HIPAA Compliance for Medical Practices
61.1K views | +2 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

10 Reasons to be HIPAA Compliant

10 Reasons to be HIPAA Compliant | HIPAA Compliance for Medical Practices | Scoop.it

Here is a reprint of a recent online article submitted by Nick McGregor and posted by CMIT Solutions. # 7 on the list calls for an increase in enforcement of HIPAA compliance by HHS. More of an incentive to make this a priority if your small practice has not done so already.

Rather than asking, “What has changed for your business in the health care realm this year?” the better question might be, “What hasn’t changed?”

The Affordable Care Act, premium increases, existing policy cancellations, enrollment period confusion, continuing IT problems with the HealthCare.gov website… Each of these minor health care earthquakes has shaken the small business community to its core.

Add in constant worries about data security and IT functionality and it can be enough to drive a business owner mad. But there’s one feature of the health care landscape that represents an even more critical decision: new HIPAA rules, regulations, and compliance requirements.

If your business has any contact with electronic health records or medical information, either as a Covered Entity (CE) — health care provider, health plan, or health care clearinghouse — or a Business Associate (BA) — any vendor or subcontractor that helps a CE carry out its activities and functions — HIPAA compliance should be of the utmost importance for you.

Why? The following 10 reasons provide a good start:

  1. The HITECH Act and HIPAA Omnibus Rule have substantially increased civil penalties for non-compliance. The penalty cap for HIPAA violations was increased from $25,000/year to $1,500,000/year per violation. Willfully ignoring or failing to be compliant means mandatory investigations and penalties can be initiated by any complaint, breach, or discovered violation.
  2. New Breach Notification rules will increase the number of HIPAA violations determined to be breaches. The HIPAA Omnibus Rule expands the definition of a breach and the consequences of failure to address it properly. Providing proper notification can trigger federal investigations and eventual fines and penalties.
  3. The mandated deadline for new HIPAA compliance rules has already passed. All Covered Entities and Business Associates were required to update their HIPAA policies, procedures, forms, and Notices of Privacy Practices by September 23, 2013.
  4. All Covered Entities must have documented policies and procedures regarding HIPAA compliance. Recently, a dermatology practice in Concord, MA, learned this lesson the hard way, getting slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a stolen thumb drive. The company also had to incur the cost of implementing a corrective action plan to address Privacy, Security, and Breach Notification rules.
  5. Business Associates are now required to be compliant with HIPAA Privacy and Security Rules. Business Associates will be held to that standard by Covered Entities, who are now responsible for ensuring their BAs are compliant.
  6. While Meaningful Use incentives for Electronic Health Records (EHR) are optional, HIPAA compliance is not. If you manage Protected Health Information (PHI), you must comply with federal regulations or face substantial civil and criminal penalties. If a Covered Entity accepts Meaningful Use funding, a Security Risk Analysis is required — and any funding may have to be returned if adequate documentation is not provided upon request.
  7. The Department of Human & Health Services’ (HHS) Office of Civil Rights (OCR) is expanding its Division of Health Information Privacy enforcement team. The federal bureau is stepping up hiring for HIPAA compliance activities calling for professionals with experience in privacy and security compliance and enforcement.
  8. State Attorney Generals are getting involved in HIPAA enforcement. HHS has even posted HIPAA Enforcement Training for State Attorneys General agendas on its www.HHSHIPAASAGTraining.com website.
  9. HIPAA compliance requires staff privacy and security training on a regular basis. All clinicians and medical staff that access PHI must be trained and re-trained on proper HIPAA procedures. Documentation of provided training is required to be kept for six years.
  10. Protecting your practice means avoiding the HIPAA “Wall of Shame.” The list of health care organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. The details of these breaches are widely available to the general public — and widely reported in the media.
Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Electronic data breach planning: 4 tips for reducing liability risk | Lexology

Electronic data breach planning: 4 tips for reducing liability risk | Lexology | HIPAA Compliance for Medical Practices | Scoop.it

There is no doubt that electronic data breaches are a hot topic. The recent breach of Morgan Stanley’s customer data is a prime example and chilling reminder that businesses, no matter the amount of security measures, are at risk of an electronic data breach. Indeed, as nearly every state has passed its own set of unique electronic data breach laws, electronic data breaches are becoming a much larger liability concern for companies, in terms of both financial and reputational harm.

