Home Care Law Blog Gilliland Markette & Milligan LLP


3905 Vincennes Road
Suite 204
Indianapolis, IN 46268
Phone: (317) 704-2400
Fax: (317) 704-2410

HIPAA - Privacy

Posts relating to the Federal Privacy Regulations

This week's blizzard and contingency planning
Posted by: Robert Markette
February 17, 2007

After two days working at my kitchen table, I returned to the office.  Our firm is located in Indianapolis and the city spent Tuesday and Wednesday digging out from under the snow.  The snow storm and its effects on the area are what led me to today's post.  The response to the snow storm had me wondering how home health agencies' contingency plans were working.

For agencies within Indianapolis, even on Tuesday, as the snow was piling up, it was possible, although not advisable, to get to the office as necessary, for example, to access files.  However, in some of the northern counties, I understand it may not have been possible at all.  There weren't any stories related directly to health care, but I did see in the paper how a few other businesses responded.  For example, a local realtor rescheduled a client meeting to a local coffee shop, because it was accessible whereas the client's house was not very accessible at all.

For home health agencies in the Midwest, blizzards should be considered in your contingency planning.  If roads are impassable, how do you access patient files?  How do you serve your patients?  For the latter, unless a patient cannot survive without services, a blizzard most likely means a missed visit and then a follow up as soon as possible.  But what if a patient has to be seen?  What if the blizzard is accompanied by heavy ice?  That can lead to power outages and other problems.  

If a blizzard leads to your power being down, it may be down for weeks.  My wife, who grew up in Tennessee, spent ten days without electricity one winter because an ice storm/blizzard knocked so many of the power lines in her area down.  In a case like this, an agency will need to consider how to operate until the power is restored.  This may include an alternate office location.

I know of a business here in Indianapolis that was forced to relocate its offices for six weeks, because of a flood.  The flooding wiped out all of its IT and rendered its offices unusable.  The time to plan for that type of emergency is before it happens, not after it happens.  Even if it is not a likely occurrence, it is still something to think about sooner rather than later.  

Having to relocate information systems and other administrative equipment while also digging out from under the snow can be very difficult.  Failing to have a plan in place in advance will only delay getting things "back to normal" even further.

For our firm, the contingency plan is very simple: take your laptop and files home with you.  But that plan won't work for most agencies.  If you found yourself trying to come up with a contingency plan on Monday night, maybe now is a good time to plan for future contingencies.


Human error - the privacy rule's weakest link.
Posted by: Robert Markette
February 13, 2007

A reporter at Home Health Line forwarded a story to me last week about another computer-related incident.  According to the story, Johns Hopkins University has a contractor who routinely makes microfiche backups of certain data.  The contractor receives computer tapes with the data and then makes its backups from the tape.  The contractor who creates the microfiche uses a courier to pick up and deliver the tapes from the hospital to its offices and then to return the tapes when the backups have been created.

In the reported case, the tapes with patient information never made it to the business associate.  The parties think that the courier service's employee left the tapes at one of his stops on his way to the contractor.  The good news is the tapes were apparently incinerated by the party that received them.

Once again, a potential security incident occurred because an individual made a mistake.  In this case, it was the contracted courier of a covered entity's business associate.  When you are contracting for services, your contractor may use a subcontractor. This is in compliance with the Privacy Regulation, which specifically allows for business associates to use subcontractors. If you look at your business associate agreement, it allows for subcontractors.  The agreement simply requires the business associate to pass the assurances on to the subcontractor.

Having business associate agreements in place establishes what your business associate and its subcontractors are supposed to do to protect your PHI, but that will not stop every potential breach.  Individuals will make mistakes, either because they are unaware of the appropriate procedures to follow, or because they fail to follow procedures or simply fail to do their job properly at all, as in this case.  As a covered entity, you should not let that stop you from using contractors.  

One issue that this incident brings to light is the need for your business associate agreements to require prompt notification in the event of these kinds of mistakes, because you will need to move quickly.  Unlike dealing with your own employees, you have no way to train your business associates' employees on HIPAA.  You do not have an obligation to police their compliance, but you will have to respond when a mistake occurs.  Thus, the faster you learn about the problem, the better.

Another way to address this problem would be for the covered entity to deal with the courier directly and require confirmation of delivery.  This would reduce the amount of time that passed before the covered entity learned that the items were lost in transit, because it would remove a layer of communication.  The covered entity could also notify the contractor when its courier picked up the tapes and have the contractor call when they arrived.  

Unfortunately, neither method will prevent a mistake; it will simply speed up the notification process.  These kinds of mistakes will happen.  Your business associates should be prepared to notify you quickly and you should simply be ready to respond.


Biometric Security on my recent vacation
Posted by: Robert Markette
February 07, 2007

One of the topics that frequently comes up when discussing HIPAA security rule matters is biometric security devices.  As technology improves, there are more and more biometric security options; in fact, one popular model of laptop has a built-in fingerprint scanning device.  Of course, the downside of biometric devices is that they do not always work as efficiently as advertised.

My favorite example of the use of biometric security devices is Disney World.  I have previously mentioned the biometric devices used at the entrances to Disney World, but I discovered last week (when my wife and I took our three children to Disney for a vacation) that they have changed to a fingerprint scanning device.  For those of you who have not been to Disney World, when you first use a multiple day park ticket, you use the biometric scanner to identify yourself as the ticket's owner.  Every time you use the ticket to get into a park, you have to submit to the same scan before you can enter the park.

Currently, they have a fingerprint scanning device.  You put your ticket into the turnstile, put a finger on the scanner and off you go.  At least that is how it is supposed to work.  As I discovered during my vacation last week, it is not quite that simple.  On our second day at Disney World, the fingerprint scanner repeatedly rejected my fingerprint as incorrect.  After trying my right index finger three or four times, I switched to my left finger.  That solved the problem. (Even though I will swear that I used my right finger for the initial scan.)

Well, I decided I must have forgotten which finger I used.  So on day three, when trying to enter the Magic Kingdom, I placed my left index finger on the scanner.  Of course, it did not work.  The attendant suggested that because the scanner is on the right hand side, I probably used my right hand.  I replied that no, I had gained entry to the parks using my left hand the day before.  She then proceeded to explain how I should try varying the position of my finger on the scanner.  After three or four tries, all of them unsuccessful, she finally just overrode the scanner and let me into the park.  (Overriding the repeated failed scans raises another question about the usefulness of the scanner.  It appears that if your fingerprint doesn't match you get in anyway?)

I mention this story both to explain the lack of posts last week (I was out of town) and to demonstrate the potential downside for biometric security devices: difficulty in using them.  Admittedly, in this case, the operator error was enhanced by a lack of instructions, but nevertheless, when considering potential biometric security devices, one of the considerations you should make is the potential effect use of the device will have on your employees' efficiency.  In other words, you want to make sure that the devices are user friendly.  An employee who spends ten minutes a day trying to get the device to allow him or her access to his computer or other device is going to become very frustrated very quickly, and will try to avoid using it to the extent that is possible.

If you do implement such a system, be sure your employees are trained and familiar with it.  Knowing how to properly use the system should go a long way towards avoiding the frustration that comes with a system that does not function "as advertised."

The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation.

Copyright © 2008 Home Care Law Blog Gilliland Markette & Milligan LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.