HIPAA Compliance for Medical Practices
59.9K views | +9 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Suits pile up after U.S. reveals data breach affected millions

Suits pile up after U.S. reveals data breach affected millions | HIPAA Compliance for Medical Practices | Scoop.it

On Friday, Labaton Sucharow filed a class action on behalf of about 21.5 million (!) federal employees, contractors and job applicants whose personal information was exposed in an epic breach of security at the U.S. Office of Personnel Management, which screens applicants for federal government jobs and conducts security clearance on employees and contractors. Labaton’s complaint is at least the seventh class action against OPM and its private contractor, KeyPoint Government Solutions, including two suits by government employee unions and one with a federal administrative law judge as the lead plaintiff.

Although there is some variation in the alleged causes of action, the suits mostly assert violations of the Privacy Act and the Administrative Procedures Act, as well as negligence against KeyPoint. Late last month, the Justice Department asked the Judicial Panel on Multidistrict Litigation to consolidate the cases and transfer all of them to U.S. District JudgeAmy Jackson of Washington, D.C., who is already presiding over the American Federation of Government Employees’ class action against OPM and KeyPoint.

The JPML said Friday that it would hear oral arguments on Oct. 1 on the government’s motion. Briefs are due before Sept. 14.

It certainly seems likely that the JPML will consolidate the suits, but where they end up transferring them could make a big difference in how this case turns out. The threshold question in data breach suits, as I’ve written many times, is constitutional standing: Can plaintiffs whose personal information has been stolen allege an actual or “certainly impending” threat of injury? That is the standard the U.S. Supreme Court set out in its 2013 decision in Clapper v. Amnesty International, and data breach defendants have since used the Clapper definition to knock out at least 10 class actions by plaintiffs who claimed – like the plaintiffs in the OPM suits – that they have been injured by the increased risk their personal information will be misused.

One of the cases that foundered under Clapper was In re Science Applications International Corp (SAIC) Backup Tape Data Theft Litigation, an MDL consolidated for pretrial proceedings in federal district court in the District of Columbia. The case involved the theft of SAIC data tapes containing personal information, including Social Security numbers, on about 4.7 million members of the U.S. military and their families. U.S. District Judge James Boasberg of Washington concluded in May 2014 that under the Supreme Court’s ruling in Clapper, plaintiffs do not meet constitutional standing requirements when their only alleged injury is the loss of their data and the risk it will be misused.

He did hold plaintiffs had standing when they could plausibly allege their personal information was stolen and misused – one plaintiff, for instance, asserted he had received letters from a credit card company thanking him for a loan application he said he never filed – but Judge Boasberg’s dismissal opinion gutted the case. Plaintiffs ended up voluntarily dismissing what remained.

Plaintiffs’ lawyers have gotten savvier about pleading data breach cases after the initial wave of Clapper dismissals, framing complaints around class members who can show that their information has been misused or that their bank accounts or credit ratings have been impacted by the data theft. But cases redrawn to satisfy standing requirements present cramped damages theories, as we’ve seen in the Target and Sony data breach cases, if the only plaintiffs who can recover are those whose injury is more concrete than the mere loss of personal data and risk that it will be exploited. You can see why the Justice Department wants the OPM case litigated in a district skeptical of standing based on the risk of data misuse.

In one jurisdiction, however, all 21.5 million alleged victims of the OPM data breach may have standing. Last month, a three-judge panel of the 7th Circuit ruled in a data breach case against Neiman Marcus that plaintiffs have standing if they can show they incurred reasonable costs or spent considerable time to mitigate a “substantial risk” of harm. Under the 7th Circuit’s decision, just about anyone whose data has been stolen by hackers can sue because their information may be misappropriated.

Neiman Marcus’ lawyers at Sidley Austin filed a petition for rehearing earlier this month, but unless and until the 7th Circuit grants its motion, the panel’s ruling is the only post-Clapper federal appellate decision on standing in a data breach class action. It’s binding on trial judges in Illinois, Wisconsin and Indiana.

So far, none of the OPM class actions have been filed in those states. Two were brought in Washington, D.C., which, as the Justice Department pointed out in its request for consolidation in that court, is the district of universal venue for the Privacy Act claim at the heart of the OPM suits. Two other plaintiffs filed in California. Others sued in Idaho, Colorado and Kansas. It’s going to be very interesting to see which court plaintiffs ask the JPML to send the OPM litigation to.

more...
No comment yet.
Scoop.it!

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy | HIPAA Compliance for Medical Practices | Scoop.it

By now, most people have felt the effects of the HIPAA Privacy Rule (from the Health Insurance Portability and Accountability Act). HIPAA has set the primary standard for the privacy of healthcare information in the United States since the rule went into effect in 2003. It’s an important rule that creates significant baseline privacy protections for healthcare information across the country.


Yet, from the beginning, important gaps have existed in HIPAA – the most significant involving its “scope.” The rule was driven by congressional decisions having little to do with privacy, but focused more on the portability of health insurance coverage and the transmission of standardized electronic transactions.


Because of the way the HIPAA law was crafted, the U.S. Department of Health and Human Services (HHS) could only write a privacy rule focused on HIPAA “covered entities” like healthcare providers and health insurers. This left certain segments of related industries that regularly use or create healthcare information—such as life insurers or workers compensation carriers— beyond the reach of the HIPAA rules. Therefore, the HIPAA has always had a limited scope that did not provide full protection for all medical privacy.


So why do we care about this now?


While the initial gaps in HIPAA were modest, in the past decade, we’ve seen a dramatic increase in the range of entities that create, use, and disclose healthcare information and an explosion in the creation of healthcare data that falls outside HIPAA.


For example, commercial websites like Web MD and patient support groups regularly gather and distribute healthcare information. We’ve also seen a significant expansion in mobile applications directed to healthcare data or offered in connection with health information. There’s a new range of “wearable” products that gather your health data. Virtually none of this information is covered by HIPAA.


At the same time, the growing popularity of Big Data is also spreading the potential impact from this unprotected healthcare data. A recent White House report found that Big Data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in many areas including healthcare. The report also stated that the privacy frameworks that currently cover healthcare information may not be well suited to address these developments. There is no indication that this explosion is slowing down.


We’ve reached (and passed) a tipping point on this issue, creating enormous concern over how the privacy interests of individuals are being protected (if at all) for this “non-HIPAA” healthcare data. So, what can be done to address this problem?


Debating the solutions


Healthcare leaders have called for broader controls to afford some level of privacy to all health information, regardless of its source. For example, FTC commissioner Julie Brill asks whether we should be “breaking down the legal silos to better protect that same health information when it is generated elsewhere.”


These risks also intersect with the goal of “patient engagement,” which has become an important theme of healthcare reform. There’s increased concern about how patients view this use of data, and whether there are meaningful ways for patients to understand how their data is being used. The complexity of the regulatory structure (where protections depend on sources of data rather than “kinds” of data), and the determining data sources (which is often difficult, if not impossible), has led to an increased call for broader but simplified regulation of healthcare data overall. This likely will call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.


Three options are being discussed on how to address non-HIPAA healthcare data:


  • Establishing a specific set of principles applicable only to “non-HIPAA healthcare data” (with an obvious ambiguity about what “healthcare data” would mean)
  • Developing a set of principles (through an amendment to the scope of HIPAA or otherwise) that would apply to all healthcare data
  • Creating a broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA rules).


Conclusions


It’s clear that the debate and policymaking “noise” on this issue will be ongoing and extensive. Affected groups will make proposals, regulators will opine, and legislative hearings will be held. Industry groups may develop guidelines or standards to forestall federal legislation. We’re a long way from any agreement on defining new rules, despite the growing consensus that something must be done.

Therefore, companies that create, gather, use, or disclose any kind of healthcare data should evaluate how this debate might affect them and how their behavior might need to change in the future. The challenge for your company is to understand these issues, think carefully and strategically about your role in the debate, and anticipate how they could affect your business going forward.

more...
No comment yet.
Scoop.it!

Mega-Mergers: The Security, Privacy Concerns

Mega-Mergers: The Security, Privacy Concerns | HIPAA Compliance for Medical Practices | Scoop.it

Mergers and acquisitions, such as two pending mega-deals in the health insurance sector, pose security and privacy risks that need to be addressed before the transactions are completed, during the integration process and over the long haul.


In recent weeks, Anthem Inc. announced plans to buy rival Cigna for $48 billion, and Aetna unveiled a proposed $37 billion purchase of Humana.


"I can't speak specifically to these mergers, but in general they share the same challenges as others going through M&As," says Mac McMillan, CEO of the security consulting firm CynergisTek. Interoperability of systems, consolidation or merging of databases, differing architectures, disparate platforms, consolidation of accounts and accesses conversion of users are among the potential hurdles these companies face, he notes.


"For organizations this large, there is nothing trivial about integrating their networks, systems or controls," McMillan says. "The biggest issues are always disparate systems, controls and interoperability and the privacy and security issues those challenges can create."


When it comes to mergers, privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group notes, "I'm most worried about companies not doing enough diligence about security when these acquisitions are being considered. ... It's becoming increasingly complex to integrate two companies IT infrastructures, and those transitions create new vulnerabilities."


Concerning Anthem's proposed purchase of Cigna, Wu says Anthem's recent hacker attack, which affected nearly 80 million individuals, "shouldn't be downplayed, but I'd be more concerned about Cigna and whether that company also potentially had a breach that perhaps hasn't been discovered yet."


Privacy attorney Kirk Nahra of the law firm Wiley Rein LLP notes that the transition period after two companies merge presents new risks. "Because of the tremendous concerns about data security and cybersecurity breaches, integration of overall security is a particular challenge," he says. "It is easier to attack a hybrid, half-integrated company than two separate companies."


Anthem's proposed acquisition of Cigna comes "at a time where Anthem is under a lot of pressure with respect to its information security, [and] the acquisition of another large insurer represents a lot more to add to its plate," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"It will need to integrate its information security processes into a host of new systems, with each new, potentially unfamiliar system bringing new risks if not properly integrated," he says.

Critical Decisions

When mergers and acquisition are completed, a big challenge is picking and choosing whoseinformation security program will dominate after the transaction is completed.


"Often times, the information security program of the larger entity takes over the smaller," Greene notes. "In good situations, each entity learns from the other and the overall information security is improved, after a painful integration process. But sometimes the reverse happens, and good information security practices are abandoned because they are not practiced by the larger entity."


McMillan says merging organizations should "take an inventory of which set of controls, processes,technologies, etc. are either the most mature or the best overall." Then they can consider merging the programs, "the same way they merge organizations - capitalizing on the best of both."


While that best-of-breed-themed approach might work well in some mergers and acquisitions, typically things don't end up going that smoothly, Nahra contends.