In 2014, Kentucky passed KRS 365.732 and joined 46 other states in quantifying and qualifying what constitutes a data breach and the obligations that arise from a breach. Like most states, Kentucky’s law does not include breaches of financial or health information which are covered under federal law in the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

Because of this increased liability, businesses should be proactive in trying to manage risk in the event a data breach occurs.

Is My Company at Risk for an Electronic Data Breach?

While the news has focused on large electronic data breaches of major retailers, electronic data breaches of a smaller scale are much more common. Even more problematic may be the reputational loss of consumer trust and confidence resulting from an electronic data breach. Any business or organization that electronically collects and/or stores personal information is susceptible to a breach. Consider the following five questions:

  1. Do you have customers’ or potential customers’ information stored electronically?
  2. Do you store or transmit electronic files with customers’ information?
  3. Do you have client information stored on a cloud or with a third party vendor?
  4. Do you process credit card transactions?
  5. Do you have wireless networks in your office?

If you answered yes to the first question, you are at risk of an electronic data breach. Answering yes to any of the questions that follow greatly increase your risk for a data breach.

What is a Data Breach?

In general, a data breach occurs when there is an unauthorized disclosure of personal information. There is no model rule for what constitutes a breach of someone’s personal information and each state can define what constitutes personal information.

In Kentucky, personal information is defined as a person’s name coupled with a social security number, driver’s license number, or credit/debit card or account number and passcode. However, some states define personal information much more broadly. For example, Texas defines personal information as any “sensitive” information.

A data breach is commonly thought of in context of computer hacking, however, data breaches can occur in a number of more innocuous ways. In fact, most statutes are defined so broadly that a data breach occurs if an employee loses his/her cellphone containing personal information of a customer. As such, most companies today, no matter size, are at risk.

Decreasing Your Company’s Electronic Data Breach Liability

Planning for and proactively adopting preventative measures in the event of an electronic data breach is the most important thing you can do to protect against potential liability. Being prepared can save you time, likely a significant amount of money, and any reputational harm associated with the data breach.

Most state laws require actual damages to bring a claim for a breach of data. Not surprisingly, in reviewing cases in which customers brought a claim for a breach of data, damages were less or non-existent when companies reacted and notified their customers quickly of the breach. (See generally Giordano v. Wachovia Sec., 2006 U.S. Dist. LEXIS 52266, Civ. No. 06-476JBS, 2006 WL 2177036 (D.N.J. July 31, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).

4 Tips for Reducing Liability Risk

While the type and amount of data a company collects or has access to will lead to varying plans, the following are some general tips that all businesses should know:

#1: Know what type of information is electronically stored. If a breach occurs, the information compromised may not be considered “personal information” under certain state laws. In addition, many state laws do not require action or impose liability if data is compromised that is encrypted. Further, take a hard look at the personal information you are collecting and determine whether such information is necessary to serve and know your customer. If the answer is no, not collecting that data would reduce your liability, as well as save valuable server or cloud space.

#2: Know where that information is stored. Most businesses use “clouds” to store their data on a remote server. Clouds offer different types of data storage, services and security levels. Many cloud vendors actually rely on subcontractors to hold their customers’ information. In many cases, these subcontractors are located overseas making any attempt to seek indemnification for a breach very difficult and expensive.

#3: Be ready to react. Have your notification template in place to communicate and know who is making that communication if a data breach occurs. Figuring out what should be done and communicated and who should lead this charge should occur before a breach occurs. Not having a plan of action will delay a reaction and likely lead to increased liability and reputational harm.

#4: Test your systems and your plan. A data breach does not have to mean that you breached the duty of care to your customers. Showing that you are using the best in class systems to prevent a breach and that you test your systems for a breach in a consistent manner, will assist in showing that you are meeting your duty of care owed to your customers.

Not only will the steps above help in limiting any liability your company may face if a data breach occurs, but it will also likely allow you to identify potential gaps in your data security, therefore, preventing a breach from occurring. Data breaches are inevitable these days, which is why having a well-defined incident response plan and team in place is important.

If you do believe customer data has been compromised, you should contact an attorney immediately to help you understand what duties you may have to notify and further protect your customers’ information. As stated above, reacting quickly can help reduce any liability that may be caused by the breach.

more...
No comment yet.
Scoop.it!

