HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

The Cloud is Good, But Know Where Data Go

A recent settlement announcement from the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) highlights the need to evaluate web-based applications and storage solutions. Web-based or cloud solutions are viable options and tools for healthcare entities to utilize, but those tools need to be evaluated for compliance with HIPAA security requirements.

Saint Elizabeth’s Medical Center (“SEMC”), located outside of Boston, MA, learned this lesson the hard way. On November 16, 2012, certain workforce members at SEMC reported suspected non-compliance with HIPAA to OCR. The report focused upon use of an internet-based document sharing and storage application. The specific site is not identified in the OCR Resolution Agreement, but Dropbox is an example of an online storage site that, at the time, did not meet HIPAA security requirements. OCR notified SEMC of the results of its investigation on February 14, 2013. A year later, SEMC reported a separate breach involving a workforce member’s unsecured laptop and USB storage device. The combination of events led OCR to conclude that SEMC failed to implement the security measures required by HIPAA and did not timely identify or mitigate the harmful effects of the deficiencies it had identified.

As a result of the two reported incidents, SEMC is now paying $218,400 to OCR in settlement funds. The settlement continues the trend of settlement amounts that cannot be predicted in advance. As stated in the announcement, OCR “takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed.” This statement gives some insight, and can be read to mean that entities with bigger pockets will be hit with larger fines because such entities can absorb them.

The other consideration raised by the SEMC settlement is what to do about cloud based storage and sharing solutions. Should all such tools be locked away from use by healthcare organizations? This is not necessarily the answer, because some tools do follow HIPAA security requirements. For example, some cloud storage services were built specifically for healthcare, and as such are more cognizant of applicable regulatory requirements. More general services, such as Box, have noted HIPAA requirements and claim to meet the required standards. As such, it is possible for organizations to utilize cloud based options, provided the vendor will sign a business associate agreement and the organization has evaluated the service against the Security Rule.

However, it is not necessarily the choices of an organization as a whole that are troublesome. In SEMC’s case, it is not clear whether the workforce members acted under SEMC’s direction or utilized the cloud sites without SEMC’s direct knowledge. The unsupervised actions of workforce members are what can cause an organization a lot of concern. Organizations need to train and educate workforce members, but cannot always control their actions. Despite the inability to constantly track what a workforce member is doing, certain steps can be taken to reduce the risk. One measure is to block access to websites that could lead to a potential breach or other non-compliance, and to monitor web-proxy logs for uploads to unsanctioned file-sharing services. Such a measure may not make all workforce members happy, but an organization should assess its risks and take appropriate measures. Additionally, an organization can point workforce members to sanctioned, compliant services so that a blocked site has an approved alternative.
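The blocking and monitoring measure described above is easier to enforce when the organization can see, in its proxy logs, who is uploading what to which service. The following script is an added example, not part of the original article or the OCR settlement materials: it scans constructed web-proxy log lines for uploads (POST or PUT) to consumer file-sharing domains that the organization has not sanctioned. The log layout, the sanctioned list (Box, assumed here to have a signed BAA) and the unsanctioned list (Dropbox and others, as the article’s example) are assumptions for illustration. The one detail worth copying is the label-aware domain match: a naive substring check would treat `box.com.attacker.example` as the sanctioned `box.com`, which is exactly the hole a determined workforce member or phishing kit would use.

```python
"""Flag uploads to cloud file-sharing services the organization has not sanctioned.

Added example (not from the original article).  The log format, the domain
lists and the sample lines below are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed policy: Box has a signed BAA with us and is sanctioned; the rest are not.
SANCTIONED = {"box.com"}
UNSANCTIONED = {"dropbox.com", "drive.google.com", "wetransfer.com"}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed proxy log lines: "timestamp user method url status bytes".
# Line 4 is a look-alike host that a substring match would misclassify.
SAMPLE_LOG = """\
2012-11-16T09:14:02Z jsmith POST https://www.dropbox.com/upload 200 5242880
2012-11-16T09:15:10Z jsmith GET https://www.dropbox.com/home 200 3120
2012-11-16T09:20:44Z mlee PUT https://upload.box.com/api/2.0/files/content 201 1048576
2012-11-16T09:22:01Z rchen POST https://box.com.attacker.example/upload 200 99000
2012-11-16T09:25:33Z rchen POST https://content.dropbox.com/files/put 200 2097152
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    user: str
    domain: str
    url: str
    nbytes: int


def domain_matches(host: str, domain: str) -> bool:
    """True when host IS domain or a subdomain of it (label-aware, not substring)."""
    return host == domain or host.endswith("." + domain)


def classify_host(host: str) -> str:
    """Return 'sanctioned', 'unsanctioned' or 'other' for a hostname."""
    host = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    if any(domain_matches(host, d) for d in SANCTIONED):
        return "sanctioned"
    if any(domain_matches(host, d) for d in UNSANCTIONED):
        return "unsanctioned"
    return "other"


def find_unsanctioned_uploads(log_text: str) -> list:
    """Return a Hit for every upload-style request to an unsanctioned domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, user, method, url, _status, nbytes = m.groups()
        if method.upper() not in UPLOAD_METHODS:
            continue  # browsing the site is not the same as uploading PHI to it
        host = urlsplit(url).hostname or ""
        if classify_host(host) == "unsanctioned":
            hits.append(Hit(ts, user, host, url, int(nbytes)))
    return hits


if __name__ == "__main__":
    for h in find_unsanctioned_uploads(SAMPLE_LOG):
        print(f"{h.timestamp} {h.user} uploaded {h.nbytes} bytes to {h.domain}")
```

Run against the constructed sample, the script reports two events (jsmith to www.dropbox.com and rchen to content.dropbox.com), ignores the GET, accepts the Box upload as sanctioned, and classifies the look-alike host as neither. In production the same logic would sit over the proxy’s real log format and the sanctioned list would be whatever services actually have a BAA on file.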

Regardless of the approach taken, organizations need to be cognizant of the risks posed by cloud based storage, especially on the individual level. OCR’s settlement with SEMC is only the most recent action to highlight the concern. As has been stated before, once OCR releases a settlement addressing an issue, subsequent organizations with the same issue can expect greater focus on the identified issue and less leniency when it comes to a violation.

VA Healthcare Data Breach Exposes Info of 7,000 Veterans | HealthITSecurity.com

The VA experienced a healthcare data breach after a third-party vendor allegedly had an online security flaw.

The Department of Veterans Affairs (VA) experienced yet another healthcare data breach, as it announced last week that approximately 7,000 veterans’ information was potentially exposed after a contractor’s database flaw.

The VA was notified of the incident on Nov. 4, and said that it was due to a potential flaw in a vendor’s system, according to Federal News Radio. The VA told the news source that the vendor was supposed to provide home telehealth services to veterans. More than 790,000 veterans reportedly took advantage of this program in 2014.

“An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern,” the spokesman said. “The contracted vendor has assured VA that only vendor staff and VA staff had accessed this information. The security flaw in the vendor database was immediately corrected and VA continues to closely monitor the application.”

Information that was potentially exposed via the internet includes names, addresses, dates of birth, phone numbers and VA patient identification numbers. Veterans who were possibly affected have been notified by the VA and are being offered complimentary credit protection services.

The VA did not name the vendor that was involved. However, according to the third-party company, no data was actually exfiltrated through the security hole. Rather, the information was potentially seen after a database was inadvertently exposed online, according to the Federal Times.

This is just the latest in a long line of cybersecurity issues for the VA. In November, the agency failed its annual cybersecurity audit for the 16th straight time. Full results were not released, but VA Chief Information Officer Stephen Warren presented the audit results at a House Veterans Affairs Committee hearing. According to Warren, the results were disappointing, especially since “significant time and effort” were put into 2014.

Even so, auditors told VA leaders that noticeable progress had been made from the year before. In 2013, the IG found 6,000 specific cybersecurity vulnerabilities and made 35 separate recommendations to close weaknesses. This year, the IG said the list of vulnerabilities had been cut by 21 percent.

The cybersecurity report followed a US Government Accountability Office (GAO) investigation that also said the VA was lacking in terms of cybersecurity. While the VA took action to fix problems that led to a 2012 breach, the GAO stated that weaknesses identified on VA workstations had not been corrected in a timely manner. This could increase the risk that sensitive data, such as veterans’ personal information, can be compromised.

“Specifically, by not keeping sufficient records of its incident response activities, VA lacks assurance that incidents have been effectively addressed and may be less able to effectively respond to future incidents,” the GAO report stated. “In addition, without fully addressing an underlying vulnerability that allowed a serious intrusion to occur, increased risk exists that such an incident could recur.”

These security issues demonstrate why healthcare organizations must not only maintain their own cybersecurity measures, but also ensure that all third-party companies have current protections in place. Creating business associate agreements (BAAs) that account for cybersecurity issues is critical, and can help keep all parties accountable should a healthcare data breach occur. The contract will also clarify and limit how a business associate uses and discloses protected health information (PHI). Without a clear BAA, it can be more difficult to maintain patients’ privacy and mitigate a possible healthcare data breach.

Cloud still sparks fear of breaches | Healthcare IT News

These days, it seems, data breaches and hacking are regular news in health — and across industries.

The fear of breaches, subsequent fines and reputation loss are among the reasons why some healthcare technology leaders have been hesitant to embrace cloud-based technology writ large. They need not fear, but should be informed.

Indeed, almost 20 percent of healthcare organizations have suffered a security breach, some 804 breaches have occurred with more than 500 patient records between 2009 and 2013, and this summer the hospital network Community Health Systems was hacked, according to a report from the Institute for Health Technology Transformation, or iHT2.

Looking outside of healthcare, there have been frightening breaches of cloud-based data, like the 2011 incident involving Sony’s PlayStation 3 accounts on Amazon Web Services. Then there’s the celebrity photo hacking in Apple accounts, which actually happened through password guessing, not cloud-system hacking, but nonetheless contributes to the fear.

One health cloud skeptic is Chris Logan, chief information security officer of Care New England, a three-hospital system based in Providence, R.I. Though the system’s vendor, Cerner, has a remote-hosted EHR, Logan told iHT2 he still prefers a dedicated infrastructure over a multi-tenant public cloud.

“Most cloud vendors have huge servers and are carving pieces up to give to customers. The thing that scares me about that is, what if the controls aren’t in place and my data slips into somebody else’s environment, or their data slips into my environment? What’s the downstream issue there? What’s the effect? It’s significant.”

HIPAA is starting to take care of that, with its most recent update in 2013 specifically defining cloud services as business associates, which have to comply with HIPAA security rules and also take on direct liability for security breaches.

Even with the BA protection, though, there’s still a risk for healthcare organizations. “Your name and your reputation are always at stake if there’s a security breach,” Jeff Pearson, CIO at Trinity Mother Frances Hospitals and Clinics, in Tyler, Texas, told the report's authors. “So you have to worry that if you make a poor choice of a cloud vendor, your organization is still going to suffer.”

While there is no undoing bad PR stemming from a breach, health organizations can dig deep into their contracts with cloud vendors and negotiate upward on caps for damages stemming from breaches.

Relatedly, one of the biggest factors to consider in the long-term is long-term subscription cost, according to iHT2. Renting cloud-space may not necessarily be cheaper than purchasing and hosting an internal system.

"Most cloud services are by subscription, and subscription fees come out of our operating budget," David Reis, chief information security officer at Lahey Health, in Burlington, Mass., told the researchers. “When we buy a system, we can capitalize that cost and it doesn’t count against our operating budget. So financing these cloud services is a very significant inhibitor. This has been a conversation at Lahey for the 2.5 years I’ve been here. It’s the undiscussed story of the cloud.”

On the flip-side, in-house systems face the costs of downtimes — as much as $264 per minute for a 500-bed hospital.

“Most on-premises systems have downtimes,” said Drew Koerner, chief healthcare solutions architect at cloud service company VMware. “The people who run the cloud-based infrastructure — including us — have got 10 times less downtime than you would have within an on-prem system.”

In the end, healthcare organizations with mixed feelings about the cloud may want to watch their peers — and learn from them.

More than 83 percent of hospitals and health systems are using the cloud for at least some technology, according to a recent HIMSS Analytics survey of 150 organizations. About half are using the cloud for clinical operations, about three quarters are using it for administration and about three quarters are using hybrid cloud services that give them more control over their data but less than the full potential for savings promised by large public clouds.

A bit less than a quarter of the hospitals and health systems surveyed are using the public cloud, which is available to the general public and, according to vendors, can yield savings of up to 40 percent over five years, compared to internal hosting, while private clouds come with savings of up to 20 percent.

Wary health organizations should know, too, that some businesses throughout the rest of the economy are also waiting before diving in. Less than 40 percent of cloud users across industries are using a public cloud, according to a 2013 survey by North Bridge Venture Partners.

Healthcare Mobile Apps, the Cloud, and HIPAA Compliance

Google Fit, Apple Health Kit, and even the Affordable Care Act have companies scrambling to build healthcare-focused mobile apps and/or upgrade existing medical devices. However, the process of bringing a new product to market in the healthcare industry brings about a whole other set of challenges. Not only do you have to worry about a product’s design and functionality, but now there’s the issue of HIPAA compliance and whether your product meets the criteria for FDA regulation. If you’re interested in building a healthcare-focused mobile app or medical device, don’t let these things deter you from doing so. Instead, let’s go over a few things you’ll need to be aware of before you jump in with both feet.
What is HIPAA?

The Health Insurance Portability and Accountability Act, also known as HIPAA, was first signed into law in 1996. HIPAA was written with the intent to protect individuals from having their healthcare data used or disclosed to people or agencies that have no reason to see it. It has two basic goals:

1.) Standardize the electronic exchange of data between health care organizations, providers, and clearinghouses.
2.) Protect the security and confidentiality of protected health information.

There are four rules of HIPAA, but today we’ll focus on the HIPAA Security Rule.
What is PHI?

Protected Health Information (PHI) includes medical records, billing information, phone records, email communication with medical professionals, and anything else related to the diagnosis and treatment of an individual. Examples of non-PHI include the step count on your pedometer, calories burned, or medical data that carries no personally identifiable information (PII).

When building a healthcare app or medical device with the intent to collect, store, and share PHI with doctors and hospitals, it is mandatory to make sure you’re HIPAA-compliant (or else you’ll face some hefty fines). Additionally, if you’re planning on storing data in the cloud, you must take appropriate measures to ensure you’re properly securing the data and working with a HIPAA-compliant cloud storage service, too.

Here are some steps you’ll need to take:
Determine if your mobile app or medical device must be HIPAA-compliant.

Are you collecting, sharing, or storing personally identifiable health data with anyone who provides treatment, payment and operations in healthcare (aka a covered entity)? If yes, then you must be HIPAA-compliant.
Determine if your mobile app or medical device must be FDA-regulated.

The U.S. Food and Drug Administration (FDA) regulates medical devices to ensure their safety and effectiveness. If you plan to market your product as a medical device, then it may be subject to the provisions of the Federal Food Drug & Cosmetic (FD&C) Act. Find out if your product meets the definition of a medical device as defined by section 201(h) (or a radiation-emitting product as defined in Section 531) on the FDA website. (Visit Is This Product a Medical Device? for more information.) You can also contact the FDA directly if you are unsure whether your mobile app is considered a “Mobile Medical App” and will need to be FDA-regulated. (See Mobile Medical Applications.)
Work with a HIPAA-compliant cloud storage service provider.

Storing data in the cloud is appealing to the healthcare industry because of the amount of data that needs to be stored and easily accessible yet remain secure. The cloud allows individuals and businesses to store large amounts of information in massive data centers around the globe, rather than on internal servers and software. That data can be accessed from anywhere, anytime. Depending on the amount of data (which in healthcare can be A LOT), it can be more cost-effective to store data in the cloud when you account for the costs of hardware, maintenance, staff, and energy when storing locally.

That being said, you need to make sure you’re working with a cloud storage service provider that supports HIPAA compliance, like Amazon Web Services or Google Apps, though there are several others you can consider. Note that the provider’s offering is only one part of the picture: how you configure and use the service is still your responsibility.
Get a signed Business Associate Agreement.

Just because you’re working with a HIPAA-compliant cloud storage service provider doesn’t mean you’re covered. Any vendor or subcontractor who has access to PHI is considered a Business Associate, and therefore must sign a Business Associate Agreement. That includes your cloud storage service provider.
Secure sensitive data.

Developers should take appropriate safeguards to ensure that PHI is secure and cannot be accessed by unauthorized individuals. People lose their smartphones and iPads or don’t enable passcodes at all, so it’s even more important to make sure the app or medical device is HIPAA-compliant. Things like data encryption, unique user authentication, strong passwords, and mobile wipe options are just a few requirements. See InformationWeek’s article about developers and HIPAA compliance for additional information.

Finally, there is no official certification process to ensure that you’re in compliance with HIPAA’s Security Rule. The U.S. Department of Health and Human Services website states:

“The purpose of the Security Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI) that is collected, maintained, used or transmitted by a covered entity. Compliance is different for each organization and no single strategy will serve all covered entities.” (HHS.gov)

That means that it is up to the organization to implement its own strategy and follow the requirements, or else face those hefty fines.

So that’s an overview of HIPAA compliance. Have you gone through this process? What obstacles did you face? Are you interested in building a mobile app or medical device but concerned about the regulations? Leave a comment below, or send us an email with your questions.

Insurer Loses Thousands of Records

The loss of thousands of paper records for those with coverage from a Philadelphia-based health insurer sends a strong reminder that all employees within organizations need to be trained on data security best practices.

Independence Blue Cross is notifying 12,500 members that four boxes containing reports with sensitive information are missing.

In October, the boxes were moved from one floor of the Blue Cross plan's office to another, the insurer says in a statement provided to Information Security Media Group. The boxes, however, never arrived at their intended destination.

"We initially believed that these boxes had been sent to our offsite storage facility," the insurer says. "On Nov. 14, we determined that the boxes had not been placed in storage, but were discarded by the maintenance team in error. We also determined that the method used to discard these boxes did not meet the company's standards for disposing of member information."

The incident highlights the importance of training all personnel within an organization on information security practices, says privacy and security consultant Rebecca Herold. "Had these maintenance workers had training on how to protect sensitive information?" she asks. "Were procedures followed for making a request to move paper documents as opposed to disposing [them]? All these basic, low-tech types of activities can have significant impacts to privacy and security, as this incident shows."

In addition, periodic reminders and awareness communications need to be sent to staff as part of a good risk management plan, Herold says. "It [also] points to the need to have documented procedures for moving any form of protected health information," she says.

Information at Risk

Information that may have been exposed includes member name, address, home phone number, physician name, healthcare plan and group number. Approximately 8,800 of the impacted members also had their member identification number (Social Security number with a two-digit suffix) included in the reports, the insurer says.

Those whose member identification numbers were potentially exposed are being offered free credit monitoring for one year. Independence Blue Cross says it has not received any reports of misuse of member information thus far.

"To reduce the risk of another incident, we no longer allow our maintenance team to dispose of full boxes in the trash," the insurer says. "We are also reminding all associates of our existing policies and the appropriate safety precautions to take when discarding reports that contain member information or other sensitive and proprietary information."