"There are two kinds of challenges - inconsistencies in practices, either involving data security or privacy, and then operational implications of these inconsistencies, where one of the entities tries to apply its process or practices to the differing practices or operations of the other," Nahra says. "These challenges are exacerbated when there hasn't been a lot of due diligence on privacy/data security issues."

Access Control

One issue that's frequently overlooked during the blending IT networks of merging companies is access control, says Rebecca Herold, partner and co-founder of SIMBUS Security and Privacy Services.


When an organization is undergoing a merger, some employees typically lose their jobs because their role duplicates another's role, Herold says. "But the company keeps them on for a certain amount of time because they are training another person or finishing up on a project," she says. "However, during this time, I've seen disgruntled insiders who have access to information or administrative controls and have tried to sabotage the company that fired them."


Often executives don't have insight into all the risks that are involved with blending computer networks, says Herold, who's served as an adviser to merged organizations.


"They want to join or connect the networks in some way, but there are huge risks. When you start connecting one huge network with another one, and start sharing data without proper planning, there are new vulnerabilities and risks that emerge," she says.


If the companies involved in the latest wave of healthcare sector mergers and acquisitions get the regulatory and shareholder approval needed to complete their transactions, they need to keep a few security tips in mind, McMillan says.


"The biggest tip is common sense: Don't undo anything that is currently in place to ensure continuity until what's new is in place and backed up," he says.

more...
No comment yet.
Scoop.it!

Avoid this little-known but costly HIPAA trap

Avoid this little-known but costly HIPAA trap | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare providers who call patients or send automated calls or text messages may be running afoul of federal law.


The law in question, the Telephone Consumer Protection Act (TCPA), was enacted in the 1990s to protect consumers against unwanted automated calls sent to residences or cellphones. The Federal Communications Commission recently established an exemption for healthcare messages that are regulated through HIPAA.


The problem? According to Christine Reilly, co-chair of the TCPA Compliance and Class Action Defense group at the law firm of Manatt, Phelps & Philips, HIPAA doesn't specifically define a "healthcare message."


"There really is not a lot there about those requirements," she told mHealth News. "It is not exactly a model of clarity."


The TCPA, Reilly says, was designed primarily to eliminate unwanted solicitations, and gave birth to the more-well-known Do Not Call Registry in 2003. But how does that translate to a healthcare message that may or may not be selling the provider's services – such as reminders for screenings or appointments, prescription refills and general health and wellness information?


"Those are a little bit more hybrid," Reilly said. "TCPA might consider it marketing, but with a healthcare message it likely falls under HIPAA."

Healthcare providers risk falling into the "TCPA trap," Reilly says, if they enable these types of messages without examining the legal implications. And those are costly – fines of between $500 and $1,500 per message.


Reilly, who will be presenting a webinar in July 30 on the TCPA, suggests healthcare providers check with legal counsel on whether their messaging protocols conform to TCPA or fall under HIPAA.

"Providers want to know what, in fact, qualifies as a healthcare message and what qualifies as an exemption," Reilly says. "A lot of the questions we're getting are about how this works in practical terms."

more...
Gerard Dab's curator insight, July 16, 2015 8:03 PM

Technology still meets resistance!

Scoop.it!

Hospital Slammed With $218,000 HIPAA Fine

Hospital Slammed With $218,000 HIPAA Fine | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with the HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.


Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.


The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacyfor an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.

more...
No comment yet.
Scoop.it!

Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions

Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions | HIPAA Compliance for Medical Practices | Scoop.it

Premera is the third largest health insurer in Washington State, and was hit with a cyber attack initiated on May 5 of last year. The Premera attack exposed the personal information of as many as 11 million current and former clients of Premera across the US. While Premera noted on January 29 of this year - the day the data breach was discovered - that according to best information none of the personal data had been used surreptitiously, the fact remains that the data mined by cyber attackers is exactly the kind of information useful for perpetrating identity theft.

To that end, it has been reported that the cyber attackers targeted sensitive personal information such as names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, phone numbers, member identification numbers, bank account information, and claims and clinical information.

As for why the attack was not discovered for some eight months, Premera has said little. However, the breadth of the attack - affecting some 11 million people - and the delay in discovering the breach (initiated May 5, 2014 and revealed January 29, 2015) will likely provide much fodder for Premera cyber attack lawsuits.

According to the Puget Sound Business Journal, the New York Times had suggested the Premera cyber attack may have been perpetrated by the same China-based hackers who are suspected of breaching the federal Office of Personal Management (OPM) last month. However, the VP for communications at Premera, Eric Earling, notes there is no certainty the attack originated in China.

“We don’t have definitive evidence on the source of the attack and have not commented on that,” he said. “It continues to be under investigation by the FBI [Federal Bureau of Investigation] and we would leave the speculation to others.”

That said, it has been reported that the US government has traced all of these attacks to China.

Recent data breach attacks, including the Vivacity data breach and Connexion data breach, are reflective of a shift in targets, according to cyber attack experts. The attacks to the data systems of the federal OPM notwithstanding, it seems apparent that hackers are increasingly shifting their targets to health insurers in part due to the breadth of information available from the health records of clients.

The goal of cyber attackers in recent months, according to claims appearing in the New York Times, is to amass a huge trove of data on Americans.

Given such a headline as “Premera Blue Cross Reports Data Breach of 11 Million Accounts,” it appears they have a good start. While it might be a “win” for the hackers involved acquiring such data surreptitiously and illegally, it remains a huge loss in both privacy and peace of mind for millions of Americans who entrust their personal information to insurance providers, who, in turn, require such information in order to provide service. Consumers and clients also have historically assumed that such providers have taken steps to ensure their personal information is secure.

When it isn’t - and it takes eight months for a cyber attack to be identified - consumers have little recourse than to launch a Premera cyber attack lawsuit in order to achieve compensation for the breach, and as a hedge for the possibility of ample frustration down the road were the breach to evolve in a full-blown identity theft.

To that end, five class-action data breach lawsuits have been filed in US District Court for the District of Seattle. According to reports, two of the five lawsuits allege that Premera was warned in an April 2014 draft audit by the OPM that its IT systems “were vulnerable to attack because of inadequate severity precautions,” according to the text of the lawsuits.

Tennielle Cossey et al. vs. Premera asserts that the audit in question, “identified… vulnerabilities related to Premera’s failure to implement critical security patches and software updates, and warned that ‘failure to promptly install important updates increases the risk that vulnerabilities will not be.’

“If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems.”

Moving forward, Premera Blue Cross data breach lawsuits are being consolidated into multidistrict litigation, given the number of Americans affected and their various locations across the country. An initial case management conference has been scheduled for August 7.

more...
No comment yet.
Scoop.it!

Shoring Up HealthCare.gov Security

Shoring Up HealthCare.gov Security | HIPAA Compliance for Medical Practices | Scoop.it

The future of Obamacare seems more certain now that the Supreme Court has upheld subsidies for consumers who purchase policies on the federal health insurance exchange. As a result, it's more critical than ever for the federal government to ensure that personally identifiable information is adequately safeguarded on the HealthCare.gov website for the program, as well as state insurance exchanges, as they gear up for open enrollment in the fall.


In recent months, hackers have increasingly focused their attacks on government and healthcare systems. Targets of attacks have included the U.S. Office of Personnel Management and the Internal Revenue Service, as well as health insurers Anthem Inc. and Premera Blue Cross


That's why many security experts are calling attention to the need to make certain that systems supporting the Affordable Care Act, or Obamacare, programs are secure.


"Affordable Care Act insurance exchanges are a hodgepodge of programs operated by states and the federal governments," notes privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "With the recent news of discovery of coordinated, highly sophisticated attacks on large government operated databases, as well as incidents involving large health insurers, it stands to reason that the information systems serving as the backbone to the health insurance marketplaces are an attractive target because of their size and the sensitivity of the information they hold."


Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a civil liberties group, notes: "All large collections of sensitive personal data are at risk." When it comes to potential fraud, "healthcare data is considered more valuable on the open market," he says. "Obviously it matters how well they're protected."

Under Scrutiny

Certainly, security of the federal HealthCare.gov health insurance exchange, which facilitates the electronic health insurance marketplaces for 34 states, has been under intense scrutiny since its rollout in the fall of 2013 during the first open enrollment season for Obamacare.


Congress, as well as government watchdog agencies, including the Government Accountability Office and the Department of Health and Human Services' Office of Inspector General, have examined whether the federal health insurance exchanges - and the 16 state-operated health insurance exchanges - have in place the processes and technology to prevent breaches involving consumers' personal information, including Social Security numbers.


For instance, in April, the OIG issued a report reviewing California's health insurance exchange - Covered California - and the security controls that were in place as of June 2014. The OIG found that California had implemented security controls for its website and databases for its health insurance exchange, but the watchdog agency said more improvements were needed.


OIG determined that California had not performed a vulnerability scan in accordance with federal requirements. Also, the GAO said that Covered California's security plan did not meet some of the Centers for Medicare and Medicaid Services' minimum requirements for protection of marketplace systems, and that Covered California did not have security settings for some user accounts. California officials, in their response to the report, said they planned to implement the OIG's recommendations related to vulnerability scans, security plans and user account settings.


A September 2014 GAO report examining HealthCare.gov security found that CMS - the Department of Health and Human Services unit responsible for the federal insurance exchange - had not always required or enforced strong password controls, adequately restricted systems supporting HealthCare.gov from accessing the Internet, consistently implemented software patches and properly configured an administrative network.


In addition to the HealthCare.gov exchange, another related potential target for hackers is HHS' Multidimensional Insurance Data Analytics System, or MIDAS, which a federal IT budget planning document describes as a "perpetual central repository for capturing, aggregating and analyzing information on health insurance coverage."

The GAO noted in its September 2014 report that MIDAS is intended to create summary reporting and performance metrics related to the federally facilitated marketplace and otherHealthCare.gov-related systems by aggregating data, including PII, collected during the plan enrollment process. GAO found, however, that at the time of its review, CMS hadn't yet approved an impact analysis of MIDAS privacy risks "to demonstrate that it has assessed the potential for PII to be displayed to users, among other risks, and taken steps to ensure that the privacy of that data is protected."


In a recent report, the Associated Press noted a variety of concerns about MIDAS, including current plans for data to be retained indefinitely. "Despite [a] poor track record on protecting the private information of Americans, [the Obama administration] continues to use systems without adequately assessing these critical components," said Sen. Orrin Hatch, R-Utah.


CMS did not immediately respond to an Information Security Media Group request for an update on the security of the MIDAS system.

Data Risks

Health insurers, as well as health insurance exchanges and their related databases, are a potential target for hackers because "any collection of data that includes Social Security numbers is particularly vulnerable," notes security expert Tom Walsh, founder of the consulting firm tw-Security.