Failure to Follow HIPAA Policies Results in $150,000 Liability and Corrective Action Plan | JD Supra

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) has recently released information about another HIPAA settlement, emphasizing yet again the government's focus on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement underscores that organizations cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice.

On December 8, 2014, HHS-OCR issued a bulletin stating that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services in Anchorage, Alaska, agreed to settle potential violations of the HIPAA Security Rule. HHS-OCR opened an investigation upon receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI). The breach was the result of a malware that compromised the security of ACMHS' information technology (IT) resources and affected 2,743 individuals. During its investigation, OCR-HHS found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed. Significantly, ACMHS may have avoided the breach (and would not be subject to the HHS-OCR settlement agreement) if it had followed the policies and procedures it adopted and regularly updated its IT resources with available patches.

The settlement agreement requires ACMHS to pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years. The Resolution Agreement can be found on the OCR website.

The settlement with ACMHS is just one of a handful of recent settlements arising from an HHS-OCR investigation prompted by an organization self-reporting a breach of unsecured ePHI; however, HHS-OCR may also examine an organization's HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. In every instance, HHS-OCR will expect an organization to have fully implemented its HIPAA compliance program and/or policies and procedures.

According to HHS-OCR, compliance with the HIPAA Security Rule requires organizations (among other things) to address risks to ePHI on a regular basis and to review systems for vulnerabilities and unsupported software. Organizations cannot simply adopt HIPAA policies and procedures and then place those documents on a shelf. HIPAA compliance programs must be dynamic and reviewed and updated on a regular basis to reflect changes within the organization, including discovered vulnerabilities and ever-evolving external threats. Threats to ePHI are real and can have a devastating impact on a business – and patients' privacy. All organizations subject to HIPAA, regardless of size, must devote the necessary resources to protect the organization's data from these threats.



more...
No comment yet.
Scoop.it!

State law may provide a remedy for breach of HIPAA’s privacy rules | Lexology

State law may provide a remedy for breach of HIPAA’s privacy rules | Lexology | HIPAA Compliance for Medical Practices | Scoop.it

When a woman received extortion threats and other forms of harassment from an ex-lover, she sued her medical provider for unauthorized disclosure of her medical records. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433 (2014). She further alleged that the threats and harassment directly resulted from a breach of the defendant’s duty of confidentiality under the Health Insurance Portability and Accountability Act (“HIPAA”). During her course of treatment, the defendant provided her with a copy of its notice of privacy practices that expressly stated it would not disclose medical records without obtaining authorization from the patient. Additionally, the plaintiff specifically instructed the defendant not to disclose her medical records to her ex-lover. But, when her ex-lover filed a paternity suit against her and served the defendant with a subpoena requesting a copy of her medical records, the defendant failed to notify her of the subpoena, to file a motion to quash the subpoena, or to appear in court. Instead, the defendant mailed a copy of her medical records to him.

As a result, the plaintiff filed four claims against the defendant. First, the plaintiff alleged that the defendant breached its contract when it disclosed her protected health information (“PHI”) in violation of its notice of privacy practices. Second, she claimed that the defendant was negligent when it failed to care for her PHI and disclosed her PHI without her authorization. Her third and fourth claims were for negligent misrepresentation and negligent infliction of emotional distress.

Since HIPAA does not create a private right of action for breach of its privacy provisions, the trial court interpreted common law claims for negligence and negligent infliction of emotional distress that relate to a breach of HIPAA’s privacy rules as inconsistent with HIPAA. Thus, in reliance on HIPAA’s preemption provision, the trial court granted the defendant’s motion for summary judgment on the claims for negligence and negligent infliction of emotional distress. Notably, the claims for breach of contract and negligent misrepresentation were not dismissed by the trial court, thus these claims were not reviewed on appeal.

On November 11, 2014, the Supreme Court of Connecticut held that HIPAA does not preempt a private cause of action arising from the unauthorized disclosure of PHI based on state common law, thereby reversing the trial court’s dismissal of the plaintiff’s claims for negligence and negligent infliction of emotional distress. Specifically, the Court found that if state law provides a plaintiff with a remedy for a medical provider’s breach of its duty of confidentiality, HIPAA does not preempt the plaintiff’s state law remedies for negligence or negligent infliction of emotional distress. Rather, a state law will be preempted by HIPAA only if it is impossible for a medical provider to comply with both the federal and state laws. Furthermore, a state law is not preempted by HIPAA if it relates to the privacy of PHI and provides an individual with greater privacy protection than HIPAA.

