A Short Course on Encryption and Cloud Storage

Course excerpt from Ethics & Risk Management: Expert Tips 8

Encryption and cloud storage is a complicated area because it requires an analysis of the interplay of several variables, including confidentiality, encryption, cloud storage and HIPAA. Each of these variables is complex, but there are ways to make the situation more manageable.

Encryption and cloud storage. Let’s consider a few common questions:

“For the purposes of HIPAA, if you have adequately encrypted your data, does your cloud storage provider need to sign a Business Associate Agreement (BAA)?”

The bottom line is that there is no crystal-clear answer to this question. The Department of Health and Human Services (HHS) hasn’t specifically addressed this issue, so we are faced with the question of how to interpret the security rule.

There are two basic interpretations: “no,” and “yes.” Both have some support, and if you proceed with one interpretation you should consider the countervailing position.

First, the basics: HIPAA Covered Entities (CEs) who work with vendors are required to have their vendors sign BAAs. This is required because it allows the federal government to enforce the provisions of HIPAA on these third-party vendors.

The public policy at work is that CEs shouldn’t be allowed to offload their legal responsibilities to a third party that isn’t subject to regulatory oversight. BAAs are required whenever a third-party vendor has access to Protected Health Information (PHI).

Here’s where it gets complicated. PHI is identifiable data, but if the data are encrypted they are not identifiable. In such a case, why is a BAA necessary?

The interpretation against requiring a BAA for encrypted data finds some support in one of HIPAA’s safe harbor provisions, which states that losses of encrypted data do not trigger a breach notification (the letter CEs send out that apologetically admits to the disclosure of protected health information).

The reason why breach notifications is not required for encrypted data are that the data remain inaccessible if encrypted. The covered entity has essentially lost gibberish.

Thus, this interpretation goes, BAAs are also not required because the vendor does not have access to protected health information. That makes sense. However, it should be noted that this is a fairly permissive interpretation and HHS has declined to endorse this position.

The competing interpretation, which appears to be strongly supported by the official commentary on related regulations (especially the 2013 HITECH amendments to the HIPAA Privacy and Security Rules), is that BAAs are required even when the data are encrypted.

Support for this position includes: HHS has not made the criteria for breach notifications the same as the criteria for needing a BAA.

The statutory exceptions for BAAs, such as those with incidental access (e.g., a janitor or electrician) or those who are mere “conduits,” do not apply to cloud storage providers. HHS has indicated that a data storage company is not a conduit because of the “persistent nature” of its contact with the data. Thus, it is persistency, and not the degree of access, that HHS has specifically indicated warrants consideration for the purposes of BAAs.

Commentary prior to the adoption of the security rule asked whether or not BAAs could be something that CEs could address, and thus render unnecessary. In other words, the question was asked, “if we as CEs take adequate security measures to ensure the protection of PHI, can we make BAAs unnecessary?” HHS specifically declined to make BAAs an “addressable” requirement.

Besides the issue of protecting PHI, BAs have additional responsibilities. These responsibilities include accessibility, data integrity, etc. If encryption enabled vendors to escape “business associate” (BA) status, HHS would have no jurisdiction. (From a risk management perspective, the execution of a BAA is something that many CEs do to “distribute” the risk.)

The definition of BA isn’t explicitly restricted to those who have access to PHI. The definition also includes those who perform “any other function or activity regulated by this subchapter.” (See 45 CFR 160.103(1)(i)(B)) The amount of functions and activities that are regulated under HIPAA is huge.

I want to emphasize that I understand the argument that where vendors have absolutely no access to PHI because the data are encrypted, the vendor doesn’t have encryption keys, etc., then HIPAA is (theoretically) a non-issue. It makes a lot of sense. However, we just don’t know at this time if HHS agrees with that position and we have some strong evidence that casts this position as too narrow.

However, the ambiguity also applies to the other interpretation: We don’t know if HHS agrees with the position that the storage of encrypted PHI (where the vendor has zero access to the PHI) still requires a BAA.

I hope this helps or at least provides some things to consider.

---

By Adam Alban, PhD, JD

Adam Alban, PhD, JD, hosts a website of general information for mental health professionals in California. He has an M.A. and PhD in clinical psychology from Michigan State University and a JD from American University in Washington, D.C. He operates a law practice specializing in legal assistance to mental health practitioners and also has a clinical psychology practice, the Alban Psychology Group. He may be reached at: alban@clinicallawyer.com.

