HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
HIPAA Hurdles in 2015 | HIPAA, HITECH & HIT

Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court:  “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself.  Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1. More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms.  For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with the privacy and security requirements of a specific state's (or states') law, limit the creation or use of de-identified data derived from the covered entity's PHI, or purchase cybersecurity insurance.  The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do.  In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow.  As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2. More HIPAA complaints – and investigations.  As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI.  Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3. More PHI-Avoidance Efforts.  Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future.  "I'm Not Your Business Associate" or "We Do Not Create, Receive, Maintain or Transmit PHI" notification letters may be sent and "Information You Provide is not HIPAA-Protected" warnings may appear on "Terms of Use" websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!

HIPAA rules on privacy taken too far

Recently, I was told by a court official in Outagamie County that federal law prohibited the release of the name of a man I had just heard speak in open court.

He was a participant in the county's Drug and Alcohol Treatment Court. He had been charged with driving while intoxicated as a fourth offense, but was offered a chance to go through a treatment program instead of serving jail time.

I attended the proceeding as a reporter for The Post-Crescent, working on a story for Gannett Wisconsin Media's statewide probe into repeat drunken drivers. The man had made a point about the costs of the program and I wanted to verify his charge history.

But when I asked for his name, the court official said it could not be released, citing the federal Health Insurance Portability and Accountability Act of 1996. That law, commonly called HIPAA, protects private health information.

It also, as this episode attests, is often misapplied.

In this case, there was no valid reason for withholding the man's name, and after a discussion with the circuit judge, I was able to obtain it. I ended up using his comment but not naming him in my story.

This was a public program, run by publicly paid officials, involving criminal defendants serving court-ordered sentences. The decision of whether to use this person's name should be up to the media, not the court official.

As the Reporters Committee for Freedom of the Press has noted, HIPAA remains a "prickly" obstacle for journalists. To help reduce conflicts and confusion, the group has sorted out just who is and who isn't covered by the law.

Health care organizations like hospitals, life insurers, ambulance services and public health authorities are all subject to HIPAA rules. Firefighters, police, court officials, reporters and patients themselves are not.

Neither are public officials who have nothing to do with the delivery of health care services. And yet, in one instance, a Louisiana State University representative told reporters he couldn't discuss a player's knee injury.

"Due to these new medical laws, our hands are tied," the official said.

Often, the most valuable information available to reporters is found on health facility directories, which are not protected by HIPAA. Hospitals may release an individual's name, location in the facility and general condition.

HIPAA also doesn't bar reporters from interviewing patients in a waiting room.

Statistical information related to hospitals, including their billing data, is not covered by HIPAA. Much of this information can be released electronically without names attached.

The Association of Health Care Journalists has produced another useful list of what HIPAA does not protect, including police and fire incident reports, court records, birth and autopsy records.

Felice Freyer, the association's treasurer and a member of its Right to Know Committee, said HIPAA overreach is widespread.

"Often times, people are unsure about the law and can't be bothered to check so it's easier to say 'no' and refer to HIPAA," said Freyer, a health care reporter for the Boston Globe.

"Frequently, hospitals say they can't let you talk to a patient, but that's not true."

No one disputes that people have a right to privacy when it comes to personal medical matters. But that right should not be taken to absurd lengths, beyond what the law prescribes.

Google cloud gets on board with HIPAA | Healthcare IT News

To all the developers building applications in the cloud that need to comply with HIPAA privacy rules: You've just gained a big ally.

Internet behemoth Google recently announced its cloud platform will now be HIPAA-friendly and will support business associate agreements going forward.

Google started inking business associate agreements back in 2013 when the HIPAA Final Omnibus Rule went into effect, making BAs accountable for violating certain HIPAA privacy and security rules.

This February, the company went one step further.

"To serve developers who want to build these applications on Google's infrastructure, we're announcing support for business associates agreements for our customers," wrote Google Cloud Platform Product Manager Matthew O'Connor, in a Feb. 5 company post. "We're looking forward to supporting customers who are subject to HIPAA regulations on Google Cloud Platform."

The HIPAA final omnibus rule took effect September 2013, and it made BAs directly liable for violations of HIPAA rules. The rule also expanded the definition of a BA to include health information organizations, e-prescribing gateways, PHR providers, patient safety organizations and subcontractors with access to protected health information. Moreover, subcontractors are now defined as business associates.

After the rule went into effect, many covered entities reported having difficulties getting BAs to actually sign business associate agreements.

Healthcare IT News spoke with BakerHostetler's Privacy and Security Attorney Ted Kobus back in August 2013, right before the HIPAA final rule took effect. He said that, overall, BAs have been less prepared.