The Court did not analyze whether Connecticut law provides a remedy for a medical provider’s breach of its duty of confidentiality, it only determined that HIPAA would not preempt an available remedy under state law. Thus, the Court did not decide whether the plaintiff was successful in her claims for negligence and negligent infliction of emotional distress. The Court did, however, find that HIPAA may be used to determine the applicable standard of care for such state law claims.



more...
No comment yet.
Scoop.it!

Time to Get Real About Data Breaches

At the CHIME-iHT2 Lead Forum on Data Security, being held March 2 at the Hyatt Fisherman’s Wharf in San Francisco, and co-sponsored by the College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the two organization’s umbrella parent, the Vendome Group, LLC), Mac McMillan, the CEO of the Austin, Tex.-based CynergisTek, offered a bracing and yet carefully balanced portrait of the current landscape around data security in healthcare, for an audience of healthcare IT executives.

Among other comments he made, McMillan, long a data security guru in healthcare, spoke out about the recent, massive data breach at Anthem Inc. “Per Anthem,” he said, “people were missing the point” in most comments on that breach. “There is not an organization on this planet that can keep from being hacked,” McMillan said bluntly. “All it takes is one mistake, one misconfiguration, one missed patch, etc., to create entrée to someone trying to get in the door. But what shouldn’t be so easy is to exploit the network once you’re in and to be able to move around and extract so much data,” he said. “It’s like if Mrs. McMillan and I are sitting in our living room and the Fifth Infantry marches through our living room, and we don’t notice. We may not be able to stop people from getting in, but we should be able to react once they get in.”


One of the key problems, McMillan told his audience, is that “We have become over-reliant on our systems.  In any hospital today, over 90 percent of their processes are automated, and over 90 percent of their data is digitized. When I started in healthcare 15 years ago,” he noted, “the average number of people who looked at a record in an encounter was fewer than 50; today, that number is more than 150, and fewer than half are in the hospital or involved directly in care. It is amazing the number of people who are actually touching our data,” he added. “And the main risk is still from people on the inside—either making mistakes, or doing things deliberately.”

Per that, McMillan added that CEOs and other senior patient care organization executives need to allow their chief information security officers (CISOs) to share with them the blunt truth about the risks and issues they face in their organizations, and provide the support and resources needed to gain realistic control over their data security situations.

What are some of the current developments to be thinking about right now in the data security arena? As McMillan noted, “A survey last year found that 51 percent of CISOs said that they believed the negligent insider was their biggest threat, while 37 percent said security end-user training was ineffective. I think that number was low, actually,” he said, referring to perceptions of the effectiveness of end-user training. “In fact, most people in hospitals are still basing their training on compliance requirements rather than security requirements, which is a big mistake,” as compliance-based training is far too weak, he said.

Of course, even when adequate training is done, there will be individuals doing the wrong things, and catching them is not a simple process, McMillan noted. “Traditional data auditing methods aren’t going to catch a lot of this activity,” he said. “What we need is behavior modeling and pattern detection. When you look at people inside who breached any particular system, they often didn’t break any rules from a compliance perspective, but had a different behavioral pattern from everyone else. So instead of looking at 50 records a day like their colleague, the admitting person committing data breaching patients’ records will have looked at 150 records a day, because they’re surfing, looking for information. And they get brazen over time,” he noted “We’ve had three cases this year already” that his consulting firm was called on to address, “where they caught individuals who had been doing this for over seven years. And these hospitals implemented a privacy monitoring program and looked for patterns, and then they suddenly realized what was going on and caught them.”

The reality, McMillan stressed, is that the breaching is only going to get worse over time, because of the value of the intellectual property in U.S. patient care data, and also because of the monetary value involved in hacking into individual patient records. But, he said, at the same time, “You can’t throw in the towel; we do have victories out there. And part of the problem is that we only talk about the problems.” Indeed, he noted, “Last week, in addition to dealing with the reporters, and asking my opinion about recent breaches, we also had two hospitals we work with, where my teams were able to help them avert a breach, because they detected what was going on early, were able to quickly isolate and eradicate the issue, and they were able to get back online within a few hours.”