"Healthcare was doing a good job of eliminating Social Security numbers from our systems. In the old days, the SSN was a person's member number for their insurance. It was finally getting to the point where SSNs were less frequently collected and used in healthcare," he says.


However, under Obamacare, sensitive consumer data, including Social Security numbers and income information, is used on the insurance exchanges to help individuals enroll in insurance plans and qualify for subsidies, Walsh notes. "So healthcare is back in the SSN game again - especially insurance companies."


Ray Biondo, chief information security officer at insurer Health Care Services Corp. says that the federal government has been taking action to address cyberthreats.


"We have been partnering with the Department of Homeland Security and the FBI and sharing threat information," Biondo says. "They've been collaborative and cooperative and helping us in that space."

Still, all players in the healthcare arena are anxious about potential attacks, he admits. "Everyone is worried about being next."

Playing Politics

Holtzman, the consultant, says it's important that politics don't get in the way of government agencies making the investments that are needed to shore up the security of health insurance exchange data.

"Everyone agrees that the federal and state governments should take decisive action to test existing information security safeguards on the systems that support the health insurance marketplace, and to take appropriate measures to ensure that the data, wherever it is held, is secured from the cybersecurity threat," he says.


"What concerns me is that in the long-running political debate over ACA, Congress has said that the HHS may not spend federal funds to support the development and implementation of the ACA. Perhaps it would be in the public interest to ensure that the fight over whether ACA is good policy does not prevent critical funds needed for investment in protecting the government information systems holding the personal information of millions of Americans from the cybersecurity threat."


Walsh says that protecting the health insurance exchanges also comes down to basics. "I was surprised when I read that the OPM did not encrypt data at rest. The government should lead by example and implement better security practices."


Tien of the Electronic Frontier Foundation, sums up his concerns: "The OPM example shows how pathetically lax information security can be. [The government] needs to make defense a priority and spend money on it."

more...
No comment yet.
Scoop.it!

243 arrested in 10 states for healthcare fraud, false claims, kickbacks, medical ID theft

243 arrested in 10 states for healthcare fraud, false claims, kickbacks, medical ID theft | HIPAA Compliance for Medical Practices | Scoop.it
The Medicare Fraud Strike Force swept through 10 states and arrested 243 people—46 of them physicians, nurses, and other licensed medical professionals—for allegedly defrauding the government out of $712 million in false Medicare and Medicaid billings, federal officials announced June 18. In addition to targeting instances of false claims and kickbacks, the strike force also uncovered evidence of medical identity theft.
Among the defendants is Mariamma Viju of Garland, Texas, an RN and the co-owner and nursing director for Dallas Home Health, Inc. A federal indictment accuses Viju and a co-conspirator of stealing patient information from Dallas-area hospitals in order to then solicit those patients for her business, as well as submitting false Medicare and Medicaid claims, and paying out cash kickbacks to beneficiaries.
In total, the scheme netted Viju $2.5 million in fraudulently obtained payments between 2008 and 2013. She was arrested June 16 and charged with one count of conspiracy to commit healthcare fraud, five counts of healthcare fraud, and one count of wrongful disclosure of individually identifiable health information.
The indictment says Viju allegedly took patient information from Baylor University Medical Center at Dallas, where she worked as a nurse until she was fired in 2012. Dallas Home Health then billed Medicare and Texas Medicaid for home health services on behalf of beneficiaries who were not homebound or otherwise eligible for covered home health services.
Viju also allegedly falsified and exaggerated patients’ health conditions to increase the amounts billed to Medicare and Medicaid, and thereby boost payments to Dallas Home Health. The indictment says she paid kickbacks to Medicare beneficiaries as well to recruit and retain them as patients of Dallas Home Health.
Viju’s co-conspirator—a co-owner of Dallas Home Health—wasn’t named in the indictment, but in a news release from the U.S. Attorney’s Office for the Northern District of Texas, that person was identified as her husband Viju Mathew. He’s a former registration specialist at Parkland Hospital in Dallas and pleaded guilty in November 2014 to one count of fraud and related activity in connection with identity theft.
Prosecutors say he used his position to obtain PHI, including names, phone numbers, birthdates, Medicare information, and government-issued health insurance claim numbers, so he could use it to contact prospective patients for his home health care business. He is due to be sentenced in August 2015.
In another case in Maryland, Harry Crawford—owner of RX Resources and Solutions—and two of his employees—Elma Myles and Matthew Hightower—are all charged with aggravated identity theft in addition to healthcare fraud and conspiracy to commit healthcare fraud.
An indictment from a federal grand jury accuses Crawford, Myles, and Hightower of fraudulently using actual names, addresses, and unique insurance identification numbers of numerous Medicaid beneficiaries to submit fraudulent claims totaling approximately $900,000 between 2010 and 2014.
The alleged scheme used Crawford’s durable medical equipment and disposable medical supply company to bill insurers for equipment and supplies that were never provided to beneficiaries, bill for amounts far in excess of the services delivered, and bill for supplies that weren’t needed and were never prescribed by a physician.
These are just two examples of the criminal fraud uncovered by the strike force.
In other cases, defendants face similar fraud and conspiracy charges for fraudulent billing schemes as well as charges for cash kickbacks, and money laundering, according to the Department of Justice (DOJ). The DOJ says more than 40 defendants are accused of defrauding the Medicare prescription drug program.
This was the largest coordinated takedown, in terms of defendants and money, in the history of the Medicare Fraud Strike Force, according to the DOJ. CMS also suspended licenses for several healthcare providers with authority granted to the agency under the Affordable Care Act.
more...
No comment yet.
Scoop.it!

CFO Gets Prison Time for HITECH Fraud

CFO Gets Prison Time for HITECH Fraud | HIPAA Compliance for Medical Practices | Scoop.it

A former Texas hospital CFO has been sentenced to 23 months in federal prison for submitting false documents so a medical center could receive payments under the HITECH Act electronic health records financial incentive program.


In addition to his prison sentence, Joe White, former CFO of the now-shuttered Shelby Regional Medical Center in East Texas, was ordered to pay restitution of nearly $4.5 million to the HITECH incentive payment program.


Court documents indicate that to help pay the restitution, White has been ordered to liquidate an IRA account and an annuity, which as of November 2014, had respective balances of about $115,000 and $2,500.


White, 68, of Cameron, Texas, pleaded guilty on Nov. 12, 2014, to making false statements in November 2012 to the Centers for Medicare and Medicaid Services that Shelby Regional Medical Center was a meaningful user of EHRs, when the hospital actually was primarily using paper records, according to the Department of Justice.


To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAAsecurity risk assessment.

Case Details

In a statement issued by the FBI on June 18, U.S. attorney John Bales said, "The EHR incentive program was designed to enhance the delivery of excellent medical care to all Americans and especially for those citizens who live in underserved, rural areas like Shelby County. There is no doubt that Mr. White understood that purpose and yet, he intentionally decided to steal taxpayer monies and in the process, undermine and abuse this important program."


According to information presented in court, White was CFO for Shelby Regional as well as other hospitals owned and operated by Tariq Mahmood, M.D., of Cedar Hill, Texas.


The 54-bed Shelby Regional closed last year amidst legal issues involving Mahmood, who was indicted by a federal grand jury on April 11, 2013. He was charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.


Court documents indicate that Mahmood was sentenced on April 14 to 135 months in federal prison, and also ordered to pay restitution totaling nearly $100,000 to CMS, the Texas Department of Health and Human Services and Blue Cross Blue Shield.


White oversaw the implementation of EHRs for Shelby Regional and was responsible for attesting to the meaningful use of the EHRs to qualify to receive HITECH incentive payments from Medicare, according to the FBI.


As a result of White's false attestation, Shelby Regional Medical Center received nearly $786,000 from Medicare, the FBI statement says. In total, hospitals owned by Mahmood were paid more than $16 million under the Medicare and Medicaid EHR incentive program, the FBI says.


A Justice Department spokeswoman tells Information Security Media Group that the $4.5 million restitution that White was ordered to pay represents the EHR incentive money Shelby Regional received from CMS under false attestation, as well as EHR incentive money that other hospitals owned by Mahmood, for which White was also CFO, received from CMS. While White did not personally receive the incentive money from CMS, "restitution is mandatory pursuant to the Mandatory Victim Restitution Act of 1996," she explains, citing 18 USC 3663A(a)(1), which says, "Notwithstanding any other provision of law, when sentencing a defendant convicted of an offense described in subsection (c), the court shall order, in addition to...any other penalty authorized by law, that the defendant make restitution to the victim of the offense. ..."

More Cases to Come?

Healthcare attorney Brad Rostolsky of the law firm Reed Smith says that although most healthcare professionals and organizations participating in the HITECH meaningful use incentive program are trying to play by the rules, federal regulators must be on the look-out for potential fraudsters, considering the billions of dollars in incentives being paid.


"My sense is that the large majority of institutional and small/solo practice providers appreciate the context in which these meaningful use attestations are being made, and they focus on ensuring that the attestations are true and accurate," he says. "That said, in situations where the facts are as they are [in the Joe White case], it would not surprise me if the government continues to be aggressive in its enforcement."


Attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he expects federal authorities will file more HITECH criminal cases. "The sense we have gotten from public statements by OIG and others involved in prosecuting healthcare fraud violations is that there are a number of investigations ongoing to determine if there has been fraud in obtaining funds through the EHR incentive payment program," he says.


Holtzman suggests that those organizations that have received HITECH incentives must keep thorough documentation to prove they met all the requirements.


"The key is to keep detailed documentation of the information that was used to support the representations in the attestation for seven years," he says. "An individual or organization can avoid criminal culpability through showing that a reasonable effort was made to support a belief that the provider or hospital had met the meaningful use requirements and was therefore eligible for receiving EHR incentive payments."

HITECH Audits

While criminal cases related to the HITECH Act EHR incentive program have been rare, federal regulators have been ratcheting up their audits of healthcare entities attesting to "meaningful use" of EHRs.


Among those selected was Temple University Health System in Philadelphia, which recently passed an audit for meaningful use compliance at one of its hospitals, says CISO Mitch Parker. The area of attestation most closely scrutinized by CMS auditors was Temple's HIPAA security risk assessment, he says.


"You can't skimp on the risk assessment. That's the first and foremost item that they look for," he says. "And it can't be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours."

more...
No comment yet.
Scoop.it!

HIPAA Could Hurt, Not Help, Data Privacy and Security

HIPAA Could Hurt, Not Help, Data Privacy and Security | HIPAA Compliance for Medical Practices | Scoop.it

By now, you have probably heard about the theft of more than 14 million dossiers on federal employees and the theft of the personal health information (PHI) of 80 million people from Anthem-Blue Cross. You may not have heard about many of the other computer security flaws and breaches that are reported almost daily.