---

Ethics & Risk Management: Expert Tips 8 is a 3-hour online continuing education (CE) course that addresses a wide variety of ethics and risk management topics, written by experts in the field.

• CE Credit: 3 Hours
• Target Audience: Psychologists | Counselors | Social Workers | Marriage & Family Therapists (MFTs)
• Learning Level: Intermediate
• Course Type: Online

This online course provides instant access to the course materials (PDF download) and CE test. After enrolling, click on My Account and scroll down to My Active Courses. From here you’ll see links to download/print the course materials and take the CE test (you can print the test to mark your answers on it while reading the course document). Successful completion of the online CE test (80% required to pass, 3 chances to take) and course evaluation are required to earn a certificate of completion.

Professional Development Resources is approved to sponsor continuing education by the American Psychological Association (APA); the National Board of Certified Counselors (NBCC ACEP #5590); the Association of Social Work Boards (ASWB Provider #1046, ACE Program); the American Occupational Therapy Association (AOTA Provider #3159); the Commission on Dietetic Registration (CDR Provider #PR001); the Alabama State Board of Occupational Therapy; the Florida Boards of Social Work, Mental Health Counseling and Marriage and Family Therapy (#BAP346), Psychology & School Psychology (#50-1635), Dietetics & Nutrition (#50-1635), and Occupational Therapy Practice (#34); the Ohio Counselor, Social Worker & MFT Board (#RCST100501); the South Carolina Board of Professional Counselors & MFTs (#193); and the Texas Board of Examiners of Marriage & Family Therapists (#114) and State Board of Social Worker Examiners (#5678).

 

Preventing Medical Errors for Florida SLPs

Preventing Medical Errors in Speech-Language Pathology is a 2-hour online continuing education (CE/CEU) course that addresses the impact of medical errors on today’s healthcare with a focus on root cause analysis, error reduction and prevention, and patient safety. Multiple scenarios of real and potential errors in the practice of speech-language pathology are included, along with recommended strategies for preventing them. Evidence shows that the most effective error prevention occurs when a partnership exists among care facilities, health care professionals, and the patients they treat.

This course satisfies the medical errors requirement for license renewal of Florida Speech-Language Pathologists (SLPs):

Florida Board of Speech Language Pathology & Audiology
CE Required: 30 hours every 2 years (50 if dual licensed), of which:
2 hours on Preventing Medical Errors in Speech-Language Pathology are required each renewal
1 hour on HIV/AIDS is required for initial licensure only
Online CE Allowed: No limit if ASHA-approved
License Expiration: 12/31, odd years
National Accreditation Accepted: ASHA – Professional Development Resources is approved by the Continuing Education Board of the American Speech-Language-Hearing Association (ASHA Provider #AAUM) to provide continuing education activities in speech-language pathology and audiology. Professional Development Resources is also approved by the Florida Board of Speech-Language Pathology and Audiology (Provider #50-1635) and is CE Broker compliant.
Notes: 10 hr limit on non-clinical courses
Date of Info: 6/15/2017

Florida SLPs may earn all 30 hours required for renewal through online courses offered @pdresources.org. Click here to view ASHA-approved online CEU courses.

We report to CE Broker for you – so you don’t have to! All courses are reported within a few days of completion.

 

The Impact of Suicide

By Laura More, MSW, LCSW

The health and economic consequences of suicide are substantial. Suicide and suicide attempts have far reaching consequences for individuals, families, and communities. In an early study, Crosby and Sacks (2002) estimated that 7% of the U.S. adult population, or 13.2 million adults, knew someone in the prior 12 months who had died by suicide. They also estimated that for each suicide, 425 adults were exposed, or knew about the death. In a more recent study in one state, researchers found that 48% of the population knew at least one person who died by suicide in their lifetime. Research also indicates that the impact of knowing someone who died by suicide and/or having lived experience (by personally having attempted suicide, having had suicidal thoughts, or having been impacted by suicidal loss) is much more extensive than injury and death. People with lived experience may suffer long-term health and mental health consequences ranging from anger, guilt, and physical impairment, depending on the means and severity of the attempt (Stone, Holland, Bartholow, et al., 2017).