It’s important for people to know, McMillan said, that “Those victories happen every day in healthcare, but we don’t talk about those. And we don’t celebrate the victories in healthcare IT. And we do need to talk about the things that go right. There’s still stuff going on out there, but when we have the right people and processes in place, it doesn’t have to end badly all the time. And I think we need to do a better job of that in healthcare IT security.”


more...
No comment yet.
Scoop.it!

Threat Info Sharing: Time for Leadership

Threat Info Sharing: Time for Leadership | HIPAA Compliance for Medical Practices | Scoop.it

The healthcare sector has a big problem. There's a great deal of information security immaturity and a lack of resources among smaller clinics, rural hospitals and other organizations. In the push to exchange electronic patient data nationwide, those entities are potential weak links in the security chain.

More has to be done to ensure these smaller organizations are aware of emerging cyberthreats and vulnerabilities - and are prepared to mitigate them. That potentially requires more handholding from federal agencies - such as by issuing timely cyber-alerts and guidance. But it also means broader outreach and more affordable membership fees for information sharing organizations, such as the National Health Information Sharing and Analysis Center and others, so that the little guys are also in the cybersecurity intelligence loop.

 More has to be done to ensure smaller organizations are aware of emerging cyberthreats and vulnerabilities - and are also prepared to mitigate them. 


Last week, the Department of Health and Human Services took an important initial step toward addressing the issue of improving cyberthreat information sharing. HHS announced it would investigate various options to ensure important cyber-intelligence gets to all healthcare organizations, regardless of size. It's weighing whether to establish another ISAC for the healthcare sector or bolster the capabilities of an existing organization.

It's good to see that HHS is focusing attention on an important issue, although the move is long overdue. Now, it's time for the agency to take prompt leadership action, because improving accessibility to cyberthreat intelligence for organizations of all sizes is urgent, in light of growing evidence that the healthcare sector is increasingly being targeted by hackers.

For example, Boston Children's Hospital was hit by a distributed-denial-of-service attack earlier this year. And Community Health Systems fell victim to a hack attack, perhaps involving the Chinese, that exposed millions of records.

The old adage says that you're only as strong as your weakest link. At a time when healthcare providers are being urged by the federal government to exchange electronic patient records to improve the quality of care - and consumers want to share health data they collect on their own wearable gadgets - we must eliminate weak spots. That means we must make sure, for instance, that providers of all sizes and types have timely access to information about new malware, software flaws or cyberthreats - and the steps they need to take to mitigate those issues.



more...
No comment yet.
Scoop.it!

Phishing, ransomware attacks on health industry to rise

Phishing, ransomware attacks on health industry to rise | HIPAA Compliance for Medical Practices | Scoop.it

While security experts predict increased cyberattacks on healthcare organizations in 2015, they foresee phishing and ransomware posing particular challenges.

Phishing emails try to lure recipients into giving out information such as usernames, passwords or credit card numbers. They also can give attackers ways to infiltrate the enterprise network, according to an article in iHealthBeat by John Moore of Chilmark.

"Phishing emails often provide the entry point," Scott Koller, a lawyer at BakerHostetler, says in the article.

Ransomware allows cybercriminals to hold data hostage while they demand payment to unlock it. If they demand to be paid in Bitcoin, a digital currency, they can be difficult for law enforcement officials to track down.

Cybercriminals are growing more sophisticated in their ransomware attacks, according to an article at NPR. Increasingly, they use the anonymous online network Tor to conceal all communication between the attacker and victim, preventing even top executives from identifying and blaming a particular employee.

In the face of increasing threats, healthcare organizations are boosting their security efforts, according to the iHealthBeat article. Among their top priorities are:

  • Encryption and mobile device security
  • Two-factor authentication
  • Security risk analysis
  • Advanced email gateway software
  • Incident response management

"Encryption very much needs to be on everybody's radar," Koller says. In September, Forrester Research reported that only about half of healthcare organizations secure data using full-disk encryption or file-level encryption.

Just last week, Experian's 2015 Data Breach Industry Forecast called healthcare "a vulnerable and attractive target for cybercriminals." While predicting more data breaches, it noted that many doctors' offices, clinics and hospitals may not have adequate resources to safeguard patients' personal health information.



more...
No comment yet.