username and password. Communications cannot be forwarded, accidentally or on purpose, to others outside the agency.
HIPAA COMPLIANT TEXTING
» A HIPAA compliant texting solution like myAlerts is an affordable secure messaging solution which enables providers to safeguard electronic protected health information (ePHI) while still allowing an open flow of communication to care givers and individuals receiving service.
» Text messaging is HIPAA compliant under certain circumstances and provided that administrative, physical and technical safeguards exist to ensure the confidentiality, integrity, and security of electronically stored or transmitted private health information.
USERNAMES AND PASSWORDS
» Medicaid requires a record of who changed which records and when they were changed. For transactions that create billing and documentation, a copy of the original is retained. It is important therefore that all users have meaningful usernames that easily identify who changed a record.
» Audit reports track changes and can be used to generate reports for any date range.
» Password rules should be designed and applied with password expiration dates.
» Make sure all temporary “testing” passwords are removed before rolling out software across the agency when the Pilot Program is completed.
AUTO LOG-OFF
» Auto Log-Off disables the screen when an employee is not using it. This reduces the risk that someone else sees PHI or actually uses the device to see more PHI.
» Auto Log-Off should never be set to more than 30 minutes.
» A lower setting will also help with performance, as forms can still be active and making server requests even when not in use.
ROLE-BASED ACCESS CONTROL (RBAC)
» Role-based access control (RBAC) refers to assigning permissions to users based on their role within an organization. It offers a simple, manageable approach to access management that is less prone to error than assigning permissions to users individually.
» Before any software can be deployed beyond the Pilot Program stage, providers need to decide who needs to see what data and design role-based permissions. Typical options are restricting access to application areas and restricting access to data the employee does not need to see to do their job, particularly Protected Health Information (PHI).
» Managers are usually restricted so access is only granted to the employees whose time, schedule and PTO that manager approves. Similarly with the individuals being served and the locations at which service is delivered. Any one manager does not need to see everything.
» Manager access can be controlled by Location or Employees. Location provides access to all employees who worked at a location such as a group home or with an individual who received services in the community. Multiple locations and individuals can be assigned to a manager. Employee provides access to all employees assigned to that manager.
» Usability, though, is also a valid consideration. A manager should not necessarily be restricted to only their group of employees when trying to fill an open position. An overly limited view might result in excessive overtime. It is important to remember HIPAA requires the employer to protect data, but not to the point that it interferes with an employee doing their job effectively.
» Scheduling and time and attendance might need different rules. For example, a centralized scheduler will need to have access to all employees and locations but not to approve the same employees’ time and attendance.
» Wherever there is a considerable volume of PHI data, such as in Electronic Health Records, greater care needs to be taken to restrict access than in Time and Attendance or Scheduling. For Electronic Health Records, employees might only have access to limited parts of an individual’s PHI data.
» Client Profiles allow providers to control not only access to records but what part of those records staff can view or edit. Different Information Groups can have different permissions. In addition, the manager only “sees” relevant data and can make quicker choices.
» For example, if a manager is trying to manage a call-off and fill an open position, intelligent automated filters not only restrict the data a manager sees but narrow their range of choices to the most likely, suitable candidates.
MINIMUM ACCESS GUIDELINES
» Under the HIPAA minimum necessary standard, HIPAA-covered entities are required to make reasonable efforts to ensure that access to PHI is limited to the minimum necessary information to accomplish the intended purpose of a particular use, disclosure, or request.
» Employees and Job/clients can be imported or entered into databases with restrictions on who can see and use data.
» Employees should be restricted so that when they clock-in/out the only choices available are the job/clients the employee works with. This requires some planning and coordination. There is no point scheduling an employee to cover a shift or visit at a location, or with an individual, the employee does not usually work with if the employee cannot clock-in or complete documentation due to restrictions.
» Restricting the list of services is usually simpler. An employee might provide Respite and Community Habilitation services to the same individual but never perform Assessments.
» Restricting access to data also can have a positive impact on data accuracy as the likelihood of mistakes decreases when fewer choices are available.
» Managers will need access to and training on Employee/Job & Client Validations and Job & Client/Activity Validations as changes in schedules will impact what data a care giver needs to see to clock-in/out and complete documentation.
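The manager access rules, the Employee/Job & Client and Job & Client/Activity Validations, and the call-off filter described in the RBAC and Minimum Access sections above, modelled as an added Python example (not MITC's code or the Agency Workforce Management data model); the employees, individuals, locations and services are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample data for a hypothetical agency (not from the eBook).
# Employee/Job & Client Validations: which individuals each care giver works with.
EMPLOYEE_CLIENTS = {"ana": {"mary", "bob"}, "raj": {"mary"}, "lee": {"bob"}}
# Job & Client/Activity Validations: services authorized for each individual.
CLIENT_SERVICES = {
    "mary": {"Respite", "Community Habilitation", "Assessment"},
    "bob": {"Community Habilitation"},
}
# Services each care giver may perform; direct-care staff never perform Assessments.
EMPLOYEE_SERVICES = {
    "ana": {"Respite", "Community Habilitation"},
    "raj": {"Respite", "Community Habilitation"},
    "lee": {"Community Habilitation", "Assessment"},
}
EMPLOYEE_LOCATIONS = {"ana": {"GH-1"}, "raj": {"GH-1"}, "lee": {"GH-2"}}  # group homes


@dataclass(frozen=True)
class Manager:
    name: str
    locations: frozenset = frozenset()  # access by Location
    employees: frozenset = frozenset()  # access by Employee
    sees_all: bool = False              # a centralized scheduler sees everyone...
    can_approve_time: bool = True       # ...but must not approve their time


def clock_in_choices(employee):
    """Minimum necessary: the only job/clients and services offered at clock-in."""
    choices = {}
    for client in EMPLOYEE_CLIENTS.get(employee, set()):
        services = CLIENT_SERVICES.get(client, set()) & EMPLOYEE_SERVICES.get(employee, set())
        if services:
            choices[client] = sorted(services)
    return choices


def visible_employees(manager):
    """Employees whose time, schedule and PTO this manager can see."""
    if manager.sees_all:
        return set(EMPLOYEE_CLIENTS)
    by_location = {e for e, locs in EMPLOYEE_LOCATIONS.items() if locs & manager.locations}
    return by_location | set(manager.employees)


def can_approve_time(manager, employee):
    return manager.can_approve_time and employee in visible_employees(manager)


def candidates_for_open_shift(client, service):
    """Filling a call-off is filtered by the validations, not by the manager's own group."""
    return sorted(e for e in EMPLOYEE_CLIENTS if client in EMPLOYEE_CLIENTS[e]
                  and service in EMPLOYEE_SERVICES[e] & CLIENT_SERVICES.get(client, set()))
```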
DOCUMENTATION & PROGRESS NOTES
» Documentation plans may need to be restricted within an individual receiving multiple services. For example, any care giver providing services to an individual may need to have access to the individual’s documentation plans for Community Habilitation and Respite but not have access to the Quarterly Assessment documentation plan.
» Requiring care givers to complete documentation before clocking-out can ensure documentation is not completed in an inappropriate setting where others might have access, such as the care giver’s home or a public location.
» Documentation plans for facilities like group homes and vehicles (inspections) should be restricted to those individuals who are authorized to perform inspections.
SELF-DIRECTED SERVICES
» The care giver should only be able to “see” the individual or individuals by whom they are employed.
» If consumers have access to time and attendance or schedules, the consumer should only “see” the records of the care givers who provide services to them.
REPORTS
» When reports are shared, care should be taken to use report filters so reports only contain the specific data necessary. This applies to hard copy and PDF reports as well.
» If reports are created by the Report EZ report writer, the content of the report can be controlled as well as report filters applied.
GPS
» Agency Workforce Management tracks the location where records are added and edited. This allows providers to track whether care givers are accessing data in inappropriate, non-secure public settings.
» Geo Fencing can be used to restrict the distance from a service location where a care giver can clock-in/out. This can further inhibit the likelihood that a care giver is accessing data in an inappropriate setting (multiple EVV & Billing & Payroll related reasons why this needs to be controlled apart from HIPAA).
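The geofenced clock-in check and the review of where records were edited, as an added Python example (not Agency Workforce Management code); the coordinates, the 150 m radius and the edit log are constructed assumptions, since the eBook states no radius.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
# Constructed service locations with hypothetical coordinates (not from the eBook).
SERVICE_LOCATIONS = {
    "GH-1": (40.7128, -74.0060),       # group home
    "mary-home": (40.7306, -73.9352),  # an individual served in the community
}
GEOFENCE_RADIUS_M = 150.0  # assumed policy radius; the eBook does not state one


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_clock_in(location_id, device_lat, device_lon, radius_m=GEOFENCE_RADIUS_M):
    """Geo Fencing: return (allowed, distance_m); a clock-in outside the fence is refused."""
    if location_id not in SERVICE_LOCATIONS:
        raise KeyError(f"unknown service location {location_id!r}")
    lat, lon = SERVICE_LOCATIONS[location_id]
    distance = haversine_m(lat, lon, device_lat, device_lon)
    return distance <= radius_m, round(distance, 1)


def flag_offsite_edits(edit_log, radius_m=GEOFENCE_RADIUS_M):
    """Flag record edits made outside every known service location, for follow-up.
    edit_log: iterable of (record_id, username, lat, lon) as captured at edit time."""
    flagged = []
    for record_id, username, lat, lon in edit_log:
        nearest = min(haversine_m(lat, lon, *coords) for coords in SERVICE_LOCATIONS.values())
        if nearest > radius_m:
            flagged.append((record_id, username, round(nearest)))
    return flagged


# Constructed edit log: the second edit was made several kilometres from any site.
SAMPLE_EDIT_LOG = [
    ("note-101", "ana", 40.7129, -74.0061),
    ("note-102", "raj", 40.7580, -73.9855),
]
```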
AGENCY WORKFORCE MANAGEMENT
Agency Workforce Management tracks activity in the background that may not be visible to customers. If a PHI leakage occurs, additional information is available from MITC above and beyond the standard reports.
ABOUT AGENCY WORKFORCE MANAGEMENT
Agency Workforce Management supports all the needs of I/DD and behavioral health service providers — time & attendance, EVV, scheduling, hiring, training, HR, payroll and billing integration, documentation, electronic health records and more.
Visit www.mitcagencies.com or email [email protected] to learn more.