The economic toll of suicide on society is immense as well. According to conservative estimates, in 2013, suicide cost $50.8 billion in estimated lifetime medical and work-loss costs alone (Florence, Simon, Haegerich, Luo & Zhou, 2015). Adjusting for potential under-reporting of suicide and drawing upon health expenditures per capita, gross domestic product per capita, and variability among states in per capita health care expenditures and income, another study estimated the total lifetime costs associated with nonfatal injuries and deaths caused by self-directed violence to be approximately $93.5 billion in 2013 (Shepard, Gurewich, Lwin, Reed & Silverman, 2016). The overwhelming burden of these costs were from lost productivity over the life course, with the average cost per suicide being over $1.3 million. The true economic costs are likely higher, as neither study included monetary figures related to other societal costs such as those associated with the pain and suffering of family or other impacts (Stone, Holland, Bartholow, et al., 2017).

Suicide Prevention: Evidence-Based Strategies is a 3-hour online continuing education (CE) course that reviews evidence-based research and offers strategies for screening, assessment, treatment, and prevention of suicide in both adolescents and adults. Suicide is one of the leading causes of death in the United States. In 2015, 44,193 people killed themselves. The Centers for Disease Control and Prevention (CDC) notes, “Suicide is a serious but preventable public health problem that can have lasting harmful effects on individuals, families, and communities.” People who attempt suicide but do not die face potentially serious injury or disability, depending on the method used in the attempt. Depression and other mental health issues follow the suicide attempt. Family, friends, and coworkers are negatively affected by suicide. Shock, anger, guilt, and depression arise in the wake of this violent event. Even the community as a whole is affected by the loss of a productive member of society, lost wages not spent at local businesses, and medical costs. The CDC estimates that suicides result in over 44 billion dollars in work loss and medical costs. Prevention is key: reducing risk factors and promoting resilience. This course will provide a review of evidence-based studies on this complex subject for psychologists, marriage & family therapists, professional counselors, and social workers. Information from the suicide prevention technical package from the Centers for Disease Control and Prevention will be provided. Included also are strategies for screening and assessment, prevention considerations, methods of treatment, and resources for choosing evidence-based suicide prevention programs. Course #30-97 | 2017 | 60 pages | 20 posttest questions

This online course provides instant access to the course materials (PDF download) and CE test. After enrolling, click on My Account and scroll down to My Active Courses. From here you’ll see links to download/print the course materials and take the CE test (you can print the test to mark your answers on it while reading the course document). Successful completion of the online CE test (80% required to pass, 3 chances to take) and course evaluation are required to earn a certificate of completion. Click here to learn more.

About the Author:

Laura More, MSW, LCSW, is a healthcare author and licensed clinical social worker. Laura was one of the founding partners of Care2Learn, a provider of online continuing education courses for the post-acute healthcare industry. She now provides healthcare authoring services. She has authored over 120 online continuing education titles, co-authored evidence-based care assessment area resources and a book, The Licensed Practical Nurse in Long-term Care Field Guide. She is the recipient of the 2010 Education Award from the American College of Health Care Administrators.

CE Information:

Professional Development Resources is approved to sponsor continuing education by the American Psychological Association (APA); the National Board of Certified Counselors (NBCC ACEP #5590); the Association of Social Work Boards (ASWB Provider #1046, ACE Program); the Florida Boards of Social Work, Mental Health Counseling and Marriage and Family Therapy (#BAP346), Psychology & School Psychology (#50-1635); the Ohio Counselor, Social Worker & MFT Board (#RCST100501); the South Carolina Board of Professional Counselors & MFTs (#193); and the Texas Board of Examiners of Marriage & Family Therapists (#114) and State Board of Social Worker Examiners (#5678).

 

Memorial Weekend CE Sale – Buy 2 Get 1 Free

Memorial Weekend CE Sale @pdresources

Celebrate and honor our fallen soldiers and kick-off the start of summer during our Memorial Weekend CE Sale where you can Buy Any 2 Courses and Get 1 FREE!

Have a coupon? Apply it at checkout for even greater savings > Shop now!

Choose any 3 CE courses and the lowest priced 3rd course will automatically deduct at checkout (courses must be purchased together, one free course per order). Memorial Weekend Sale ends Wednesday, May 31, 2017. Offer valid on future orders only.