Here are a few from the last couple of weeks:


• A vulnerability in Samsung's Android keyboard installed on over 600m devices worldwide could allow hackers to take full control of the smartphone or tablet.


• Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users' personal information, including passwords, addresses, door codes, and location data, vulnerable to hackers.


• Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.


• Professor Phil Koopman , an expert who testified at one of the Toyota "sticking throttle" trials, detailed a myriad of defects in the software of the throttle control system and in Toyota's software development process. Michael Barr, another expert, cited a heavily redacted report that suggests the presence of at least 243 violations of the " Power of 10—Rules for Developing Safety Critical Code," published in IEEE Computer in 2006 by NASA team member Gerard Holzmann.


• The Boeing 787 aircraft's electrical power control units shut down if powered without interruption for 248 days. As a result, the FAA is telling the airlines they have to do a maintenance reboot of their planes every 120 days.


I've always assumed, as I imagine that you have, that, if any organizations could be expected to use "best practices" and thereby avoid flaws and breaches, it would be Anthem, the feds, Google, Samsung, Apple, Boeing, and Toyota. The only reasonable conclusion is that impenetrable, flaw-free systems are simply not possible and this will not change any time soon. Keep that in mind during the upcoming discussion.


The government, at the behest of lawmakers, loves to tell people what to do. Feasibility and relevance are annoying details =best dispensed with. Even vocal conservatives and libertarians, who should be staying out of other people's business on principle, love to tell people what to do. These folks got together in 1996 and enacted HIPAA (in full disclosure, I testified before a congressional subcommittee on this bill before it was enacted).


Among other things HIPAA tells people what to do about privacy and security of patient data, but without much evidence that they needed telling.


I always wondered:


1. Were privacy and security a huge, out-of-control problem before HIPAA?


2. What was the evidence that existing laws regarding inappropriate release of PHI were not sufficient to induce people to exercise due diligence? If they were adequate, were they being enforced? If they were inadequate could they not have been strengthened?


3. Has HIPAA helped?


4. Do billions of signed statements acknowledging privacy policies actually protect anyone's privacy?


5. If there was an incremental improvement as a result of HIPAA, was it worth the billions that have been spent?


6. Do the penalties reduce the chances of a breach?


7.  And finally, is there any chance that the technical measures that are demanded will be effective, given the state of the art.


The approach to the first six questions has basically been one of "don't ask, don't tell," so we will never be able to judge whether the whole thing was worth the trouble or not. The answer to the last question, based on the material presented in the introduction, is: No. The technical expectations embodied in HIPAA are little more than someone's dream. There is no evidence that even the most capable, best resourced organizations in the country are capable of satisfying them (that doesn't mean they shouldn't try). A great deal of time and money could be saved or redirected to patient care if a more realistic approach was taken toward privacy and security. The magnitude and prevalence of breaches has been growing steadily. As it stands, HIPAA may actually harmful because it distracts attention and diverts resources away from those actions that might actually improve privacy and security.

more...
No comment yet.
Scoop.it!

Chip-powered credit cards to challenge providers this fall

Chip-powered credit cards to challenge providers this fall | HIPAA Compliance for Medical Practices | Scoop.it

In an effort to improve security, America's banks and credit-card issuers will switch in the next few months from strip-based to microchip-based cards. That means healthcare providers will face another significant financial-systems conversion, in addition to the looming ICD-10 switchover

More than half a billion of these “EMV” cards, so-named for the initials of the major card issuers that developed them—Europay, MasterCard and Visa—are expected to be issued and in use by the end of 2015.

The cards already are in use in Europe and Canada. Canada started a slow rollout of EMV cards in 2006, and now about 95% of Canadian merchants have converted to chip card readers, said Karen Cox, vice president of payments and retail solutions for Moneris Solutions, a Toronto-based provider of financial processing systems, owned by Canada's two largest banks, Royal Bank of Canada and Bank of Montreal. 

According to research estimates, by October, 63% of U.S. cards and 47% of terminals used across all industries to process transactions will be converted to EMV technology, she said.

Unlike the planned, industry-wide and federally mandated Oct. 1 upgrade to ICD-10 diagnostic and procedural codes, which is creating a big lift for everyone in the healthcare claims stream, there is no federal requirement that any U.S. business, including hospitals and office-based physician practices, switch to EMV cards. 

But efforts to reduce fraud will drive the conversion to chip cards, Cox said. 

In the U.S., a shift in financial liability for fraudulent charges will drive merchant adoption of chip-card technology, or at least that's the intention, Cox said. The change in liability will be enforceable by the credit-card issuers through their agreements with businesses that accept credit card payments, Cox said. 

“After October, if someone (a fraudster) with a chip card would hit a chip terminal, the merchant is protected from charge back,” by the card issuer, Cox said. But if the merchant, hospital or medical practice is still using an older magnetic strip reader, the liability for charge-backs falls on the business still using the older technology. 

Cox says providers shouldn't worry about the expense of new card readers.

“Your typical countertop terminal is $200 to $300 for one that does everything,” Cox said. The rub more likely will come with software conversions for hospital financial and office-practice management systems, she said.

Cox says not all vendors are ready for the conversion and no one should take on the task of writing EMV interface themselves.

The Electronic Health Records Association, a trade group for EHR developers, many of which also have financial systems, declined to comment. 

The linchpin for chip-card technology adoption going forward—as it has been in the past—remains with the banks, not the vendors, said Robert Tennant, senior policy advisor with the Medical Group Management Association, who recently received a smart-chipped American Express card in the mail. “The vendor's argument is, 'Why should we build in the technology when the financial vendors haven't switched over?' ” he said.

According to Tennant, the switch to chip-based technology will be “an enormous change” for the retail sector, and a somewhat of a lift for medical groups, who will have to buy and reconfigure their credit-card processing equipment and software at their pay windows. But there could be long-term benefits, too. 

“Nothing is ever foolproof, but as far as it goes, I think it's significantly more security than what we have now,” Tennant said.

The MGMA also is part of a 40-member industry collaboration formed last year, and led by the Workgroup for Electronic Data Interchange, to automate the patient registration and intake process. The group is hoping to hammer out an industry consensus around the component parts of a so-called “digital clipboard”containing basic patient demographic and payer or payment information used at registration. 

“On the healthcare side, it opens up a lot more opportunities for data movement,” Tennant said. “If we're going to be moving to this technology, it's a very short step toward using that technology for other purposes.”

Hopes for using smart-card technology in healthcare have risen and fallen several times over the past decade. Last month, the Government Accountability Office recommended that Medicare ought to consider issuing smart cards to beneficiaries to speed patient identification and eligibility verification.

more...
No comment yet.
Scoop.it!

Privacy Workgroup Prepares ‘Big Data’ Recommendations

Privacy Workgroup Prepares ‘Big Data’ Recommendations | HIPAA Compliance for Medical Practices | Scoop.it
The Privacy and Security Workgroup of the Health IT Policy Committee is preparing a set of recommendations about how the Office of the National Coordinator for Health IT should approach “big data” issues for both HIPAA-covered entities as well as for the marketplace outside the HIPAA sphere. 
 
At a June 8 meeting, Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, LLP and the workgroup’s chair, led a discussion of draft recommendations to identify gaps in law and regulation around issues including data de-identification and security as well as areas for further inquiry.
 
McGraw noted that outside the HIPAA-covered space, there is not a clearly defined right for patients to access data collected about them. She said there has been a debate with respect to medical devices, such as one patient who made a public argument that he had the right to access data from his pacemaker. The workgroup proposes to remind ONC that outside the HIPAA space, voluntarily adopted codes of conduct can be enforced by the Federal Trade Commission, and many of those codes are under development. 
 
During the meeting there was discussion of, but not agreement about, what it would mean to ask for greater transparency about the algorithms healthcare organizations use to make decisions about individuals and populations, and whether provisions of the Federal Credit Reporting Act could be applied to give consumers more access and help promote trust. Several committee members mentioned that the algorithms themselves could be accurate and valid, yet still be used for discriminating against specific populations or individuals. They also said there would be resistance to opening up proprietary analytics systems for inspection. 
 
“All of this rests on a presumption of data quality,” said Gil Kuperman, director of interoperability informatics at New York-Presbyterian Hospital. “If you have poor quality data, your model could be wrong. Or the model could be good, but if the input data is wrong, you get a poor prediction. To me the quality of the data is still a challenge around ‘big data’ approaches.”
 
McGraw admitted the workgroup has more questions than obvious answers and no consensus about areas of potential harm to consumers. She said there is a need for more inquiry to understand the scope of the issue and where there are gaps in legal protections. There was a general reluctance among workgroup members to suggest that Congress act, given its questionable track record legislating about complex health IT issues. 
 
The workgroup is drafting language to call on the HHS Office for Civil Rights to be a better “steward” of HIPAA de-identification standards and conduct ongoing review of the methodologies and policies and seek assistance from third-party experts, such as NIST. But it is still not clear how big a problem data re-identification is. Noting that the workgroup was not made aware of any HIPAA de-identified data set that has been re-identified, McGraw said, “It is never good to regulate a problem that doesn’t exist yet.”
more...
No comment yet.
Scoop.it!

Four Common HIPAA Misconceptions

Four Common HIPAA Misconceptions | HIPAA Compliance for Medical Practices | Scoop.it

While practices must work hard to comply with HIPAA, some are taking HIPAA compliance efforts a bit too far. That's according to risk management experts, who say there are some common compliance misconceptions that are costing practices unnecessary time and resources.

Here's what they say many practices are avoiding that they don't necessarily need to avoid, and some extra steps they say practices are taking that they don't necessarily need to take.


1. Avoiding leaving phone messages

While it's true that a phone message from your practice to a patient could be overheard by the wrong party, phone messages that contain protected health information (PHI) don't need to be strictly off limits at your practice, says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC."Many offices adopt a blanket policy of, well, 'We can't leave you any phone messages because HIPAA says we can't,' and, that's really not true," he says. "You can always get consent from a patient on how they want to be communicated with."


Hook recommends asking all of your patients to sign a form indicating in what manner you are permitted to communicate with them, such as by mail, e-mail, text, and phone message. "If the patient says, 'Yes, you can call and leave me phone messages at this phone number I'm giving you,' then it's not a HIPAA violation to use that method of communication," he says.


2. Avoiding discussing PHI

It's important to safeguard PHI as much as possible, but some practices are taking unnecessary precautions, says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC.


