HIPAA and the opioid crisis

by Cathy Bryant

On October 27, the HHS Office for Civil Rights issued guidance on how HIPAA allows information sharing to respond to the opioid crisis.

This guidance explains how health care professionals have broad ability to share health information with patients’ family members during certain crisis situations without violating HIPAA privacy regulations.

Current HIPAA regulations allow health care professionals to share information with a patient’s loved ones in emergency or dangerous situations, such as when that patient may be incapacitated due to an opioid overdose. This includes informing those in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety.

Misunderstandings about HIPAA can create obstacles to family support, which is crucial for the proper care and treatment of people in a crisis situation, such as an opioid overdose.

Read the HHS guidance

Cyber security: Back to basics

by Cathy Bryant

It seems ironic that we have a Cyber Security Awareness Month. Every day must be cyber security awareness day given today’s threat environment. But we do, and it is in October. It is a great opportunity to have cyber security awareness conversations with your staff.

Without a doubt, our electronic health information is more at risk than ever. All covered entities and business associates must meet the HIPAA Security Rule to ensure confidentiality, integrity, and availability of electronic protected health information (ePHI).

In the risk assessments we conduct at TMLT, we find that practices are failing to meet the basic requirements of HIPAA security. A recent study found that 73% of medical professionals report having shared their password to allow someone access to the EHR. The Health and Human Services Office for Civil Rights (OCR) offers the following tips for getting back to basics. (1)

Basic cyber security tips

Have a strong password. Make sure you use a strong password (i.e. usually 10 characters or more and includes upper case and lower case letters, numbers, and special characters like #$&*). Recent research suggests users could also consider using “passphrases,” which are sentences that may be easier to remember than a very complex password (e.g. “I got a pony for my 8th birthday!”). (2) Do not use passwords or phrases that would be easy to guess, such as a pet’s name or your birthdate. (3)

Training. Train your staff regularly on important cyber security issues, such as how to spot phishing e-mails and when and to whom to report possible cyber incidents in your practice.

Multi-factor authentication. A username and password may not be adequate to protect sensitive information, privileged accounts, or information accessed remotely. As part of its risk analysis, an entity should determine what authentication practices to use to protect its systems and sensitive information. Multi-factor authentication typically includes a password and additional security measures, such as a thumbprint or key card.

Updates and patching. You should update and patch your systems and applications regularly, because updates and patches often fix critical security vulnerabilities.

Lock devices. Limit physical access to devices and lock devices when not in use.

Portable devices. Be cautious when plugging a phone, USB, or other portable device into a secure computer or network. Portable storage devices may not be as secure and may contain malicious software that could corrupt your secure network. If the device is needed, be sure to follow your organization’s policies on the use of such devices, which could include prohibitions on the use of personal devices or having IT personnel review such devices to ensure they do not contain malicious software.

Do not wait. Do not wait to report possible cyber security threats to the right people in your organization. Time is often critical during a cyber incident. If you suspect a cyber threat, report it right away.

Cyber security and ePHI

Be aware. Be aware of your responsibilities as a covered entity or business associate under HIPAA. See 45 C.F.R. Parts 160 and 164. Also, be aware of current threats and trends in cyber security, so you can take action and update security measures as needed.

Plan. Covered entities and business associates are required to have security incident procedures and response plans in place, as well as contingency plans to ensure effective, concentrated, and coordinated means to respond to and recover from security incidents. These policies, procedures, and plans should provide a roadmap for response and recovery activities, be approved by management, and be reviewed and tested regularly.

Respond. Once a security incident is detected, immediately take steps to analyze the incident, contain its impact and propagation, eradicate the incident, remediate vulnerabilities that permitted the incident, recover from the incident, and conduct post-incident activities. (4) You should also take steps to mitigate any impermissible disclosure of protected health information.

Report. Breaches of ePHI affecting more than 500 individuals must be reported to the OCR, affected individuals, and the media as soon as possible, but no later than 60 days after the discovery of the breach.

Breaches affecting fewer than 500 individuals must be reported to the affected individuals as soon as possible, but no later than 60 days after the discovery of the breach, and to OCR no later than 60 days following the calendar year the breach was discovered. An entity may delay its reporting of a breach if such a delay is requested by a law enforcement official.

The OCR encourages entities to report all cyber threat indicators to federal information sharing and analysis organizations (ISAOs), such as those maintained by the Department of Homeland Security and HHS Assistant Secretary for Preparedness and Response, as well as to private sector cyber threat ISAOs. Do not include PHI in these reports. OCR does not receive such reports from its federal or HHS partners.


1. U.S. Department of Health and Human Services Office for Civil Rights. Back to basics (Basic cyber security tips). Cybersecurity Newsletter. September 2017.

2. For more information, please see Appendix A-Strength of Memorized Secrets from NIST Special Publication 800-63B Digital Identity Guidelines. Available at: https://pages.nist.gov/800-63-3/sp800-63b.html. Accessed October 3, 2017.

3. For additional tips on creating strong passwords visit: https://www.stopthinkconnect.org/tips-advice/general-tips-and-advice.

A self-care resource for health care professionals

by Roxanna Maiberger

Hurricane Harvey’s impact has been catastrophic; historic rainfall has resulted in mass flooding and destruction. (1) Thousands have been displaced from their homes and forced to seek the services of emergency relief providers, including those of health care professionals. Throughout Texas and the nation, images of suffering and despair have evoked feelings of helplessness, guilt, and a sense of being called to action for those watching.