Professional Development Resources is a nonprofit educational corporation 501(c)(3) organized in 1992. Our purpose is to provide high quality online continuing education (CE) courses on topics relevant to members of the healthcare professions we serve. We strive to keep our carbon footprint small by being completely paperless, allowing telecommuting, recycling, using energy-efficient lights and powering off electronics when not in use. We provide online CE courses to allow our colleagues to earn credits from the comfort of their own home or office so we can all be as green as possible (no paper, no shipping or handling, no travel expenses, etc.). Sustainability isn’t part of our work – it’s a guiding influence for all of our work.

We are approved to sponsor continuing education by the American Psychological Association (APA); the National Board of Certified Counselors (NBCC); the Association of Social Work Boards (ASWB); the American Occupational Therapy Association (AOTA); the American Speech-Language-Hearing Association (ASHA); the Commission on Dietetic Registration (CDR); the Alabama State Board of Occupational Therapy; the Florida Boards of Social Work, Mental Health Counseling and Marriage and Family Therapy, Psychology & School Psychology, Dietetics & Nutrition, Speech-Language Pathology and Audiology, and Occupational Therapy Practice; the Ohio Counselor, Social Worker & MFT Board and Board of Speech-Language Pathology and Audiology; the South Carolina Board of Professional Counselors & MFTs; the Texas Board of Examiners of Marriage & Family Therapists and State Board of Social Worker Examiners; and are CE Broker compliant (all courses are reported within one week of completion).

 

Transgender Military Ban May Soon Be Lifted

From The Huffington Post

Pentagon leaders are finalizing plans aimed at lifting the ban on transgender individuals in the military, with the goal of formally ending one of the last gender- or sexuality-based barriers to military service, senior U.S. officials told The Associated Press.

An announcement is expected this week, and the services would have six months to assess the impact of the change and work out the details, the officials said Monday. Military chiefs wanted time to methodically work through the legal, medical and administrative issues and develop training to ease any transition, and senior leaders believed six months would be sufficient.

The officials said Defense Secretary Ash Carter has asked his personnel undersecretary, Brad Carson, to set up a working group of senior military and civilian leaders to take an objective look at the issue. One senior official said that while the goal is to lift the ban, Carter wants the working group to look at the practical effects, including the costs, and determine whether it would affect readiness or create any insurmountable problems that could derail the plan. The group would also develop uniform guidelines.

During the six months, transgender individuals would still not be able to join the military, but any decisions to force out those already serving would be referred to the Pentagon’s acting undersecretary for personnel, the officials said. One senior official said the goal was to avoid forcing any transgender service members to leave during that time.

Several officials familiar with the planning spoke on condition of anonymity because they were not authorized to talk about the issue publicly before the final details have been worked out.

In a statement to The Associated Press, Carter said, “we must ensure that everyone who’s able and willing to serve has the full and equal opportunity to do so. And we must treat all of our people with the dignity and respect they deserve. Going forward the Department of Defense must and will continue to improve how we do both.”

 

Read more @ http://www.huffingtonpost.com/2015/07/13/transgender-in-military_n_7787060.html?ir=Politics&utm_campaign=071315&utm_medium=email&utm_source=Alert-politics&utm_content=FullStory&ncid=newsltushpmg00000003

—

Related Online CEU Courses:

Gender Identity and Gender Variance is a 3-hour online continuing education (CE/CEU) course that presents basic facts about homosexuality, transgendered individuals, and gender identity.

GLB Issues in Psychotherapy is a 6-hour online continuing education (CE/CEU) course that examines psychotherapy with gay, lesbian, and bisexual individuals.

Professional Development Resources is approved by the American Psychological Association (APA) to sponsor continuing education for psychologists. Professional Development Resources maintains responsibility for all programs and content. Professional Development Resources is also approved by the National Board of Certified Counselors (NBCC); the Association of Social Work Boards (ASWB); the American Occupational Therapy Association (AOTA); the American Speech-Language-Hearing Association (ASHA); the Commission on Dietetic Registration (CDR); the California Board of Behavioral Sciences; the Florida Boards of Social Work, Mental Health Counseling and Marriage and Family Therapy, Psychology & School Psychology, Dietetics & Nutrition, Speech-Language Pathology and Audiology, and Occupational Therapy Practice; the Ohio Counselor, Social Worker & MFT Board; the South Carolina Board of Professional Counselors & MFTs; and by the Texas Board of Examiners of Marriage & Family Therapists and State Board of Social Worker Examiners.