"I think there's still a fear among small providers ... that they can't discuss protected health information anywhere in the [practice]," she says. "They feel that they have to almost build soundproof walls and put up bulletproof glass or soundproof glass to prevent any sort of disclosure of protected health information, and that's not what HIPAA requires at all. HIPAA allows for incidental disclosures, [which] are disclosures that happen [incidentally] around your job. So if you've got a nurse and a doctor talking, maybe at the nurses' station, and someone overhears that Mr. Smith has blood work today, that probably wouldn't be a violation because it's incidental to the job. Where else are the doctors and nurses going to talk?"


As long as you are applying "reasonable and appropriate" safeguards, Caswell says you should be in the clear.


3. Requiring unnecessary business associate agreements

HIPAA requires practices to have written agreements, often referred to as business associate agreements (BAAs), with other entities that receive or work with their PHI. Essentially, the agreements state that the business associates will appropriately safeguard the PHI they receive or create on behalf of the practice.


Still, some practices take unnecessary precautions when it comes to BAAs, says Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association. "A lot of practices are very concerned about people like janitorial services [and] plant maintenance folks, and they have them sign business associate agreements, but those folks are not business associates for the most part," says Tennant. "You may want to have them sign confidentiality agreements basically saying, 'If you do come across any information of a medical nature, protected health information, you are not permitted to look at it, copy it, keep it ...,' But, you do not need to sign a business associate agreement with anybody other than those folks that you actually give PHI to for a specific reason, like if you've got a law office or accounting office or a shredding company that is coming in to pick up PHI to destroy it."


4. Requiring unnecessary patient authorizations

While it's critical to comply with HIPAA's requirement that only those who have a valid reason to access a patient's medical record, such as treatment purposes, payment purposes, or healthcare operations, have access to it — some practices are misconstruing that rule, says Tennant. "They demand patient authorization before they transfer data to another provider for treatment purposes," he says. "I understand why they do it, but it's one of those things that … can cause delays and confusion, and even some acrimony between the patient and the provider. If it's for treatment purposes specifically, you do not need a patient authorization."

more...
No comment yet.
Scoop.it!

Moving in Front of Healthcare’s Connectivity Curve

Moving in Front of Healthcare’s Connectivity Curve | HIPAA Compliance for Medical Practices | Scoop.it

As a clinician, technology is a significant interest in my life. I have always felt that one way in which to stay young is to embrace technology, and to understand how technology integrates into our professional and personal lives.


This past April, I was intrigued by the announcement of ResearchKit by Apple.. The first research apps developed covered five areas of study: Asthma, breast cancer, cardiovascular disease, diabetes, and Parkinson’s disease. However, the number of commercial and institutional research organizations using the open-source platform of ResearchKit is expanding daily.


More than 75,000 people have enrolled in ongoing health studies using ResearchKit apps to gather health data. Smartphones and wearable technology, with their microphones, cameras, motion sensors, and GPS devices, have unique advantages for gathering health data, and, in some cases, can serve as a valuable addition to regular care from a provider.


The possibilities for benefiting the body of health knowledge are endless. However, it is important for patients to be mindful and use these tools wisely in this modern world of connectivity.

More than a few people are commenting on the possible risks of gathering data in this way. As always in our modern society, available technology is way ahead of regulations. For example, we have strong laws and regulations regarding patient confidentiality enshrined in medical tradition and HIPAA.


Recognizing this vulnerability, Apple added the following to their app store submission guidelines: “All studies conducted via ResearchKit must obtain prior approval from an independent ethics review board.” Meaning, all studies must obtain Institutional Review Baords (IRB) approval. This is a good step in the right direction, but much more care is needed to gather data with the expanding number of ResearchKit apps, to ensure that personal health data is protected and that this technology is used in an ethical, and lawful, way.


Regardless of the all the caveats, I remain intrigued and hopeful that leveraging technology via tools such as smartphones and software like ResearchKit will be a great boon to the understanding of disease and treatments around the world.


I would recommend the following to put us ahead of the curve with these new tools:


  1. Ethical guidelines and procedures need to be developed by the research community in the U.S. to ensure that use of technology in research data gathering is done with the greatest protection of the patients’ individual health data.
  2. Laws and regulations need to be considered to ensure the integrity of the data as well as the protection of personal health information.
  3. Companies like Apple, who are leading the roll out of this technology, should not wait for state and federal governmental entities to regulate the use of technology in research and should be leaders in the ethical, responsible use of apps to gather and use health research data.


Technology in medicine is constantly evolving. We have to try to evolve with it, however, and recognize that the law of unintended consequences is always present, and will always present challenges as the vast universe of technology expands with every increasing speed in medicine and every other area of life.

more...
No comment yet.
Scoop.it!

How Do HIPAA Regulations Affect Judicial Proceedings?

How Do HIPAA Regulations Affect Judicial Proceedings? | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA regulations are designed to keep healthcare organizations compliant, ensuring that sensitive data - such as patient PHI - stays secure. Should a healthcare data breach occur, covered entities or their business associates will be held accountable, and will likely need to make adjustments to their data security approach to prevent the same type of incident from happening again.


However, there are often questions and concerns in how HIPAA regulations tie into certain judicial or administrative proceedings. For example, if there is a subpoena or search warrant issued to a hospital, is that organization obligated to supply the information? What if the information being sought qualifies as PHI? Can covered entities be held accountable if they release certain information, and then that data falls into unauthorized individuals’ control?


This week, HealthITSecurity.com will break down how judicial proceedings, and other types of legal action, could potentially be impacted by HIPAA regulations. We will discuss how PHI could possibly be disclosed, and review cases where search warrants and similar issues were affected by HIPAA.


What does HIPAA say about searches and legal inquiries?

The HIPAA Privacy Rule states that there are several permitted uses and disclosures of PHI. This does not mean that covered entities are required to disclose PHI without an individual’s permission, but healthcare organizations are permitted to do so under certain circumstances.


“Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make,” the Privacy Rule explains.


The six examples of permitted uses and disclosures are the following:

  • To the Individual (unless required for access or accounting of disclosures)
  • Treatment, Payment, and Health Care Operations
  • Opportunity to Agree or Object
  • Incident to an otherwise permitted use and disclosure
  • Public Interest and Benefit Activities
  • Limited Data Set for the purposes of research, public health or health care operations.


Under the public interest and benefit activities, the Privacy Rule dictates that there are “important uses made of health information outside of the healthcare context.” Moreover, a balance must be found between individual privacy and the interest of the public.

There are several examples that relate to disclosing PHI due to types of legal action:


  • Required by law
  • Judicial and administrative proceedings
  • Law enforcement purposes


Covered entities and their business associates are permitted to disclose PHI as required by statute, regulation or court orders.

“Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided,” according to the HHS website.


For “law enforcement purposes” HIPAA regulations state that PHI can also be disclosed to help identify or locate a suspect, fugitive, material witness, or missing person. Law enforcement can also make requests for information if they are trying to learn more information about a victim - or suspected victim. Another important aspect to understand is that a covered entity can can disclose sensitive information if it believes that PHI is evidence of a crime that took place on the premises. Even if the organization does not think that a crime took place on its property, HIPAA regulations state that PHI can disclosed “when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.”


Essentially, covered entities and business associates must use their own judgement when determining if it is an appropriate situation to release PHI without an individual’s knowledge. For example, if local law enforcement want more information from a hospital about a former patient whom they believe is dangerous, it is up to the hospital to weigh the options of releasing the information.

How have HIPAA regulations affected court rulings?

There have been several court rulings in the last year discussing HIPAA regulations and how covered entities are allowed to release PHI.


Connecticut: The Connecticut Supreme Court ruled in November 2014 that patients can sue a medical office for HIPAA negligence if it violates regulations that dictate how healthcare organizations must maintain patient confidentiality. In that case, a patient found out that she was pregnant in 2004 and asked her medical facility to not release the medical information to the child’s father. However, the organization released the patient’s information when it received a subpoena. The case claimed that the medical office was negligent in releasing the information, and that the child’s father used the information  for “a campaign of harm, ridicule, embarrassment and extortion” against the patient.


Florida: Just one month earlier, a Florida federal appeals court ruled that it is not a HIPAA violationfor physician defendants to have equal access to plaintiffs’ health information. In this case, a patient sued his doctor for medical negligence. Florida law states that the plaintiff must provide a health history, including copies of all medical records the plaintiff’s experts relied upon in forming their opinions and an “executed authorization form” permitting the release of medical information. However, the plaintiff claimed the move would violate his privacy. The appeals court ruled that two instances applied in this case where HIPAA regulations state that covered entities are permitted to release PHI.


As demonstrated in these two court cases, it is not always easy for covered entities to necessarily determine on their own when they are compromising patient privacy and when they are adhering to a court order. However, by seeking appropriate counsel, healthcare organizations can work on finding a solution that meets the needs of all parties involved.

more...
No comment yet.
Scoop.it!

The UCLA Health System Data Breach: How Bad Could It Be…?

The UCLA Health System Data Breach: How Bad Could It Be…? | HIPAA Compliance for Medical Practices | Scoop.it

Just hours ago, a Los Angeles Times report broke the news that hackers had broken into the UCLA Health System, creating a data breach that may affect 4.5 million people. This may turn out to be one of the biggest breaches of its kind in a single patient care organization to date, in the U.S. healthcare system. And it follows by only a few months the enormous data breach at Anthem, one of the nation’s largest commercial health insurers, a breach that has potentially compromised the data of 4.5 million Americans.


The L.A. Times report, by Chad Terhune, noted that “The university said there was no evidence yet that patient data were taken, but it can't rule out that possibility while the investigation continues. And it quoted Dr. James Atkinson, interim president of the UCLA Hospital System, as saying “We take this attack on our systems extremely seriously. For patients that entrust us with their care, their privacy is our highest priority we deeply regret this has happened.”


But Terhune also was able to report a truly damning  fact. He writes, “The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.” And he quotes Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas, as saying, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.”


What’s startling is that the breach at the Indianapolis-based Anthem, revealed on Feb. 5, and which compromised the data of up to 80 million health plan members, shared two very important characteristics with the UCLA Health breach, so far as we know at this moment, hours after the UCLA breach. Both were created by hackers; and both involved unencrypted data. That’s right—according to the L.A. Times report, UCLA Health’s data was also unencrypted.


Unencrypted? Yes, really. And the reality is that, even though the majority of patient care organizations do not yet encrypt their core, identifiable, protected health information (PHI) within their electronic health records (EHRs) when not being clinically exchanged, this breach speaks to a transition that patient care organizations should consider making soon. That is particularly so in light of the Anthem case. Indeed, as I noted in a Feb. 9 blog on the subject, “[A]s presented in one of the class action lawsuits just recently filed against it,” the language of that suit “contains the seeds of what could evolve into a functional legal standard on what will be required for health plans—and providers—to avoid being hit with multi-million-dollar judgments in breach cases.”


