HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Medical Identity Theft: A Troubling Trend


The Ponemon Institute, a nationally recognized privacy research firm, recently released its Fourth Annual Patient Privacy and Data Security Study. For healthcare providers, it is probably not much of a new revelation that the study found more criminals are stealing patient records to commit medical identity theft. This type of crime is a low-risk, highly profitable business.

What is attention-grabbing is that these criminal attacks on healthcare providers increased dramatically and are up 100% since 2010. According to the study, these breaches cost the industry about $5.6 billion a year.

If your medical or dental practice has electronic medical records (EMR) and is following all the proper HIPAA Security Rule safeguards, this can help to identify possible unauthorized access or fraud. If your practice has paper charts, unauthorized access to patient records could be virtually untraceable until an identity theft case occurs. For EMR, training staff to be alert to fraud trends can help, along with a systematic way to continuously review audit logs to see who is accessing patient records.
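The audit-log review mentioned above, as an added example that is not part of the original article: it flags a user who opens far more distinct charts in a day than the threshold allows, and any chart access by a user with no documented care relationship to that patient. The log format, the threshold, the care-team table and the sample log lines are all constructed assumptions for this example.

```python
"""Review EHR access audit logs for patterns that suggest record snooping
or medical identity theft.  Added example; log format, threshold and the
care-team table are assumptions constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, user, action, patient id.
SAMPLE_LOG = """\
2015-07-20T08:02:11 jdoe VIEW P1001
2015-07-20T08:05:40 jdoe VIEW P1002
2015-07-20T09:15:03 asmith VIEW P1003
2015-07-20T09:16:12 asmith VIEW P1001
2015-07-20T10:01:55 bclerk VIEW P1004
2015-07-20T10:02:10 bclerk VIEW P1005
2015-07-20T10:02:30 bclerk VIEW P1006
2015-07-20T10:02:51 bclerk VIEW P1007
2015-07-20T10:03:15 bclerk VIEW P1008
2015-07-20T10:03:40 bclerk VIEW P1009
2015-07-20T10:04:02 bclerk VIEW P1010
2015-07-20T10:04:30 bclerk EXPORT P1010
2015-07-20T11:30:00 jdoe VIEW P1003
"""

# Constructed care-team table: which patients each user legitimately treats.
CARE_TEAM = {
    "jdoe": {"P1001", "P1002", "P1003"},
    "asmith": {"P1001", "P1003"},
    "bclerk": set(),  # a billing clerk with no treating relationship
}


def parse_log(text):
    """Parse lines of the form 'timestamp user action patient' into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def distinct_charts_per_user_day(events):
    """Count the distinct patient charts each user touched per calendar day."""
    charts = defaultdict(set)
    for e in events:
        charts[(e["user"], e["ts"].date())].add(e["patient"])
    return {key: len(patients) for key, patients in charts.items()}


def flag_volume(events, max_charts_per_day=5):
    """Users whose distinct-chart count on a single day exceeds the threshold."""
    return sorted(
        (user, str(day), n)
        for (user, day), n in distinct_charts_per_user_day(events).items()
        if n > max_charts_per_day
    )


def flag_no_relationship(events, care_team):
    """Chart accesses by a user who is not on that patient's care team."""
    return [
        (e["user"], e["action"], e["patient"])
        for e in events
        if e["patient"] not in care_team.get(e["user"], set())
    ]


def review(text, care_team=CARE_TEAM, max_charts_per_day=5):
    """Run both checks over a raw log and return the findings by category."""
    events = parse_log(text)
    return {
        "high_volume": flag_volume(events, max_charts_per_day),
        "no_relationship": flag_no_relationship(events, care_team),
    }


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

In practice the care-team table would come from scheduling or admission data, and the volume threshold would be set per role from a baseline of normal activity.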

Here are three tips to help your practice be more proactive in fighting medical identity theft:

  1. Conduct background checks on ALL staff, regardless if access to patient records is required for their particular positions or not.
  2. Set up a robust education campaign to make patients aware of medical identity theft and teach them how to report any errors discovered on their Explanation of Benefits.
  3. Implement a response program for possible medical identity theft cases. The program needs to have comprehensive but understandable written policies and procedures for immediate action for a flagged record.

As the risk will only continue to grow, the reputation and credibility of your practice in addressing patient record breaches is at stake here. Having a proactive plan in place will help your practice quickly recognize possible medical identity theft cases and initiate an immediate and required action.



HIPAA Compliance and EHR Access


In light of the recent massive security breaches at UCLA Medical Center and Anthem Blue Cross, keeping your EHR secure has become all the more important. However, as organizations work to prevent data breaches, it can be difficult to find a balance between improving security and maintaining accessibility. To that end, HIPAA Chat host Steve Spearman addresses digital access controls, common authentication problems, and how authentication meets HIPAA compliance and helps ensure the integrity of your EHR, even after multiple revisions.


Q: What are access controls?


A: Access controls are mechanisms that appropriately limit access to resources. This includes both physical controls in a building, such as security guards, and digital controls in information systems, such as firewalls. Having and maintaining access controls is a critical and required aspect of HIPAA compliance, and it is the first technical HIPAA Security Standard.


Q: What’s the most common form of digital access control we see in healthcare?


A: The username and password is the most common form of access control by far. The Access Control Standard requires covered entities to give each user a distinct and unique user ID and password in order to access protected information. These unique credentials for each employee enable covered entities to confirm (“authenticate”) the identity of users and to track and audit information access.


Q: What are the most common problems with access controls and use of passwords in healthcare?


A: The most common problem is that covered entities often use multiple systems, each of which may require its own set of usernames and passwords, along with varying requirements for these credentials, such as minimum character length or use of capital letters. Memorizing multiple sets of passwords and usernames for multiple systems is difficult for most people. In addition, there is a conundrum between password complexity and memorization. Complex passwords (longer, with multiple required character types) are better for security but much harder to memorize. This is the conundrum.


Q: Are stricter password policies always more secure?


A: No. If password requirements are too strict, users then use coping mechanisms such as writing them down or re-using the same password over and over and across multiple systems. This compromises security rather than enhancing it. For example, a policy that required 14-digit passwords, required lower-case, upper-case, numbers and symbols, and expired every 30 days would create huge problems for most organizations. With these policies, staff would simply write down their passwords. But this compromises security. If a bad person gets a hold of a written list of passwords, they have the “keys to the kingdom”: the ability to access the accounts on that written list. So passwords should not be written down.

In addition, overly strict password policies tend to overwhelm technical support staff with password reset requests.

So passwords should be sufficiently complex to make them hard to crack, which also makes them hard to memorize.


Q: This sounds like a big problem. Do you have any suggestions to make things better?


A: At a minimum, organizations need to provide training to staff on straightforward techniques to create memorable but complex passwords. I have an exquisitely terrible memory. But I have great passwords using one particular technique. Just google “create good memorable passwords” and you can find dozens of videos demonstrating how to do it. But, of course, our favorite is the video featuring our very own, Gypsy, the InfoSec Wonderdog.


Enterprises should seriously consider additional technical solutions such as two factor authentication with single sign on (2FA/SSO).


Q: What is a good, reasonable password policy?


A: I recommend a policy that:


  • Requires a minimum of 8 characters
  • Requires two or three of the options of lower-case, upper-case, numbers and symbols
  • Expires passwords every 3 to 6 months
  • Limits use of historical passwords so that the previous two cannot be used
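A checker for the policy recommended above, as an added example (not code from the interview or any vendor): minimum 8 characters, at least two of the four character classes (the lower of the "two or three" option is assumed), rotation after 6 months (the upper end of the 3-to-6-month range, also an assumption), and no reuse of the previous two passwords. The salted PBKDF2 history store is an assumed design so that old passwords are never kept in the clear.

```python
"""Password-policy checker.  Added example; the two-class minimum, the
180-day rotation and the hashed history store are assumptions."""
import hashlib
import os
import string
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Policy:
    min_length: int = 8
    min_classes: int = 2      # of lower, upper, digit, symbol
    max_age_days: int = 180   # 6 months; set 90 for the 3-month end of the range
    history_depth: int = 2    # the previous two passwords may not be reused


def character_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history is kept as (salt, digest) pairs."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def in_history(pw, history, depth):
    """True if pw matches any of the most recent `depth` stored hashes."""
    if depth <= 0:
        return False
    for salt, digest in history[-depth:]:
        if hash_password(pw, salt)[1] == digest:
            return True
    return False


def check_new_password(pw, history, policy=Policy()):
    """Return a list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(character_classes(pw)) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if in_history(pw, history, policy.history_depth):
        problems.append(f"matches one of the previous {policy.history_depth} passwords")
    return problems


def is_expired(set_on, today, policy=Policy()):
    """Rotation check: has the password been in use longer than the policy allows?"""
    return today - set_on > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed history: oldest first.
    history = [hash_password(p) for p in ("Winter2014", "Spring2015", "Summer2015")]
    print(check_new_password("Summer2015", history))  # reused: rejected
    print(check_new_password("Winter2014", history))  # three back: allowed
    print(is_expired(date(2015, 1, 1), date(2015, 7, 15)))
```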


Q: You mentioned authentication before. What is that? What is two-factor or multi-factor authentication?


A: Authentication is the process of confirming the identity of a person before granting access to a resource. Computer geeks refer to the three factors of authentication:


  • What a user has (an ID badge or phone).
  • What a user knows (a PIN number).
  • Who a user is (biometrics).


For example, ATMs use two-factor authentication:

  1. What the user has: an ATM card and
  2. What they know: a PIN.


One of my favorite tools for two factor authentication is Google Authenticator which runs as an app on my mobile phone. Another common form of two factor authentication is text codes. With this method, the website or app, after entering a correct username and password, sends a text with a numeric code that expires after a few minutes to your phone that is entered into another field in the website before access is granted.


Everyone should enable two factor authentication on their most essential systems such as to online banking and to email accounts such as gmail.


In healthcare, there is a growing trend toward biometric authentication, the use of fingerprint readers or palm readers, etc. to authenticate into systems. Biometric authentication is generally very secure and is also very easy to use since there is nothing to memorize.


Q: What is SSO?


A: Single sign-on (SSO) lets users access multiple applications through one authentication event. In other words, one password allows access to multiple systems. It enhances security because users only have to remember one password. And because it is just one, it is commonly a good complex password. Once entered, it will allow access to all the core systems (if enabled) without having to re-authenticate.


Single sign-on combined with two factor authentication or biometrics work great together in tandem and are often sold together by vendors. The leading SSO/2FA vendor in healthcare is Imprivata, but there are other vendors making great in-roads into healthcare such as Duo Security, 2FA.com and Secureauth.com.


Q: What do you mean by “integrity” and what does it have to do with access control and authentication?


A: Integrity in the Security Standards refers to the practices used to track and verify all changes made to a health record. It is a condition that allows us to prevent editing or deleting of records without proper authorization.


Authentication and access controls are the primary means we use to preserve integrity of a record. If the information system is programmed to track its users’ activity, then it’s possible to track who made changes to a record and how they changed it.


This is why users should never share usernames and passwords with other users. Integrity becomes impossible if a username does not signify the same user every time it appears.


Q: Any final thoughts?


A: Finding that balance between HIPAA compliance, security and accessibility can be tricky. We recommend reducing digital access controls to a single multi-factor authentication or biometrics event. This single, secure method of authentication could be the balance between security and efficiency needed to keep your EHR secure and yet accessible. In addition to improving accessibility to your system, an MFA or biometrics sign-in method could help improve your organization’s EHR integrity.


The UCLA Health System Data Breach: How Bad Could It Be…?


Just hours ago, a Los Angeles Times report broke the news that hackers had broken into the UCLA Health System, creating a data breach that may affect 4.5 million people. This may turn out to be one of the biggest breaches of its kind in a single patient care organization to date, in the U.S. healthcare system. And it follows by only a few months the enormous data breach at Anthem, one of the nation’s largest commercial health insurers, a breach that has potentially compromised the data of 4.5 million Americans.


The L.A. Times report, by Chad Terhune, noted that “The university said there was no evidence yet that patient data were taken, but it can't rule out that possibility while the investigation continues.” And it quoted Dr. James Atkinson, interim president of the UCLA Hospital System, as saying “We take this attack on our systems extremely seriously. For patients that entrust us with their care, their privacy is our highest priority; we deeply regret this has happened.”


But Terhune also was able to report a truly damning fact. He writes, “The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.” And he quotes Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas, as saying, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.”


What’s startling is that the breach at the Indianapolis-based Anthem, revealed on Feb. 5, and which compromised the data of up to 80 million health plan members, shared two very important characteristics with the UCLA Health breach, so far as we know at this moment, hours after the UCLA breach. Both were created by hackers; and both involved unencrypted data. That’s right—according to the L.A. Times report, UCLA Health’s data was also unencrypted.


Unencrypted? Yes, really. And the reality is that, even though the majority of patient care organizations do not yet encrypt their core, identifiable, protected health information (PHI) within their electronic health records (EHRs) when not being clinically exchanged, this breach speaks to a transition that patient care organizations should consider making soon. That is particularly so in light of the Anthem case. Indeed, as I noted in a Feb. 9 blog on the subject, “[A]s presented in one of the class action lawsuits just recently filed against it,” the language of that suit “contains the seeds of what could evolve into a functional legal standard on what will be required for health plans—and providers—to avoid being hit with multi-million-dollar judgments in breach cases.”


As I further stated in that blog, “I think one of the key causes in the above complaint [lawsuits were filed against Anthem within a few days of the breach] is this one: ‘the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others.’ In other words, simply by signing up, or being signed up by their employers, with Anthem, for health insurance, health plan members are relying on Anthem to fully safeguard their data, and a significant data breach is essentially what is known in the law as a tort.”


Now, I am not a torts or personal injury lawyer, and I don’t even play one on TV. But I can see where, soon, the failure to encrypt core PHI within EHRs may become a legal liability.


Per that, just consider a March 20 op-ed column in The Washington Post by Andrea Peterson, with the quite-compelling headline, “2015 is already the year of the health-care hack—and it’s going to get worse.” In it, Peterson, who, according to her authoring information at the close of the column, “covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government,” notes that “Last year, the fallout from a string of breaches at major retailers like Target and Home Depot had consumers on edge. But 2015 is shaping up to be the year consumers should be taking a closer look at who is guarding their health information.” Indeed, she notes, “Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post.” Well, at this point, that figure would now be about 124.5 million, if the UCLA Health breach turns out to be as bad as one imagines it might be.


Indeed, Peterson writes, “Most breaches of data from health organizations are small and don't involve hackers breaking into a company's computer system. Some involve a stolen laptop or the inappropriate disposal of paper records, for example -- and not all necessarily involve medical information. But hacking-related incidents disclosed this year have dramatically driven up the number of people exposed by breaches in this sector. When Anthem, the nation's second-largest health insurer, announced in February that hackers broke into a database containing the personal information of nearly 80 million records related to consumers, that one incident more than doubled the number of people affected by breaches in the health industry since the agency started publicly reporting on the issue in 2009.”


And she quotes Rachel Seeger, a spokesperson for the Office for Civil Rights in the Department of Health and Human Services, as saying in a statement, following the Anthem breach, “These incidents have the potential to affect very large numbers of health care consumers, as evidenced by the recent Anthem and Premera breaches."


So this latest breach is big, and it is scary. And it might be easy (and lazy blogging and journalism) to describe this UCLA Health data breach as a “wake-up call”; but honestly, we’ve already had a series of wake-up calls in the U.S. healthcare industry over the past year or so. How many “wake-up calls” do we need before hospitals and other patient care organizations move to impose strong encryption regimens on their core sensitive data? The mind boggles at the prospects for the next 12 months in healthcare—truly.


When does HIPAA require more than encryption?


Encryption of sensitive electronic personal health information (ePHI) on mobile devices – including PCs – is often considered sufficient to protect that data well enough to achieve HIPAA compliance. However, it’s important that those handling this data understand the circumstances where encryption alone is not enough.


These situations do exist – and can be nightmares if they occur. The Department of Health and Human Services' HIPAA Security Rule describes satisfactory encryption as “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.” That last part means that encryption is only adequate as a safeguard for HIPAA-protected ePHI if the situation is such that the encryption still secures the data.


There are several scenarios where even encrypted data can be breached relatively easily and, unfortunately, there are many real world examples of each of these scenarios occurring. The trouble with encrypted data is that it needs to be decrypted to be useful to those who would access it legitimately, and the bad guys will look to take advantage of those moments when encryption’s defenses are down. Encryption is a powerful defense for data when a device’s power is off and for when the password is unknown and can’t be learned or hacked. But putting it that way, we’ve actually rather narrowly defined where encryption is effective.


Here are some cases where it isn’t.


1. The data thief gains the password needed to get around the encryption on an ePHI-filled device. This can happen when the password is stolen along with the device - for example, if a laptop is taken along with a user’s notepad containing the password needed to access ePHI. HIPAA requires not only encrypting sensitive data but also paying attention to the safety of passwords or any such methods of access. Bad password security effectively negates encryption. Too often we’ve seen a sticky note of passwords attached to a laptop – or even passwords written on USB devices themselves – which is a great example of an encryption that is not HIPAA-secure.


In another type of case at Boston’s Brigham and Women’s Hospital, a physician was robbed at gunpoint and threatened into disclosing the pass codes on the laptop and cellphone that were taken from him, each of which contained ePHI. The doctor appears to have done all that could be done to comply with HIPAA as far as keeping data encrypted, but when forced to choose between personal health information and actual personal health, he made the reasonable choice. Still, the incident was a HIPAA breach, requiring patients and officials to be notified.


2. The stolen device is already running and an authorized user has already been authenticated. In this scenario, the legitimate user has already given his or her credentials and has a session accessing ePHI running when an unauthorized user gains control of the device. HIPAA contains measures to minimize the likelihood of this scenario, calling for the issue to be addressed with automatic log-off capability to “terminate an electronic session after a predetermined time of inactivity.” Still, authorized users should take care to close out sessions themselves if stepping away from their devices and leaving them unguarded.


3. A formerly authorized user becomes unauthorized, but still has access. This can happen when an employee quits or is terminated from a job but still possesses hardware and passwords to bypass encryption. A case such as this occurred at East Texas Hospital, where a former employee was recently sentenced to federal prison for obtaining HIPAA-protected health information with the intent to sell, transfer or otherwise use the data for personal gain. Criminals in these cases often use ePHI for credit card fraud or identity theft, demonstrating how important HIPAA safeguards can be to the patients they protect.


So how can ePHI be protected beyond encryption?


The safest security system to have in place when encountering each of these scenarios is one where the organization retains control over the data, and the devices containing ePHI are equipped with the ability to defend themselves automatically.


The fact is that employees will always seek and find ways to be their most productive, meaning that policies trying to keep ePHI off of certain devices are, for all intents and purposes, doomed to be burdensome and disrespected. For doctors and other healthcare staff, productivity trumps security. It’s best to take concerns around security off their plate and provide it at an organizational level. Organizations can implement strategies that maintain regular invisible communications between the IT department and all devices used for work with ePHI in a way that isn’t cumbersome to the user. Through these communications, the IT department can access devices to remotely block or delete sensitive data and revoke access by former employees. Software installed on devices can detect security risks and respond with appropriate pre-determined responses, even when communication can’t be established.


Given the high stakes of HIPAA compliance – where a single breach can lead to government fines and costly reputational damage – it would be wise for healthcare organizations to consider encryption only the beginning when it comes to their data security.


CFO Gets Prison Time for HITECH Fraud


A former Texas hospital CFO has been sentenced to 23 months in federal prison for submitting false documents so a medical center could receive payments under the HITECH Act electronic health records financial incentive program.


In addition to his prison sentence, Joe White, former CFO of the now-shuttered Shelby Regional Medical Center in East Texas, was ordered to pay restitution of nearly $4.5 million to the HITECH incentive payment program.


Court documents indicate that to help pay the restitution, White has been ordered to liquidate an IRA account and an annuity, which as of November 2014, had respective balances of about $115,000 and $2,500.


White, 68, of Cameron, Texas, pleaded guilty on Nov. 12, 2014, to making false statements in November 2012 to the Centers for Medicare and Medicaid Services that Shelby Regional Medical Center was a meaningful user of EHRs, when the hospital actually was primarily using paper records, according to the Department of Justice.


To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAA security risk assessment.

Case Details

In a statement issued by the FBI on June 18, U.S. attorney John Bales said, "The EHR incentive program was designed to enhance the delivery of excellent medical care to all Americans and especially for those citizens who live in underserved, rural areas like Shelby County. There is no doubt that Mr. White understood that purpose and yet, he intentionally decided to steal taxpayer monies and in the process, undermine and abuse this important program."


According to information presented in court, White was CFO for Shelby Regional as well as other hospitals owned and operated by Tariq Mahmood, M.D., of Cedar Hill, Texas.


The 54-bed Shelby Regional closed last year amidst legal issues involving Mahmood, who was indicted by a federal grand jury on April 11, 2013. He was charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.


Court documents indicate that Mahmood was sentenced on April 14 to 135 months in federal prison, and also ordered to pay restitution totaling nearly $100,000 to CMS, the Texas Department of Health and Human Services and Blue Cross Blue Shield.


White oversaw the implementation of EHRs for Shelby Regional and was responsible for attesting to the meaningful use of the EHRs to qualify to receive HITECH incentive payments from Medicare, according to the FBI.


As a result of White's false attestation, Shelby Regional Medical Center received nearly $786,000 from Medicare, the FBI statement says. In total, hospitals owned by Mahmood were paid more than $16 million under the Medicare and Medicaid EHR incentive program, the FBI says.


A Justice Department spokeswoman tells Information Security Media Group that the $4.5 million restitution that White was ordered to pay represents the EHR incentive money Shelby Regional received from CMS under false attestation, as well as EHR incentive money that other hospitals owned by Mahmood, for which White was also CFO, received from CMS. While White did not personally receive the incentive money from CMS, "restitution is mandatory pursuant to the Mandatory Victim Restitution Act of 1996," she explains, citing 18 USC 3663A(a)(1), which says, "Notwithstanding any other provision of law, when sentencing a defendant convicted of an offense described in subsection (c), the court shall order, in addition to...any other penalty authorized by law, that the defendant make restitution to the victim of the offense. ..."

More Cases to Come?

Healthcare attorney Brad Rostolsky of the law firm Reed Smith says that although most healthcare professionals and organizations participating in the HITECH meaningful use incentive program are trying to play by the rules, federal regulators must be on the look-out for potential fraudsters, considering the billions of dollars in incentives being paid.


"My sense is that the large majority of institutional and small/solo practice providers appreciate the context in which these meaningful use attestations are being made, and they focus on ensuring that the attestations are true and accurate," he says. "That said, in situations where the facts are as they are [in the Joe White case], it would not surprise me if the government continues to be aggressive in its enforcement."


Attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he expects federal authorities will file more HITECH criminal cases. "The sense we have gotten from public statements by OIG and others involved in prosecuting healthcare fraud violations is that there are a number of investigations ongoing to determine if there has been fraud in obtaining funds through the EHR incentive payment program," he says.


Holtzman suggests that those organizations that have received HITECH incentives must keep thorough documentation to prove they met all the requirements.


"The key is to keep detailed documentation of the information that was used to support the representations in the attestation for seven years," he says. "An individual or organization can avoid criminal culpability through showing that a reasonable effort was made to support a belief that the provider or hospital had met the meaningful use requirements and was therefore eligible for receiving EHR incentive payments."

HITECH Audits

While criminal cases related to the HITECH Act EHR incentive program have been rare, federal regulators have been ratcheting up their audits of healthcare entities attesting to "meaningful use" of EHRs.


Among those selected was Temple University Health System in Philadelphia, which recently passed an audit for meaningful use compliance at one of its hospitals, says CISO Mitch Parker. The area of attestation most closely scrutinized by CMS auditors was Temple's HIPAA security risk assessment, he says.


"You can't skimp on the risk assessment. That's the first and foremost item that they look for," he says. "And it can't be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours."


Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI


For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI


Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application, for instance one that recognizes when the content of an e-mail contains sensitive information and therefore encrypts the e-mail automatically. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted, such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters that automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is that if a potential breach occurs, such as the theft of a laptop containing e-mails with PHI, it is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."
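The content filter Caswell and Tennant describe can be illustrated with a small outbound-mail policy check. This is an added example, not code from the article or from any product its sources sell; the trigger words, the SSN layout rules and the sample messages are assumptions chosen for illustration. It encrypts when the body contains a plausible Social Security number or a payment card number that passes the Luhn checksum, when the subject carries a trigger word, or when the message has attachments.

```python
"""Outbound e-mail policy: decide which messages must be encrypted.

Added example (not the article's or any vendor's code). Policy values such as
the subject trigger words are assumptions; sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Subject-line trigger words (assumed; the article mentions "sensitive" and "encrypt").
SUBJECT_TRIGGERS = ("sensitive", "encrypt")

# SSN in the 123-45-6789 layout. Word boundaries avoid matching inside longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject layouts the SSA never issues (area 000, 666, 900+; group 00; serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def encryption_reasons(msg: Message) -> list:
    """Return the policy reasons that require encryption (empty list = may go in clear)."""
    reasons = []
    subject_l = msg.subject.lower()
    if any(word in subject_l for word in SUBJECT_TRIGGERS):
        reasons.append("subject trigger word")
    if msg.attachments:
        reasons.append("attachment present")
    for m in SSN_RE.finditer(msg.body):
        if is_plausible_ssn(*m.groups()):
            reasons.append("SSN in body")
            break
    for m in CARD_RE.finditer(msg.body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            reasons.append("payment card number in body")
            break
    return reasons


def must_encrypt(msg: Message) -> bool:
    return bool(encryption_reasons(msg))


if __name__ == "__main__":
    # Constructed sample: a referral with a card number and an attachment.
    sample = Message("ENCRYPT: referral", "Card 4111 1111 1111 1111 on file", ["referral.pdf"])
    print(encryption_reasons(sample))
```

The validity checks matter in practice: a bare `\d{3}-\d{2}-\d{4}` pattern or an unchecked 16-digit run will flag phone numbers, invoice numbers and timestamps, and a filter that encrypts half of routine mail gets switched off. Encrypting everything with an attachment is the simplest rule and the one least likely to miss PHI embedded in a PDF that text matching cannot see.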


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS


If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP


If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:

• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMENDMENT REQUESTS


Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING


The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARGING FOR RECORD COPIES


With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS


If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:

• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.
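The third precaution, regular EHR audit review, is the one most practices skip because the raw log is just a list of who opened which chart. The script below is an added example, not code from the article, from Clearwater Compliance or from any EHR vendor; the log format, the encounter table, the role names and the staff-as-patient mapping are all constructed assumptions standing in for what a practice would export from its EHR, scheduling and HR systems. It applies the rule Caswell states: an access is justified only by a treatment relationship (a documented encounter), a payment role or an operations role, and a staff member opening their own chart is flagged regardless.

```python
"""Review EHR access logs for record snooping.

Added example (not the article's or any vendor's code). The log layout,
encounter table, roles and patient identifiers are constructed sample data.
"""
import re
from collections import defaultdict

# Assumed log layout: one access per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Constructed sample audit log.
SAMPLE_LOG = """\
2015-04-27T09:12:03 user=drlee patient=P1001 action=VIEW
2015-04-27T09:15:44 user=drlee patient=P1002 action=VIEW
2015-04-27T10:02:10 user=jsmith patient=P1002 action=VIEW
2015-04-27T10:05:31 user=jsmith patient=P2001 action=VIEW
2015-04-27T11:30:00 user=billing1 patient=P1001 action=VIEW
2015-04-27T12:00:00 user=rjones patient=P3003 action=PRINT
"""

# Constructed reference data. In a real review these come from scheduling (encounters),
# HR (roles) and registration (which staff members are also patients).
ENCOUNTERS = {("drlee", "P1001"), ("drlee", "P1002"), ("rjones", "P1002")}  # treatment
ROLES = {"drlee": "clinician", "jsmith": "front-desk", "billing1": "billing", "rjones": "nurse"}
STAFF_PATIENT_ID = {"jsmith": "P2001"}           # staff member who is also a patient here
PERMITTED_ROLES = {"billing", "compliance"}      # payment / operations access needs no encounter


def parse_log(text):
    """Parse key=value audit lines; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Return None when the access is justified, otherwise a short reason."""
    user, patient = entry["user"], entry["patient"]
    if STAFF_PATIENT_ID.get(user) == patient:
        return "self-access"                       # own chart: always reviewed
    if (user, patient) in ENCOUNTERS:
        return None                                # treatment relationship
    if ROLES.get(user) in PERMITTED_ROLES:
        return None                                # payment or operations role
    return "no treatment/payment/operations relationship"


def review(text):
    """Return flagged accesses as (timestamp, user, patient, reason) tuples."""
    findings = []
    for e in parse_log(text):
        reason = classify(e)
        if reason:
            findings.append((e["ts"], e["user"], e["patient"], reason))
    return findings


def per_user_counts(findings):
    """Count findings per user so repeat offenders surface at the top of the report."""
    counts = defaultdict(int)
    for _, user, _, _ in findings:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(*f)
    print(per_user_counts(review(SAMPLE_LOG)))
```

On the sample data the review flags the front-desk user's look at a patient they had no encounter with, the same user's look at their own chart, and a nurse printing a chart outside her encounters; the clinician's and the billing clerk's accesses pass. The role table is where each practice encodes its own policy: if front-desk staff legitimately open charts to schedule visits, that is an operations justification and belongs in `PERMITTED_ROLES`, but it should be a deliberate decision recorded in the access policy rather than a default.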


9. RELEASING TOO MUCH INFORMATION


Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


HITECH Act Stage 3: Security Concerns


Some healthcare associations, including those representing IT and security leaders, are seeking more clarity from federal regulators about proposed security and privacy requirements for Stage 3 of the HITECH Act "meaningful use" incentive program for electronic health records. Among the concerns raised were issues related to EHR risk assessments and patients' electronic access to their health information.


Stage 3 of the HITECH Act incentive program is slated to begin in 2017 or 2018. Beginning in January 2018, healthcare providers lacking a certified EHR system will begin to face financial penalties.

The concerns cited by the various healthcare associations echoed some of the worries expressed by security and privacy experts shortly after the proposed rules were issued in March.


May 29 was the deadline for public comment on proposed rulemaking by the Department of Health and Human Services. On March 20, HHS' Centers for Medicare and Medicaid Services issued a notice of proposed rulemaking for Stage 3 of the Medicare and Medicaid EHR incentive program. Meanwhile, HHS' Office of the National Coordinator for Health IT issued a proposed rule spelling out updated requirements for EHR software that qualifies for the incentive program: 2015 Edition Health Information Technology Certification Criteria.

Security Assessment Concerns

Under Stage 3 of the HITECH incentive program, which already has provided nearly $30 billion in incentives to eligible hospitals and healthcare professionals for "meaningfully" using EHRs, these healthcare providers can qualify to receive additional incentives by achieving a proposed new list of objectives. One of those proposed requirements deals with risk assessments.


While healthcare providers are still expected to conduct a broader HIPAA security risk analysis, the Stage 3 proposal states that healthcare providers must conduct an assessment that specifically looks at risks to information maintained by the certified EHR technology.


Here's the language in the HHS proposal, which some commenters found confusing, or even unnecessary, in light of existing HIPAA requirements: "The requirement of this proposed measure is limited to annually conducting or reviewing a security risk analysis to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability and integrity of ePHI created by or maintained in [the certified EHR technology]."


The College of Healthcare Information Management Executives, an association of healthcare CIOs and other IT leaders, in its comments to HHS called the risk assessment proposal "superfluous, given the fact that the HIPAA privacy and security requirements already apply to providers and we see no need to impose any additional requirements through the EHR meaningful use program."


But CHIME added in its comments to HHS: "We understand and agree with the need to protect electronic personal health information. As such, our concern is that providers may be confused over the timing of required assessments or reviews."


To clarify and simplify the objective, CHIME suggested HHS rework the proposal to state that eligible healthcare providers must conduct the security risk analysis upon initial installation of certified EHR technology or upon upgrade to a new edition of certified EHR technology.


CHIME contends that this clarification "will help providers understand their responsibilities vis-à-vis this objective and avoid any possible misunderstanding that reviews be required every time a provider receives a patch or other update to their EHR from a vendor."

Guidance Sought

Meanwhile, another association of health IT professionals, the Healthcare Information and Management Systems Society, said it generally supports the government's risk assessment proposal, but that many healthcare sector organizations still need more guidance on how to conduct a risk analysis.


"HIMSS observes that providers today likely need to increase the frequency of their security risk analysis," the organization says in its feedback. "However, merely doing the security risk analysis without addressing the risks may not lead to adequate safeguarding of the ePHI. Accordingly, risk management should be done as well, and providers need to be educated on how to manage risk in today's electronic environment."


HIMSS recommends the proposed requirement for Stage 3 be modified "so that providers not only do the security risk analysis, but also address the risks themselves." HIMSS also recommends that providers receive guidance on where to obtain security updates and how to correct deficiencies. "HIMSS recommends that providers need guidance on what an acceptable baseline is for a security risk analysis - without such guidance, some providers may conduct [minimal] security risk analysis, expending only a handful of hours to do such a task."

Other Concerns

Some healthcare associations also wrote in their feedback that they were concerned about a Stage 3 proposal regarding providing patients with electronic access to their records.


Under the HHS proposal, patients may either be provided access to view online, download, and transmit their health information through a patient Web portal or provided access to an application program interface certified by ONC. Those APIs can be used by third-party applications or devices.


In its comments, CHIME says it opposes the API provision. "There is tremendous uncertainty regarding APIs, including potential security and authentication issues, and even whether they will be readily available in [technology] vendor products by 2018."


Similarly, the American Hospital Association wrote in its comments: "Stage 3 proposals, such as relying on third-party applications to access sensitive patient data in EHRs, may be a successful mechanism for the exchange of patient data information, but they raise important questions about patient privacy and information security that must be carefully considered."


An HHS spokesman tells Information Security Media Group that ONC and CMS "are now reconciling and beginning to review all of the comments. We don't yet have a total count of the number of comments, nor have we had time to separate them by issue. We are now beginning the process to get us to the issuance of the final rules, which we expect to be later this summer."


Data Breach Costs to Soar to $2.1 Trillion


The rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019.

That’s according to Juniper Research, which found in a recent study that breach costs will increase to almost four times the estimated cost of breaches in 2015. And, the average cost of a data breach will exceed $150 million by 2020, as more business infrastructure gets connected.


The research, entitled ‘The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation’, has found that the majority of these breaches will come from existing IT and network infrastructure. While new threats targeting mobile devices and the Internet of Things (IoT) are being reported at an increasing rate, the number of infected devices is minimal in comparison to more traditional computing devices.

The report also highlights the increasing professionalism of cybercrime, with the emergence of cybercrime products (i.e. sale of malware creation software) over the past year, as well as the decline in casual activist hacks. Hacktivism has become more successful and less prolific—in future, Juniper expects fewer attacks overall, but more successful ones.


“Currently, we aren’t seeing much dangerous mobile or IoT malware because it’s not profitable,” noted report author James Moar. “The kind of threats we will see on these devices will be either ransomware, with consumers’ devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack. With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools.”


In terms of geography, nearly 60% of anticipated data breaches worldwide in 2015 will occur in North America, the firm said, but this proportion will decrease over time as other countries become both richer and more digitized.



Health Research Bill Would Alter HIPAA


Some privacy experts are concerned that a bipartisan 21st Century Cures bill, as drafted, would weaken HIPAA privacy protections for patient information. The measure, among other things, is designed to help the medical community speed up the development of new drugs and treatments.


A discussion draft unveiled on April 29 proposes that the Secretary of the Department of Health and Human Services would "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under the current HIPAA Privacy Rule, PHI is allowed to be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If a proposed provision in the draft legislation is signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved.

The draft was jointly issued by Fred Upton, R-Mich., chairman of the House Energy and Commerce Committee, Rep. Diana DeGette, D-Col., ranking member of the Oversight and Investigations Subcommittee, and several other Republican and Democratic House members. Work on the legislation began a year ago, and a markup version of the bill, which covers a broad range of topics, is expected this week.

"Most significantly, the bill would require HHS to revise the HIPAA regulations so that uses and disclosures for research are treated the same as uses and disclosures for a covered entity's own healthcare operations, as long as any disclosures go to a HIPAA covered entity or business associate," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"This seems to mean that such research uses and disclosures could occur without an individual's authorization or an Institutional Review Board's or Privacy Board's waiver of authorization," he says. Essentially, research uses and disclosures would only be restricted by the 'minimum necessary' standard, he says. The HIPAA Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the "minimum necessary" to accomplish the intended purpose.

Easing Research

Backers of the bill say it's needed because it has the potential of helping to knock down barriers to advancing medical innovation and treatment, including tapping breakthroughs in molecular medicine, genomics and related health technologies.


"For the first time ever, we in Congress are going to take a comprehensive look at what steps we can take to accelerate the pace of cures in America," DeGette says in a statement. "We are looking at the full arc of this process - from the discovery of clues in basic science, to streamlining the drug and device development process, to unleashing the power of digital medicine and social media at the treatment delivery phase."


A source at the Energy and Commerce Committee says the markup of the bill is expected on May 14. "We are very careful to limit the potential to use PHI for research purposes only to covered entities and business associates working for covered entities - trusted organizations that have a relationship with the individual and that are already allowed to use PHI to improve care," the source says. "The committee wants those covered entities to not only improve care in their own institution, but be able to publish the findings of their research - without disclosing any identifiable PHI, of course. The bill ensures that PHI used for research is fully covered by the protections of the HIPAA privacy, security and breach reporting rules."


But some privacy experts say the bill goes too far in potentially removing patient privacy protections when it comes to the use of PHI for research.


The privacy provisions, as they appear in the draft bill, "roll back essential protections of the control that patients have over how their information is used and disclosed," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Because PHI used for research could involve genetic information, the [research exemption] could potentially provide [use and disclosure] of information on the genetic traits of family members. Once that data is out, you can't get it back."

Other Privacy Provisions

The bill also proposes providing individuals with one-time authorization that would allow the use and disclosure of their PHI for future research purposes.


"In cases where the covered entity or business associate needs an authorization, it would require HHS to put its interpretation into regulation that an authorization can encompass future research studies," Greene says. "The bill's proposals appear to further expand the authority to use and disclose protected health information for research and codify in regulation a recent HHS interpretation allowing an advanced authorization for future research."


While HHS indicated in the HIPAA Omnibus Rule commentary that an authorization may authorize uses and disclosures of protected health information for future research studies, Greene says, "this bill would require HHS to put this into the HIPAA regulations themselves."

Deborah C. Peel, M.D., founder of Patient Privacy Rights, an advocacy group, tells Information Security Media Group the future-research proposal is "a very bad idea," adding "no data should ever be used except for a single purpose. It's especially bad because today we have no 'chain of custody' for our health data. It's impossible to know where in the world it is or how it's being used. The risks of today's ubiquitous data surveillance and collection systems are unknown. When has it ever been smart to agree to something you have no understanding of?"


Another provision in the draft bill would give researchers remote access to PHI maintained by a covered entity if ''appropriate security and privacy safeguards are maintained by the covered entity and the researcher, and the protected health information is not copied or otherwise retained by the researcher."


Greene says that in cases where the disclosure of PHI is to a researcher that is not a covered entity or business associate, "the statute would broaden the permission for disclosing protected health information preparatory to research, allowing a covered entity to grant remote access to the researcher, rather than requiring that the review occurs at the facility."


Additionally the bill would make changes regarding PHI used in paid research. "The proposed bill appears to also allow covered entities and business associates to receive remuneration, such as payments, in exchange for disclosing protected health information for research," Greene notes. "Currently, such payment would be limited to the reasonable cost for preparation and transmittal of the protected health information."


The remuneration proposal also diminishes patients' control over how their PHI is used for paid research, Holtzman says. "The proposals remove key reforms in the HITECH Act [HIPAA Omnibus final rule] that require specific [patient] authorization for disclosures of information when money is changing hands," Holtzman says. "That [HITECH provision] is to give an individual a choice when there is remuneration involved. The proposal would roll back important rights requiring patient permission when their health information is disclosed in exchange for payment."

More Scrutiny Needed

Holtzman says he hopes the provisions in the draft bill are thoroughly vetted before the legislation progresses further. "This document appears to be in the early stages. I trust that the privacy community would undergo exhaustive debate and review of this document as it develops."


Greene predicts that the proposal "may garner strong views from both the research community and privacy advocates, with researchers perhaps indicating that HIPAA is standing in the way of good research and that these changes are necessary, while some privacy advocates may claim that these changes go too far in allowing uses and disclosures without an individual's consent or authorization."

Peel, the consumer advocate, contends: "These new provisions are really out-of-date and clearly designed for paper consents - a total nightmare."


Under the current language in the bill, HHS would be required to make the changes to HIPAA "not later than 12 months after the date of the enactment of the Act."



The New World of Healthcare Cybercrime


In healthcare, the number and volume of breaches are ever increasing. For many of these breaches, phishing is the initial point of compromise. People tend to be the weakest link, so attackers go after the low-hanging fruit. Much of the information that is exfiltrated ends up on the black market (e.g., medical identity information, intellectual property, financial information, etc.).


We often hear about healthcare information being very valuable on the black market. But, for anyone who may dare to look at the dark web or even public dump sites, the black market can indeed be somewhat of a scary place—or at least, eye opening. The type of information which is traded on the black market includes healthcare and related identity information and bad actors may use the stolen information to commit medical identity theft and fraud. Indeed, the Medical Identity Fraud Alliance has a lot of information on this subject, including a survey on point.


And, now, law firms that support healthcare organizations and other entities are the target of hackers. Law firms have valuable information, such as data on mergers and acquisitions, intellectual property, protected health information, and other types of sensitive information which they are entrusted to safeguard on behalf of their clients. Indeed, several law firms have reportedly been considering standing up a law firm information sharing and analysis center “to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.”


All businesses, including healthcare organizations, need to make cybersecurity a business priority. Just like other kinds of risk management, cybersecurity needs to be part of the equation. Reacting to incidents, in the long run, will only prove to be very costly for your organization, in terms of expenditure, manpower, and damage to your organization’s goodwill. Instead, appropriate investment needs to be made in technology and skilled personnel to detect and remove hackers from systems and to make it more difficult for hackers to infiltrate into the systems.


In addition, avoid being low-hanging fruit for the hackers. Practice good cyber hygiene, adopt and implement an appropriate security framework and best practices for your organization, have a culture which embraces information security, be vigilant, and call in the good guys when you are in need of help (or even before there is a problem). The importance of information security has increased as a priority for many organizations; it should have a high priority for yours as well. The cyber threat is real and we all need to stay ahead of it.



How Rush Medical Stays HIPAA Compliant, Uses Cybersecurity


Staying HIPAA compliant is not always an easy task, especially as new technological options develop, such as cloud computing, mobile devices, and EMRs.


Rush University Medical Center has altered its cybersecurity measures over the last few years in order to keep pace with changing technologies. However, Rush VP of IT Operations and Associate CIO Jaime Parent told HealthITSecurity.com that even with new systems, the facility works hard to stay HIPAA compliant and keep all employees educated.


HealthITSecurity.com: Tell me a little about Rush Medical’s approach to cybersecurity. What steps have been taken over the last few years to ensure patient data security?


Jaime Parent: Over the last several years our threat protection has moved from reactive to proactive. Gone are the days where a standard firewall, anti-viral software, and anti-spam software, offer adequate protection. Today’s threats are much more sophisticated and now include ransomware and network exploits. Organizations must be agile, dynamic, flexible and adaptable. With the onset of zero day viruses and latency threats such as Heartbleed, new threats require new ways of thinking in cybersecurity.


I would say the only thing that’s consistent with protection strategies used five years ago would be the continuing need for end user education. Social engineering is still the largest vulnerability for any organization.


HITS.com: That ties into employee education as well, right?


JP: Employee education and awareness is a vital part of any comprehensive cybersecurity plan.  At Rush, we have patients, staff, faculty, students and visitors – a very difficult environment to manage and protect. We have to be cognizant of the security parameters that need to be in place to protect the network, even though we may have non-Rush assets on our public network. Our awareness campaign is called “ICARE/IProtect,” and it is both comprehensive and easy to understand. Making everyone vigilant goes a long way.


HITS.com: Have mobile devices been one of the greater challenges in staying HIPAA compliant?


JP: In addressing mobile device security, we take into account the user experience. Rush's systems are configured in a way that promotes centralized storage and discourages local data storage. We also moved to encrypted USB drives and laptops.


Nobody wants to be the victim of a breach, but with the proper tools and awareness, users know how to protect their data and they learn to avoid phishing schemes. Preventing that click is extremely important.

HITS.com: How do large-scale data breaches, like Anthem and Premera, affect your privacy and security measures, if at all?


JP: We try to learn from these experiences. After these events, the question I get asked most often is – could this thing happen to us? And the short answer is that there really is no 100 percent ironclad way to keep all threats out. But, if you remember to address the basics, the latest anti-viral updates, patch management, user education, etc., you have the best combination in place to avoid being a victim.


HITS.com: What are some of the key privacy and security focal points for providers in 2015?


JP: Be proactive rather than reactive. Invest in smart technologies that work best for your organization. Patch aggressively. Deploy the latest updates. Finally, educate your users who continue to be vulnerable in this dynamic environment.


HITS.com: In terms of privacy and security, what do you think the current outlook is for the healthcare industry?


JP: In my personal opinion, the bad guys are winning right now. The digital age is here and not everyone thinks about security. Breaches are on the rise. It wasn’t too long ago that medical records were locked in the basement somewhere relatively inaccessible. Now, this information is at your fingertips on devices where some users may not even use a password. The genie is out of the bottle and it’s going to stay out of the bottle for a long time. Healthcare will continue to be a target.


HITS.com: After the Anthem data breach in particular, many people were upset over the notification process. In your opinion, how important is the aftermath of a data breach?


JP: Our first thoughts are always with the patient. That’s just our approach. Organizations should always take the appropriate steps to notify patients as soon as possible. At Rush, we cherish our patients and the relationships we have throughout the city of Chicago. Patient care and safety are at the core of what we do – our patients deserve nothing less.


Quensetta Adams's curator insight, April 28, 2015 9:55 PM

HIPAA needs cloud computing, mobile devices, and EMRs; let's add IoT!


ONC Updates its Privacy and Security Guide


Last week during the annual Healthcare Information and Management Systems Society (HIMSS) conference, the Office of the National Coordinator for Health IT (ONC) published a revised version of its “Guide to Privacy and Security of Electronic Health Information.”

In the foreword of the guide, ONC says that its intent is to help healthcare providers, especially Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) and Medicare eligible professionals (EPs) from smaller organizations, better understand how to integrate federal health information privacy and security requirements into their practices. The new version of the guide provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules, says ONC.


In a blog post, Lucia Savage, chief privacy officer at ONC, says that this is the first step towards fulfilling the commitment the agency made in its Interoperability Roadmap: helping individuals, providers, and the health and health IT community better understand how existing federal law, HIPAA, supports interoperable exchange of health information.


According to Savage’s post, “the guide includes practical information on issues like cybersecurity, patient access through certified electronic health record technology (CEHRT), and other EHR technology features available under the 2014 Edition Certification rule. The guide also includes new, practical examples of the HIPAA privacy and security rules in action, to help everyone understand how those rules may impact their businesses and the people they serve.”


The guide additionally offers many scenarios for anyone who has struggled to understand when someone is or is not a business associate; information about when a provider (or any HIPAA-covered entity) is permitted to exchange information about an individual for treatment, payment, or healthcare operations without being required to have the individual sign a piece of paper before the exchange occurs; and practical tips and information about security, Savage said.



OIG to CMS: Make EHR fraud prevention efforts a priority


The Office of Inspector General is once again calling out CMS for failing to adequately address fraud vulnerabilities in electronic health records. Despite submitting recommendations back in 2013, a new OIG report underscored that the agency is still dragging its feet on implementing EHR fraud safeguards.

 
Part of the Office of Inspector General's role is to audit and evaluate HHS processes and procedures and put forth recommendations based on deficiencies or abuses identified. Turns out, a lot of these recommendations are ignored, disagreed with or unimplemented, according to OIG's new Compendium of Unimplemented Recommendations report. And EHR fraud is on that list.
 
"HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," OIG officials wrote in the report. 
 
Specifically, audit logs should actually be operational when an EHR is available. And CMS should also develop concrete guidelines around the use of copy-and-paste functions in an electronic health record. According to OIG data, most hospitals using EHRs had RTI International audit functions in place, but they were significantly underutilized. What's more, only some 25 percent of hospitals even had policies in place regarding copy-and-paste functions. 
 
These recommendations have come up repeatedly in recent OIG reports, and despite CMS officials agreeing with the outlined recommendations, the agency is still not making it enough of a priority.  
In a January 2014 report, OIG also called out CMS for failing to make EHR fraud a priority. Specifically, OIG said, CMS neglected to provide adequate guidance to the contractors tasked with identifying EHR fraud, citing the fact that the majority of these contractors reviewed EHRs in the same manner they reviewed paper records, disregarding the differences. Moreover, only three out of 18 Medicare contractors were found to have used EHR audit data in their review process.
 
When it came to identifying copy-and-paste usage or over documentation, many contractors reported they were unable to do so. Considering some 74 percent to 90 percent of physicians use the copy/paste feature daily, according to a recent AHIMA report, the implications are significant. 
 
As Diana Warner, director of HIM practice excellence at AHIMA, recounted at the October 2013 MGMA conference, due to copy-and-paste usage a patient at her previous medical practice went from having a family history of breast cancer to having a history of breast cancer. The error was caught by the insurance company, which thought the patient had lied and was poised to change her healthcare coverage. "We had to work for months to get that cleared up with the insurance company so her coverage would not be dropped," Warner said. "We had to then find all the records that it got copy and pasted into" incorrectly and then track down the locations the data was sent to.
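As an added example (not code from the OIG report, AHIMA or any EHR product), here is a small review check for the two gaps described above: verbatim text reused across different patients' notes, and a condition that drifts from family history to personal history within one patient's chart. The note text, patient IDs and author names are constructed for the example.

```python
"""Copy-and-paste review for clinical notes (added example, not OIG/AHIMA code).

Two checks a records reviewer can run over exported note text:
  1. find_reuse: long runs of identical words in notes belonging to
     different patients, the signature of text pasted from one chart to another;
  2. history_drift: a condition recorded as *family* history in one note and as
     personal history in another note for the same patient.
All notes, patient IDs and authors below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample export: note_id, patient, author, free text.
NOTES = [
    {"note_id": "N1", "patient": "P-001", "author": "drA",
     "text": ("Patient reports family history of breast cancer in mother and sister. "
              "Denies chest pain. Continue annual screening mammography.")},
    # N2 is N1's text pasted unchanged into a different patient's chart.
    {"note_id": "N2", "patient": "P-002", "author": "drA",
     "text": ("Patient reports family history of breast cancer in mother and sister. "
              "Denies chest pain. Continue annual screening mammography.")},
    # N3 drops the word "family": the error described in the Warner anecdote.
    {"note_id": "N3", "patient": "P-002", "author": "drB",
     "text": "Follow-up visit. History of breast cancer. Blood pressure controlled on current regimen."},
    {"note_id": "N4", "patient": "P-003", "author": "drC",
     "text": "Well visit. No complaints. Blood pressure controlled on current regimen. Return in one year."},
]

MIN_SHARED_WORDS = 8                        # shorter runs are ordinary templated phrasing
CONDITIONS = ("breast cancer", "diabetes")  # demo vocabulary, constructed


def tokenize(text):
    """Lower-case word tokens, so punctuation and case differences do not hide a paste."""
    return re.findall(r"[a-z0-9]+", text.lower())


def longest_common_run(a, b):
    """Length and text of the longest run of consecutive tokens shared by lists a and b."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return best_len, " ".join(a[best_end - best_len:best_end])


def find_reuse(notes, min_words=MIN_SHARED_WORDS):
    """Pairs of notes sharing at least min_words consecutive words.

    Cross-patient reuse is the serious case; same-patient reuse is reported too
    so a reviewer can judge over-documentation within one chart.
    """
    findings = []
    for x in range(len(notes)):
        for y in range(x + 1, len(notes)):
            a, b = notes[x], notes[y]
            length, phrase = longest_common_run(tokenize(a["text"]), tokenize(b["text"]))
            if length >= min_words:
                findings.append({
                    "notes": (a["note_id"], b["note_id"]),
                    "cross_patient": a["patient"] != b["patient"],
                    "shared_words": length,
                    "phrase": phrase,
                })
    return findings


def history_drift(notes, conditions=CONDITIONS):
    """Map patient -> conditions documented both as family history and as personal history."""
    seen = defaultdict(lambda: {"family": set(), "personal": set()})
    for n in notes:
        text = n["text"].lower()
        for cond in conditions:
            # A note stating both forms counts as family history only; keeps the demo simple.
            if re.search(r"\bfamily history of " + re.escape(cond), text):
                seen[n["patient"]]["family"].add(cond)
            elif re.search(r"(?<!family )\bhistory of " + re.escape(cond), text):
                seen[n["patient"]]["personal"].add(cond)
    return {p: sorted(v["family"] & v["personal"])
            for p, v in seen.items() if v["family"] & v["personal"]}


if __name__ == "__main__":
    for f in find_reuse(NOTES):
        kind = "CROSS-PATIENT" if f["cross_patient"] else "same patient"
        print(f"{f['notes']}: {f['shared_words']} shared words ({kind}): {f['phrase'][:60]}...")
    for patient, conds in history_drift(NOTES).items():
        print(f"{patient}: family history became personal history for {conds}")
```

On the constructed notes the run reports N1/N2 as an 18-word cross-patient paste, leaves the 6-word templated phrase shared by N3/N4 below the threshold, and flags P-002 for breast cancer history drift.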



Will 2016 be Another Year of Healthcare Breaches?


As I listened to a healthcare data security webinar from a leading security vendor, I had to ask: “Are we now experiencing a ‘New Normal’ of complacency with healthcare breaches?” The speaker’s reply: “The only time we hear from healthcare stakeholders is AFTER they have been compromised.”

 

This did not surprise me. I have seen this trend across the board throughout the healthcare industry. The growing number of cyberattacks and breaches is further evidence that there is a ‘New Normal’ of security acceptance, a culture of ‘it-is-what-it-is.’ After eye-popping headlines reveal that household names were compromised, one would think security controls would be at the forefront of every healthcare action list. Why, then, are we seeing more reports of healthcare breaches year after year?

 

This expectation stems from a lack of enforcement, acceptable penalties, and a culture of risk mitigation: more breaches are to be expected in the healthcare industry. Until stricter enforcement and penalties are implemented, breaches will continue throughout the industry.

 

The Office for Civil Rights (OCR), the agency that oversees HIPAA for the Department of Health and Human Services, originally scheduled HIPAA security audits to begin in October 2014. Unfortunately, very few audits have occurred because the agency is woefully understaffed for a mandate covering the healthcare industry, which accounts for more than 17 percent of the U.S. economy.

 

Why Sweat a Breach?

Last September, newly appointed OCR deputy director of health information privacy, Deven McGraw, announced the launch of random HIPAA audits. In 2016, it is expected that 200 to 300 covered entities will experience a HIPAA audit, with at least 24 on-site audits anticipated. However, this anticipated figure accounts for less than one percent of all covered entities, not much of an incentive for a CIO/CISO to request additional resources dedicated to cybersecurity.

 

Organizations within the industry are approaching cybersecurity from a cost/benefit perspective, rather than from how a breach potentially affects individual patients. For payers who have been compromised, where will their larger customers go anyway? Is it really worth a customer’s effort to lift-and-shift 30,000, 60,000 or 100,000 employee health plans to another payer in the state? This issue is similar to the financial services industry’s protocol when an individual’s credit card has been compromised and then replaced, or when individuals want to close a bank account due to poor service: does anyone really want to go through the frustration of dealing with an unknown company?

 

For some of the more well-known breaches, class-action lawsuits can take years to adjudicate. By then, an individual’s protected health information (PHI) and personally identifiable information (PII) has already been shared on the cybercriminal underground market. In the meantime, customers receive their free two-year’s worth of personal security monitoring and protection. Problem solved. Right?

 

The Cost of Doing Business?

When violations occur, the penalties can sting, but they are just considered part of the cost of doing business. In March 2012, Triple-S of Puerto Rico and the U.S. Virgin Islands, an independent licensee of the Blue Cross Blue Shield Association, agreed to a $3.5 million HIPAA settlement with HHS. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million fine, only to turn around and have another HIPAA violation in January 2015.

As of December 2015, the total number of data breaches for the year was 690, exposing 120 million records. However, organizations are unlikely to be penalized unless they fail to prove they have steps in place to prevent attacks. If an organization does not have a plan to respond to a lost or stolen laptop, OCR may find grounds for fines, but this can be a difficult process. Essentially, whether a fine follows a cyberattack or breach is relative.

 

A more recent $750,000 fine was settled with Cancer Care Group in September 2015, but the breach occurred in August 2012, nearly three years earlier. A 2010 breach reported by New York-Presbyterian Hospital and Columbia University wasn’t settled until 2014, for $4.8 million. Lahey Hospital and Medical Center’s 2011 violation was only settled in November 2015, for $850,000. With settlements taking place several years after an event, settling may appear to be a legitimate risk assessment, further reinforcing the ‘New Normal’ of cybersecurity acceptance.

 

At one HIMSS conference, the speaker emphasized to a Florida hospital the need to enforce security controls. They replied with, “If we had to put in to place the expected security controls, we would be out of business.”

 

Simply put: The risks of a breach and a related fine do not outweigh the perceived costs of enhancing security controls. For now, cybersecurity professionals may want to keep their cell phones next to the nightstand.

Guillaume Ivaldi's curator insight, April 2, 2016 10:18 AM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...
Elisa's curator insight, April 2, 2016 5:47 PM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...

Healthcare Hacker Attacks: The Impact


The recent string of major hacker attacks in the healthcare sector, including the cyber-attack on UCLA Health, calls attention to the urgent need for organizations to step up their security programs.


Security experts say healthcare organizations need to carefully reassess their risks and then take appropriate security measures, which, in many cases, will include implementing multifactor authentication; improving breach monitoring and detection; and ramping up staff security education, among other steps.

The sophistication of cyber-attackers is making defending against threats in the healthcare sector more challenging, says John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston.


"Five years ago, external attacks on healthcare were most often from single actors or curious students. Today they are from organized crime, state-sponsored cyberterrorism and hacktivism," he says.

Healthcare is becoming a bigger target for hackers and other cybercriminals for three main reasons, Halamka contends. "One, healthcare has traditionally under-invested in IT compared to other industries, leaving it more vulnerable. Two, healthcare tends to aggregate a large amount of personally identified information in one place, making it easy to breach a large number of records in a single attack. Three, medical identity theft - fraudulently receiving healthcare services - can be more profitable than financial identity theft."

Insufficient Efforts

Even some well-meaning healthcare organizations are also realizing that the diligent efforts they've been putting into information security aren't enough, notes privacy and security attorney Kirk Nahra, a partner at the law firm Wiley Rein.


"Many healthcare industry organizations thought they had pretty good information security. But these attacks have been eye-opening to many companies, that 'we really need to beef up' in terms of protection against these external risks," he says.


Christopher Paidhrin, who recently became information security manager for the city of Portland, Ore., after 15 years as an information security leader at West Coast healthcare provider PeaceHealth, offers a similar assessment. "If CISOs are not now assessing their cybersecurity posture - and exposure - they soon will," he says.

"The scope of vulnerabilities is increasing, and the 'defensive' security program model is failing to meet the challenge of the threats," he says. "Surveys over the past few years indicate that more than 90 percent of organizations sampled have already been hacked. That is a startling number that requires a national emergency-level response."


The attacks on the healthcare sector will only worsen, Paidhrin predicts. "Cybercriminals are motivated by money, easy money. Healthcare offers one of the greatest return on investment efforts with the lowest level of detection and risk. Medical information is data rich, and durable. Credit card data lasts for a month or two, before a bank disables an account. Health information is much more durable, with much of it unchangeable for the life of the affected individual."

UCLA Health Breach

In the latest headline-grabbing hack attack in the healthcare sector, UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been impacted by a cyber-attack that is thought to have begun last September and is "believed to be the work of criminal hackers." UCLA Health says it is working with FBI investigators and has also hired private computer forensic experts to further secure information on network servers.


"In today's information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack," the organization said. "UCLA Health identifies and blocks millions of known hacker attempts each year."


As for who was responsible for the UCLA Health breach, and how the hackers gained access to the systems, "the cyber-attack on UCLA Health is still under investigation, we are unable to discuss particulars or provide further information regarding the attack," a spokesman for UCLA Health tells Information Security Media Group.


With the exception of UCLA Health, most of the largest hacker attacks so far this year targeted insurers, including Anthem Inc., which was hit by a breach affecting nearly 80 million individuals, Premera Blue Cross and CareFirst Blue Cross Blue Shield.

Will Spending More Help?

Some observers say all the recent headlines about hacker attacks could make it easier for CISOs and CIOs to win support from senior leaders for funding to ramp up information security efforts. But will increased spending make a difference?


"The argument for funding will be easier, because the frequency and size of healthcare sector attacks provide CISOs with mounting evidence to justify increased funding, but it will not guarantee action," Paidhrin says. "Funding generally occurs when the 'what, specifically, can be done?' question can be answered with a price tag less than the perceived cost of assuming the risk. ...Healthcare is struggling, as are all other sectors, to find affordable and effective technologies, skilled cybersecurity personnel and process maturity."


But technology investments won't necessarily stop hackers who rely on social engineering to scam users into providing their network credentials through phishing attacks. "Although spending increases on healthcare IT and cybersecurity will help, the most effective risk mitigator is education," Halamka says. "We are as vulnerable as our most gullible authorized user."


Paidhrin sees a "disturbing trend" toward advanced persistent threats and social engineering, which both largely bypass network perimeter defenses. "APTs are stealthy, very effective at exploiting under-the-radar vulnerabilities that do not trigger the alert thresholds of many security systems," he notes. "Social engineering, basically tricking an authorized user to assist an attacker into an action that exploits a vulnerability, is much simpler than a frontal assault on a network. Why break a lock when you can ask for the keys, and get them?"

Wake-Up Call

The most significant impact the recent hacker attacks will have on the healthcare sector is "information security will need to be considered as an integral part of the security and operations processes of healthcare organizations," says Mitch Parker, CISO of Temple University Health System. "They will need to become more proactive and consider risk as equally as utility."


The hacker attacks should serve as a wake-up call for some organizations that have skimped on their information security risk management practices. "Organizations are supposed to re-assess their information security programs, processes, and technologies on a regular basis to continually improve," Parker says. "That is the purpose of risk management. Incidents such as these should be used to evaluate your organization's current practices and make changes or improvements beneficial to your organization."


Paidhrin says many organizations need to take four "not-so-easy steps" to bolster their security. Those include:


  • Two-factor authentication. "Weak passwords, seldom if ever changed, are the bane of information security. Requiring a token, something other than a username and password - both things you know - is the cheapest big step up the security ladder," he says.
  • Data segmentation. "Valuable, sensitive information needs to be segmented from general user access, not all accessible from one network or one level of user account."
  • Proactive monitoring for unauthorized use. "When 90 percent or more of organizations are potentially compromised, real-time detection of threat actors is essential."
  • Rapid response. "The meme of today is 'It's not if, but when we will be breached.' If an organization cannot respond to an attack and penetration, with effective countermeasures, all of the other information security measures, funding, planning and effort will be undone."


Organizations in all sectors, not just healthcare, need to up their game, says Nahra, the attorney. "It's a real challenge. The healthcare sector isn't alone in terms of facing weaknesses and threats."


Six Potential HIPAA Threats for PHOs and Super Groups


Physician Hospital Organizations (PHOs) and super groups are on the rise. About 40 percent of physicians either work for a hospital or a practice group owned by a hospital, or they band together to form a super group. Individual practices share operations, billing, and other administrative functions, gain leverage with insurance companies, add specialist resources and increase referrals, improve patient outcomes with a cohesive care plan, and more. The benefits are plentiful.

But just like a negative restaurant review on Yelp can hurt customer patronage and the restaurant's reputation, one practice that commits a HIPAA violation can affect the entire group, and result in an expensive fine, cause distrust among patients, and in extreme cases, the data breach can lead to medical identity theft.


For PHOs and super groups, adherence to HIPAA rules becomes more complicated when compliance isn't consistent among the group's practices, and a compliance officer isn't on board to manage risks and respond to violations.


At a minimum, the group should identify the potential sources for exposure of electronic protected health information (ePHI) and take measures to avert them. For example:


Super groups include smaller practices that struggle with HIPAA compliance and associated time and costs. Although PHOs or super groups may be abundant in physicians, employees, and offices, these assets could come from a majority of smaller organizations. Historically smaller practices struggle with resources to comply with HIPAA and hiring expensive compliance consultants could be prohibitive at the individual practice level.


Each practice uses a different EHR, or the EHR is centralized but the ePHI is stored on different devices. It becomes difficult to assess HIPAA compliance as well as how patient data is being protected when there are various EHRs implemented across multiple practices. Some EHRs may be cloud based while other systems reside in an individual practice's office. Getting an accurate inventory of where ePHI is stored or accessed can be challenging.


Hospitals can't conduct thorough security risk assessments for each practice in the group. A PHO could have 20 or more individual practices and the time required to perform individual security risk assessments could be daunting. These risk assessments are labor intensive and could strain the resources of hospital compliance staff.


Meaningful use drives HIPAA compliance and grants from HHS could be significant, especially with a large number of providers. Along with these funds comes responsibility to comply with meaningful use objectives. One of the most frequent causes of failing a meaningful use audit is ignoring a HIPAA security risk assessment. If one practice fails an audit, it could open the door to other practices in the group being audited, which could result in a domino effect and a significant portion of EHR incentive funds having to be returned.


For physician groups that share patient information, security is only as strong as the weakest link, whether that is one practice or even one employee. A breach at one practice could expose patient information for many or all other practices. Security is then defined by the weakest link, the practice with the weakest security in place.


Untrained employees in the front office unwittingly violate HIPAA and a patient's right to privacy. An employee could fall for a phishing scam that gives criminals access to a practice's network, and compromises the security of many or all practices within the PHO or super group.


The best way to avoid a HIPAA violation and a patient data breach is to create a group policy that requires each practice to:


• Perform regular HIPAA security risk assessments;
• Inventory the location of patient information;
• Assess common threats;
• Identify additional security needs;
• Set up policies and procedures;
• Stay up to date on patient privacy rules and requisite patient forms; and
• Properly train employees in protecting both the privacy and security of ePHI.


Make sure every practice in the group treats HIPAA compliance with the same care as a patient's medical condition.

Roger Steven's comment, July 10, 2015 6:34 AM
nice article www.mentorhealth.com

Patients Demand the Best Care … for Their Data


Whether it’s a senior’s first fitting for a hearing aid, or a baby boomer in for a collagen injection, both are closely scrutinizing the new patient forms handed to them by the office clerk. With 100 million medical records breached and stolen to date, patients have every reason to be reluctant when they’re asked to fill out forms that require their social security number, driver’s license, insurance card and date of birth, all the ingredients for identity fraud. Patients are so squeamish about disclosing their personal information that even Medicare plans to remove social security numbers from patients’ benefits cards.


Now patients have as much concern about protecting their medical records as they do about receiving quality care, and they’re getting savvy about data protection.  They have every right to be assured by their physician that his practice is as concerned about their privacy as he is about their health.


But despite ongoing reports of HIPAA violations and continuous breaking news about the latest widespread patient data breach, medical practices continue to treat ePHI security as a lesser priority.  And they neglect to train front office staff so the patient who now asks a receptionist where the practice stores her records either gets a quizzical look, or is told they’re protected in an EHR but doesn’t know how, or they’re filed in a bank box in “the back room” but doesn’t know why.


In some cases, the practice may hide the fact that office staff is throwing old paper records in a dumpster. Surprisingly this happens over and over.  Or, on the dark side, the receptionist accesses the EHR, steals patients’ social security numbers and other personal information and texts them to her criminal boyfriend for medical identity theft.


Another cybercrime threatening medical practices comes from hackers who attack a server through malware and encrypt all the medical files.  They hold the records hostage and ask for ransoms.  Medical records can vanish and the inability to access critical information about a patient’s medical condition could end up being life threatening.

Physicians should not only encrypt all mobile devices, servers and desktops, regularly review system activity, back up their servers, and have a disaster recovery plan in place; they should also share their security practices and policies with the patient who asks how the office is protecting her records.


Otherwise, the disgruntled patient whose question about security is dismissed won’t only complain to her friends over coffee, she’ll spread the word on Facebook.  Next time a friend on Facebook asks for a referral the patient tells her not to go to her doctor — not because he’s an incompetent surgeon but because he doesn’t know the answer when she asks specifically if the receptionist has unlimited access to her records.


And word gets out through social media that the practice is ‘behind the times.’  The doctor earns a reputation for not taking the patient’s question seriously, and for not putting the proper measures in place to secure the patient’s data.  This is the cockroach running through the restaurant that ends up on YELP.


It’s time to pull back the curtain and tell patients how you’re protecting their valuable data.  Hand them a HIPAA security fact sheet with key measures you’ve put in place to gain their confidence.  For example, our practice:


  • Performs annual risk assessments, with additional security implemented, including encryption and physical security of systems that contain patient information.
  • Shows patients that the organization has policies and procedures in place.
  • Trains employees to watch for breach risks.
  • Gives employees limited access to medical records.
  • Backs up systems daily.
  • Reviews system activity regularly.


Practices that communicate to patients how they are protecting their information, whether through front office staff, a fact sheet or their websites, not only instill confidence and maintain their reputations, they actually differentiate themselves in the marketplace and attract new patients away from competitors.


Chip-powered credit cards to challenge providers this fall


In an effort to improve security, America's banks and credit-card issuers will switch in the next few months from magnetic-stripe cards to microchip-based cards. That means healthcare providers will face another significant financial-systems conversion, in addition to the looming ICD-10 switchover.

More than half a billion of these “EMV” cards, so-named for the initials of the major card issuers that developed them—Europay, MasterCard and Visa—are expected to be issued and in use by the end of 2015.

The cards already are in use in Europe and Canada. Canada started a slow rollout of EMV cards in 2006, and now about 95% of Canadian merchants have converted to chip card readers, said Karen Cox, vice president of payments and retail solutions for Moneris Solutions, a Toronto-based provider of financial processing systems, owned by Canada's two largest banks, Royal Bank of Canada and Bank of Montreal. 

According to research estimates, by October, 63% of U.S. cards and 47% of terminals used across all industries to process transactions will be converted to EMV technology, she said.

Unlike the planned, industry-wide and federally mandated Oct. 1 upgrade to ICD-10 diagnostic and procedural codes, which is creating a big lift for everyone in the healthcare claims stream, there is no federal requirement that any U.S. business, including hospitals and office-based physician practices, switch to EMV cards. 

But efforts to reduce fraud will drive the conversion to chip cards, Cox said. 

In the U.S., a shift in financial liability for fraudulent charges will drive merchant adoption of chip-card technology, or at least that's the intention, Cox said. The change in liability will be enforceable by the credit-card issuers through their agreements with businesses that accept credit card payments, Cox said. 

“After October, if someone (a fraudster) with a chip card would hit a chip terminal, the merchant is protected from charge back,” by the card issuer, Cox said. But if the merchant, hospital or medical practice is still using an older magnetic-stripe reader, the liability for charge-backs falls on the business still using the older technology.

Cox says providers shouldn't worry about the expense of new card readers.

“Your typical countertop terminal is $200 to $300 for one that does everything,” Cox said. The rub more likely will come with software conversions for hospital financial and office-practice management systems, she said.

Cox says not all vendors are ready for the conversion, and no one should take on the task of writing an EMV interface themselves.

The Electronic Health Records Association, a trade group for EHR developers, many of which also have financial systems, declined to comment. 

The linchpin for chip-card technology adoption going forward—as it has been in the past—remains with the banks, not the vendors, said Robert Tennant, senior policy advisor with the Medical Group Management Association, who recently received a smart-chipped American Express card in the mail. “The vendor's argument is, 'Why should we build in the technology when the financial vendors haven't switched over?' ” he said.

According to Tennant, the switch to chip-based technology will be “an enormous change” for the retail sector, and somewhat of a lift for medical groups, who will have to buy and reconfigure their credit-card processing equipment and software at their pay windows. But there could be long-term benefits, too. 

“Nothing is ever foolproof, but as far as it goes, I think it's significantly more security than what we have now,” Tennant said.

The MGMA also is part of a 40-member industry collaboration formed last year, and led by the Workgroup for Electronic Data Interchange, to automate the patient registration and intake process. The group is hoping to hammer out an industry consensus around the component parts of a so-called “digital clipboard” containing basic patient demographic and payer or payment information used at registration. 

“On the healthcare side, it opens up a lot more opportunities for data movement,” Tennant said. “If we're going to be moving to this technology, it's a very short step toward using that technology for other purposes.”

Hopes for using smart-card technology in healthcare have risen and fallen several times over the past decade. Last month, the Government Accountability Office recommended that Medicare ought to consider issuing smart cards to beneficiaries to speed patient identification and eligibility verification.


EHR Vendor Target of Latest Hack


Web-based electronic health record vendor Medical Informatics Engineering, and its personal health records subsidiary, NoMoreClipBoard, say a cyber-attack has resulted in a data breach affecting some healthcare clients and an undisclosed number of patients.


In a statement, Medical Informatics Engineering says that on May 26, it discovered suspicious activity on one of its servers.


A forensics investigation by the company's internal team and an independent forensics expert determined that a "sophisticated cyber-attack" involving unauthorized access to its network began on May 7. The breach resulted in the compromise of protected health information relating to certain patients affiliated with certain clients, the company says.


"We emphasize that the patients of only certain clients of Medical Informatics Engineering were affected by this compromise and those clients have all been notified," the company says. Clients include: Concentra, a nationwide chain of healthcare clinics; Fort Wayne (Ind.) Neurological Center; Franciscan St. Francis Health Indianapolis; Gynecology Center, Inc. Fort Wayne; and Rochester Medical Group, Rochester Hills, Mich.


Information exposed in the breach of the Web-based EHR system includes patients' names, mailing addresses, email addresses, dates of birth, and for some patients a Social Security number, lab results, dictated reports and medical conditions. "No financial or credit card information has been compromised, as we do not collect or store this information," the company says.

PHR Also Breached

Medical Informatics Engineering says it also determined that the cyber-attack compromised PHI of its NoMoreClipboard subsidiary, which serves patients who assemble personal health records. A separate notice was issued for affected clients and patients. Information exposed for individuals who use a NoMoreClipboard portal/personal health record, includes name, home address, username, hashed password, security question and answer, email address, date of birth, health information and Social Security number.


"We strongly encourage all NoMoreClipboard users to change their passwords," the company says in its statement. "We also strongly encourage everyone to use different passwords for each of their various accounts. Do not use the same password twice. The next time a NoMoreClipboard user logs in, we will prompt a password change."

As part of the password change process, the company says it will send a five-digit PIN code to a cell phone, via an automated phone call, or to an email address already associated with the NoMoreClipboard account. "Users will have to enter this five-digit code to reset their password," the company says. "We are also emailing NoMoreClipboard users to encourage this password change."
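The notice above says NoMoreClipboard stored hashed passwords and is forcing a reset that hinges on a five-digit code delivered out of band. As an added example (my own code, not Medical Informatics Engineering's; the notice says nothing about how their system is built), the block below shows what a defensible version of both pieces looks like: passwords stored with a per-user salt and a slow KDF (PBKDF2-HMAC-SHA256; the iteration count is an assumption to tune to your hardware), and a reset code that is hashed at rest, expires, is single-use and is capped at a handful of attempts. The cap is the whole point of the second half: a five-digit code has only 100,000 possible values, so without an attempt budget and a short lifetime it can be enumerated online in seconds. The ResetService and ResetCode names, the ten-minute lifetime and the five-attempt limit are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Added example; not Medical Informatics Engineering's code. Class names,
# lifetimes and limits below are assumptions chosen for illustration.

PBKDF2_ITERATIONS = 600_000   # OWASP's PBKDF2-HMAC-SHA256 figure; assumption: tune to your hardware
PIN_DIGITS = 5                # the notice describes a five-digit reset code
PIN_TTL_SECONDS = 600         # assumption: a code is valid for ten minutes
PIN_MAX_ATTEMPTS = 5          # assumption: a code is voided after five wrong guesses


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A per-user random salt plus a slow KDF is what
    'hashed' has to mean for a leaked password table to buy users any time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time so timing does not leak a prefix match."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def _hash_pin(pin: str, key: bytes) -> bytes:
    # A 100,000-value code cannot be protected by a slow hash; expiry and the
    # attempt budget are the real control, so a keyed fast hash is enough here.
    return hmac.new(key, pin.encode("utf-8"), "sha256").digest()


@dataclass
class ResetCode:
    pin_hash: bytes            # never store the code itself
    key: bytes                 # per-code random HMAC key
    expires_at: float
    attempts_left: int = PIN_MAX_ATTEMPTS
    consumed: bool = False


@dataclass
class ResetService:
    now: Callable[[], float] = time.time            # injectable clock for testing
    pending: Dict[str, ResetCode] = field(default_factory=dict)

    def issue(self, username: str) -> str:
        """Create a zero-padded five-digit code for the user, replacing any
        earlier one. The return value stands in for SMS/voice/e-mail delivery;
        production code must not hand the code back to the requester."""
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        key = os.urandom(32)
        self.pending[username] = ResetCode(_hash_pin(pin, key), key, self.now() + PIN_TTL_SECONDS)
        return pin

    def verify(self, username: str, pin: str) -> bool:
        """True exactly once for the right code inside its lifetime; every
        wrong guess spends one attempt and the last one voids the code."""
        rc = self.pending.get(username)
        if rc is None or rc.consumed or self.now() > rc.expires_at or rc.attempts_left <= 0:
            return False
        rc.attempts_left -= 1
        if hmac.compare_digest(_hash_pin(pin, rc.key), rc.pin_hash):
            rc.consumed = True
            return True
        if rc.attempts_left == 0:
            del self.pending[username]     # exhausted: the user must request a new code
        return False
```

Two design points worth noting: the clock is injected so the expiry path can be exercised without sleeping, and a code that runs out of attempts is deleted rather than left in place, so the correct value can no longer be "discovered" on the last try after a lockout. If the code is delivered by e-mail, as the notice allows, the reset is only as strong as that mailbox; delivery to a registered phone is the better of the two channels.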


Medical Informatics Engineering says the breach has been reported to law enforcement, including the FBI, and the company is cooperating with the investigation. Upon discovering the breach, the company says it "immediately began an investigation to identify and remediate any identified security vulnerability."


Medical Informatics Engineering and its NoMoreClipBoard subsidiary are offering affected individuals free credit monitoring and identity protection services for the next 24 months.


The company did not immediately reply to a request for comment.

Going After Patient Data

This incident shows that any healthcare-related company or business associate is a target for attackers, says security and privacy expert Kate Borten, founder and CEO of The Marblehead Group consultancy.

"Assuming the attack was targeted, this is just another example of going after a big chunk of patient data," she says. "I don't think it matters to an attacker whether the company is a health plan/insurer or a health information exchange, or a provider. It's just an organization with a significant volume of PHI."


Kareo Announces Apple Watch App To Improve Medical Practice Efficiency


Kareo, the leading provider of cloud-based medical office software for independent medical practices, today announced the launch of its Apple Watch App. Kareo’s most recent innovation extends the functionality of the company’s EHR to Apple Watch, streamlining care delivery and enhancing the patient experience by improving communications, reducing patient wait times, and increasing practice efficiency.


Kareo is launching this new Apple Watch App in response to the growing demands on physicians to increase their focus on all aspects of patient engagement. “Physicians are on their feet attending to the needs of patients for the majority of the day, leaving little time to check their schedules and prepare for the next appointment,” said Dr. Tom Giannulli, CMIO of Kareo. “Recognizing this demanding care delivery environment, Kareo’s Apple Watch App will help doctors better manage their schedule while enabling enhanced communication throughout the day, improving their ability to deliver a great patient experience.”

Kareo’s Apple Watch App provides the most relevant, practice-oriented information necessary to improve care and increase practice efficiency. Key functionalities of the App include:


  • Secure messaging that allows the user to send, reply, and read messages via dictation. Messages can be sent to staff or patients using Kareo’s secure messaging system, improving overall patient engagement and practice communication.
  • An agenda that allows the provider to quickly reference their schedule and see the status of appointments checked-in, no show, late, checked out, etc., helping reduce wait times and improve practice efficiency.
  • Appointment reminders that can be sent five minutes before the next scheduled appointment. The notification subtly vibrates the watch, indicating that the doctor has an impending appointment.
  • Appointment information that is accessible within a notification or through the agenda, allowing the provider to review details such as the patient’s name, time of appointment, visit type, and reason for the visit.
  • “I’m Running Late” pre-set messages that allow the doctor to inform other staff members when they are running behind and how much longer they expect to be. This improves practice communication and enables the front desk to give patients a more accurate wait time estimate.
  • Apple “Glances” that provide a quick overview of key practice metrics, including how many patients are scheduled throughout the day, how many patients are waiting to be seen, and which patients are currently waiting in an exam room.


Kareo states that all features of its Apple Watch App are HIPAA compliant and secure, keeping data private yet easily accessible.

“Independent physicians need new tools to grow strong, patient-centered practices, and Kareo’s Apple Watch App is another example of Kareo’s focus on helping physicians leverage innovative technology to drive their success,” said Dan Rodrigues, founder and CEO of Kareo. “With key practice and patient information accessible on their wrists, physicians are able to discreetly and efficiently provide updates to staff while staying focused on what matters most – the patient.”



Don’t Forget the Paper: Records and Policies


Another HIPAA breach settlement announcement and another lesson from the Department of Health and Human Services Office for Civil Rights (“OCR”). Cornell Prescription Pharmacy (“Cornell”) is a single location pharmacy located in Colorado that will pay OCR $125,000 to resolve allegations of a variety of HIPAA violations. When the facts of the circumstances are described, it will likely raise questions as to why the settlement was so low.


The issues at Cornell were revealed to OCR by a local news station. The station found paper-based protected health information disposed of in an unsecured dumpster generally accessible to the public. After receiving the report, OCR investigated Cornell. OCR’s investigation revealed that Cornell had no written policies in place to implement the HIPAA Privacy Rule, had conducted no training on Privacy Rule requirements, and had not reasonably safeguarded protected health information.


Despite all of these findings, as indicated above, Cornell only faces a $125,000 settlement amount in addition to the usual requirement to enter into a corrective action plan. It is interesting to note that on April 27, 2015 when the settlement was announced, the first Resolution Agreement posted showed a resolution payment of $767,520. No information has been provided to explain the reduction. One possible answer is that Cornell is a very small entity and may not have been able to afford the higher resolution amount. It would be beneficial to monitor for more information on this account.


As set forth in the settlement announcement, OCR wants every entity to know that it may be subject to HIPAA enforcement, including fines and penalties. A quote from OCR Director Jocelyn Samuels says it all: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by . . . unauthorized persons.” It is incumbent upon all organizations to implement appropriate policies and procedures to satisfy HIPAA requirements.


One of the more stunning aspects of the Cornell settlement was the revelation that Cornell had no written policies or procedures to comply with the Privacy Rule. This is slightly different from other settlements where OCR found inadequate or non-existent security policies. Arguably, privacy policies are easier to implement because the Privacy Rule provides a fairly comprehensive and clear-cut guide to what policies and procedures need to be in place. Additionally, unlike the Security Rule, the Privacy Rule does not require a risk analysis to determine which policies are needed.


While the statement about no policies being in place should be shocking, multiple surveys recently have found that a lack of knowledge about HIPAA is still fairly widespread. HIPAA in its original form has been around for almost 20 years at this point. Why is it that organizations still do not know what they need to do to comply? Is it unintentional lack of awareness or something more deliberate? No matter the reason, the government is clearly monitoring and looking for organizations that are not in compliance. The resolution amounts remain wildly unpredictable, but many statements have suggested that recent fines will pale in comparison to fines that will be levied in the future. It is better for organizations to get their houses in order at this point rather than having an audit uncover deficiencies. It will be a safe bet that any problems found in an audit will result in higher fines being assessed.



Network design considerations in evolving healthcare systems


Today’s healthcare systems are a far cry from the systems your mother knew. Today, healthcare is largely (and increasingly) data-driven, and a patient’s medical history lives in Electronic Medical Records (EMR) and Electronic Health Records (EHR). Those records need to be managed and transmitted effectively and securely between healthcare providers and other entities.

For the purposes of this discussion, ‘EMR’ refers to the medical data collected in a single provider’s office. An Electronic Health Record (EHR) is a broader data set that gives a longitudinal view of the patient across providers. Whether we’re talking about EMR or EHR, both are data sets containing the health information of individual patients, and both depend on an efficient network for transmitting those records.

The Effects of HIPAA

Of course, any EMR/EHR management system or network needs to comply with HIPAA, the Health Insurance Portability and Accountability Act of 1996. The “portability” in the title refers to insurance coverage; what matters for the network is HIPAA’s Administrative Simplification provisions and the Privacy, Security and Breach Notification Rules, which govern how protected health information is standardized, safeguarded and exchanged between providers, payers and their business associates.

That means the network used to transmit those records needs to encrypt them automatically. The Security Rule lists transmission encryption as an “addressable” specification rather than a fixed “level”, but for ePHI crossing a network there is rarely a defensible reason not to implement it, and data encrypted to the HHS guidance is “secured” PHI whose loss or interception does not trigger breach notification. Requiring clinic or hospital staff to encrypt manually at the desktop won’t work; the network and application stack (TLS on every connection, VPN tunnels between sites) need to do it without any interaction or direction from users.


This encryption, then, introduces overhead that takes additional network capacity, and is another consideration when implementing healthcare networks.
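The two paragraphs above say the network has to encrypt ePHI in transit without anyone at a desk remembering to. As an added example (my own code, not from the article or any product it mentions), here is what that looks like at the application layer with Python’s standard ssl module: a client context that refuses TLS 1.1 and older and always verifies the server certificate, a “legacy” context of the kind that appears after a certificate error was silenced, and an audit function that flags the settings a connection carrying ePHI must never have. Function names are assumptions; the optional ca_bundle path defaults to the system trust store.

```python
import socket
import ssl
from typing import List, Optional

# Added example, not from the article. Names are illustrative assumptions.

MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Context for every client connection that carries ePHI.
    ca_bundle: path to the organisation's CA file; None (assumed default)
    falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = MIN_TLS          # no SSLv3 / TLS 1.0 / TLS 1.1 handshakes
    ctx.check_hostname = True              # certificate must match the name we dialed
    ctx.verify_mode = ssl.CERT_REQUIRED    # and must chain to a trusted CA
    ctx.options |= ssl.OP_NO_COMPRESSION   # removes CRIME-style compression oracles
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """What integration code tends to look like after a certificate error was
    'fixed' by switching verification off. Present only so the audit has
    something to catch; never use it for ePHI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE        # any certificate accepted: trivially MITM-able
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context; an empty list means it meets the floor."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(f"minimum_version is {ctx.minimum_version.name}; TLS 1.2 or higher required")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the hostname")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings


def open_ephi_connection(host: str, port: int = 443) -> ssl.SSLSocket:
    """Wrap a TCP socket with the hardened context, auditing the very object
    the code path uses so a later 'quick fix' cannot silently weaken it.
    (host/port are assumed; this function needs network access.)"""
    ctx = hardened_client_context()
    findings = audit_tls_context(ctx)
    if findings:
        raise RuntimeError("refusing to send ePHI: " + "; ".join(findings))
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)
```

Recent Python versions already give create_default_context a TLS 1.2 floor; setting it explicitly records the intent and protects older interpreters. The audit is deliberately run on the live context object rather than on a policy document, because the setting that matters is the one the process actually connects with.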

Traffic and Bandwidth Management

If electronic transfer of EMR data is to become truly widespread, then the network will need to be truly available and useful at all times. In fact, this is not only a question of convenience and performance, but potentially has life-saving (or life-threatening) aspects. Because of this, the network connections transmitting that EMR data need to not only be built for availability, but for performance as well.

The size of a patient’s EMR/EHR varies widely and is determined by the amount of care the patient has received, the type of treatments given, and the data those treatments generated. For a patient with little or no treatment, the EHR can be as small as 1 MB, with the average closer to 40 MB. For patients with a significant amount of data and imagery (e.g., x-rays), it can grow to 3-5 GB. Multiply this by the number of patients an average city hospital has in its system at any one time (100,000 is not uncommon), and the storage and transfer requirements can be large.

Costs and the Clinic

EMR and EHR systems are expensive to implement, with large systems running well into the millions and small clinic-based systems into the tens of thousands. With those costs for the system alone, network costs can exacerbate an already expensive proposition.

According to HealthIT.gov, the average cost of installing an EHR system is $48,000 for an on-premise system and $58,000 for a SaaS-based one. Both require network access for accessing and transferring that data.

More Applications are On the Way

The use of technology in medicine is still, in many ways, quite limited. While there is of course a huge range of technologies involved in providing healthcare services, the back-office platforms of most healthcare systems pale by comparison.

But that’s changing as well, as mobile applications, computer-based diagnostics and telemedicine increase in scope and sophistication. These applications have great promise, but they also bring increased overhead to the health provider’s networks.

Meeting the Challenges

All of the requirements and challenges noted above have implications for your network architecture, but there are network management strategies and techniques that can help. Broadband bonding, for example, combines multiple smaller network links into a single larger connection. Likewise, WAN orchestration can make efficient use of network resources by prioritizing traffic and ensuring that critical data gets more bandwidth than less-critical applications.

The key is to stay ahead of the changes to come by implementing the right network management now, before the ever-increasing requirements placed on your network overwhelm your ability to keep up with them. It’s only through proactive design and implementation that your network will be able to keep pace with the changes that have not only taken place in the healthcare market, but are certain to keep coming for the foreseeable future.



As Health Apps Hop On The Apple Watch, Privacy Will Be Key


One day soon, you may be waiting in line for a coffee, eyeing a pastry, when your smart watch buzzes with a warning.


Flashing on the tiny screen of your Apple Watch is a message from an app called Lark, suggesting that you lay off the carbs for today. Speak into the Apple Watch's built-in mic about your food, sleep and exercise, and the app will send helpful tips back to you.


The notion of receiving nutrition advice from artificial intelligence on your wrist may seem like science fiction. But health developers like Lark are making a bet that Apple's first wearable device, the Apple Watch, will fly off the shelves and this kind of behavior will become the norm.

Lark is just one of over a dozen health developers with new apps for the Apple Watch, which ships to consumers this week. These apps range from medication management to a button that provides instant, virtual access to a doctor.


Apple has made no secret of its health and fitness plans for the Apple Watch. And in recent months, it has recruited medical experts to work on services like ResearchKit and HealthKit, which aim to open up the flow of health data between consumers, mobile developers and medical researchers.


But is Apple doing enough to protect the privacy of your sensitive health data?


In advance of the Apple Watch's release, the company has taken some steps to put you in control of how your data is shared. You can choose to share health information with third-party apps like Lark via Apple's Health app, which comes with the device. Your health data, collected via the Apple Watch or the iPhone, is stored in HealthKit on the device.

"Apple is leaving your HealthKit data on the device and not collecting it," said Morgan Reed, executive director at The App Association, a Washington, D.C., nonprofit that works with patient advocates and app developers.


According to Reed, this prevents third-party app developers from selling your health data without your consent.

"It also means that if an employer wants access to your health care information, they would have to demand that you give it to them," he said.


But it's still early days for the Apple Watch, and it remains to be seen whether health developers will follow Apple's privacy guidelines.

"We haven't had a developer ecosystem for a product like a smart watch," said Ben Bajarin, who specializes in consumer technology for Creative Strategies, a consulting firm. "This is [uncharted] territory."


A Message On The Wrist


Health app developers hope the Apple Watch will improve how doctors and patients communicate.


Imagine a doctor receiving a buzz on the wrist for an e-prescription request, which could be approved with a few taps. A patient could receive a similar alert when test results are available.


Developers are exploring these possibilities and more.

"We are predisposed to small changes on the skin. It was not that long ago — and is still the case in parts of the world — that mosquitoes used to kill us with a light touch," said Ron Gutman, chief executive of HealthTap, a website and mobile app for secure video calls with a doctor.


"It is so easy to turn off a notification from a website, but you can't ignore what's on your wrist," he said.

Gutman was so intrigued by Apple's smart watch that he developed three apps: one to help you manage your meds; another that connects you to a doctor with the touch of a button; and a third, which helps physicians reach new patients.


"Be prepared to take charge of your health information, and feel free to say no to sharing data with apps."

- Morgan Reed, executive director at The App Association

Managing Medications

For patients who are juggling a variety of meds — all with different dose requirements — an Apple Watch app that sends alerts to the wrist could prove useful.


WebMD, used by millions of people to check their medical symptoms, tossed around a bunch of ideas before settling on medication adherence.


"All we wanted is for the user to be reminded that it's time to take their medication, and then quickly tell us whether they plan to take it or skip it or snooze," said Ben Greenberg, who heads up WebMD's mobile products. "That interaction demands so little." The app also instructs people whether to take their medication with food, or at a certain time of day.


Other companies that are developing medication adherence apps for the Apple Watch include MangoHealth, which can also tell you how well you've managed your prescriptions over time, and pharmacy giant Walgreens.


Appealing To Doctors


Some app developers hope that doctors will flock to buy the Apple Watch to help them manage an overload of patient information.

"Doctors are finally getting amazing hardware that just works, and they're willing to pay a premium for it," said Daniel Kivatinos, cofounder of Drchrono, an electronic medical record company.


Using Drchrono's app for the watch, a doctor can receive alerts, such as when a patient has arrived at their office.


The watch could prove useful in helping doctors communicate with each other about tricky medical cases. Doximity, the Facebook for doctors, has developed a secure app that care providers can use to dictate notes, send messages and receive notifications that a fax has arrived.


But the Apple Watch's appeal may be limited to certain specialties, such as family physicians and dermatologists. Surgeons routinely remove their rings and watches before procedures, to ensure their hands stay sterile.


Moreover, doctors will need to do the work to ensure that apps they use are taking adequate steps to protect patient data. Apps may say that they are meeting privacy requirements, but most aren't properly vetted. The government has long been concerned about the proliferation of mobile health apps that make false or misleading medical claims.


Opportunities And Challenges


Privacy experts and policymakers have been worried about developers that collect and sell personal health information.


The U.S. Federal Trade Commission concluded in a recent study that developers of 12 mobile health and fitness apps were sharing user information with 76 different parties, such as advertisers.


Apple has responded to some of these fears by barring developers from selling health data collected via Apple devices to advertisers. After some high-profile hacks of celebrities' accounts, Apple also forbade developers to store sensitive health information in iCloud.

"Apple has clear privacy rules, but consumers should still be on guard," said Reed from the App Association. "Be prepared to take charge of your health information, and feel free to say no to sharing data with apps."



Stage 3 Meaningful Use: Breaking Down HIPAA Rules


CMS released its Stage 3 Meaningful Use proposal last month, with numerous aspects that covered entities (CEs) need to be aware of and pay attention to. While the proposal has a large focus on EHR interoperability, it continues to build on the previously established frameworks in Stage 1 and Stage 2 – including keeping patient information secure.


HIPAA rules and regulations cannot be thrown out the window as CEs work toward meeting Meaningful Use requirements. We’ll break down the finer points of Stage 3 Meaningful Use as they relate to data security, and how organizations can remain HIPAA compliant while also making progress in the Meaningful Use program.


Stage 3 further protects patient information


One of the top objectives for Stage 3 Meaningful Use is to protect patient information. New technical, physical, and administrative safeguards are recommended that provide more strict and narrow requirements for keeping patient data secure.


The new proposal addresses how the encryption of patient electronic health information continues to be essential for the EHR Incentive Programs. Moreover, it explains that relevant entities will need to conduct risk analysis and risk management processes, as well as develop contingency plans and training programs.


In order to receive EHR incentive payments, covered entities must perform a security risk analysis. However, these analyses must go beyond just reviewing the data that is stored in an organization’s EHR. CEs need to address all electronic protected health information they maintain.


It is also important to remember that installing a certified EHR does not fulfill the Meaningful Use security analysis requirement. This security aspect ensures that all ePHI maintained by an organization is reviewed.  For example, any electronic device – tablets, laptops, mobile phones – that store, capture or modify ePHI need to be examined for security.

“Review all electronic devices that store, capture, or modify electronic protected health information,” states the ONC website. “Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”


It is also important to regularly review the existing security infrastructure, identify potential threats, and then prioritize the discovered risks. For example, a risk analysis could reveal that an organization needs to update its system software, change the workflow processes or storage methods, review and modify policies and procedures, schedule additional training for your staff, or take other necessary corrective action to eliminate identified security deficiency.

A full security risk analysis does not need to be redone from scratch every year. Perform the complete analysis when the EHR is adopted; then review and update it at least once per EHR reporting period, and whenever the facility changes its setup or alters its electronic systems, so that it reflects any change in risk. The HIPAA Security Rule separately requires the analysis to be kept current on an ongoing basis, independent of the incentive program.


Stage 3 works with HIPAA regulations


In terms of patient data security, it is important to understand that the Stage 3 Meaningful Use rule works with HIPAA; the two complement one another.


“Consistent with HIPAA and its implementing regulations, and as we stated under both the Stage 1 and Stage 2 final rules (75 FR 44368 through 44369 and 77 FR 54002 through 54003), protecting ePHI remains essential to all aspects of meaningful use under the EHR Incentive Programs,” CMS wrote in its proposal. “We remain cognizant that unintended or unlawful disclosures of ePHI could diminish consumer confidence in EHRs and the overall exchange of ePHI.”

As EHRs become more common, CMS explained that protecting ePHI becomes more instrumental in the EHR Incentive Program succeeding. However, CMS acknowledged that there had been some confusion in the previous rules when it came to HIPAA requirements and requirements for the meaningful use core objective:


For the proposed Stage 3 objective, we have added language to the security requirements for the implementation of appropriate technical, administrative, and physical safeguards. We propose to include administrative and physical safeguards because an entity would require technical, administrative, and physical safeguards to enable it to implement risk management security measures to reduce the risks and vulnerabilities identified.


CMS added that even as it worked to clarify security requirements under Stage 3, their proposal was not designed “to supersede or satisfy the broader, separate requirements under the HIPAA Security Rule and other rulemaking.”


For example, the CMS proposal narrows the requirements for a security risk analysis in terms of meaningful use requirements. Stage 3 states that the analysis must be done when CEHRT is installed or when a facility upgrades to a new certified EHR technology edition. From there, providers need to review the CEHRT security risk analysis, as well as the implemented safeguards, “as necessary, but at least once per EHR reporting period.”


However, CMS points out that HIPAA requirements “must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits” in all electronic forms.


Working toward exchange securely


The Stage 3 Meaningful Use proposal encourages CEs to work toward health information exchange and to focus on better health outcomes for patients. As healthcare facilities work toward both of these goals, it is essential that health data security still remains a priority and that PHI stays safe.


While HIPAA compliance ensures that CEs avoid any federal fines, it also ensures that those facilities are keeping patient information out of the wrong hands. The right balance needs to be found between health information security and health information exchange.



ONC releases updated privacy and security guide


The Office of the National Coordinator (ONC) released the revised “Guide to Privacy and Security of Electronic Health Information” on April 13 to help organizations integrate federal health information privacy and security requirements.

The guide is geared toward HIPAA covered entities and Medicare eligible professionals from smaller organizations. The updated version features information about compliance with the privacy and security requirements of CMS’ Electronic Health Record (EHR) Incentive Programs as well as compliance with HIPAA Privacy, Security, and Breach Notification Rules.

The guide covers such topics as:

  • Increasing patient trust through privacy and security
  • Provider responsibilities under HIPAA
  • Health information rights of patients
  • Securing patient information in EHRs
  • Meaningful Use core objectives that address privacy and security
  • A seven-step approach for implementing a security management process
  • Breach notification and HIPAA enforcement


