HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk Management Articles, Tips and Updates for Medical Practices and Physicians

Will 2016 be Another Year of Healthcare Breaches?

As I listened to a healthcare data security webinar from a leading security vendor, I had to ask: “Are we now experiencing a ‘New Normal’ of complacency with healthcare breaches?” The speaker’s reply: “The only time we hear from healthcare stakeholders is AFTER they have been compromised.”

This did not surprise me. I have seen this trend across the board throughout the healthcare industry. The growing number of cyberattacks and breaches is further evidence that there is a ‘New Normal’ of security acceptance — a culture of ‘it-is-what-it-is.’ After eye-popping headlines reveal that household names were compromised, one would think security controls would be at the forefront of every healthcare action list. Why, then, are we seeing more reports of healthcare breaches year after year?

This idea comes from the fact that, due to a lack of enforcement, acceptable penalties, and a culture of risk mitigation, more breaches are to be expected in the healthcare industry. Until stricter enforcement and penalties are implemented, breaches will continue throughout the industry.

The Office for Civil Rights (OCR), the agency overseeing HIPAA for the Department of Health and Human Services, originally scheduled HIPAA security audits to begin in October 2014. Unfortunately, very few audits have occurred because the agency is woefully understaffed for its mandate covering the healthcare industry, which accounts for more than 17 percent of the U.S. economy.

Why Sweat a Breach?

Last September, newly appointed OCR deputy director of health information privacy Deven McGraw announced the launch of random HIPAA audits. In 2016, 200 to 300 covered entities are expected to undergo a HIPAA audit, with at least 24 on-site audits anticipated. However, this figure accounts for less than one percent of all covered entities — not much of an incentive for a CIO/CISO to request additional resources dedicated to cybersecurity.

Organizations within the industry are approaching cybersecurity from a cost/benefit perspective rather than considering how a breach affects individual patients. For payers that have been compromised, where will their larger customers go anyway? Is it really worth a customer’s effort to lift-and-shift 30,000, 60,000 or 100,000 employee health plans to another payer in the state? This is similar to the financial services industry’s routine when an individual’s credit card has been compromised and replaced, or when individuals want to close a bank account due to poor service: does anyone really want to go through the frustration of starting over with an unknown company?

For some of the better-known breaches, class-action lawsuits can take years to adjudicate. By then, an individual’s protected health information (PHI) and personally identifiable information (PII) have already been shared on the cybercriminal underground market. In the meantime, customers receive their free two years’ worth of personal security monitoring and protection. Problem solved. Right?

The Cost of Doing Business?

When violations occur, the penalties can sting, but they are simply considered part of the cost of doing business. In March 2012, Triple-S of Puerto Rico and the U.S. Virgin Islands, an independent licensee of the Blue Cross Blue Shield Association, agreed to a $3.5 million HIPAA settlement with HHS. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million fine, only to have another HIPAA violation in January 2015.

As of December 2015, the total number of data breaches for the year was 690, exposing 120 million records. However, organizations are unlikely to be penalized unless they fail to show they have steps in place to prevent attacks. If an organization does not have a plan to respond to a lost or stolen laptop, OCR may find areas for fines, but this can be a difficult process. Essentially, whether a fine follows a cyberattack or breach is relative.

A more recent $750,000 fine with Cancer Care Group was settled in September 2015, but the incident occurred in August 2012 — nearly three years earlier. A 2010 breach reported by New York-Presbyterian Hospital and Columbia University wasn’t settled until 2014, for $4.8 million. Lahey Hospital and Medical Center’s 2011 violation was only settled in November 2015, for $850,000. With settlements taking place several years after an event, settling may appear to be a legitimate risk assessment, further reinforcing the ‘New Normal’ of cybersecurity acceptance.

At one HIMSS conference, the speaker emphasized to a Florida hospital the need to enforce security controls. They replied, “If we had to put into place the expected security controls, we would be out of business.”

Simply put: the risks of a breach and a related fine do not outweigh the perceived costs of enhancing security controls. For now, cybersecurity professionals may want to keep their cell phones next to the nightstand.

Guillaume Ivaldi's curator insight, April 2, 2016 10:18 AM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...
Elisa's curator insight, April 2, 2016 5:47 PM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...
The UCLA Health System Data Breach: How Bad Could It Be…?

Just hours ago, a Los Angeles Times report broke the news that hackers had broken into the UCLA Health System, creating a data breach that may affect 4.5 million people. This may turn out to be one of the biggest breaches of its kind in a single patient care organization to date, in the U.S. healthcare system. And it follows by only a few months the enormous data breach at Anthem, one of the nation’s largest commercial health insurers, a breach that has potentially compromised the data of 4.5 million Americans.


The L.A. Times report, by Chad Terhune, noted that “The university said there was no evidence yet that patient data were taken, but it can't rule out that possibility while the investigation continues.” And it quoted Dr. James Atkinson, interim president of the UCLA Hospital System, as saying, “We take this attack on our systems extremely seriously. For patients that entrust us with their care, their privacy is our highest priority; we deeply regret this has happened.”


But Terhune also was able to report a truly damning fact. He writes, “The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.” And he quotes Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas, as saying, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.”


What’s startling is that the breach at the Indianapolis-based Anthem, revealed on Feb. 5, and which compromised the data of up to 80 million health plan members, shared two very important characteristics with the UCLA Health breach, so far as we know at this moment, hours after the UCLA breach. Both were created by hackers; and both involved unencrypted data. That’s right—according to the L.A. Times report, UCLA Health’s data was also unencrypted.


Unencrypted? Yes, really. And the reality is that, even though the majority of patient care organizations do not yet encrypt their core, identifiable, protected health information (PHI) within their electronic health records (EHRs) when not being clinically exchanged, this breach speaks to a transition that patient care organizations should consider making soon. That is particularly so in light of the Anthem case. Indeed, as I noted in a Feb. 9 blog on the subject, “[A]s presented in one of the class action lawsuits just recently filed against it,” the language of that suit “contains the seeds of what could evolve into a functional legal standard on what will be required for health plans—and providers—to avoid being hit with multi-million-dollar judgments in breach cases.”


As I further stated in that blog, “I think one of the key causes in the above complaint [lawsuits were filed against Anthem within a few days of the breach] is this one: ‘the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others.’ In other words, simply by signing up, or being signed up by their employers, with Anthem, for health insurance, health plan members are relying on Anthem to fully safeguard their data, and a significant data breach is essentially what is known in the law as a tort.”


Now, I am not a torts or personal injury lawyer, and I don’t even play one on TV. But I can see where the failure to encrypt core PHI within EHRs may soon become a legal liability.


Per that, just consider a March 20 op-ed column in The Washington Post by Andrea Peterson, with the quite-compelling headline, “2015 is already the year of the health-care hack—and it’s going to get worse.” In it, Peterson, who, according to her authoring information at the close of the column, “covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government,” notes that “Last year, the fallout from a string of breaches at major retailers like Target and Home Depot had consumers on edge. But 2015 is shaping up to be the year consumers should be taking a closer look at who is guarding their health information.” Indeed, she notes, “Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post.” Well, at this point, that figure would now be about 124.5 million, if the UCLA Health breach turns out to be as bad as one imagines it might be.


Indeed, Peterson writes, “Most breaches of data from health organizations are small and don't involve hackers breaking into a company's computer system. Some involve a stolen laptop or the inappropriate disposal of paper records, for example -- and not all necessarily involve medical information. But hacking-related incidents disclosed this year have dramatically driven up the number of people exposed by breaches in this sector. When Anthem, the nation's second-largest health insurer, announced in February that hackers broke into a database containing the personal information of nearly 80 million records related to consumers, that one incident more than doubled the number of people affected by breaches in the health industry since the agency started publicly reporting on the issue in 2009.”


And she quotes Rachel Seeger, a spokesperson for the Office for Civil Rights in the Department of Health and Human Services, as saying in a statement, following the Anthem breach, “These incidents have the potential to affect very large numbers of health care consumers, as evidenced by the recent Anthem and Premera breaches."


So this latest breach is big, and it is scary. And it might be easy (and lazy blogging and journalism) to describe this UCLA Health data breach as a “wake-up call”; but honestly, we’ve already had a series of wake-up calls in the U.S. healthcare industry over the past year or so. How many “wake-up calls” do we need before hospitals and other patient care organizations move to impose strong encryption regimens on their core sensitive data? The mind boggles at the prospects for the next 12 months in healthcare—truly.

CFO Gets Prison Time for HITECH Fraud

A former Texas hospital CFO has been sentenced to 23 months in federal prison for submitting false documents so a medical center could receive payments under the HITECH Act electronic health records financial incentive program.


In addition to his prison sentence, Joe White, former CFO of the now-shuttered Shelby Regional Medical Center in East Texas, was ordered to pay restitution of nearly $4.5 million to the HITECH incentive payment program.


Court documents indicate that to help pay the restitution, White has been ordered to liquidate an IRA account and an annuity, which as of November 2014, had respective balances of about $115,000 and $2,500.


White, 68, of Cameron, Texas, pleaded guilty on Nov. 12, 2014, to making false statements in November 2012 to the Centers for Medicare and Medicaid Services that Shelby Regional Medical Center was a meaningful user of EHRs, when the hospital actually was primarily using paper records, according to the Department of Justice.


To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAA security risk assessment.

Case Details

In a statement issued by the FBI on June 18, U.S. attorney John Bales said, "The EHR incentive program was designed to enhance the delivery of excellent medical care to all Americans and especially for those citizens who live in underserved, rural areas like Shelby County. There is no doubt that Mr. White understood that purpose and yet, he intentionally decided to steal taxpayer monies and in the process, undermine and abuse this important program."


According to information presented in court, White was CFO for Shelby Regional as well as other hospitals owned and operated by Tariq Mahmood, M.D., of Cedar Hill, Texas.


The 54-bed Shelby Regional closed last year amidst legal issues involving Mahmood, who was indicted by a federal grand jury on April 11, 2013. He was charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.


Court documents indicate that Mahmood was sentenced on April 14 to 135 months in federal prison, and also ordered to pay restitution totaling nearly $100,000 to CMS, the Texas Department of Health and Human Services and Blue Cross Blue Shield.


White oversaw the implementation of EHRs for Shelby Regional and was responsible for attesting to the meaningful use of the EHRs to qualify to receive HITECH incentive payments from Medicare, according to the FBI.


As a result of White's false attestation, Shelby Regional Medical Center received nearly $786,000 from Medicare, the FBI statement says. In total, hospitals owned by Mahmood were paid more than $16 million under the Medicare and Medicaid EHR incentive program, the FBI says.


A Justice Department spokeswoman tells Information Security Media Group that the $4.5 million restitution that White was ordered to pay represents the EHR incentive money Shelby Regional received from CMS under false attestation, as well as EHR incentive money that other hospitals owned by Mahmood, for which White was also CFO, received from CMS. While White did not personally receive the incentive money from CMS, "restitution is mandatory pursuant to the Mandatory Victim Restitution Act of 1996," she explains, citing 18 USC 3663A(a)(1), which says, "Notwithstanding any other provision of law, when sentencing a defendant convicted of an offense described in subsection (c), the court shall order, in addition to...any other penalty authorized by law, that the defendant make restitution to the victim of the offense. ..."

More Cases to Come?

Healthcare attorney Brad Rostolsky of the law firm Reed Smith says that although most healthcare professionals and organizations participating in the HITECH meaningful use incentive program are trying to play by the rules, federal regulators must be on the look-out for potential fraudsters, considering the billions of dollars in incentives being paid.


"My sense is that the large majority of institutional and small/solo practice providers appreciate the context in which these meaningful use attestations are being made, and they focus on ensuring that the attestations are true and accurate," he says. "That said, in situations where the facts are as they are [in the Joe White case], it would not surprise me if the government continues to be aggressive in its enforcement."


Attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he expects federal authorities will file more HITECH criminal cases. "The sense we have gotten from public statements by OIG and others involved in prosecuting healthcare fraud violations is that there are a number of investigations ongoing to determine if there has been fraud in obtaining funds through the EHR incentive payment program," he says.


Holtzman suggests that those organizations that have received HITECH incentives must keep thorough documentation to prove they met all the requirements.


"The key is to keep detailed documentation of the information that was used to support the representations in the attestation for seven years," he says. "An individual or organization can avoid criminal culpability through showing that a reasonable effort was made to support a belief that the provider or hospital had met the meaningful use requirements and was therefore eligible for receiving EHR incentive payments."

HITECH Audits

While criminal cases related to the HITECH Act EHR incentive program have been rare, federal regulators have been ratcheting up their audits of healthcare entities attesting to "meaningful use" of EHRs.


Among those selected was Temple University Health System in Philadelphia, which recently passed an audit for meaningful use compliance at one of its hospitals, says CISO Mitch Parker. The area of attestation most closely scrutinized by CMS auditors was Temple's HIPAA security risk assessment, he says.


"You can't skimp on the risk assessment. That's the first and foremost item that they look for," he says. "And it can't be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours."

EHR Vendor Target of Latest Hack

Web-based electronic health record vendor Medical Informatics Engineering, and its personal health records subsidiary, NoMoreClipBoard, say a cyber-attack has resulted in a data breach affecting some healthcare clients and an undisclosed number of patients.


In a statement, Medical Informatics Engineering says that on May 26, it discovered suspicious activity on one of its servers.


A forensics investigation by the company's internal team and an independent forensics expert determined that a "sophisticated cyber-attack" involving unauthorized access to its network began on May 7. The breach resulted in the compromise of protected health information relating to certain patients affiliated with certain clients, the company says.


"We emphasize that the patients of only certain clients of Medical Informatics Engineering were affected by this compromise and those clients have all been notified," the company says. Clients include: Concentra, a nationwide chain of healthcare clinics; Fort Wayne (Ind.) Neurological Center; Franciscan St. Francis Health Indianapolis; Gynecology Center, Inc. Fort Wayne; and Rochester Medical Group, Rochester Hills, Mich.


Information exposed in the breach affecting the Web-based EHR system includes the patient's name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports and medical conditions. "No financial or credit card information has been compromised, as we do not collect or store this information," the company says.

PHR Also Breached

Medical Informatics Engineering says it also determined that the cyber-attack compromised PHI of its NoMoreClipboard subsidiary, which serves patients who assemble personal health records. A separate notice was issued for affected clients and patients. Information exposed for individuals who use a NoMoreClipboard portal/personal health record, includes name, home address, username, hashed password, security question and answer, email address, date of birth, health information and Social Security number.


"We strongly encourage all NoMoreClipboard users to change their passwords," the company says in its statement. "We also strongly encourage everyone to use different passwords for each of their various accounts. Do not use the same password twice. The next time a NoMoreClipboard user logs in, we will prompt a password change."

As part of the password change process, the company says it will send a five-digit PIN code to a cell phone, via an automated phone call, or to an email address already associated with the NoMoreClipboard account. "Users will have to enter this five-digit code to reset their password," the company says. "We are also emailing NoMoreClipboard users to encourage this password change."
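The breach response described above (salted, hashed password storage; every user forced through a password change; the change gated by a five-digit code delivered out of band by phone or email) is a pattern worth seeing end to end. The following is an added example written for this page, not NoMoreClipboard's or Medical Informatics Engineering's own software. The ten-minute code lifetime, the five-attempt cap, the PBKDF2 iteration count and the class and function names are all assumptions. The point a practitioner should take from it is the caveat in the code: a five-digit code has only 100,000 possible values, so the expiry and the attempt cap are what make it safe, not the code itself.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed example (not NoMoreClipboard's code): a breach-response password
# reset gated by a short-lived five-digit code. Policy values are assumptions.
CODE_TTL_SECONDS = 10 * 60   # a code is only valid for ten minutes (assumed policy)
MAX_CODE_ATTEMPTS = 5        # five wrong guesses discard the code (assumed policy)
PBKDF2_ITERATIONS = 200_000  # placeholder work factor; tune to the deployment's hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; a fresh salt per password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class ResetCodeStore:
    """Pending reset codes: one per user, single use, expiring, attempt-limited.

    A five-digit code has only 100,000 possible values, so the TTL and the
    attempt cap are the real protection against guessing, not the code length.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                  # injectable clock so expiry can be tested
        self._pending: Dict[str, dict] = {}

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(100_000):05d}"  # CSPRNG, zero-padded to five digits
        self._pending[user] = {"code": code,
                               "expires": self._clock() + CODE_TTL_SECONDS,
                               "attempts_left": MAX_CODE_ATTEMPTS}
        return code  # delivered out of band (voice call, SMS or e-mail), never shown in-app

    def redeem(self, user: str, code: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]          # expired codes are discarded, not retried
            return False
        if not hmac.compare_digest(entry["code"].encode(), code.encode()):
            entry["attempts_left"] -= 1
            if entry["attempts_left"] <= 0:
                del self._pending[user]      # guess budget spent: a new code must be requested
            return False
        del self._pending[user]              # a correct code is single use
        return True


class Accounts:
    """Minimal account store with a breach-response 'must reset' flag."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.users: Dict[str, dict] = {}
        self.codes = ResetCodeStore(clock)

    def create(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[user] = {"salt": salt, "hash": digest, "must_reset": False}

    def flag_all_for_reset(self) -> None:
        """After the credential database is compromised, force every user through a reset."""
        for record in self.users.values():
            record["must_reset"] = True

    def login(self, user: str, password: str) -> str:
        record = self.users.get(user)
        if record is None or not verify_password(password, record["salt"], record["hash"]):
            return "denied"
        if record["must_reset"]:
            return "reset_required"          # password is right, but the app must prompt a reset
        return "ok"

    def start_reset(self, user: str) -> Optional[str]:
        if user not in self.users:
            return None                      # the user-facing message should not differ from the found case
        return self.codes.issue(user)

    def complete_reset(self, user: str, code: str, new_password: str) -> bool:
        record = self.users.get(user)
        if record is None or not self.codes.redeem(user, code):
            return False                     # the code is checked first, so nothing about the old password leaks
        if verify_password(new_password, record["salt"], record["hash"]):
            return False                     # re-using the compromised password defeats the reset
        record["salt"], record["hash"] = hash_password(new_password)
        record["must_reset"] = False
        return True
```

Note that a rejected new password consumes the code, so the user has to request another one; that is deliberate, since the code is the only thing proving the request came through the out-of-band channel.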


Medical Informatics Engineering says the breach has been reported to law enforcement, including the FBI, and the company is cooperating with the investigation. Upon discovering the breach, the company says it "immediately began an investigation to identify and remediate any identified security vulnerability."


Medical Informatics Engineering and its NoMoreClipBoard subsidiary are offering affected individuals free credit monitoring and identity protection services for the next 24 months.


The company did not immediately reply to a request for comment.

Going After Patient Data

This incident shows that any healthcare-related company or business associate is a target for attackers, says security and privacy expert Kate Borten, founder and CEO of The Marblehead Group consultancy.

"Assuming the attack was targeted, this is just another example of going after a big chunk of patient data," she says. "I don't think it matters to an attacker whether the company is a health plan/insurer or a health information exchange, or a provider. It's just an organization with a significant volume of PHI."

Kareo Announces Apple Watch App To Improve Medical Practice Efficiency

Kareo, the leading provider of cloud-based medical office software for independent medical practices, today announced the launch of its Apple Watch App. Kareo’s most recent innovation extends the functionality of the company’s EHR to Apple Watch, streamlining care delivery and enhancing the patient experience by improving communications, reducing patient wait times, and increasing practice efficiency.


Kareo is launching this new Apple Watch App in response to the growing demands on physicians to increase their focus on all aspects of patient engagement. “Physicians are on their feet attending to the needs of patients for the majority of the day, leaving little time to check their schedules and prepare for the next appointment,” said Dr. Tom Giannulli, CMIO of Kareo. “Recognizing this demanding care delivery environment, Kareo’s Apple Watch App will help doctors better manage their schedule while enabling enhanced communication throughout the day, improving their ability to deliver a great patient experience.”

Kareo’s Apple Watch App provides the most relevant, practice-oriented information necessary to improve care and increase practice efficiency. Key functionalities of the App include:


  • Secure messaging that allows the user to send, reply, and read messages via dictation. Messages can be sent to staff or patients using Kareo’s secure messaging system, improving overall patient engagement and practice communication.
  • An agenda that allows the provider to quickly reference their schedule and see the status of appointments checked-in, no show, late, checked out, etc., helping reduce wait times and improve practice efficiency.
  • Appointment reminders that can be sent five minutes before the next scheduled appointment. The notification subtly vibrates the watch, indicating that the doctor has an impending appointment.
  • Appointment information that is accessible within a notification or through the agenda, allowing the provider to review details such as the patient’s name, time of appointment, visit type, and reason for the visit.
  • “I’m Running Late” pre-set messages that allow the doctor to inform other staff members when they are running behind and how much longer they expect to be. This improves practice communication and enables the front desk to give patients a more accurate wait time estimate.
  • Apple “Glances” that provide a quick overview of key practice metrics, including how many patients are scheduled throughout the day, how many patients are waiting to be seen, and which patients are currently waiting in an exam room.


All features of Kareo’s Apple Watch App are HIPAA compliant and secure, ensuring all data are private, yet easily accessible.

“Independent physicians need new tools to grow strong, patient-centered practices, and Kareo’s Apple Watch App is another example of Kareo’s focus on helping physicians leverage innovative technology to drive their success,” said Dan Rodrigues, founder and CEO of Kareo. “With key practice and patient information accessible on their wrists, physicians are able to discreetly and efficiently provide updates to staff while staying focused on what matters most – the patient.”


Health Research Bill Would Alter HIPAA

Some privacy experts are concerned that a bipartisan 21st Century Cures bill, as drafted, would weaken HIPAA privacy protections for patient information. The measure, among other things, is designed to help the medical community speed up the development of new drugs and treatments.


A discussion draft unveiled on April 29 proposes that the Secretary of the Department of Health and Human Services would "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under the current HIPAA Privacy Rule, PHI is allowed to be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If a proposed provision in the draft legislation is signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved.

The draft was jointly issued by Fred Upton, R-Mich., chairman of the House Energy and Commerce Committee, Rep. Diana DeGette, D-Col., ranking member of the Oversight and Investigations Subcommittee, and several other Republican and Democratic House members. Work on the legislation began a year ago, and a markup version of the bill, which covers a broad range of topics, is expected this week.

"Most significantly, the bill would require HHS to revise the HIPAA regulations so that uses and disclosures for research are treated the same as uses and disclosures for a covered entity's own healthcare operations, as long as any disclosures go to a HIPAA covered entity or business associate," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"This seems to mean that such research uses and disclosures could occur without an individual's authorization or an Institutional Review Board's or Privacy Board's waiver of authorization," he says. Essentially, research uses and disclosures would only be restricted by the 'minimum necessary' standard, he says. The HIPAA Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the "minimum necessary" to accomplish the intended purpose.

Easing Research

Backers of the bill say it's needed because it has the potential of helping to knock down barriers to advancing medical innovation and treatment, including tapping breakthroughs in molecular medicine, genomics and related health technologies.


"For the first time ever, we in Congress are going to take a comprehensive look at what steps we can take to accelerate the pace of cures in America," DeGette says in a statement. "We are looking at the full arc of this process - from the discovery of clues in basic science, to streamlining the drug and device development process, to unleashing the power of digital medicine and social media at the treatment delivery phase."


A source at the Energy and Commerce Committee says the markup of the bill is expected on May 14. "We are very careful to limit the potential to use PHI for research purposes only to covered entities and business associates working for covered entities - trusted organizations that have a relationship with the individual and that are already allowed to use PHI to improve care," the source says. "The committee wants those covered entities to not only improve care in their own institution, but be able to publish the findings of their research - without disclosing any identifiable PHI, of course. The bill ensures that PHI used for research is fully covered by the protections of the HIPAA privacy, security and breach reporting rules."


But some privacy experts say the bill goes too far in potentially removing patient privacy protections when it comes to the use of PHI for research.


The privacy provisions, as they appear in the draft bill, "roll back essential protections of the control that patients have over how their information is used and disclosed," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Because PHI used for research could involve genetic information, the [research exemption] could potentially provide [use and disclosure] of information on the genetic traits of family members. Once that data is out, you can't get it back."

Other Privacy Provisions

The bill also proposes providing individuals with one-time authorization that would allow the use and disclosure of their PHI for future research purposes.


"In cases where the covered entity or business associate needs an authorization, it would require HHS to put its interpretation into regulation that an authorization can encompass future research studies," Greene says. "The bill's proposals appear to further expand the authority to use and disclose protected health information for research and codify in regulation a recent HHS interpretation allowing an advanced authorization for future research."


While HHS indicated in the HIPAA Omnibus Rule commentary that an authorization may authorize uses and disclosures of protected health information for future research studies, Greene says, "this bill would require HHS to put this into the HIPAA regulations themselves."

Deborah C. Peel, M.D., founder of Patient Privacy Rights, an advocacy group, tells Information Security Media Group the future-research proposal is "a very bad idea," adding "no data should ever be used except for a single purpose. It's especially bad because today we have no 'chain of custody' for our health data. It's impossible to know where in the world it is or how it's being used. The risks of today's ubiquitous data surveillance and collection systems are unknown. When has it ever been smart to agree to something you have no understanding of?"


Another provision in the draft bill would give researchers remote access to PHI maintained by a covered entity if "appropriate security and privacy safeguards are maintained by the covered entity and the researcher, and the protected health information is not copied or otherwise retained by the researcher."


Greene says that in cases where the disclosure of PHI is to a researcher that is not a covered entity or business associate, "the statute would broaden the permission for disclosing protected health information preparatory to research, allowing a covered entity to grant remote access to the researcher, rather than requiring that the review occurs at the facility."


Additionally the bill would make changes regarding PHI used in paid research. "The proposed bill appears to also allow covered entities and business associates to receive remuneration, such as payments, in exchange for disclosing protected health information for research," Greene notes. "Currently, such payment would be limited to the reasonable cost for preparation and transmittal of the protected health information."


The remuneration proposal also diminishes patients' control over how their PHI is used for paid research, Holtzman says. "The proposals remove key reforms in the HITECH Act [HIPAA Omnibus final rule] that require specific [patient] authorization for disclosures of information when money is changing hands," Holtzman says. "That [HITECH provision] is to give an individual a choice when there is remuneration involved. The proposal would roll back important rights requiring patient permission when their health information is disclosed in exchange for payment."

More Scrutiny Needed

Holtzman says he hopes the provisions in the draft bill are thoroughly vetted before the legislation progresses further. "This document appears to be in the early stages. I trust that the privacy community would undergo exhaustive debate and review of this document as it develops."


Greene predicts that the proposal "may garner strong views from both the research community and privacy advocates, with researchers perhaps indicating that HIPAA is standing in the way of good research and that these changes are necessary, while some privacy advocates may claim that these changes go too far in allowing uses and disclosures without an individual's consent or authorization."

Peel, the consumer advocate, contends: "These new provisions are really out-of-date and clearly designed for paper consents - a total nightmare."


Under the current language in the bill, HHS would be required to make the changes to HIPAA "not later than 12 months after the date of the enactment of the Act."



Stage 3 Meaningful Use: Breaking Down HIPAA Rules


CMS released its Stage 3 Meaningful Use proposal last month, with numerous aspects that covered entities (CEs) need to be aware of and pay attention to. While the proposal has a large focus on EHR interoperability, it continues to build on the previously established frameworks in Stage 1 and Stage 2 – including keeping patient information secure.


HIPAA rules and regulations cannot be thrown out the window as CEs work toward meeting meaningful use requirements. We’ll break down the finer points of Stage 3 Meaningful Use as it relates to data security, and how organizations can remain HIPAA compliant while also making progress in the Meaningful Use program.


Stage 3 further protects patient information


One of the top objectives for Stage 3 Meaningful Use is to protect patient information. New technical, physical, and administrative safeguards are recommended that impose stricter and narrower requirements for keeping patient data secure.


The new proposal addresses how the encryption of patient electronic health information continues to be essential for the EHR Incentive Programs. Moreover, it explains that relevant entities will need to conduct risk analysis and risk management processes, as well as develop contingency plans and training programs.


In order to receive EHR incentive payments, covered entities must perform a security risk analysis. However, these analyses must go beyond just reviewing the data that is stored in an organization’s EHR. CEs need to address all electronic protected health information they maintain.


It is also important to remember that installing a certified EHR does not fulfill the Meaningful Use security analysis requirement. This security aspect ensures that all ePHI maintained by an organization is reviewed. For example, any electronic device – tablet, laptop, mobile phone – that stores, captures or modifies ePHI needs to be examined for security.

“Review all electronic devices that store, capture, or modify electronic protected health information,” states the ONC website. “Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”


It is also important to regularly review the existing security infrastructure, identify potential threats, and then prioritize the discovered risks. For example, a risk analysis could reveal that an organization needs to update its system software, change its workflow processes or storage methods, review and modify policies and procedures, schedule additional training for staff, or take other corrective action to eliminate the identified security deficiencies.

A full security risk analysis does not need to be repeated from scratch every year. CEs must conduct one when they adopt certified EHR technology or upgrade to a new edition, and must then review it, together with the safeguards it led to, at least once per EHR reporting period. When a facility changes its setup or makes alterations to its electronic systems, it is also time to review the analysis and update it for any resulting change in risk.


Stage 3 works with HIPAA regulations


In terms of patient data security, it is important to understand that the Stage 3 Meaningful Use rule works with HIPAA – the two complement one another.


“Consistent with HIPAA and its implementing regulations, and as we stated under both the Stage 1 and Stage 2 final rules (75 FR 44368 through 44369 and 77 FR 54002 through 54003), protecting ePHI remains essential to all aspects of meaningful use under the EHR Incentive Programs,” CMS wrote in its proposal. “We remain cognizant that unintended or unlawful disclosures of ePHI could diminish consumer confidence in EHRs and the overall exchange of ePHI.”

As EHRs become more common, CMS explained that protecting ePHI becomes more instrumental in the EHR Incentive Program succeeding. However, CMS acknowledged that there had been some confusion in the previous rules when it came to HIPAA requirements and requirements for the meaningful use core objective:


For the proposed Stage 3 objective, we have added language to the security requirements for the implementation of appropriate technical, administrative, and physical safeguards. We propose to include administrative and physical safeguards because an entity would require technical, administrative, and physical safeguards to enable it to implement risk management security measures to reduce the risks and vulnerabilities identified.


CMS added that even as it worked to clarify security requirements under Stage 3, their proposal was not designed “to supersede or satisfy the broader, separate requirements under the HIPAA Security Rule and other rulemaking.”


For example, the CMS proposal narrows the requirements for a security risk analysis in terms of meaningful use requirements. Stage 3 states that the analysis must be done when CEHRT is installed or when a facility upgrades to a new certified EHR technology edition. From there, providers need to review the CEHRT security risk analysis, as well as the implemented safeguards, “as necessary, but at least once per EHR reporting period.”


However, CMS points out that HIPAA requirements “must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits” in all electronic forms.


Working toward secure exchange


The Stage 3 Meaningful Use proposal encourages CEs to work toward health information exchange and to focus on better health outcomes for patients. As healthcare facilities work toward both of these goals, it is essential that health data security still remains a priority and that PHI stays safe.


While HIPAA compliance helps CEs avoid federal fines, it is, more importantly, what keeps patient information out of the wrong hands. The right balance needs to be found between health information security and health information exchange.



ONC releases updated privacy and security guide


The Office of the National Coordinator (ONC) released the revised “Guide to Privacy and Security of Electronic Health Information” April 13 to help organizations integrate federal health information privacy and security requirements.

The guide is geared toward HIPAA covered entities and Medicare eligible professionals from smaller organizations. The updated version features information about compliance with the privacy and security requirements of CMS’ Electronic Health Record (EHR) Incentive Programs as well as compliance with HIPAA Privacy, Security, and Breach Notification Rules.

The guide covers such topics as:

  • Increasing patient trust through privacy and security
  • Provider responsibilities under HIPAA
  • Health information rights of patients
  • Securing patient information in EHRs
  • Meaningful Use core objectives that address privacy and security
  • A seven-step approach for implementing a security management process
  • Breach notification and HIPAA enforcement




Don't confuse EHR HIPAA compliance with total HIPAA compliance


Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.


Unfortunately, what many organizations today don’t realize is, just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.


Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for the purpose of protecting PHI.


In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.


Unfortunately, addressing risks to electronic patient data is not always a top priority.


We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.


While some EHR systems and their related equipment have security features built into or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often web-enabled (can connect remotely to send information to a server), but that equipment may not be checked for proper security.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.


There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.


Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.


Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct an annual HIPAA security risk analysis (specifically required under HIPAA rules). This can involve regularly engaging with a trusted provider that can remotely monitor and maintain your network and devices to ensure ongoing security.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PINs, that limits access to patient information to authorized individuals only.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.


Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.



The Inadequacy of HIPAA Policies and Procedures


I am often amazed at the questions I receive and the scenarios that are presented either when I speak or advise on HIPAA. One item that never ceases to amaze me is the confusion over what content is required in HIPAA policies and procedures. I kid you not; some entities contend that having a binder with the Code of Federal Regulations (CFR) section is enough. Let's think about that — how is that a policy, what are the procedures for implementing it, and what are the sanctions in the event the policy is not followed? The answers to these questions are what auditors, government officials, and lawyers look for when bringing a case or assessing fines.

Case in point: "Employee Sacked After Snooping Patient EMR Records," a true story. Ohio-based University Hospitals notified approximately 700 patients after a single employee "snooped" and accessed protected health information. This scenario raises multiple issues:

• The employee accessed the records for nearly three years without the hospital's knowledge;

• It was not until a complaint was received that the hospital audited its EHR system;

• The information accessed included names, diagnoses, health insurance information, and other sensitive information; and

• There were inadequate policies, procedures, and training on HIPAA.

What are the best ways to thwart this type of behavior? First, compile and implement substantive policies and procedures. Second, audit the EHR system regularly and have alerts set up that notify the IT department when records are inappropriately accessed. Third, have sanctions in place for HIPAA offenses. Fourth, provide annual staff training. And, finally, recognize the importance of identifying both your internal and external data security threats to the organization.
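The second and fifth measures above (auditing the EHR regularly and alerting when records are accessed inappropriately) can be turned into a concrete check. The following is an added example written for this page; it is not code from the article or from University Hospitals. It runs a few constructed audit-log lines against a constructed table of documented treatment or billing relationships and flags three patterns that the case above would have surfaced years earlier: a view of a chart the user has no relationship with, a view of a patient who shares the user's surname, and a user who opens several unrelated charts in one day. The CSV field names, the relationship table and the volume threshold are assumptions, not any EHR vendor's export format.

```python
"""Flag suspicious EHR record access from audit-log lines (added example, constructed data)."""
import csv
import io
from collections import defaultdict

# Constructed sample: one line per record view, in a field layout assumed for this example.
AUDIT_LOG = """\
timestamp,user,user_surname,user_dept,patient_id,patient_surname,action
2015-03-02T08:01:00,jdoe,Doe,Cardiology,P1001,Smith,VIEW
2015-03-02T08:05:00,jdoe,Doe,Cardiology,P1002,Jones,VIEW
2015-03-02T09:10:00,mlee,Lee,Billing,P1001,Smith,VIEW
2015-03-02T09:12:00,mlee,Lee,Billing,P1003,Lee,VIEW
2015-03-02T12:30:00,rkim,Kim,Oncology,P1004,Park,VIEW
2015-03-02T12:31:00,rkim,Kim,Oncology,P1005,Cho,VIEW
2015-03-02T12:32:00,rkim,Kim,Oncology,P1006,Han,VIEW
2015-03-02T12:33:00,rkim,Kim,Oncology,P1007,Yoon,VIEW
"""

# Constructed: users with a documented treatment or payment relationship to each patient
# (in practice this comes from encounter, scheduling and billing assignments).
CARE_RELATIONSHIPS = {
    "P1001": {"jdoe", "mlee"},   # mlee handles billing for P1001
    "P1002": {"jdoe"},
    "P1003": set(),
    "P1004": {"rkim"},
    "P1005": set(),
    "P1006": set(),
    "P1007": set(),
}

UNRELATED_ACCESS_THRESHOLD = 3   # unrelated charts per user per day; assumed tuning value


def parse_audit_log(text):
    """Parse CSV audit text into a list of dicts, one per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def find_snooping(rows, relationships, threshold=UNRELATED_ACCESS_THRESHOLD):
    """Return alert dicts for accesses without a documented relationship.

    Each unrelated view yields one alert; a view of a patient sharing the user's surname
    is labelled separately; a user who views `threshold` or more unrelated charts on one
    day additionally yields a volume alert.
    """
    alerts = []
    unrelated_by_user_day = defaultdict(set)
    for row in rows:
        if row["user"] in relationships.get(row["patient_id"], set()):
            continue   # documented relationship: normal access, nothing to flag
        day = row["timestamp"][:10]
        unrelated_by_user_day[(row["user"], day)].add(row["patient_id"])
        reason = "no_treatment_relationship"
        if row["user_surname"].lower() == row["patient_surname"].lower():
            reason = "same_surname_no_relationship"   # classic family-member snooping
        alerts.append({"user": row["user"], "patient_id": row["patient_id"],
                       "timestamp": row["timestamp"], "reason": reason})
    for (user, day), patients in unrelated_by_user_day.items():
        if len(patients) >= threshold:
            alerts.append({"user": user, "patient_id": None, "timestamp": day,
                           "reason": f"volume:{len(patients)}_unrelated_patients"})
    return alerts


if __name__ == "__main__":
    for alert in find_snooping(parse_audit_log(AUDIT_LOG), CARE_RELATIONSHIPS):
        print(alert)
```

On the constructed data, jdoe's views raise nothing, mlee's view of a patient named Lee with no billing relationship is flagged as same-surname snooping, and rkim's three unrelated oncology charts produce three individual alerts plus a volume alert. Break-the-glass emergency access should be fed in as a relationship with a short expiry rather than suppressed, so that it is still reviewed.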



Is your doctor's office the most dangerous place for data?

Everyone worries about stolen credit cards or hacked bank accounts, but just visiting the doctor may put you at greater risk for identity fraud.

Those medical forms you give the receptionist and send to your health insurer provide fertile ground for criminals looking to steal your identity, since health care businesses can lag far behind banks and credit card companies in protecting sensitive information. The names, birthdates and — most importantly — Social Security numbers detailed on those forms can help hackers open fake credit lines, file false tax returns and create fake medical records.

"It's an entire profile of who you are," said Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin in Boston. "It essentially allows someone to become you."

Social Security numbers were created to track the earnings history of workers in order to determine government benefits. Now, health care companies are, in some cases, required to collect the numbers by government agencies. They also use them because they are unique to every individual and more universal than other forms of identification like driver's licenses, said Dr. Ross Koppel, a University of Pennsylvania professor who researches health care information technology.

But once someone creates a stolen identity with a Social Security number, it can be hard to fix the damage. A person can call a bank to shut down a stolen credit card, but it's not as easy of a process when it comes to Social Security numbers.

"There is no such mechanism with Social Security numbers and our identity," said Avivah Litan, a cybersecurity analyst at the research firm Gartner. "You can't just call the bank and say, 'Give me all the money they stole from my identity.' There's no one to call."

Given that the data is so vital to protect, health care companies are taking every precaution to defend against hackers, right?

Not necessarily. The FBI warned health care companies a year ago that their industry was not doing enough to resist cyberattacks, especially compared with companies in the financial and retail sectors, according to Christopher Budd of security software company Trend Micro. The warning came in a government bulletin to U.S. companies that cited research by a nonprofit security institute, he said.

Last year, more than 10 million people in the U.S. were affected by health care data breaches — including hacking or accidents that exposed personal information, such as lost laptops — according to a government database that tracks incidents affecting at least 500 people. That was the worst year for health care hacking since 2011.

Litan estimates that the health care industry is generally about 10 years behind the financial services sector in terms of protecting consumer information. She figures that it may be twice as easy for hackers to get sensitive financial information out of a health care company compared with a bank. Banks, for instance, are more likely to encrypt personal data, which can garble the information if a hacker gets ahold of it. They also are much more likely to use advanced statistical models and behavior analytics programs that can spot when someone's credit card use suddenly spikes, says Litan, who studies fraud-detection technology. That's a sign of possible fraud that may be worth investigating.

"There's a need for that everywhere now," she said.

Health care companies do have security to protect sensitive patient information. Anthem, the nation's second-largest health insurer, said last week that hackers broke into a database storing information on 80 million people, including Social Security numbers. The company had "multiple layers of security" in place before the attack, said David Damato, managing director at FireEye, the security company hired by Anthem to investigate the breach.

But the stolen data was not encrypted. An Anthem spokeswoman said encryption wouldn't have helped, because the intruder used high-level security credentials to get into the company's system.

Still, several experts say encryption does help.

Encryption programs can be tuned so that even authorized users can view only one person's account, or a portion of an account record, at a time, said Martin Walter, senior director at cybersecurity firm RedSeal Networks. That makes it harder for an outsider to view or copy a whole stockpile of records.

Even if Anthem's security had proved invulnerable, the health care system offers several other inviting targets with varying levels of security. Hospitals, labs, clinics and doctor's offices all can be attacked. Cybersecurity experts say they expect even more health care hacking problems in the future as those layers of the health care system shift their paper files to electronic medical records, a push that has been boosted by federal funding in recent years.

"A lot of businesses that didn't place a premium on security are now placing this incredibly valuable information online," noted Al Pascual, director of fraud and security at the consulting firm Javelin Strategy & Research.

The experience of a big company like Anthem does not bode well for the broader health care industry, said Budd at Trend Micro.

"They have resources to throw at cyber security," he said. "And if someone with nearly unlimited resources can be breached like this, then it raises serious questions as to what's at risk."

Beth Knutsen still worries about someone using her Social Security number more than a year after she was told that some old patient files of hers had been taken from a doctor's office in Chicago. The 39-year-old New York resident visited that doctor nearly 20 years ago.

She's seen no signs of fraud yet, and she still provides her Social Security number when a doctor's office asks for it — but only because it seems to be required for insurance and billing.

"It's so scary," she said. "Who knows what can happen with that information?"

Report Suggests Ways To Improve Clinical Documentation in EHRs


On Tuesday, the American College of Physicians released a report that details how to improve electronic health record clinical documentation and how to use technology to enhance patient care, EHR Intelligence reports (Reardon, EHR Intelligence, 1/13).

Details of Report

The authors compiled the report with input from ACP constituencies and non-member experts, as well as a literature review, according to Health Data Management.

In the report, the authors noted that "computers and EHRs can facilitate and even improve clinical documentation" (Slabodkin, Health Data Management, 1/13).

However, they also wrote that the use of technology could increase "inappropriate or even fraudulent documentation." In addition, they wrote that "many physicians and other health care professionals have argued that the quality of the systems being used for clinical documentation is inadequate" (Walsh, Clinical Innovation & Technology, 1/13).

Recommendations

To address such concerns, the authors outlined seven policy recommendations related to clinical documentation within EHRs:

  • Patient care support and improvement of clinical outcomes should be the primary focus of clinical documentation software;
  • Providers should define professional standards for clinical documentation practices within their organizations;
  • EHR systems should serve to improve care outcomes while contributing to data collection as value-based and accountable care models become more prevalent;
  • Structured data should be captured only where they are useful in care delivery or necessary for quality assessment and reporting;
  • Prior authorizations should no longer be unique in their data content and format requirements;
  • Giving patients access to their medical records, including progress notes, would improve patient engagement and care quality; and
  • Further research should be done to identify best practices for clinical documentation, develop automated tools, improve medical education related to EHR documentation and determine the most effective ways to disseminate professional standards for clinical documentation.

The authors also outlined five policy recommendations related to EHR design:

  • EHR developers should optimize systems for care delivery over time, as well as for care that involves teams of clinicians and patients;
  • Clinical documentation within EHR systems should be intuitive for clinicians;
  • EHRs should support a "write once, reuse many times" approach and use embedded tags to identify the original source of data;
  • EHR systems should not require clinicians to indicate whether an action has been taken if the data in the record already substantiate the action; and
  • EHR systems should enable the integration of patient-generated data (Kuhn et al., Annals of Internal Medicine, 1/13).



HIPAA Compliance and EHR Access


In light of the recent massive security breaches at UCLA Medical Center and Anthem Blue Cross, keeping your EHR secure has become all the more important. However, as organizations work to prevent data breaches, it can be difficult to find a balance between improving security and maintaining accessibility. To that end, HIPAA Chat host Steve Spearman addresses digital access controls, common authentication problems, and how authentication meets HIPAA compliance and helps ensure the integrity of your EHR, even after multiple revisions.


Q: What are access controls?


A: Access controls are mechanisms that appropriately limit access to resources. This includes both physical controls in a building, such as security guards, and digital controls in information systems, such as firewalls. Having and maintaining access controls is a critical and required aspect of HIPAA compliance, and access control is the first technical HIPAA Security Standard.


Q: What’s the most common form of digital access control we see in healthcare?


A: The username and password is the most common form of access control by far. The Access Control Standard requires covered entities to give each user a distinct and unique user ID and password in order to access protected information. These unique credentials for each employee enable covered entities to confirm (“authenticate”) the identity of users and to track and audit information access.


Q: What are the most common problems with access controls and use of passwords in healthcare?


A: The most common problem is that covered entities often use multiple systems which each may require its own set of usernames and passwords along with varying requirements for these credentials, such as minimum character length or use of capital letters. Memorizing multiple sets of passwords and usernames for multiple systems is difficult for most people. In addition, there is a conundrum between password complexity and memorization. Complex passwords (longer with multiple required character types) are better for security but much harder to memorize. This is the conundrum.


Q: Are stricter password policies always more secure?


A: No. If password requirements are too strict, users resort to coping mechanisms such as writing them down or re-using the same password over and over and across multiple systems. This compromises security rather than enhancing it. For example, a policy that required 14-character passwords with lower-case, upper-case, numbers and symbols, expiring every 30 days, would create huge problems for most organizations. With these policies, staff would simply write down their passwords. But this compromises security. If a bad person gets hold of a written list of passwords they have the “keys to the kingdom”, the ability to access the accounts on that written list. So passwords should not be written down.

In addition, overly strict password policies tend to overwhelm technical support staff with password reset requests.

So passwords should be sufficiently complex to make them hard to crack which also makes them hard to memorize.


Q: This sounds like a big problem. Do you have any suggestions to make things better?


A: At a minimum, organizations need to provide training to staff on straightforward techniques to create memorable but complex passwords. I have an exquisitely terrible memory. But I have great passwords using one particular technique. Just google “create good memorable passwords” and you can find dozens of videos demonstrating how to do it. But, of course, our favorite is the video featuring our very own, Gypsy, the InfoSec Wonderdog.


Enterprises should seriously consider additional technical solutions such as two factor authentication with single sign on (2FA/SSO).


Q: What is a good, reasonable password policy?


A: I recommend a policy that:


  • Requires a minimum of 8 characters
  • Requires two or three of the options of lower-case, upper-case, numbers and symbols
  • Expire every 3 to 6 months
  • Limits use of historical passwords so that the previous two cannot be reused.
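The policy in the list above, and the complexity-versus-memorability trade-off described in the earlier answer on strict policies, can both be made concrete with a small checker. What follows is an added example written for this page, not code from the HIPAA Chat or from any vendor: it enforces the minimum length, the character-class count and the two-password history from the list, and reports a naive brute-force entropy estimate alongside the verdict. The stand-in hash, the sample passwords and the history list are constructed for illustration; a real credential store would compare against a slow, salted hash such as bcrypt, scrypt or Argon2, never against plaintext.

```python
"""Check a candidate password against the recommended policy (added example, constructed data)."""
import hashlib
import hmac
import math
import string

MIN_LENGTH = 8        # "a minimum of 8 characters"
MIN_CLASSES = 2       # "two or three of" lower-case, upper-case, numbers, symbols
HISTORY_DEPTH = 2     # "the previous two cannot be used"


def _digest(password: str) -> str:
    """Stand-in for the stored password hash. Plain SHA-256 keeps the example
    dependency-free; a production store must use a slow, salted hash instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(1 for check in checks if any(check(c) for c in password))


def estimate_entropy_bits(password: str) -> float:
    """Naive brute-force entropy: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(candidate: str, previous_digests, min_length: int = MIN_LENGTH,
                   min_classes: int = MIN_CLASSES, history_depth: int = HISTORY_DEPTH):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(candidate) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    # Only the most recent `history_depth` entries count, per the policy.
    recent = list(previous_digests)[-history_depth:]
    digest = _digest(candidate)
    if any(hmac.compare_digest(digest, old) for old in recent):
        problems.append(f"matches one of the previous {history_depth} passwords")
    return problems


def record_password_change(previous_digests, new_password: str):
    """Append the digest of an accepted password so later changes are checked against it."""
    return list(previous_digests) + [_digest(new_password)]


if __name__ == "__main__":
    history = []
    for old in ("OldPass1", "OldPass2", "OldPass3"):   # constructed history
        history = record_password_change(history, old)
    for candidate in ("Winter2015", "password", "OldPass3", "correct horse battery staple"):
        print(candidate, check_password(candidate, history),
              round(estimate_entropy_bits(candidate), 1), "bits")
```

The last candidate shows the trade-off in numbers: `correct horse battery staple` is rejected by this policy for using a single character class even though its naive entropy estimate is more than twice that of `Winter2015`, which passes. Whichever policy an organization settles on, the history comparison must be done hash-to-hash as above; keeping old passwords in the clear to compare against would hand an attacker exactly the written list the answer warns about.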


Q: You mentioned authentication before. What is that? What is two-factor or multi-factor authentication?


A: Authentication is the process of confirming the identity of a person before granting access to a resource. Computer geeks refer to the three factors of authentication:


  • What a user has (an ID badge or phone)
  • What a user knows (a password or PIN)
  • Who a user is (biometrics)


For example, ATMs use two-factor authentication:

  1. What the user has: an ATM card and
  2. What they know: a PIN.


One of my favorite tools for two-factor authentication is Google Authenticator, which runs as an app on my mobile phone. Another common form of two-factor authentication is text codes. With this method, after you enter a correct username and password, the website or app sends a text with a numeric code, which expires after a few minutes, to your phone; you enter that code into another field on the website before access is granted.


Everyone should enable two-factor authentication on their most essential systems, such as online banking and email accounts such as Gmail.


In healthcare, there is a growing trend toward biometric authentication, the use of fingerprint readers or palm readers, etc. to authenticate into systems. Biometric authentication is generally very secure and is also very easy to use since there is nothing to memorize.


Q: What is SSO?


A: Single sign-on (SSO) lets users access multiple applications through one authentication event. In other words, one password allows access to multiple systems. It enhances security because users only have to remember one password. And because it is just one, it is commonly a good complex password. Once entered, it will allow access to all the core systems (if enabled) without having to re-authenticate.


Single sign-on combined with two-factor authentication or biometrics works well in tandem, and the two are often sold together by vendors. The leading SSO/2FA vendor in healthcare is Imprivata, but other vendors are making great in-roads into healthcare, such as Duo Security, 2FA.com and Secureauth.com.


Q: What do you mean by “integrity” and what does it have to do with access control and authentication?


A: Integrity, as a system standard, is the set of practices used to track and verify all changes made to a health record. It is the condition that allows us to prevent editing or deleting of records without proper authorization.


Authentication and access controls are the primary means we use to preserve integrity of a record. If the information system is programmed to track its users’ activity, then it’s possible to track who made changes to a record and how they changed it.


This is why users should never share usernames and passwords with other users. Integrity becomes impossible if a username does not signify the same user every time it appears.


Q: Any final thoughts?


A: Finding that balance between HIPAA compliance, security and accessibility can be tricky. We recommend reducing digital access controls to a single multi-factor authentication or biometrics event. This single, secure method of authentication could be the balance between security and efficiency needed to keep your EHR secure and yet accessible. In addition to improving accessibility to your system, an MFA or biometrics sign-in method could help improve your organization’s EHR integrity.


Six Potential HIPAA Threats for PHOs and Super Groups


Physician Hospital Organizations (PHOs) and super groups are on the rise. About 40 percent of physicians either work for a hospital or a practice group owned by a hospital, or band together with other physicians to form a super group. Individual practices share operations, billing, and other administrative functions, gain leverage with insurance companies, add specialist resources and increase referrals, improve patient outcomes with a cohesive care plan, and more. The benefits are plentiful.

But just like a negative restaurant review on Yelp can hurt customer patronage and the restaurant's reputation, one practice that commits a HIPAA violation can affect the entire group, and result in an expensive fine, cause distrust among patients, and in extreme cases, the data breach can lead to medical identity theft.


For PHOs and super groups, adherence to HIPAA rules becomes more complicated when compliance isn't consistent among the group's practices, and a compliance officer isn't on board to manage risks and respond to violations.


At a minimum, the group should identify the potential sources for exposure of electronic protected health information (ePHI) and take measures to avert them. Six of the most common:


  1. Super groups include smaller practices that struggle with HIPAA compliance and its associated time and costs. Although a PHO or super group may be abundant in physicians, employees, and offices, most of those assets may come from smaller organizations. Historically, smaller practices lack the resources to comply with HIPAA, and hiring expensive compliance consultants can be prohibitive at the individual practice level.


  2. Each practice uses a different EHR, or the EHR is centralized but the ePHI is stored on different devices. It becomes difficult to assess HIPAA compliance, and how patient data is being protected, when various EHRs are implemented across multiple practices. Some EHRs may be cloud based while other systems reside in an individual practice's office. Getting an accurate inventory of where ePHI is stored or accessed can be challenging.


  3. Hospitals can't conduct thorough security risk assessments for each practice in the group. A PHO could have 20 or more individual practices, and the time required to perform individual security risk assessments could be daunting. These risk assessments are labor intensive and could strain the resources of hospital compliance staff.


  4. Meaningful use drives HIPAA compliance, and grants from HHS can be significant, especially with a large number of providers. Along with these funds comes the responsibility to comply with meaningful use objectives. One of the most frequent causes of failing a meaningful use audit is skipping the HIPAA security risk assessment. If one practice fails an audit, it could open the door to other practices in the group being audited, with a domino effect in which a significant portion of EHR incentive funds has to be returned.


  5. For physician groups that share patient information, security is only as strong as the weakest link, whether one practice or even one employee. A breach at one practice could expose patient information for many or all other practices. Security is then defined by the practice that has the weakest security implemented.


  6. Untrained employees in the front office unwittingly violate HIPAA and a patient's right to privacy. An employee could fall for a phishing scam that gives criminals access to a practice's network, compromising the security of many or all practices within the PHO or super group.


The best way to avoid a HIPAA violation and a patient data breach is to create a group policy that requires each practice to:


  • Perform regular HIPAA security risk assessments;

  • Inventory the locations of patient information;

  • Assess common threats;

  • Identify additional security needs;

  • Set up policies and procedures;

  • Stay up to date on patient privacy rules and requisite patient forms; and

  • Properly train employees in protecting both the privacy and security of ePHI.


Make sure every practice in the group treats HIPAA compliance with the same care as a patient's medical condition.


Chip-powered credit cards to challenge providers this fall


In an effort to improve security, America's banks and credit-card issuers will switch in the next few months from magnetic-stripe cards to microchip-based cards. That means healthcare providers will face another significant financial-systems conversion, in addition to the looming ICD-10 switchover.

More than half a billion of these “EMV” cards, so-named for the initials of the major card issuers that developed them—Europay, MasterCard and Visa—are expected to be issued and in use by the end of 2015.

The cards already are in use in Europe and Canada. Canada started a slow rollout of EMV cards in 2006, and now about 95% of Canadian merchants have converted to chip card readers, said Karen Cox, vice president of payments and retail solutions for Moneris Solutions, a Toronto-based provider of financial processing systems, owned by Canada's two largest banks, Royal Bank of Canada and Bank of Montreal. 

According to research estimates, by October, 63% of U.S. cards and 47% of terminals used across all industries to process transactions will be converted to EMV technology, she said.

Unlike the planned, industry-wide and federally mandated Oct. 1 upgrade to ICD-10 diagnostic and procedural codes, which is creating a big lift for everyone in the healthcare claims stream, there is no federal requirement that any U.S. business, including hospitals and office-based physician practices, switch to EMV cards. 

But efforts to reduce fraud will drive the conversion to chip cards, Cox said. 

In the U.S., a shift in financial liability for fraudulent charges will drive merchant adoption of chip-card technology, or at least that's the intention, Cox said. The change in liability will be enforceable by the credit-card issuers through their agreements with businesses that accept credit card payments, Cox said. 

“After October, if someone (a fraudster) with a chip card would hit a chip terminal, the merchant is protected from charge back,” by the card issuer, Cox said. But if the merchant, hospital or medical practice is still using an older magnetic strip reader, the liability for charge-backs falls on the business still using the older technology. 

Cox says providers shouldn't worry about the expense of new card readers.

“Your typical countertop terminal is $200 to $300 for one that does everything,” Cox said. The rub more likely will come with software conversions for hospital financial and office-practice management systems, she said.

Cox says not all vendors are ready for the conversion and that no one should take on the task of writing an EMV interface themselves.

The Electronic Health Records Association, a trade group for EHR developers, many of which also have financial systems, declined to comment. 

The linchpin for chip-card technology adoption going forward—as it has been in the past—remains with the banks, not the vendors, said Robert Tennant, senior policy advisor with the Medical Group Management Association, who recently received a smart-chipped American Express card in the mail. “The vendor's argument is, 'Why should we build in the technology when the financial vendors haven't switched over?' ” he said.

According to Tennant, the switch to chip-based technology will be “an enormous change” for the retail sector, and somewhat of a lift for medical groups, who will have to buy and reconfigure their credit-card processing equipment and software at their pay windows. But there could be long-term benefits, too.

“Nothing is ever foolproof, but as far as it goes, I think it's significantly more security than what we have now,” Tennant said.

The MGMA also is part of a 40-member industry collaboration formed last year, and led by the Workgroup for Electronic Data Interchange, to automate the patient registration and intake process. The group is hoping to hammer out an industry consensus around the component parts of a so-called “digital clipboard” containing basic patient demographic and payer or payment information used at registration.

“On the healthcare side, it opens up a lot more opportunities for data movement,” Tennant said. “If we're going to be moving to this technology, it's a very short step toward using that technology for other purposes.”

Hopes for using smart-card technology in healthcare have risen and fallen several times over the past decade. Last month, the Government Accountability Office recommended that Medicare ought to consider issuing smart cards to beneficiaries to speed patient identification and eligibility verification.


HITECH Act Stage 3: Security Concerns


Some healthcare associations, including those representing IT and security leaders, are seeking more clarity from federal regulators about proposed security and privacy requirements for Stage 3 of the HITECH Act "meaningful use" incentive program for electronic health records. Among the concerns raised were issues related to EHR risk assessments and patients' electronic access to their health information.


Stage 3 of the HITECH Act incentive program is slated to begin in 2017 or 2018. Beginning in January 2018, healthcare providers lacking a certified EHR system will begin to face financial penalties.

The concerns cited by the various healthcare associations echoed some of the worries expressed by security and privacy experts shortly after the proposed rules were issued in March.


May 29 was the deadline for public comment on proposed rulemaking by the Department of Health and Human Services. On March 20, HHS' Centers for Medicare and Medicaid Services issued a notice of proposed rulemaking for Stage 3 of the Medicare and Medicaid EHR incentive program. Meanwhile, HHS' Office of the National Coordinator for Health IT issued a proposed rule spelling out updated requirements for EHR software that qualifies for the incentive program: 2015 Edition Health Information Technology Certification Criteria.

Security Assessment Concerns

Under Stage 3 of the HITECH incentive program, which already has provided nearly $30 billion in incentives to eligible hospitals and healthcare professionals for "meaningfully" using EHRs, these healthcare providers can qualify to receive additional incentives by achieving a proposed new list of objectives. One of those proposed requirements deals with risk assessments.


While healthcare providers are still expected to conduct a broader HIPAA security risk analysis, the Stage 3 proposal states that healthcare providers must conduct an assessment that specifically looks at risks to information maintained by the certified EHR technology.


Here's the language in the HHS proposal, which some commenters found confusing, or even unnecessary, in light of existing HIPAA requirements: "The requirement of this proposed measure is limited to annually conducting or reviewing a security risk analysis to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability and integrity of ePHI created by or maintained in [the certified EHR technology]."


The College of Healthcare Information Management Executives, an association of healthcare CIOs and other IT leaders, in its comments to HHS called the risk assessment proposal "superfluous, given the fact that the HIPAA privacy and security requirements already apply to providers and we see no need to impose any additional requirements through the EHR meaningful use program."


But CHIME added in its comments to HHS: "We understand and agree with the need to protect electronic personal health information. As such, our concern is that providers may be confused over the timing of required assessments or reviews."


To clarify and simplify the objective, CHIME suggested HHS rework the proposal to state that eligible healthcare providers must conduct the security risk analysis upon initial installation of certified EHR technology or upon upgrade to a new edition of certified EHR technology.


CHIME contends that this clarification "will help providers understand their responsibilities vis-à-vis this objective and avoid any possible misunderstanding that reviews be required every time a provider receives a patch or other update to their EHR from a vendor."

Guidance Sought

Meanwhile, another association of health IT professionals, the Healthcare Information and Management Systems Society (HIMSS), said it generally supports the government's risk assessment proposal, but that many healthcare sector organizations still need more guidance on how to conduct a risk analysis.


"HIMSS observes that providers today likely need to increase the frequency of their security risk analysis," the organization says in its feedback. "However, merely doing the security risk analysis without addressing the risks may not lead to adequate safeguarding of the ePHI. Accordingly, risk management should be done as well, and providers need to be educated on how to manage risk in today's electronic environment."


HIMSS recommends the proposed requirement for Stage 3 be modified "so that providers not only do the security risk analysis, but also address the risks themselves." HIMSS also recommends that providers receive guidance on where to obtain security updates and how to correct deficiencies. "HIMSS recommends that providers need guidance on what an acceptable baseline is for a security risk analysis - without such guidance, some providers may conduct [minimal] security risk analysis, expending only a handful of hours to do such a task."

Other Concerns

Some healthcare associations also wrote in their feedback that they were concerned about a Stage 3 proposal regarding providing patients with electronic access to their records.


Under the HHS proposal, patients may either be provided access to view online, download, and transmit their health information through a patient Web portal or provided access to an application program interface certified by ONC. Those APIs can be used by third-party applications or devices.


In its comments, CHIME says it opposes the API provision. "There is tremendous uncertainty regarding APIs, including potential security and authentication issues, and even whether they will be readily available in [technology] vendor products by 2018."


Similarly, the American Hospital Association wrote in its comments: "Stage 3 proposals, such as relying on third-party applications to access sensitive patient data in EHRs, may be a successful mechanism for the exchange of patient data information, but they raise important questions about patient privacy and information security that must be carefully considered."


An HHS spokesman tells Information Security Media Group that ONC and CMS "are now reconciling and beginning to review all of the comments. We don't yet have a total count of the number of comments, nor have we had time to separate them by issue. We are now beginning the process to get us to the issuance of the final rules, which we expect to be later this summer."


Don’t Forget the Paper: Records and Policies


Another HIPAA breach settlement announcement and another lesson from the Department of Health and Human Services Office for Civil Rights (“OCR”). Cornell Prescription Pharmacy (“Cornell”) is a single location pharmacy located in Colorado that will pay OCR $125,000 to resolve allegations of a variety of HIPAA violations. When the facts of the circumstances are described, it will likely raise questions as to why the settlement was so low.


The issues at Cornell were revealed to OCR by a local news station. The station found paper-based protected health information disposed of in an unsecured dumpster generally accessible to the public. After receiving the report, OCR investigated Cornell. OCR’s investigation revealed that Cornell had no written policies in place to implement the HIPAA Privacy Rule, no training regarding Privacy Rule requirements was conducted, and protected health information was not reasonably safeguarded.


Despite all of these findings, as indicated above, Cornell only faces a $125,000 settlement amount in addition to the usual requirement to enter into a corrective action plan. It is interesting to note that on April 27, 2015 when the settlement was announced, the first Resolution Agreement posted showed a resolution payment of $767,520. No information has been provided to explain the reduction. One possible answer is that Cornell is a very small entity and may not have been able to afford the higher resolution amount. It would be beneficial to monitor for more information on this account.


As set forth in the settlement announcement, OCR wants every entity to know that it may be subject to HIPAA enforcement, including fines and penalties. A quote from OCR Director Jocelyn Samuels says it all: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other container that are accessible by . . .unauthorized persons.” It is incumbent upon all organizations to implement appropriate policies and procedures to satisfy HIPAA requirements.


One of the more stunning aspects of the Cornell settlement was the revelation that Cornell had no written policies or procedures to comply with the Privacy Rule. This is slightly different from other settlements where OCR found inadequate or non-existent security policies. Arguably, privacy policies are easier to implement because the Privacy Rule provides a pretty comprehensive and clearcut guide with regard to what policies and procedures need to be put into place. Additionally, there is not a need to do an equivalent of a risk analysis to determine what security policies to put into place.


While the statement about no policies being in place should be shocking, multiple surveys recently have found that a lack of knowledge about HIPAA is still fairly widespread. HIPAA in its original form has been around for almost 20 years at this point. Why is it that organizations still do not know what they need to do to comply? Is it unintentional lack of awareness or something more deliberate? No matter the reason, the government is clearly monitoring and looking for organizations that are not in compliance. The resolution amounts remain wildly unpredictable, but many statements have suggested that recent fines will pale in comparison to fines that will be levied in the future. It is better for organizations to get their houses in order at this point rather than having an audit uncover deficiencies. It will be a safe bet that any problems found in an audit will result in higher fines being assessed.



How Rush Medical Stays HIPAA Compliant, Uses Cybersecurity


Staying HIPAA compliant is not always an easy task, especially as new technological options develop, such as cloud computing, mobile devices, and EMRs.


Rush University Medical Center has altered its cybersecurity measures over the last few years in order to keep pace with changing technologies. However, Rush VP of IT Operations and Associate CIO Jaime Parent told HealthITSecurity.com that even with new systems, the facility works hard to stay HIPAA compliant and keep all employees educated.


HealthITSecurity.com: Tell me a little about Rush Medical’s approach to cybersecurity. What steps have been taken over the last few years to ensure patient data security?


Jaime Parent: Over the last several years our threat protection has moved from reactive to proactive. Gone are the days where a standard firewall, anti-viral software, and anti-spam software, offer adequate protection. Today’s threats are much more sophisticated and now include ransomware and network exploits. Organizations must be agile, dynamic, flexible and adaptable. With the onset of zero day viruses and latency threats such as Heartbleed, new threats require new ways of thinking in cybersecurity.


I would say the only thing that’s consistent with protection strategies used five years ago would be the continuing need for end user education. Social engineering is still the largest vulnerability for any organization.


HITS.com: That ties into employee education as well, right?


JP: Employee education and awareness is a vital part of any comprehensive cybersecurity plan.  At Rush, we have patients, staff, faculty, students and visitors – a very difficult environment to manage and protect. We have to be cognizant of the security parameters that need to be in place to protect the network, even though we may have non-Rush assets on our public network. Our awareness campaign is called “ICARE/IProtect,” and it is both comprehensive and easy to understand. Making everyone vigilant goes a long way.


HITS.com: Have mobile devices been one of the greater challenges in staying HIPAA compliant?


JP: In addressing mobile device security, we take into account the user experience. Rush’s systems are configured in a way that promotes centralized storage and discourages local data storage. We also moved to encrypted USB drives and laptops.


Nobody wants to be the victim of a breach, but with the proper tools and awareness, users know how to protect their data and they learn to avoid phishing schemes. Preventing that click is extremely important.

HITS.com: How do large-scale data breaches, like Anthem and Premera, affect your privacy and security measures, if at all?


JP: We try to learn from these experiences. After these events, the question I get asked most often is – could this thing happen to us? And the short answer is that there really is no 100 percent ironclad way to keep all threats out. But, if you remember to address the basics, the latest anti-viral updates, patch management, user education, etc., you have the best combination in place to avoid being a victim.


HITS.com: What are some of the key privacy and security focal points for providers in 2015?


JP: Be proactive rather than reactive. Invest in smart technologies that work best for your organization. Patch aggressively. Deploy the latest updates. Finally, educate your users who continue to be vulnerable in this dynamic environment.


HITS.com: In terms of privacy and security, what do you think the current outlook is for the healthcare industry?


JP: In my personal opinion, the bad guys are winning right now. The digital age is here and not everyone thinks about security. Breaches are on the rise. It wasn’t too long ago that medical records were locked in the basement somewhere relatively inaccessible. Now, this information is at your fingertips on devices where some users may not even use a password. The genie is out of the bottle and it’s going to stay out of the bottle for a long time. Healthcare will continue to be a target.


HITS.com: After the Anthem data breach in particular, many people were upset over the notification process. In your opinion, how important is the aftermath of a data breach?


JP: Our first thoughts are always with the patient. That’s just our approach. Organizations should always take the appropriate steps to notify patients as soon as possible. At Rush, we cherish our patients and the relationships we have throughout the city of Chicago. Patient care and safety are at the core of what we do – our patients deserve nothing less.



ONC Updates its Privacy and Security Guide


Last week during the annual Healthcare Information and Management Systems Society (HIMSS) conference, the Office of the National Coordinator for Health IT (ONC) published a revised version of its “Guide to Privacy and Security of Electronic Health Information.”

In the foreword of the guide, ONC says that its intent is to help healthcare providers ―especially Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) and Medicare eligible professionals (EPs) from smaller organizations―better understand how to integrate federal health information privacy and security requirements into their practices. The new version of the guide provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, security, and breach notification rules, says ONC.


In a blog post from Lucia Savage, chief privacy officer, ONC, she says that this is the first step towards fulfilling the commitment the federal agency made in its Interoperability Roadmap— helping individuals, providers, and the health and health IT community better understand how existing federal law, HIPAA, supports interoperable exchange of information for health.


According to Savage’s post, “the guide includes practical information on issues like cybersecurity, patient access through certified electronic health record technology (CEHRT), and other EHR technology features available under the 2014 Edition Certification rule. The guide also includes new, practical examples of the HIPAA privacy and security rules in action, to help everyone understand how those rules may impact their businesses and the people they serve.”


The guide additionally offers: many scenarios for anyone who has struggled to understand when someone is or is not a business associate; provides information about when a provider (or any HIPAA-covered entity) is permitted to exchange information about an individual for treatment, payment, or healthcare operations without being required to have the individual sign a piece of paper before the exchange occurs; and provides practical tips and information about security, Savage said.



OIG to CMS: Make EHR fraud prevention efforts a priority


The Office of Inspector General is once again calling out CMS for failing to adequately address fraud vulnerabilities in electronic health records. Despite submitting recommendations back in 2013, a new OIG report underscored that the agency is still dragging its feet on implementing EHR fraud safeguards.

 
Part of the Office of Inspector General's role is to audit and evaluate HHS processes and procedures and put forth recommendations based on the deficiencies or abuses identified. It turns out that many of these recommendations are ignored, disputed or unimplemented, according to OIG's new Compendium of Unimplemented Recommendations report. EHR fraud is on that list.
 
"HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," OIG officials wrote in the report. 
 
Specifically, audit logs should be operational whenever the EHR is available, and CMS should also develop concrete guidelines around the use of copy-and-paste functions in an electronic health record. According to OIG data, most hospitals using EHRs had the audit functions recommended by RTI International in place, but they were significantly underutilized. What's more, only some 25 percent of hospitals even had policies in place regarding copy-and-paste functions.
 
These recommendations have come up repeatedly in recent OIG reports, and despite CMS officials agreeing with the outlined recommendations, the agency is still not making it enough of a priority.  
In a January 2014 report, OIG also called out CMS for failing to make EHR fraud a priority. Specifically, OIG said, CMS neglected to provide adequate guidance to the contractors tasked with identifying EHR fraud, noting that the majority of these contractors reviewed EHRs in the same manner as paper records, disregarding the differences. Moreover, only three out of 18 Medicare contractors were found to have used EHR audit data in their review process.
 
When it came to identifying copy-and-paste usage or over documentation, many contractors reported they were unable to do so. Considering some 74 percent to 90 percent of physicians use the copy/paste feature daily, according to a recent AHIMA report, the implications are significant. 
 
As Diana Warner, director of HIM practice excellence at AHIMA, recounted at the October 2013 MGMA conference, copy-and-paste usage led to a patient at her previous medical practice going from having a family history of breast cancer to having a history of breast cancer. The error was caught by the insurance company, which thought the patient had lied and was poised to change her healthcare coverage. "We had to work for months to get that cleared up with the insurance company so her coverage would not be dropped," Warner said. "We had to then find all the records that it got copy and pasted into" incorrectly and then track down the locations the data was sent to.
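The two failures described above, contractors who could not identify copy-and-paste usage and a practice that had to hunt down every record a bad phrase had been pasted into, are both things an EHR audit function can surface from note text alone. The following is an added example written for this page; it is not code from OIG, AHIMA, RTI International or any EHR vendor. It assumes notes are exported as a list of dictionaries with a note id, date, author and free text (an assumption about the export format), and the three notes it runs on are constructed for the demonstration: the third note is a near-verbatim copy of the second, made by a different author, in which "Family history: breast cancer" has become "History: breast cancer".

```python
"""Flag cloned clinical notes and trace where a phrase has propagated.

Added example (not from the OIG report, AHIMA or any EHR vendor). Notes are
compared with word shingles and Jaccard similarity; a pair of notes on the
same chart that share most of their shingles is a copy-and-paste candidate.
"""
import re
from itertools import combinations

# Constructed sample chart (not real patient data). N3 is a near-copy of N2
# by a second author; the family-history qualifier was lost in the paste.
SAMPLE_NOTES = [
    {"note_id": "N1", "date": "2015-03-02", "author": "dr_a",
     "text": "Patient presents with seasonal allergies. Family history: "
             "breast cancer (mother). Plan: loratadine daily, follow up in 3 months."},
    {"note_id": "N2", "date": "2015-06-09", "author": "dr_a",
     "text": "Follow-up visit. Allergies controlled on loratadine. Family history: "
             "breast cancer (mother). Plan: continue loratadine, routine labs ordered."},
    {"note_id": "N3", "date": "2015-06-09", "author": "dr_b",
     "text": "Follow-up visit. Allergies controlled on loratadine. History: "
             "breast cancer. Plan: continue loratadine, routine labs ordered."},
]


def shingles(text, k=3):
    """Return the set of k-word shingles of a note (lower-cased, punctuation dropped)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def detect_cloned_notes(notes, threshold=0.4, k=3):
    """Return (earlier_id, later_id, similarity) for every pair of notes on the
    chart whose similarity is at or above the threshold, in chart order.

    The threshold is a triage setting: templated sections will always share
    some shingles, so tune it against notes known to be legitimately similar.
    """
    ordered = sorted(notes, key=lambda n: n["date"])  # stable: keeps input order on ties
    sets = {n["note_id"]: shingles(n["text"], k) for n in ordered}
    flagged = []
    for earlier, later in combinations(ordered, 2):
        score = jaccard(sets[earlier["note_id"]], sets[later["note_id"]])
        if score >= threshold:
            flagged.append((earlier["note_id"], later["note_id"], round(score, 2)))
    return flagged


def find_phrase(notes, phrase):
    """Return ids of every note containing the phrase (case-insensitive), in chart
    order; this is the "find all the records it got pasted into" step."""
    needle = phrase.lower()
    return [n["note_id"] for n in sorted(notes, key=lambda n: n["date"])
            if needle in n["text"].lower()]


if __name__ == "__main__":
    for earlier, later, score in detect_cloned_notes(SAMPLE_NOTES):
        print(f"{later} looks cloned from {earlier} (similarity {score})")
    print("notes carrying 'breast cancer':", find_phrase(SAMPLE_NOTES, "breast cancer"))
```

On the constructed chart, N2 and N3 share half their three-word shingles and are flagged, while N1 and N2 (same author, genuinely different visits, but with a repeated family-history line) stay below the threshold. The phrase trace lists all three notes, which is the set a reviewer would have to open to confirm which ones state the history correctly.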



Individuals worry EHRs, data exchanges worsen privacy, security


Healthcare organizations must address consumers' concerns about individual control and privacy of their information to make health information exchanges (HIEs) and distributed research networks work, according to new research published this week in the Journal of the American Medical Informatics Association.


For the study, researchers from the University of California, Davis and the University of California, San Diego polled 800 randomly selected Californians in early 2013 to gather their views about the privacy and security of an electronic HIE, a research network and whether attitudes differed between the two. More than three-quarters of respondents, who were contacted by phone, rated security and privacy the most important factor in their willingness to participate.


The researchers found that 40.3 percent of respondents think an HIE worsens privacy while 42.5 percent believe it worsens security. More than half of respondents (52.4 percent) believe EHRs worsen privacy and 42.7 percent believe EHRs worsen security.


The respondents placed roughly equal value on protecting individual privacy and societal benefit. However, 69.8 percent strongly or somewhat agreed that individual control is more important than societal benefit.


Organization type was an important factor for the respondents, as they were most likely to consent if asked by a hospital and least likely if asked by an insurance company.


The vast majority (83.7 percent) would require permission to share data for both healthcare and research. However, respondents were more likely to agree to share de-identified information for research than to share identified information for healthcare.


A proposed new version of the Consumer Privacy Bill of Rights Act puts more emphasis on the collection of personal data, while HIPAA has been more concerned with the disclosure of information, Indiana University law professor Nicolas Terry writes in a Health Affairs blog post.


"Potentially, it may also clash with the ONC strategy of dramatically increasing data liquidity in order to promote interoperability," Terry says.



Protect Your Practice Data Against a Breach


Technology has changed the face of patient care. But it has also opened a Pandora's Box of lurid and potentially expensive data breaches. Don't be lulled into a false sense of security because you may think your practice is too small to be a target for hackers. The lessons for large health systems are as relevant as those for small, independent practices. Data security can't be left to chance.

Ike Devji, an Arizona-based asset protection and risk-management attorney, works with physicians to help them develop policies to protect their practice data and minimize liability risk. He says most doctors suffer from what he calls "risk myopia," meaning that they are focused too intently on mitigating malpractice risk. But what about identity theft, HIPAA violations, or securing patient financial data? "If [data breaches] could happen to the most sophisticated companies in the world, who have entire dedicated teams of IT security professionals, believe me, it can happen to your medical practice," cautions Devji.

So what should you do? There are many ways that your practice can protect itself against data breaches, even if your technology budget is slim. Here's how our experts say you should start.


TAKE DATA SECURITY SERIOUSLY


Even before you invest in software and support services to protect your patient data, you need to be clear about how your practice will approach data security. Too often, practice policies are absent or left up to individuals to haphazardly carry out. According to Devji, that is asking for trouble.

Devji's experience has taught him that practices often don't take cybersecurity seriously enough. He says that crimes happen most often when there is opportunity — it is easier for hackers to target a small practice and steal patient credit card numbers, than it is to, say, break into American Express.

Another concern for practices is making sure they are compliant with HIPAA regulations. In 2013, HHS released the HIPAA Omnibus Rule that strengthened the original provisions in HIPAA, bringing the total number of regulations up to 49, says Marion Jenkins, chief strategy officer at 3t Systems, a healthcare consulting company. He says the regulatory landscape is complex, and even a small practice could be looking at hundreds of thousands of dollars in fines for an unintentional HIPAA violation.

Devji says his firm makes sure that clients have an appropriate data security plan in place that includes HIPAA protections, limits staff access to protected health information (PHI), and also identifies the individual(s) who will be responsible for implementing and monitoring the plan. Here are five other key provisions that should be part of any data security plan.


FIND QUALIFIED IT SUPPORT


Because smaller practices don't generally have an IT support budget, they tend to gravitate to free tools and solutions, which can be problematic, says Boatner Blankenstein, senior director of solutions engineering for Bomgar, an enterprise technology solutions company. "Without having IT resources, there's just a lot of opportunity for misuse of technology. Scams and things — people calling and saying they're here to help you and they are really not," he says.

Jenkins says that the strongest leg of your risk-prevention strategy should be finding professional IT support that you can trust. "I have a three-question quiz that [practices] can give to an IT provider … The quiz has to be given orally, because the first question is 'How do you spell HIPAA?' The second question is 'What does it stand for?' and the third question is 'What is the difference between HIPAA security and HIPAA privacy?' If they can't answer those three questions, then you probably have a HIPAA problem waiting to happen," he says.

PROVIDE STAFF TRAINING AND EDUCATION

Your staff members are not able to learn your data security policies through osmosis. So, you must make data security a priority and teach them how to approach it. Devji says many times HIPAA violations occur through simple mistakes, like failing to lock computers and mobile devices with passwords, and copying sensitive data to an unencrypted USB drive.

Your staff training should cover at a minimum:

• The use of practice computers for personal e-mails and Internet surfing;

• Transporting data offsite using mobile devices;

• Protocols for departing staff members, e.g. changing passwords and network access;

• Educating staff on HIPAA requirements;

• The use of mobile devices at home and work; and

• Encrypting all patient data, regardless of the device.

INSTALL AND UPDATE ANTI-VIRUS SOFTWARE

In the course of a normal business day, practices are communicating electronically with multiple websites and healthcare networks, such as CMS, third-party payers, and the CDC. It is vital to have adequate virus and malware protection programs installed on all desktop computers and mobile devices, especially if they are used to access the practice's EHR system.

"[Anti-malware, anti-virus protection, anti-spam] are absolutely required by HIPAA. One of the 49 requirements is you have to protect your systems from malicious software," says Jenkins.

But don't stop there. Your software must be updated on a continuous basis. How many times have you skipped over software updates for your computer because you are too busy to stop what you are doing? Unfortunately, when you do that, you are missing out on critical security patches. Devji says "many of those updates are security specific and are continually patching vulnerabilities that are found in those programs." Skipping updates just makes it that much easier for hackers to access your computer system.


ADOPT DATA ENCRYPTION


Protecting your patient data doesn't always require a sophisticated security solution. The safest thing a practice can do is guard against the loss or theft of mobile devices and make sure that all data is encrypted — both at rest and in motion. The Verizon 2014 Data Breach Investigations Report found that together, insider misuse, miscellaneous errors, and physical theft and loss accounted for 73 percent of security breaches in the healthcare industry.

The report recommends:

• Encrypting mobile devices, like laptops and USB drives;

• Backing up sensitive data; and

• Securing mobile devices with locks to immovable fixtures, like cabinets, when not in use.


CONDUCT SECURITY AUDITS


Many practices are not aware that conducting an internal risk assessment is required by HIPAA, says Jenkins. He says he has conducted over 100 HIPAA security assessments, and the number of practices that have passed is "less than 5 percent." He says that while there are templates available through the HHS Office of the National Coordinator for Health Information Technology's website, practices should consider soliciting professional help, as "some of [the assessment] is pretty technical."

Some key action points here are:

• Engage an IT security expert or EHR vendor to audit your networks, equipment, and processes.

• Make sure that software upgrades are current on all equipment and devices.

• Review your anti-virus software to make sure it provides adequate protection.

IN SUMMARY

Medical practice data security can't be left to chance; the stakes are just too high. Fortunately, after securing professional advice, there are simple things you can do to secure your information.

Take these steps to ward off loss of data and equipment:

• Create a practice data security plan

• Provide staff training on data security

• Install anti-virus and anti-malware software

• Adopt data encryption

• Conduct security audits



EHR audit catches snooping employee


Electronic health records not only enable faster access to real-time patient data; they also make it a heck of a lot easier to catch snooping employees who inappropriately view patients' confidential information, as one California hospital has observed this past week.

Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients' medical data for an entire year.

The incident was discovered after the hospital conducted an EHR audit back in October 2014, when it was first thought that only 14 individuals had had their PHI compromised.

Following an "expanded investigation," hospital officials discovered the HIPAA breach was significantly larger than they had originally found, with 844 additional patients being identified as having had their information inappropriately accessed. The staff member, whose employment has since been terminated, snooped on patient records from October 2013 to October 2014, including patient demographics, clinical diagnoses, prescription data and clinical notes.

As officials pointed out, the hospital has "reiterated to all staff that policy allows them to access patient information only when necessary to perform job duties and that violating this policy may result in loss of employment," they wrote in a Jan. 23 press notification.

The biggest way to avoid the employee snooping problem? Audit your users and the data, said Suzanne Widup, senior analyst on the Verizon RISK team, who spoke to Healthcare IT News in spring 2014 about Verizon's annual breach report. "You need to know who has the data, who has access to the data, and you need to monitor it," Widup pointed out. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."

This snooping incident at California Pacific Medical Center is far from an isolated event. As more hospitals conduct more regular EHR audits, cases like this are only increasing in number.

One of the more egregious incidents was reported by the five-hospital Riverside Health System back in December 2013. Following a random company audit, officials discovered an employee had unrestricted access to Social Security numbers and clinical data of close to 1,000 patients for a period of four years.

Then, of course, there was the HIPAA breach at University Hospitals just in December, where an employee had been reading confidential medical records of nearly 700 patients. What's more, the employee had unfettered access to the records for nearly three and a half years before being discovered and was only caught because the health system had received a snooping complaint.

This kind of employee behavior has long been on the minds of chief information officers nationwide.

In an interview with Texas Health Resources Chief Information Officer Ed Marx this past summer, he told us: "The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do."

Of the nearly 42 million individuals whose protected health information has been compromised in reportable HIPAA privacy and security breaches, nearly 13 percent were affected by inappropriate access to or disclosure of patient records, according to data from the Department of Health and Human Services.
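Widup's advice, know who has access to the data and monitor it, comes down to reviewing the EHR access log against some record of who had a clinical reason to open each chart. The following is an added example written for this page, not code from California Pacific Medical Center, Sutter Health, Verizon or any EHR vendor. It assumes two constructed inputs: a CSV export of the access log (timestamp, user, role, patient, action) and a set of care relationships derived from orders, unit assignments and appointments (both formats are assumptions for the demo). A chart view with no matching relationship is a snooping candidate, and a user with several such views in a day is surfaced for review, which is the kind of pattern the audits in the cases above found.

```python
"""Review an EHR access log for chart views that lack a care relationship.

Added example (not from any hospital or EHR vendor). Both the access log and
the relationship table below are constructed for the demonstration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample access log (not real audit data). ph_jones opens six
# charts in one day but has a pharmacy order for only one of them.
ACCESS_LOG = """\
timestamp,user,role,patient_id,action
2014-10-03T08:12:00,rn_lee,nurse,P1001,view_chart
2014-10-03T08:15:00,rn_lee,nurse,P1002,view_chart
2014-10-03T09:01:00,ph_jones,pharmacist,P1001,view_meds
2014-10-03T12:20:00,ph_jones,pharmacist,P1003,view_chart
2014-10-03T12:22:00,ph_jones,pharmacist,P1004,view_chart
2014-10-03T12:25:00,ph_jones,pharmacist,P1005,view_notes
2014-10-03T17:40:00,ph_jones,pharmacist,P1006,view_chart
2014-10-03T17:41:00,ph_jones,pharmacist,P1007,view_chart
2014-10-03T14:00:00,dr_kim,physician,P1003,view_chart
"""

# Constructed care relationships: (user, patient_id) pairs that give the user
# a documented reason to open the chart (order, unit assignment, appointment).
CARE_RELATIONSHIPS = {
    ("rn_lee", "P1001"), ("rn_lee", "P1002"),
    ("ph_jones", "P1001"),
    ("dr_kim", "P1003"),
}


def parse_access_log(text):
    """Parse the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def unrelated_accesses(events, relationships):
    """Return the access events whose (user, patient) pair has no care relationship."""
    return [e for e in events if (e["user"], e["patient_id"]) not in relationships]


def snooping_report(events, relationships, min_unrelated=3):
    """Group unrelated accesses by user and return those who opened at least
    min_unrelated distinct charts without a relationship, with the chart ids.

    A single unrelated view is often legitimate (a consult or coverage that the
    relationship table missed), so the threshold is a triage filter; the
    reviewer still confirms each flagged user against the relationship source.
    """
    charts_by_user = defaultdict(set)
    for e in unrelated_accesses(events, relationships):
        charts_by_user[e["user"]].add(e["patient_id"])
    return {user: sorted(charts) for user, charts in charts_by_user.items()
            if len(charts) >= min_unrelated}


if __name__ == "__main__":
    events = parse_access_log(ACCESS_LOG)
    for user, charts in snooping_report(events, CARE_RELATIONSHIPS).items():
        print(f"{user}: {len(charts)} charts opened without a care relationship: "
              f"{', '.join(charts)}")
```

On the constructed log, rn_lee and dr_kim produce no findings, while ph_jones is reported with five charts opened without a relationship. The quality of the relationship table is what decides the false-positive rate; an audit that runs without one can only report raw volume, which is why the hospitals above needed an "expanded investigation" to go from 14 affected patients to the full count.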