As I further stated in that blog, “I think one of the key causes in the above complaint [lawsuits were filed against Anthem within a few days of the breach] is this one: ‘the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others.’ In other words, simply by signing up, or being signed up by their employers, with Anthem, for health insurance, health plan members are relying on Anthem to fully safeguard their data, and a significant data breach is essentially what is known in the law as a tort.”


Now, I am not a torts or personal injury lawyer, and I don’t even play one on TV. But I can see where, soon, the failure to encrypt core PHI within EHRs may soon become a legal liability.


Per that, just consider a March 20 op-ed column in The Washington Post by Andrea Peterson, with the quite-compelling headline, “2015 is already the year of the health-care hack—and it’s going to get worse.” In it, Peterson,  who, according to her authoring information at the close of the column, “covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government,” notes that “Last year, the fallout from a string of breaches at major retailers like Target and Home Depot had consumers on edge. But 2015 is shaping up to be the year consumers should be taking a closer look at who is guarding their health information.” Indeed, she notes, “Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post.” Well, at this point, that figure would now be about 124.5 million, if the UCLA Health breach turns out to be as bad as one imagines it might be.


Indeed, Peterson writes, “Most breaches of data from health organizations are small and don't involve hackers breaking into a company's computer system. Some involve a stolen laptop or the inappropriate disposal of paper records, for example -- and not all necessarily involve medical information. But hacking-related incidents disclosed this year have dramatically driven up the number of people exposed by breaches in this sector. When Anthem, the nation's second-largest health insurer, announced in February that hackers broke into a database containing the personal information of nearly 80 million records related to consumers, that one incident more than doubled the number of people affected by breaches in the health industry since the agency started publicly reporting on the issue in 2009.”


And she quotes Rachel Seeger, a spokesperson for the Office for Civil Rights in the Department of Health and Human Services, as saying in a statement, following the Anthem breach, “These incidents have the potential to affect very large numbers of health care consumers, as evidenced by the recent Anthem and Premera breaches."


So this latest breach is big, and it is scary. And it might be easy (and lazy blogging and journalism) to describe this UCLA Health data breach as a “wake-up call”; but honestly, we’ve already had a series of wake-up calls in the U.S. healthcare industry over the past year or so. How many “wake-up calls” do we need before hospitals and other patient care organizations move to impose strong encryption regimens on their core sensitive data? The mind boggles at the prospects for the next 12 months in healthcare—truly.

more...
No comment yet.
Scoop.it!

Hospital with repeat security failures hit with $218K HIPAA fine

Hospital with repeat security failures hit with $218K HIPAA fine | HIPAA Compliance for Medical Practices | Scoop.it

Does your hospital permit employees to use a file-sharing app to store patients' protected health information? Better think again. A Massachusetts hospital is paying up and reevaluating its privacy and security policies after a file-sharing complaint and following a HIPAA breach. 


St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations. The settlement resulted from a 2012 complaint filed by hospital employees, stating that the medical center was using a Web-based document-sharing application to store data containing protected health information. Without adequately analyzing the security risks of this application, it put the PHI of nearly 500 patients at risk.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


It wasn't just the complaint that got St. Elizabeth's in hot water, however. A HIPAA breach reported by the medical center in 2014 also called attention to the lack of adequate security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. The breach ultimately impacted 595 patients, according to a July 10 OCR bulletin.


As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of its employees' awareness and compliance with hospital privacy and security policies. Part of this assessment will involve "unannounced visits" to various hospital departments to assess policy implementations. Officials will also interview a total of 15 "randomly selected" employees with access to PHI. Additionally, at least three portable devices across each department with access to PHI will be inspected.


Then there's the policies and training piece part of the settlement. With this, St. Elizabeth's based on the assessment, will submit revised policies and training to HHS for approval.


In addition to the filed complaint and the 2014 breach, the medical center also reported an earlier HIPAA breach in 2012when paper records containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found blowing in a field nearby.


To date, OCR has levied nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.


The largest settlement to date was the whopping $4.8 million fine paid by New York Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being posted on Internet search engines. 

more...
Gerard Dab's curator insight, July 16, 2015 8:05 PM

Security! Security! Security!

#medicoolhc #medicoollifeprotector

Scoop.it!

State AGs clash with Congress over data breach laws

State AGs clash with Congress over data breach laws | HIPAA Compliance for Medical Practices | Scoop.it

Attorneys general from all 47 states with data breach notification laws are urging Congress not to preempt local rules with a federal standard.

“Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft,” they wrote in a letter sent to congressional leaders on Tuesday.

Lawmakers have been weighing a number of measures that would create nationwide guidelines for notifying customers in the wake of a hack that exposes sensitive information. Industry groups have argued that complying with the patchwork set of rules in each state is burdensome and costly.


The rapidly rising number of breaches at retailers, banks and government agencies has only raised pressure on Congress to pass legislation.

While the concept of a federal standard has bipartisan appeal, the two parties have split over whether to totally preempt state laws.

Democrats fear a nationwide rubric that preempts state law could weaken standards in states that have moved aggressively on data breach laws. Republicans fear that an overly strict federal standard could empower overzealous government regulators.

Lawmakers also disagree on what type of breaches should trigger a notification.

The differing views have spawned a cavalcade of bills on Capitol Hill, many of which would preempt state laws.

“Given the almost constant stream of data security breaches, state attorneys general must be able to continue our robust enforcement of data breach laws,” said Virginia Attorney General William Sorrell, who oversees a law that requires companies to notify officials within 14 days of discovering a breach, in a statement. “A federal law is desirable, but only if it maintains the strong consumer protection provisions in place in many states.”

Many state attorneys general, including Sorrell, favor a Senate data breach offering from Sen. Patrick Leahy (D-Vt.) and co-sponsored by five other Democrats.

Notably the bill does not preempt state laws that are stricter than the standard delineated in Leahy’s bill.

It also provides a broad definition of what type of information would constitute a notification-worthy breach. It includes photos and videos in addition to more traditional sensitive data such as Social Security numbers or financial account information.

But most important for states is retaining their ability to set their own standards.

“States should also be assured continued flexibility to adapt their state laws to respond to changes in technology and data collection,” the letter said. “As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy.”

more...
No comment yet.
Scoop.it!

Six Potential HIPAA Threats for PHOs and Super Groups

Six Potential HIPAA Threats for PHOs and Super Groups | HIPAA Compliance for Medical Practices | Scoop.it

Physician Hospital Organizations (PHOs) and super groups are on the rise. About 40 percent of physicians either work for a hospital or a practice group owned by a hospital, or they ban together to form a super group. Individual practices share operations, billing, and other administrative functions, gain leverage with insurance companies, add specialist resources and increase referrals, improve patient outcomes with a cohesive care plan, and more. The benefits are plentiful.

But just like a negative restaurant review on Yelp can hurt customer patronage and the restaurant's reputation, one practice that commits a HIPAA violation can affect the entire group, and result in an expensive fine, cause distrust among patients, and in extreme cases, the data breach can lead to medical identity theft.


For PHOs and super groups, adherence to HIPAA rules becomes more complicated when compliance isn't consistent among the group's practices, and a compliance officer isn't on board to manage risks and respond to violations.


At a minimum, the group should identify the potential sources for exposure of electronic protected health information (ePHI) and take measures to avert them. For example:


Super groups include smaller practices that struggle with HIPAA compliance and associated time and costs. Although PHOs or super groups may be abundant in physicians, employees, and offices, these assets could come from a majority of smaller organizations. Historically smaller practices struggle with resources to comply with HIPAA and hiring expensive compliance consultants could be prohibitive at the individual practice level.


Each practice uses a different EHR, or the EHR is centralized but the ePHI is stored on different devices. It becomes difficult to assess HIPAA compliance as well as how patient data is being protected when there are various EHRs implemented across multiple practices. Some EHRs may be cloud based while other systems reside in an individual practice's office. Getting an accurate inventory of where ePHI is stored or accessed can be challenging.


Hospitals can't conduct thorough security risk assessments for each practice in the group. A PHO could have 20 or more individual practices and the time required to perform individual security risk assessments could be daunting. These risk assessments are labor intensive and could strain the resources of hospital compliance staff.


Meaningful use drives HIPAA compliance and grants from HHS could be significant, especially with a large number of providers. Along with these funds comes responsibility to comply with meaningful use objectives. One of the most frequent causes of failing a meaningful use audit is ignoring a HIPAA security risk assessment. If one practice fails an audit, it could open the door to other practices in the group being audited, which could result in a domino effect and a significant portion of EHR incentive funds having to be returned.


For physician groups that share patient information the security is only as strong as the weakest link — one practice or even one employee. A breach at one practice could expose patient information for many or all other practices. Security is then defined by the weakest link or the practice that has the weakest security implemented.


Untrained employees in the front office unwittingly violate HIPAA and a patient's right to privacy. An employee could fall for a phishing scam that gives criminals access to a practice's network, and compromises the security of many or all practices within the PHO or super group.


The best way to avoid a HIPAA violation and a patient data breach is to create a group policy that requires each practice to:


• Perform regular HIPAA security risk assessments;

 •Inventory location of patient information;

• Assess common threats;

• Identify additional security needs;

• Set up policies and procedures;

• Stay up to date on patient privacy rules and requisite patient forms; and

• Properly train employees in protecting both the privacy and security of ePHI.


Make sure every practice in the group treats HIPAA compliance with the same care as a patient's medical condition.

more...
Roger Steven's comment, July 10, 2015 6:34 AM
nice article www.mentorhealth.com
Scoop.it!

Website Error Leads to Data Breach

Website Error Leads to Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

An error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals. The incident is a reminder to all organizations about the importance of sound systems development life cycle practices.


In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan adminstrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.


Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.


"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.


Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."


The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."

Similar Incidents

The coding error at Blue Shield of California that led to the users being able to view other individuals' information isn't a first in terms of programming mistakes on a healthcare-sector website leading to privacy concerns.


For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site.


Software design and coding mistakes that leave PHI viewable on websites led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.


An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.


The corrective action plan required the physicians practice, among other measures, to conduct arisk assessment and implement appropriate policies and procedures.

Measures to Take

Security and privacy expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, says that to avoid website-related mistakes that can lead toprivacy breaches, it's important that entities implement appropriate controls as well as follow the right systems development steps.


"Organizations should have a sound systems development life cycle - SDLC - in place to assess all systems in a production environment, especially those that are externally facing," he says. "Components of a mature SDLC would include code reviews, user acceptance testing, change management, systems analysis, penetration testing, and application validation testing."


Healthcare entities and business associates need to strive for more than just HIPAA compliance to avoid similar mishaps, he notes.