"We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions," Kobus said.
Lynn Sessions, healthcare privacy attorney, also with BakerHostetler, works with many of the more sophisticated BAs on updating their agreements; she said the ones dragging their feet with HIPAA are the cloud providers.

Organizations "new to the party, like cloud providers who thought they were never business associates in the first place, are having to play catch up," said Sessions.
Cloud computing in healthcare is poised for explosive growth. By the end of 2013, analysts estimated the global market would hit nearly $4 billion, representing more than 21 percent growth from 2012, according to the findings of a September 2013 Kalorama report. In comparison, health IT spending over the year was only projected to increase by nearly 11 percent.

"EMR is driving this market," said Bruce Carlson, publisher of Kalorama Information, in a Sep. 19 press statement. "Hospitals are building great systems for gathering electronic records, but they need solutions to store all of that data, and it can't be a new server wing that might compete with needed space for care."
VA Healthcare Data Breach Exposes Info of 7,000 Veterans | HealthITSecurity.com

The VA experienced a healthcare data breach after a third-party vendor allegedly had an online security flaw.

The Department of Veterans Affairs (VA) experienced yet another healthcare data breach, as it announced last week that approximately 7,000 veterans’ information was potentially exposed after a contractor’s database flaw.

The VA was notified of the incident on Nov. 4, and said that it was due to a potential flaw in a vendor’s system, according to Federal News Radio. The VA told the news source that the vendor was supposed to provide home telehealth services to veterans. More than 790,000 veterans reportedly took advantage of this program in 2014.

“An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern,” the spokesman said. “The contracted vendor has assured VA that only vendor staff and VA staff had accessed this information. The security flaw in the vendor database was immediately corrected and VA continues to closely monitor the application.”

Information that was potentially exposed via the internet includes names, addresses, dates of birth, phone numbers and VA patient identification numbers. Veterans who were possibly affected have been notified by the VA and are being offered complimentary credit protection services.

The VA did not name the vendor that was involved. However, according to the third-party company, no data was actually exfiltrated through the security hole. Rather, the information was potentially seen after a database was inadvertently exposed online, according to the Federal Times.

This is just the latest in a long line of cybersecurity issues for the VA. In November, the agency failed its annual cybersecurity audit for the 16th straight time. Full results were not released, but VA Chief Information Officer Stephen Warren presented the audit results at a House Veterans Affairs Committee hearing. According to Warren, the results were disappointing, especially since "significant time and effort" were put into 2014.

Even so, auditors told VA leaders that noticeable progress had been made from the year before. In 2013, the IG found 6,000 specific cybersecurity vulnerabilities and made 35 separate recommendations to close weaknesses. This year, the IG said the list of vulnerabilities had been cut by 21 percent.

The cybersecurity report followed a US Government Accountability Office (GAO) investigation that also said the VA was lacking in terms of cybersecurity. While the VA took action to fix problems that led to a 2012 breach, the GAO stated that weaknesses identified on VA workstations had not been corrected in a timely manner. This could increase the risk that sensitive data, such as veterans’ personal information, can be compromised.

“Specifically, by not keeping sufficient records of its incident response activities, VA lacks assurance that incidents have been effectively addressed and may be less able to effectively respond to future incidents,” the GAO report stated. “In addition, without fully addressing an underlying vulnerability that allowed a serious intrusion to occur, increased risk exists that such an incident could recur.”

These security issues demonstrate why healthcare organizations must not only maintain their own cybersecurity measures, but also ensure that all third-party companies have current protections in place. Creating business associate agreements (BAAs) that account for cybersecurity issues is critical, and can help keep all parties accountable should a healthcare data breach occur. The contract will also clarify and limit how a business associate uses and discloses protected health information (PHI). Without a clear BAA, it can be more difficult to maintain patients' privacy and mitigate a possible healthcare data breach.

What Can You Expect in 2015 Regarding HIPAA Enforcement? | The National Law Review

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009.  An increase in the number of breaches isn’t the only statistic on the rise.  Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463).  It doesn’t take a crystal ball to predict that these numbers in 2015 will continue to rise.  We haven’t reached the apex yet.

The newly approved 2015 federal budget does not include an increase in funding for the federal agencies responsible for enforcing HIPAA, including the HHS Office of Civil Rights (OCR), but HHS isn't viewing it as a setback.  Per an OCR spokeswoman, "OCR's strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track…"  Just a few weeks ago, HHS settled with the Alaska Department of Health and Human Services for $1.7 million for potential HIPAA violations.

If enforcement efforts remain on track in 2015, so should compliance efforts next year.  Keep your HIPAA policies and procedures up to date and conduct regular risk assessments.  If your organization has not addressed security on mobile devices, do so now.  Especially if you are contemplating a transaction in 2015, it's time to take a deep dive regarding HIPAA compliance.