Protecting LTC Residents' PHI: Eight Tips For Avoiding A Data Breach

April 23, 2019 Protecting LTC Residents' PHI: Eight Tips for Avoiding a Data Breach Layna Cook Rush Baker Donelson + Follow x Following x Following - Unfollow Contact LinkedIn Facebook X Send Embed To embed, copy and paste the code into your website or blog:

Organizations that meet the definition of "covered entity" under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) must be diligent to maintain the privacy and security of residents' protected health information (PHI), but even organizations that do not fall under the purview of HIPAA may still be subject to state and federal laws that require the organization to maintain the privacy and security of residents' personal information. Moreover, the failure to adequately safeguard personal information could result in civil liability if residents seek judicial redress of an unauthorized disclosure or a security incident.

As such, organizations that maintain PHI or personal information should have in place policies and safeguards to protect against threats to the privacy and security of that information.

The following are considerations that may protect against an unauthorized disclosure of residents' personal information or a security incident that compromises that information:

1. Update Business Associate Agreements routinely. The Privacy Rule requires Covered Entities to enter into Business Associate Agreements with persons or organizations who perform certain functions or activities on behalf of, or provide certain services to, the Covered Entity that involve the use or disclosure of PHI. Business Associate Agreements should be routinely reviewed to determine if the agreement complies with the law and to determine if the agreement accurately describes the relationship between the Covered Entity and Business Associate. If the underlying relationship between the parties has changed or the manner in which the Business Associate will use or disclose PHI, the Business Associate Agreement should be revised to reflect that change.
2. Conduct and review risk assessments. The Security Rule requires Covered Entities to conduct a risk analysis to evaluate the likelihood of potential risks to electronic PHI (e-PHI) and to implement appropriate security measures to address the risk identified in the risk analysis. Even those organizations which are not subject to HIPAA but which use or maintain residents' personal information should still conduct a risk assessment to identify vulnerabilities, the likelihood of an occurrence and the potential impact of that occurrence. An organization cannot adequately guard against potential risk if it does not assess those risks. Risk assessments should be reviewed on an annual basis and any time that there has been a change in processes that could impact electronic information.
3. Beware of phishing attacks. A phishing attack is a fraudulent attempt to obtain sensitive information such as usernames and passwords by disguising as a trustworthy entity in an electronic communication. Phishing emails are one of the primary ways that bad actors access an organization's data. Employees should be trained to recognize phishing emails and should be made aware of the organization's process for reporting suspicious emails.
4. Develop rules for use of portable devices. Another way that the organization's information may be compromised is by lost or stolen equipment or data. From January 1, 2018 through August 31, 2018, the Office of Civil Rights received reports of 192 theft cases affecting more than two million individuals. Organizations should implement device controls such as inventory of equipment and password requirements to guard against loss or theft of data, and simple policies, such as prohibiting employees from leaving devices in plain sight in a vehicle Organizations should also consider encrypting portable devices, which will protect information should there be a loss or theft of a device.
5. Enforce password restrictions. Even if an organization does not encrypt its portable devices, it can update a level of protection by instituting "strong" password requirements. For example, an organization can implement a policy that the password must be at least eight characters in length and alphanumeric. Additional protections include requiring that passwords be changed every 90 days and that forgotten passwords be replaced, not reissued. Employees should also be cautioned regarding sharing or publically posting passwords.
6. Train employees. Organizations should routinely train employees on the organization's policies and procedures for safeguarding PHI and personal information. In addition to annual training, organizations should consider periodic reminders, particularly regarding the organization's most substantial risks.
7. Enforce sanctions. The HIPAA Privacy Rule requires Covered Entities to have a policy addressing sanctions for the unauthorized use or disclosure of PHI. All organizations that maintain PHI or personal information should have a sanctions policy that sets forth the repercussions for violating the organization's privacy and security policies. And it is not enough to simply have a policy; the sanctions policy should be enforced to foster a culture of compliance.
8. Get cyber insurance. In 2018, the average total cost of a security breach was $3.86 million. Even small incidents involving one thousand compromised records cost between $52,000 and $87,000. It has been reported that 62 percent of small businesses go out of business within six months of a successful cyber-attack. Cyber insurance can help defray the cost of a breach and potentially save an organization from financial ruin. It is strongly recommended that organizations assess their potential liability and obtain insurance with adequate limits.

Send Print Report

Related Posts

• Imminent Deadline For Submitting Annual Notice of HIPAA Breach
• Top Ten Ways to Avoid Litigation in Long Term Care
• The Trend of Stricter State Data Breach Laws Continues with Florida

Latest Posts

• U.S. Court of International Trade Sheds Light on Path to IEEPA Tariff Refunds
• UPDATED: The June 9 & December 16 Travel Bans: Who is Impacted and What You Need to Know

See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Baker Donelson

Refine your interests »

Written by:

Baker Donelson Contact + Follow x Following x Following - Unfollow Layna Cook Rush + Follow x Following x Following - Unfollow more less

What do you want from legal thought leadership?

Please take our short survey – your perspective helps to shape how firms create relevant, useful content that addresses your needs:

Take the survey now »

Published In:

Business Associates + Follow x Following x Following - Unfollow Covered Entities + Follow x Following x Following - Unfollow Cyber Insurance + Follow x Following x Following - Unfollow Data Breach + Follow x Following x Following - Unfollow Data Privacy + Follow x Following x Following - Unfollow Data Security + Follow x Following x Following - Unfollow Data Use Policies + Follow x Following x Following - Unfollow Electronic Protected Health Information (ePHI) + Follow x Following x Following - Unfollow Employee Training + Follow x Following x Following - Unfollow Encryption + Follow x Following x Following - Unfollow Health Insurance Portability and Accountability Act (HIPAA) + Follow x Following x Following - Unfollow HIPAA Privacy Rule + Follow x Following x Following - Unfollow Long Term Care Facilities + Follow x Following x Following - Unfollow Long-Term Care + Follow x Following x Following - Unfollow OCR + Follow x Following x Following - Unfollow Passwords + Follow x Following x Following - Unfollow Patient Privacy Rights + Follow x Following x Following - Unfollow Patients + Follow x Following x Following - Unfollow Phishing Scams + Follow x Following x Following - Unfollow Popular + Follow x Following x Following - Unfollow Portable Devices + Follow x Following x Following - Unfollow Risk Assessment + Follow x Following x Following - Unfollow Consumer Protection + Follow x Following x Following - Unfollow Health + Follow x Following x Following - Unfollow Labor & Employment + Follow x Following x Following - Unfollow Privacy + Follow x Following x Following - Unfollow Science, Computers & Technology + Follow x Following x Following - Unfollow more less

Baker Donelson on:

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra: Sign Up Log in *By using the service, you signify your acceptance of JD Supra's Privacy Policy. - hide - hide