"Organizations that are solely seeking HIPAA compliance - rather than a comprehensive information security program - will never have the assurance that website vulnerabilities have been mitigated through the implementation of appropriate controls," he says. "In other words, HIPAA does not explicitly require penetration testing, secure code reviews, change management, and patch management, to name a few. These concepts are fundamental to IT security, but absent from any OCR regulation, including HIPAA."

Earlier Blue Shield Breach

About a year ago, Blue Shield of California reported a data breach involving several spreadsheet reports that inadvertently contained the Social Security numbers of 18,000 physicians and other healthcare providers.


The spreadsheets submitted by the plan were released 10 times by the state's Department of Managed Health Care. In California, health plans electronically submit monthly to the state agency a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas - but not Social Security numbers. DMHC makes those rosters available to the public, upon request.

more...
No comment yet.
Scoop.it!

243 Charged in Medicare Fraud Schemes

243 Charged in Medicare Fraud Schemes | HIPAA Compliance for Medical Practices | Scoop.it

Federal authorities announced their largest national Medicare fraud takedown to date, involving criminal charges against 243 individuals allegedly responsible for false billing totaling approximately $712 million.


In a June 18 joint announcement, officials at the Department of Health and Human Services, Department of Justice and FBI said a "nationwide sweep" led by the Medicare Fraud Strike Force in 17 districts has resulted in charging 243 individuals, including 46 physicians, nurses and other licensed medical professionals, for their alleged participation in Medicare fraud schemes. As of June 18, 184 defendants had been taken into custody, a DOJ spokesman says.


Officials called "the coordinated takedown" the largest in strike force history, both in terms of the number of defendants charged and the loss amount.


The sweep also resulted the Centers for Medicare and Medicaid Services using its authority under the Affordable Care Act to suspend a number of healthcare providers from participating in the Medicare program.

Variety of Charges

The defendants in the takedown are charged with various healthcare fraud-related crimes, including conspiracy to commit healthcare fraud, violations of the anti-kickback statutes, money laundering and aggravated identity theft. The charges are based on a variety of alleged fraud schemes involving various medical treatments and services, including home healthcare, psychotherapy, physical and occupational therapy, durable medical equipment and pharmacy fraud.

More than 44 of the defendants are charged with fraud related to the Medicare prescription drug benefit program known as Part D, which regulators say is the fastest-growing component of the Medicare program.


"This takedown adds to the hundreds of millions we have saved through fraud prevention since the Affordable Care Act was passed," said HHS Secretary Sylvia Mathews Burwell. "With increased resources that have allowed the Strike Force to expand and new tools, like enhanced screening and enrollment requirements, tough new rules and sentences for criminals, and advanced predictive modeling technology, we have managed to better find and fight fraud as well as stop it before it starts."


The Medicare Fraud Strike Force, a multi-agency team of federal, state and local investigators and prosecutors designed to combat Medicare fraud through the use of Medicare data analysis techniques, coordinated the investigation. Since the program's inception in March 2007, Strike Force operations in nine locations have charged more than 2,300 defendants who collectively are alleged to have falsely billed the Medicare program for more than $7 billion, according to federal authorities.


Among the large Medicare busts was the May 2014 arrest of 90 individuals in six states who were allegedly tied to Medicare fraud schemes responsible for $260 million worth of false billings. Also, in October 2012, federal authorities announced a Medicare fraud crackdown that involved charges against 91 individuals in fraud schemes allegedly involving approximately $492 million in false billing.

A Wake-Up Call

Security expert Mac McMillan, CEO of the consultancy CynergisTek, says the magnitude of the most recent Medicare takedown is significant. "This should be a wake-up call to those healthcare professionals who think it is OK to fudge around the edges, or in some cases just outright steal from the system, that their days are numbered and the feds are serious about curbing this very important problem," he says. "Hopefully it will have some impact, but frankly, right now, it seems like someone declared open season on healthcare between this [type of fraud] and the hacks we've seen lately."


Healthcare entities can help in the battle against fraud by monitoring for criminal behavior within their own organizations, he says. "One of the simplest ways is to perform periodic audits of what workforce members involved in preparing or handling claims are doing, as well as audits of patients receiving discharge summaries and bills."


Additionally, more commercial health insurers should follow CMS's lead and implement analytical tools that can help detect suspicious activities, he says. "They are the only really effective tools for proactive monitoring and detection," he says. "Those committing fraud may not cause a compliance trigger to be activated, but generally fraud requires an abnormal event to occur. Monitor for those, and you have a better chance of detecting inappropriate behavior."

Fraud Scams Busted

Among those charged in the latest Medicare fraud takedown were individuals in six states:


  • Seventy-three defendants in Miami were charged with offenses relating to their alleged participation in various fraud schemes involving approximately $263 million in false billings for home healthcare, mental health services and pharmacy fraud. In one case, administrators in a mental health center billed close to $64 million between 2006 and 2012 for purported intensive mental health treatment to beneficiaries and allegedly paid kickbacks to patient recruiters and assisted living facility owners. Medicare paid approximately half of the claimed amount.
  • Twenty-two individuals in Houston and McAllen, Texas, were charged in cases involving more than $38 million in alleged fraud. One of these defendants allegedly coached beneficiaries on what to tell doctors to make them appear eligible for Medicare services and treatments and then received payment for those who qualified. The company that paid the defendant for recruiting patients to bill for medically unnecessary services submitted close to $16 million in claims to Medicare, more than $4 million of which was paid.
  • Seven people in Dallas were charged in connection with home healthcare schemes. In one scheme, six owners and operators of a physician house call company allegedly submitted nearly $43 million in billings under the name of a single doctor, regardless of who actually provided the service. The company also allegedly significantly exaggerated the length of physician visits, often billing for 90 minutes or more for an appointment that lasted only 15 or 20 minutes.
  • Eight individuals in Los Angeles were charged for their alleged roles in schemes to defraud Medicare of approximately $66 million. For example, a physician is charged with causing almost $23 million in losses to Medicare through his own fraudulent billing and referrals for durable medical equipment, including more than 1,000 power wheelchairs and home health services that were not medically necessary and often not provided.
  • Sixteen defendants in Detroit were charged for their alleged roles in fraud, kickback and money laundering schemes involving approximately $122 million in false claims for services that were medically unnecessary or never rendered, including home healthcare, physician visits and psychotherapy, as well as pharmaceuticals that were billed but not dispensed. Among those charged are three owners of a hospice service who allegedly paid kickbacks for referrals made by two doctors who defrauded Medicare Part D by issuing medically unnecessary prescriptions.
  • Five individuals in Tampa were charged with participating in a variety of alleged scams, ranging from fraudulent physical therapy billings to a scheme involving millions of dollars worth of clams for physician services and tests that never were provided. In one case, a licensed pain management physician sought reimbursement for nerve conduction studies and other services that he allegedly never performed. Medicare paid the defendant more than $1 million for these purported services.
  • Nine individuals in Brooklyn, N.Y., were charged in two separate criminal schemes allegedly involving physical and occupational therapy. Three of those defendants face charges for their roles in a previously charged $50 million physical therapy scheme.
  • Eleven people in New Orleans were charged in connection with $110 million worth of alleged home healthcare and psychotherapy schemes. In one case, four individuals who operated two companies - one in Louisiana and one in California - that mass-marketed talking glucose monitors across the country allegedly sent the devices to Medicare beneficiaries regardless of whether they were needed or requested. The companies billed Medicare approximately $38 million for the devices, and Medicare paid the companies more than $22 million.
more...
No comment yet.
Scoop.it!

Hospital ID Theft Leads to Fraud

Hospital ID Theft Leads to Fraud | HIPAA Compliance for Medical Practices | Scoop.it

Eight alleged members of an identity theft ring, including a former assistant clerk at Montefiore Medical Center in New York, have been indicted on a variety of charges stemming from using stolen information on nearly 13,000 patients to make purchases at retailers.


Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance, says that the incident points to the need for ongoing vigilance by healthcare organizations to prevent and detect ID theft and other related crimes.


Manhattan District Attorney Cyrus Vance Jr. alleges in a statement that members of the ID theft ring made up to $50,000 in purchases at retailers in Manhattan by opening up store credit card accounts using patient information stolen by former hospital worker, Monique Walker, 32.


Walker was an assistant clerk at Montefiore Medical Center, where her position gave her access to patients' names, dates of birth, Social Security numbers, and other personal information, Vance says.

Between 2012 and 2013, Walker allegedly printed thousands of patients' records on a near daily basis and supplied them to a co-defendant, Fernando Salazar, 28, according to Vance's statement.

Salazar is accused of acting as the ringleader of the operation. He allegedly purchased at least 250 items personal identifying information from Walker for as little as $3 per record, Vance says.


The stolen information was then allegedly provided to other defendants to open credit card accounts that were used for purchasing gift cards and merchandize at retailers, including Barneys New York, Macy's, Victoria's Secret, Zales, Bergdorf Goodman and Lord & Taylor.

Walker is charged with one count of felony grand larceny and one count of felony unlawful possession of personal identification information. The other defendants are charged with varying counts of grand larceny, identity theft and criminal possession of a forged instrument, among other charges.


All of the defendants have been arrested and arraigned in criminal court, and have various dates pending for their next court appearances.


"Case after case, we've seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers," Vance says. "Motivated by greed, profit and a complete disregard for their victims, identity thieves often feed stolen information to larger criminal operations, which then go on to defraud additional businesses and victims. In this case, a hospital employee privy to confidential patient records allegedly sold financial information for as little $3 per record."

Hospital Fires Worker

A Montefiore spokeswoman tells Information Security Media Group that the medical center was informed by law enforcement on May 15 of Walker's alleged crimes dating back to 2012 and 2013. As a result, Walker, who worked for the hospital for about three years, was fired, the spokeswoman says. "Montefiore is fully cooperating with law enforcement, including the Manhattan's District Attorney's office," a hospital statement says.


Law enforcement discovered the connection to Montefiore patient information while investigators were working on the ID theft case, the Montefiore spokeswoman says.


Of the 12,000-plus patient records that were compromised, it's uncertain how many individuals are victims of ID theft crimes, she says. But as a precaution, Montefiore is offering all impacted patients free identity recovery services, 12 months of free credit monitoring and a $1 million insurance policy to protect against identity theft-related costs.


Montefiore has reported the breach to the Department of Health and Human Services Office for Civil Rights, the spokeswoman says. While that incident as of June 22 was not yet listed on HHS'"wall of shame" tally of health data breaches affecting 500 or more individuals, three other breaches at Montefiore Medical Center appear on the federal website.


Those incidents, all reported in 2010, involved the theft of unencrypted computers. That includes the theft of a laptop in March 2010 which resulted in a breach impacting 625; and two July 2010 thefts of desktop computers that impacted 16,820 and 23,753 individuals.