Many health care professionals have been providing care under extraordinary measures to patients in need. It is critical for those providers to take proactive measures in self-care techniques in order to continue providing quality care to patients. This article outlines the concept of self-compassion and lists practical self-care techniques to encourage sustainability for emergency health care service providers.

Self-compassion is a concept researched by Kristin Neff, an associate professor at The University of Texas at Austin. (2) Her research on self-compassion consists of a three-pronged theory involving:

  1. Self-kindness;
  2. Common humanity; and
  3. Mindfulness.

Health care providers should take an active role in their own self-preservation and sustainability, in order to effectively care for others. Self-kindness is not synonymous with self-indulgence, self-pity, or self-esteem. Rather, it is a concept based on reducing isolation by increasing awareness of the suffering associated with situations that you and others around you may be facing. Positive self-talk is an important aspect of self-kindness.

Common humanity
Common humanity encompasses our collective human experience, and it interconnects the human race. During challenging times, all people face emotional states involving a range of traumatization, suffering, and stress. Acknowledging these various states of mind, as well as our common experience, allows communities to unite, move forward, and begin to heal. The concepts of self-compassion and common humanity provide a foundation for acknowledging and encouraging human connection, a critical aspect of quality patient care.

Mindfulness includes evaluating the reality of a situation and being aware of any associated emotional and physical impacts. Being mindful, or engaged with the present moment, can create a foundation for effectively navigating difficult situations.

The severity of the damage from Hurricane Harvey is still unfolding. It has been a life-changing event for many. It is important to remember that patients will be prone to mental health concerns (e.g. PTSD, shock, anxiety), physical health ailments, non-compliance with medication due to pharmacy closures, and more. These circumstances will remain an ongoing reality for patients affected by Hurricane Harvey. Maintaining compassionate care for both self and others contributes to patients receiving the care they need, and health care providers effectively engaging in emergency response efforts.

During these difficult times along the Texas coastline and the Houston metropolitan area, many health care providers are being pushed to their limits emotionally and physically. Some self-care tips to encourage sustainability include: (3)

  1. Acknowledge moments of suffering;
  2. Remain empathetic to yourself, as this fosters empathy with others; and
  3. Practice self-compassion as a means to promote quality health care.

Below are additional self-care tips, recommended by the Centers for Disease Control and Prevention, that can be used during natural disaster emergency response events. (4)

  1. Know the signs of compassion fatigue and burnout;
  2. Develop a support network/use the buddy system;
  3. Debrief about experiences;
  4. Know that it is not selfish to say ‘no’;
  5. Take breaks and do not work more than 12 consecutive hours;
  6. Have adequate water and food intake.

We appreciate the efforts of our policyholders in providing exceptional care to patients, especially during times of crisis. The well-being of our policyholders and Texas patients is of utmost importance to TMLT.



  1. Chokshi N, Astor M. Hurricane Harvey: The devastation and what comes next. The New York Times. August 28, 2017. Available at https://www.nytimes.com/2017/08/28/us/hurricane-harvey-texas.html?mcubz=3. Accessed September 8, 2017.
  2. Neff K. Definition of self-compassion. Available at http://self-compassion.org/the-three-elements-of-self-compassion-2/. Accessed September 8, 2017.
  3. Neff K. Self-Compassion: The Proven Power of Being Kind to Yourself. William Morrow. 2011. Available in print.
  4. Centers for Disease Control and Prevention. Emergency preparedness and response. April 15, 2016. Available at https://emergency.cdc.gov/coping/responders.asp. Accessed September 8, 2017.
  5. For information on the symptoms of burnout, here is a helpful article http://www.compassionfatigue.org/pages/healthprogress.pdf.

FDA warns of risk associated with liquid-filled intragastric balloon systems to treat obesity

The U.S. Food & Drug Administration (FDA) has issued a risk alert after receiving five reports of unanticipated deaths in patients with liquid-filled intragastric balloon systems used to treat obesity.

All five reports indicate that patient deaths occurred within a month or less of balloon placement. In three reports, death occurred as soon as one to three days after balloon placement.

At this time, the deaths have not been directly attributed to the devices or the insertion procedures for these devices.

The FDA recommends that health care providers closely monitor patients treated with these devices for complications and promptly report any adverse events related to intragastric balloon systems.

More information, including how to report an adverse event, is available on the FDA website.

TMLT changes online payment interface, vendor

On Thursday, August 31, 2017, TMLT will move its online premium payment services to JPMorgan Chase. The change will have a minimal effect on policyholders currently making online payments through our policyholder portal, myTMLT. However, some slight changes to the interface will occur.

  • Policyholders who are currently enrolled in auto-pay will need to re-enroll. We will halt all auto-pay processes beginning Friday, August 25. If you use auto-pay, you will receive an email the week of August 14 with instructions on how to re-enroll. Please be on the lookout for that important message.
  • When making a payment, and/or adding a new credit or debit card, policyholders will be re-directed to TMLT’s Chase banking page. Our payment-processing page remains a single sign-on. Separate login credentials will not be necessary.
  • If a policyholder has both a TMLT and a TMIC policy, these payments will be made separately. This capability allows policyholders to use separate credit cards to pay each premium. The two premiums (TMLT and TMIC) will now be listed on separate tabs within the “Payment Options” page.

Please contact our Customer Service Team, 1-800-580-8658 ext. 5050, with any questions or to enroll in auto-pay.