Breach Prevention Steps

In a statement, Montefiore says that following the alleged crimes committed by Walker that were discovered in May, the hospital has expanded both its technology monitoring capabilities and employee training on safeguarding an accessing patient records to further bolster its privacy safeguards.


"The employee involved in this case received significant privacy and security training and despite that training, chose to violate our policies," the statement notes. "In response to this incident, Montefiore is also adding additional technical safeguards to protect patient information from theft or similar criminal activity in the future."


A hospital spokeswoman says the hospital has rolled out "sophisticated technology" to monitor for improper access by employees to the hospital's electronic patient records


The hospital also says it performs criminal background checks on all employees and "has comprehensive policies and procedures, as well as a code of conduct, which prohibits employees from looking at patient records when there is not a work-related reason to do so."

Steps to Take

Dan Berger, CEO of security consulting firm RedSpin, says it's not surprising the breach went undetected for so long because insider attacks are difficult to uncover. It's unclear if the Montefiore hospital clerk had "good reason to access so many records" as part of her job, he notes.


Patterson of the Medical Identity Fraud Alliance notes: "In addition to proper vetting of employees, the continued evaluation of employee education and awareness training programs and of your internal fraud detection programs is necessary. It's not something you do once and are done. Employees who are properly vetted upon initial hire may have changing circumstances that change their work integrity later on in their employ."


Additionally, security measures often need tweaking as circumstances within an organization change, she says.


"Fraud detection processes that worked when a specific type of workflow procedure was in place may need to be adjusted as that workflow process changes. An emphasis on continued evaluation of all components - people, process, technologies - for fraud detection is good practice."


Workforce training is important not only for preventing breaches, including those involving ID crimes, but also to help detect those incidents, she says. "Each employee must understand their role in protecting PHI. Equally important is regular and continued evaluation of the training programs to make sure that employees are adhering to the policies put in place, and that the 'red flags' detection systems are keeping pace with changing technologies and workplace practices."

more...
No comment yet.
Scoop.it!

Four Common HIPAA Misconceptions

Four Common HIPAA Misconceptions | HIPAA Compliance for Medical Practices | Scoop.it

While practices must work hard to comply with HIPAA, some are taking HIPAA compliance efforts a bit too far. That's according to risk management experts, who say there are some common compliance misconceptions that are costing practices unnecessary time and resources.

Here's what they say many practices are avoiding that they don't necessarily need to avoid, and some extra steps they say practices are taking that they don't necessarily need to take.


1. Avoiding leaving phone messages


While it's true that a phone message from your practice to a patient could be overheard by the wrong party, phone messages that contain protected health information (PHI) don't need to be strictly off limits at your practice, says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC."Many offices adopt a blanket policy of, well, 'We can't leave you any phone messages because HIPAA says we can't,' and, that's really not true," he says. "You can always get consent from a patient on how they want to be communicated with."


Hook recommends asking all of your patients to sign a form indicating in what manner you are permitted to communicate with them, such as by mail, e-mail, text, and phone message. "If the patient says, 'Yes, you can call and leave me phone messages at this phone number I'm giving you,' then it's not a HIPAA violation to use that method of communication," he says.


2. Avoiding discussing PHI


It's important to safeguard PHI as much as possible, but some practices are taking unnecessary precautions, says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC.


"I think there's still a fear among small providers ... that they can't discuss protected health information anywhere in the [practice]," she says. "They feel that they have to almost build soundproof walls and put up bulletproof glass or soundproof glass to prevent any sort of disclosure of protected health information, and that's not what HIPAA requires at all. HIPAA allows for incidental disclosures, [which] are disclosures that happen [incidentally] around your job. So if you've got a nurse and a doctor talking, maybe at the nurses' station, and someone overhears that Mr. Smith has blood work today, that probably wouldn't be a violation because it's incidental to the job. Where else are the doctors and nurses going to talk?"


As long as you are applying "reasonable and appropriate" safeguards, Caswell says you should be in the clear.


3. Requiring unnecessary business associate agreements


HIPAA requires practices to have written agreements, often referred to as business associate agreements (BAAs), with other entities that receive or work with their PHI. Essentially, the agreements state that the business associates will appropriately safeguard the PHI they receive or create on behalf of the practice.


Still, some practices take unnecessary precautions when it comes to BAAs, says Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association. "A lot of practices are very concerned about people like janitorial services [and] plant maintenance folks, and they have them sign business associate agreements, but those folks are not business associates for the most part," says Tennant. "You may want to have them sign confidentiality agreements basically saying, 'If you do come across any information of a medical nature, protected health information, you are not permitted to look at it, copy it, keep it ...,' But, you do not need to sign a business associate agreement with anybody other than those folks that you actually give PHI to for a specific reason, like if you've got a law office or accounting office or a shredding company that is coming in to pick up PHI to destroy it."


4. Requiring unnecessary patient authorizations


While it's critical to comply with HIPAA's requirement that only those who have a valid reason to access a patient's medical record, such as treatment purposes, payment purposes, or healthcare operations, have access to it — some practices are misconstruing that rule, says Tennant. "They demand patient authorization before they transfer data to another provider for treatment purposes," he says. "I understand why they do it, but it's one of those things that … can cause delays and confusion, and even some acrimony between the patient and the provider. If it's for treatment purposes specifically, you do not need a patient authorization."

more...
No comment yet.
Scoop.it!

Physicians: Protect Your Data from Hackers in 5 Steps

Physicians: Protect Your Data from Hackers in 5 Steps | HIPAA Compliance for Medical Practices | Scoop.it

According to a recent CNBC report, hackers may have stolen personnel data and Social Security numbers for every single federal employee last December. If true, the cyberattack on federal employee data is far worse than the Obama administration has acknowledged.

J. David Cox, president of the American Federal of Government Employees Union, believes "hackers stole military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; [as well as] age, gender, race data," according to the report. This would be all that is needed for cybercriminals to steal identities of the employees, divert funds from one account to another, submit fake healthcare claims, and create fake accounts for everything from credit cards to in-store credit card purchases.


Although physicians maintain personal and professional data which is especially valuable to thieves, you are not the federal government. Make it hard enough on cybercriminals, and they will move on for lower-hanging fruit. Readers Digest offers good advice in five simple steps in its article, "Internet Security, How not to Get Hacked":


1. Be aware of what you share.


On Facebook, Twitter, or social media, avoid posting birth dates, graduation years, or your mother's maiden name — info often used to answer security questions to access your accounts online or over the phone.


2. Pick a strong password.


Hackers guess passwords using a computer. The longer your password and the more nonsensical characters it contains, the longer it takes the computer. The idea here is that longer, more complicated passwords could take a computer 1,000 years to guess. Give 'em a challenge


3. Use a two-step password if offered.


Facebook and Gmail have an optional security feature that, once activated, requires you to enter two passwords: your normal password plus a code that the companies text to your phone-to access your account. "The added step is a slight inconvenience that's worth the trouble when the alternative can be getting hacked,"  CNET tech writer Matt Elliot told Readers Digest. To set up the verification on Gmail, click on Account, then Security. On Facebook, log in, click on the down icon next to Home, and then click on Account Setting, Security, and finally Login Approvals.


4. Use Wi-Fi hot spots sparingly.


By now, you probably know that Internet cafés and free hotspots are not secure. You shouldn't be doing your online banking from these spots. However, the little button that turns off your laptops Wi-Fi so that your laptop cannot be accessed remotely is also handy. In Windows, right click on the wireless icon in the taskbar to it off. On a Mac, click the Wi-Fi icon in the menu bar to turn off Wi-Fi.


5. Back up your data.


Hackers can delete years' worth of e-mails, photos, documents, and music from your computer in minutes. Protect your digital files by using a simple and free backup system available on websites such as Crashplan and Dropbox


Take this basic instruction and build on it yourself. Google, for example offers advice expanding on the concept of "stong passwords." The worst thing you can do is use "dictionary words," the word "password," and sequential keystrokes, such as "1234" or "qwerty," because the hacker's computers will try these first. For e-mail, pick a phrase, such as "[m]y friends Tom and Jasmine send me a funny e-mail once a day" and then use numbers and letters to recreate it as a cryptic password. "MfT&Jsmafe1ad."

more...
No comment yet.
Scoop.it!

5 Tips to Avoid Violation of HIPAA Laws

5 Tips to Avoid Violation of HIPAA Laws | HIPAA Compliance for Medical Practices | Scoop.it

Although The Health Insurance Portability and Accountability Act (HIPAA) has been around since 1996, it's only become a more familiar term in the healthcare industry since the implementation of the Privacy Rule in 2001. The Privacy Rule was designed to specifically address the protection of an individual's personal health information. It is important for the vitality of your medical office to maintain HIPAA compliance.

Any organization that accesses patient health information is considered a covered entity and is required by law to comply with HIPAA provisions or face civil and/or criminal penalties. It is imperative that medical records remain confidential and cannot be accessed by people that do not have proper authorization. Disclosures made regarding a patient's protected health information (PHI) without their authorization is considered a violation of the Privacy Rule.


All healthcare providers have a responsibility to keep their staff trained and informed regarding HIPAA compliance. Whether intentional or accidental, unauthorized disclosure of PHI is considered a violation of HIPAA. Here are 5 tips to avoid violating HIPAA:


  1. Routine Conversation. Healthcare professionals should be very careful to refrain from disclosing information through routine conversation. This can easily be done by mentioning to a third party something seemingly insignificant as saying that John Smith had an office visit today.
  1. Public Areas. Discussing patient information in waiting areas, hallways or elevators should be strictly off limits. Sensitive information can be overheard by visitors or other patients. Also be sure to keep patient records out of areas that are accessible to the public. 
    • Check-in desks and nurses stations are out in the open where anyone can see protected health information. Go the extra mile for your patient's privacy with a HIPAA compliant privacy screen
    • Chart holders should be mounted and the front panel covered according to HIPAA standards.  Choose between a large variety of chart holders based on your facilities particular needs. 
  2. Trash. PHI should never be disposed of in the trash can. Any document thrown in the trash is open to the public and therefore a breach of information. There are a wide range of HIPAA compliant paper shredders to choose from depending on the needs of your Medical Office.There are a wide range of HIPAA compliant paper shredders to choose from depending on the needs of your Medical Office. 
  3. Gossip. Gossip is particularly hard to control. That is why it is important that access to information be strictly limited to employees whose jobs require that information. This type of violation can be particularly damaging to the reputation of your organization especially in small communities where "everybody knows everybody."
  4. Marketing. Selling patient lists or disclosing PHI to third parties for marketing purposes is strictly prohibited without prior authorization from the patient. Remember that disclosure of patient information should only be accessed for the purpose of providing quality care.
more...
No comment yet.