HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Guidance For Small To Mid-Size Medical Practices


For small and mid-size medical practices, HIPAA compliance has long been a small problem. After all, it wasn’t very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry.

 

As long as they didn’t blatantly, repeatedly or intentionally violate HIPAA’s strictures, they rarely rated government action beyond (at most) a warning letter.

 

Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans. The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice hasn’t reviewed and updated your HIPAA policy recently, then now’s the time.

 

It’s been 12 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.

 

Here are some simple common sense tips for keeping your practice on the right side of the law:

 

Train your staff. HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.

 

Establish written protocols for information access. Staff should have access to the portions of patients’ PHI that are necessary to perform their jobs — and that’s all. This should be perfectly clear and in writing. And your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.

 

Use discretion in the reception area. Don’t use public sign-in sheets. Don’t make any mention of the reason for a patient’s appointment until you’re both out of earshot of the waiting room. Make sure computer screens aren’t visible to non-staff members in any public areas of the office.

 

Plan for breaches. What would happen if there were an accidental breach of patient information? Say, someone mistakenly includes patient information in an email attachment, and the attached document includes patient names and Social Security numbers? Or how would you handle an intentional breach? You should prepare a specific response for scenarios like these because they do happen.

 

Use computer passwords correctly. If you have any centralized computer terminals that get used by more than one staffer, make sure everyone logs out whenever they’re finished. To be safe, set up those computers so a login is required after brief periods of inactivity, say two or three minutes. Even if you don’t have centralized computer stations (and most small practices don’t), you should require your employees to change their own passwords every few months.

 

If necessary, hire a consultant to help you comply with HIPAA’s security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense won’t help you determine whether your computer network is properly encrypted. Get help. What’s new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices.

 

But since most private practices should have been following HIPAA plans for at least 10 years now, it’s likely they’ll need to do little more than review, update, and continue to implement their plan, assuming of course you have a HIPAA compliance plan currently in place.

 

 

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr


5 Steps for Implementing a Successful HIPAA Compliance Plan


HIPAA Compliance Plan

First, why do you need a HIPAA Compliance Plan? This Plan will tell your employees, Business Associates and patients how you secure Protected Health Information (PHI). Just as important is effectively communicating the plan to your staff.  

 

So, where do you begin? The purpose of this blog is to highlight what goes into making your plan. 

Five Key Steps

Step 1 – Choose a Privacy and Security Officer

For a smaller practice, your Privacy and Security Officer may be the same person. For larger practices, these duties will probably be split between two people. These are the folks who are going to be spearheading your Compliance Plan.  If you don’t have someone designated to fill this role, you are not compliant.

Step 2 – Risk Assessment

This step requires you to review your workplace and electronic devices to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the Covered Entity or Business Associate. According to Atlanta healthcare attorney Daniel Brown, “a Risk Assessment extends not only to the accessibility of ePHI -- such as passwords -- but also to threats to your access of ePHI caused by natural risks, such as hurricanes and tornadoes, and even human risks, such as malicious hacking.”

 

You can perform the Assessment yourself or hire an outside contractor to come in and complete the process for you. If you're thinking about performing the assessment yourself, HHS has developed a Risk Assessment tool to help you get started.

The first option is obviously the cheapest and the second can be costly, or you can use a combination of the two. The key is to be very detailed and identify where all your potential Privacy and Security issues may lie. This will include listing all computing and mobile devices, where paper files are stored, how you will secure your offices when you are closed, etc. This is not a one-time event and will change over time as technology and risks change. You will want to revisit your Risk Assessment anytime you have a Breach, theft, or major change in hardware or software, but at a minimum every 2-3 years.

Step 3 – Privacy and Security Policies and Procedures

After completing your Risk Assessment, it’s time to create your blueprint for achieving HIPAA Compliance. The Compliance Plan should include Policies and Procedures - ensuring the Privacy of Protected Health Information and the Security of such information. The Security Policies and Procedures deal with ePHI (electronic PHI) and how you will protect that information.

 

Policies and Procedures need to be updated regularly and any changes need to be clearly notated and communicated to your staff. As you saw in the Penalties Section of our last blog, “I didn’t know” isn’t an acceptable defense!

Step 4 – Business Associate Agreements

Most of you use vendors or contractors to help run your practice or business. Under HIPAA, persons or entities outside your workforce who use or have access to your patients’ PHI or ePHI in performing services on your behalf are “Business Associates” and hold special status in the Privacy equation. Some examples of Business Associates include third party billing agents, attorneys, laboratories, cloud storage companies, IT vendors, email encryption companies, web hosts, etc. This list can get pretty long, and should be documented in your Risk Assessment.

 

Make sure you do an audit of your Business Associates before you accept a signed Agreement from them. We’ve seen a lot of folks sign these Agreements, and have no clue what they’ve agreed to. Auditing means looking at their Compliance Plan. They have to have one, or you can’t do business with them. Your legal counsel should have an Agreement you can use, or you can use a third party Agreement from a HIPAA compliance company.

Step 5 – Training Employees

You’ve got your Risk Assessment, Privacy and Security Policies and Procedures and Business Associate Agreements in hand. You’re all good, right? NO! Employees are many times your weakest link.

 

You need to annually train your employees on the HIPAA Rule and communicate information about your Privacy and Security Policies and Procedures that you’ve worked so hard to create. What good is all the work you’ve done on a Compliance Plan when no one knows about it, or how to use it? Train employees both on the HIPAA Law and your specific plan. In addition, you must keep records that they have been trained.

 


Why Physicians Should Note Recent HIPAA Guidelines For Apps?


Although the department of Health and Human Services (HHS) has provided guidance for app developers working with providers, there may still be some confusion surrounding the issue. The uses of apps and the extent to which they must adhere to HIPAA vary widely.

 

For example, simple calorie and activity trackers for patients who would like to lose weight are not required to be HIPAA compliant.  The same is true for apps that help patients remember when to take medications.

 

However, things become more complex when an app performs a calculation to determine what dosage of medication a patient should take, or when information the app collects is recorded in the patient’s electronic health record (EHR). Physicians should evaluate the apps they recommend to patients to determine whether or not they must comply with HIPAA regulations, and when working directly with developers, physicians must ascertain whether or not the developer understands HIPAA requirements.

 

The questions to ask will vary, depending on the situation. In cases of recommending an off-the-shelf app, the evaluation process should be fairly simple. If the data collected is for the patient’s personal use and will not be transmitted to their EHR, there are no worries.

 

If a physician decides to work directly with a developer to create an app for a specific patient population, the necessity for HIPAA compliance is greater. A good place to start is with the recent guidance from HHS. Whether or not the developer is familiar with it may serve as a sort of gauge as to whether or not the developer is a professional working within the healthcare space.

 

“I think the first question a physician should ask is whether the developer has taken the recent [HHS Office of Civil Rights (OCR)] guidance into account,” says Scott Chase, an attorney who is board certified in health law in Texas, with Farrow-Gillespie & Heath, LLP. If the developer has not taken the guidance into consideration, “the physician may want to re-think the professionalism of the developer,” he adds.

 

Whether or not any app must be HIPAA compliant hinges on how protected health information (PHI) is used. According to HHS, PHI is defined as “individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.”

 

Regardless of the intended use of the app in question, Chase adds that encryption should be part of the conversation. If a developer or physician makes a mistake in determining whether or not an app should comply with HIPAA, he says “HIPAA-compliant encryption could save them from a HIPAA complaint, in case of a breach of PHI.”

 

In other words, regardless of whether or not the developer has taken HIPAA into consideration in the process of creating an app, if patients’ PHI is properly encrypted, the physician who suggests patients use the app has a layer of protection in the event of a complaint.

 


Medical Staff Resistance to HIPAA Compliance


Recently, while reading a 2013 article in Information Week, "Doctors Push Back Against Health IT's Workflow Demands," I thought about various scenarios individuals have brought to my attention. It is indisputable that both the healthcare industry and physicians have been dealing with a dramatic shift in the landscape and, in turn, having to adapt to and implement a variety of new processes. In the article, the authors say, "There's a powerful force working against the spread of health IT: physician anger, as doctors resist adopting workflows that can feel to them more like manufacturing than traditional treatment." There are several reasons for this: uncertainty in reimbursement, the transition to ICD-10, and compliance requirements related to HIPAA and the Affordable Care Act.

 

Some of the situations that have been brought to my attention include: entities refusing to sign a Business Associate Agreement (BAA), refusing to choose a vendor because a password is required to be utilized and periodically changed in order to text message, and giving a username/password to other members of the care team to change or augment the electronic health record. Needless to say, all of these scenarios are problematic for several reasons. First and foremost, they violate the legal standards set forth in HIPAA, the HITECH Act, and the 2013 Final Omnibus Rule. Second, engaging in these practices makes the person more vulnerable. Lastly, refusing to utilize a password in order to optimize both IT security and compliance is foolish. 

 

At its core, a Business Associate Agreement is required between parties who create, receive, maintain, or transmit protected health information (PHI) on behalf of or for a covered entity. The phrase "on behalf of or for" is crucial because it extends beyond the relationship between the covered entity and a single business associate. This is the requirement of federal HIPAA. States may, and in fact do, have more stringent requirements.

 

One of the greatest areas of vulnerability is texting sensitive data using smartphones. Hence, it is crucial to make sure that the iPhone app is encrypted and requires a password (ideally, this would be a two-factor authentication method). Yet, I have heard stories where physicians belligerently refuse to adopt a technology because of the requirement.

 

Lastly, providing a nurse or PA with access to a medical record utilizing the physician's user name and password is absurd. Think of the Ebola case in Dallas, Texas, where the nurses left notes in one section that the physicians did not read. What if both individuals had used the same user ID and password? How easy would it be to look at the audit log and determine who made the entry? The level of legal liability associated with this practice is exponential. 

 

Given that these scenarios really do happen, what steps can be taken by physicians and other entities? Here are a few suggestions:

 

• Adopt a "no tolerance" policy and sanctions for non-compliance from the medical staff in relation to HIPAA compliance. Many organizations have these in place.

 

• Get your Business Associate Agreements in order and keep a log of all the vendors, business associates, and other entities that need to have one — along with the date they were executed.

 

• Never give your user id/password to anyone; the system administrator has it.
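The audit-log point above (a shared physician login makes it impossible to tell from the log who made an entry) is something a practice can actually check for. The following is an added example, not code from the original post or from Technical Dr. Inc.; the pipe-delimited log format, the user IDs, workstation names, record IDs and timestamps are all constructed for illustration, since every EHR exports its own audit schema. It pairs login/logout events into sessions per user and workstation, flags any user ID that was logged in at two workstations at the same time (the typical footprint of a shared credential), and lists chart updates made under that ID while both sessions were open, which are exactly the entries that can no longer be attributed to one person.

```python
"""Detect likely credential sharing in an EHR audit log.

Added example, not from the original article. The log format and every record
below are constructed for illustration; adapt parse_event() to the real export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp|user_id|workstation|action|record_id".
# drsmith is logged in at WS-ER-01 and WS-ER-07 at the same time and a chart
# update is made during the overlap; nurse_lee has one ordinary session.
SAMPLE_LOG = """\
2015-06-01T08:02:10|drsmith|WS-ER-01|login|-
2015-06-01T08:05:44|drsmith|WS-ER-01|chart_update|P-1042
2015-06-01T08:06:30|drsmith|WS-ER-07|login|-
2015-06-01T08:07:12|drsmith|WS-ER-07|chart_update|P-1042
2015-06-01T08:40:00|drsmith|WS-ER-01|logout|-
2015-06-01T09:15:00|drsmith|WS-ER-07|logout|-
2015-06-01T08:10:00|nurse_lee|WS-ER-03|login|-
2015-06-01T08:11:20|nurse_lee|WS-ER-03|chart_update|P-1042
2015-06-01T08:55:00|nurse_lee|WS-ER-03|logout|-
"""


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, ws, action, rec = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ws": ws, "action": action, "record": rec}


def parse_log(text):
    """Parse all non-empty lines and sort them by time (exports are often unordered)."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def sessions_by_user(events):
    """Pair login/logout per (user, workstation) into (ws, start, end) intervals."""
    open_sessions = {}
    sessions = defaultdict(list)
    for e in events:
        key = (e["user"], e["ws"])
        if e["action"] == "login":
            open_sessions[key] = e["ts"]
        elif e["action"] == "logout" and key in open_sessions:
            sessions[e["user"]].append((e["ws"], open_sessions.pop(key), e["ts"]))
    # A session with no logout is treated as still open at the last logged time.
    last = events[-1]["ts"] if events else None
    for (user, ws), start in open_sessions.items():
        sessions[user].append((ws, start, last))
    return sessions


def concurrent_workstations(sessions):
    """Return {user: {(ws_a, ws_b), ...}} for users logged in at two workstations at once."""
    flagged = {}
    for user, sess in sessions.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                ws_a, s_a, e_a = sess[i]
                ws_b, s_b, e_b = sess[j]
                # Different workstations with overlapping intervals.
                if ws_a != ws_b and s_a < e_b and s_b < e_a:
                    flagged.setdefault(user, set()).add(tuple(sorted((ws_a, ws_b))))
    return flagged


def ambiguous_updates(events, sessions):
    """Chart updates made while the same user ID had more than one open session.

    These entries cannot be attributed to a single person from the log alone.
    Returns a list of (user, record_id, ISO timestamp).
    """
    out = []
    for e in events:
        if e["action"] != "chart_update":
            continue
        active = {ws for ws, start, end in sessions.get(e["user"], [])
                  if start <= e["ts"] <= end}
        if len(active) > 1:
            out.append((e["user"], e["record"], e["ts"].isoformat()))
    return out


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sess = sessions_by_user(evts)
    for user, pairs in concurrent_workstations(sess).items():
        print(f"possible shared credential: {user} concurrently at {sorted(pairs)}")
    for user, rec, when in ambiguous_updates(evts, sess):
        print(f"unattributable update: {user} on {rec} at {when}")
```

The overlap test is deliberately conservative: two sessions at the same workstation (a forgotten logout followed by a fresh login) are not flagged, only sessions at different workstations. In a real review the flagged list is a starting point for questions, not proof of misconduct; unenforced session timeouts on shared terminals produce the same pattern, which is one more reason the inactivity lock recommended earlier on this page matters.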

 


Shoring Up HealthCare.gov Security


The future of Obamacare seems more certain now that the Supreme Court has upheld subsidies for consumers who purchase policies on the federal health insurance exchange. As a result, it's more critical than ever for the federal government to ensure that personally identifiable information is adequately safeguarded on the HealthCare.gov website for the program, as well as state insurance exchanges, as they gear up for open enrollment in the fall.


In recent months, hackers have increasingly focused their attacks on government and healthcare systems. Targets of attacks have included the U.S. Office of Personnel Management and the Internal Revenue Service, as well as health insurers Anthem Inc. and Premera Blue Cross.


That's why many security experts are calling attention to the need to make certain that systems supporting the Affordable Care Act, or Obamacare, programs are secure.


"Affordable Care Act insurance exchanges are a hodgepodge of programs operated by states and the federal governments," notes privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "With the recent news of discovery of coordinated, highly sophisticated attacks on large government operated databases, as well as incidents involving large health insurers, it stands to reason that the information systems serving as the backbone to the health insurance marketplaces are an attractive target because of their size and the sensitivity of the information they hold."


Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a civil liberties group, notes: "All large collections of sensitive personal data are at risk." When it comes to potential fraud, "healthcare data is considered more valuable on the open market," he says. "Obviously it matters how well they're protected."

Under Scrutiny

Certainly, security of the federal HealthCare.gov health insurance exchange, which facilitates the electronic health insurance marketplaces for 34 states, has been under intense scrutiny since its rollout in the fall of 2013 during the first open enrollment season for Obamacare.


Congress, as well as government watchdog agencies, including the Government Accountability Office and the Department of Health and Human Services' Office of Inspector General, have examined whether the federal health insurance exchanges - and the 16 state-operated health insurance exchanges - have in place the processes and technology to prevent breaches involving consumers' personal information, including Social Security numbers.


For instance, in April, the OIG issued a report reviewing California's health insurance exchange - Covered California - and the security controls that were in place as of June 2014. The OIG found that California had implemented security controls for its website and databases for its health insurance exchange, but the watchdog agency said more improvements were needed.


OIG determined that California had not performed a vulnerability scan in accordance with federal requirements. Also, the GAO said that Covered California's security plan did not meet some of the Centers for Medicare and Medicaid Services' minimum requirements for protection of marketplace systems, and that Covered California did not have security settings for some user accounts. California officials, in their response to the report, said they planned to implement the OIG's recommendations related to vulnerability scans, security plans and user account settings.


A September 2014 GAO report examining HealthCare.gov security found that CMS - the Department of Health and Human Services unit responsible for the federal insurance exchange - had not always required or enforced strong password controls, adequately restricted systems supporting HealthCare.gov from accessing the Internet, consistently implemented software patches and properly configured an administrative network.


In addition to the HealthCare.gov exchange, another related potential target for hackers is HHS' Multidimensional Insurance Data Analytics System, or MIDAS, which a federal IT budget planning document describes as a "perpetual central repository for capturing, aggregating and analyzing information on health insurance coverage."

The GAO noted in its September 2014 report that MIDAS is intended to create summary reporting and performance metrics related to the federally facilitated marketplace and other HealthCare.gov-related systems by aggregating data, including PII, collected during the plan enrollment process. GAO found, however, that at the time of its review, CMS hadn't yet approved an impact analysis of MIDAS privacy risks "to demonstrate that it has assessed the potential for PII to be displayed to users, among other risks, and taken steps to ensure that the privacy of that data is protected."


In a recent report, the Associated Press noted a variety of concerns about MIDAS, including current plans for data to be retained indefinitely. "Despite [a] poor track record on protecting the private information of Americans, [the Obama administration] continues to use systems without adequately assessing these critical components," said Sen. Orrin Hatch, R-Utah.


CMS did not immediately respond to an Information Security Media Group request for an update on the security of the MIDAS system.

Data Risks

Health insurers, as well as health insurance exchanges and their related databases, are a potential target for hackers because "any collection of data that includes Social Security numbers is particularly vulnerable," notes security expert Tom Walsh, founder of the consulting firm tw-Security.


"Healthcare was doing a good job of eliminating Social Security numbers from our systems. In the old days, the SSN was a person's member number for their insurance. It was finally getting to the point where SSNs were less frequently collected and used in healthcare," he says.


However, under Obamacare, sensitive consumer data, including Social Security numbers and income information, is used on the insurance exchanges to help individuals enroll in insurance plans and qualify for subsidies, Walsh notes. "So healthcare is back in the SSN game again - especially insurance companies."


Ray Biondo, chief information security officer at insurer Health Care Services Corp., says that the federal government has been taking action to address cyberthreats.


"We have been partnering with the Department of Homeland Security and the FBI and sharing threat information," Biondo says. "They've been collaborative and cooperative and helping us in that space."

Still, all players in the healthcare arena are anxious about potential attacks, he admits. "Everyone is worried about being next."

Playing Politics

Holtzman, the consultant, says it's important that politics don't get in the way of government agencies making the investments that are needed to shore up the security of health insurance exchange data.

"Everyone agrees that the federal and state governments should take decisive action to test existing information security safeguards on the systems that support the health insurance marketplace, and to take appropriate measures to ensure that the data, wherever it is held, is secured from the cybersecurity threat," he says.


"What concerns me is that in the long-running political debate over ACA, Congress has said that the HHS may not spend federal funds to support the development and implementation of the ACA. Perhaps it would be in the public interest to ensure that the fight over whether ACA is good policy does not prevent critical funds needed for investment in protecting the government information systems holding the personal information of millions of Americans from the cybersecurity threat."


Walsh says that protecting the health insurance exchanges also comes down to basics. "I was surprised when I read that the OPM did not encrypt data at rest. The government should lead by example and implement better security practices."


Tien of the Electronic Frontier Foundation sums up his concerns: "The OPM example shows how pathetically lax information security can be. [The government] needs to make defense a priority and spend money on it."


Breaking Down the HIPAA Risk Assessment


Conducting a HIPAA risk assessment is something that every covered entity must do to ensure that they are properly monitoring potential weak spots in their data security. At the time of publication, the Office for Civil Rights (OCR) had not yet chosen a date for its second round of HIPAA audits, but the looming threat of an OCR visit cannot be the only reason for CEs to think about HIPAA risk assessments.


Following up with last week’s discussion on the details in a potential HIPAA audit, HealthITSecurity.com will now break down the important aspects of the actual HIPAA risk assessment. We’ll cover the basics of the risk assessment process, as well as what common mistakes organizations might make and why a thorough risk assessment is essential for all CEs.


What is a HIPAA risk assessment?


The HIPAA risk assessment is meant to help healthcare organizations properly analyze potential risks and pinpoint where PHI may be vulnerable. This is also part of the administrative safeguard requirement that all CEs must adhere to, and have the necessary regulations in place to best monitor risk.


“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” according to the Department of Health and Human Services (HHS) website.


HHS adds that a proper risk analysis should include, but not necessarily be limited to, the following activities conducted by CEs:


  • Evaluate the likelihood and impact of potential risks to e-PHI
  • Implement appropriate security measures to address the risks identified in the risk analysis
  • Document the chosen security measures and, where required, the rationale for adopting those measures
  • Maintain continuous, reasonable, and appropriate security protections.


Under the HIPAA Security Rule, CEs need to ensure that all ePHI they create, receive, maintain or transmit is protected. The risk assessment is an important part of this process. For example, a healthcare provider can start its own analysis by tracking where it stores PHI. This can be in databases, mobile devices, and even in the cloud. From there, the organization needs to determine how that information is secured. Are the devices encrypted? Are they password protected? Who has access to the databases?


Understanding the HIPAA risk assessment will also be easier when organizations remember the four factors that HHS will use to determine the likelihood that PHI was inappropriately used or disclosed:


  • What is the nature of the information involved?
  • Who is the authorized person responsible?
  • Was PHI actually acquired or viewed?
  • To what extent has the risk to PHI been mitigated?


Overlooking even one area could lead to data security issues, as that could be where a data breach occurs or the OCR could discover that something is left unsecured.


How to avoid potential mistakes


As is the case with health data security in general, there are numerous ways that a healthcare organization could overlook an area and then experience a data breach. With the HIPAA risk assessment, it’s important to not assume that one analysis is all that is needed. Technology will continue to evolve, and facilities will likely integrate new systems to keep pace. A periodic assessment will not only keep an organization HIPAA compliant, it will also ensure that as new tools are added, ePHI remains secure.


For example, let’s say that a practice begins to use secure messaging for the first time. Doctors, nurses, technicians, and other employees are now able to send text messages to one another and maybe even patients. But, those mobile devices may not have been in an original risk analysis, and they are now potentially storing PHI. Not including those devices in a HIPAA risk assessment would not be good for the facility.


It is also important to actually follow up with the initial risk assessment. A CE can’t just conduct an analysis and then say, “That’s it!” It’s necessary for healthcare organizations to verify that they’re actually doing what they said that they were going to do in terms of keeping PHI secure. If any changes or adjustments needed to be made, the entity actually needs to follow through and do it.


Another potential mistake to watch out for is assuming that the risk assessment has to be done single-handedly. There are numerous agencies that have developed guides and tools to help CEs conduct thorough HIPAA risk assessments that are properly catered to their workflow. For example, the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator (ONC) have comprehensive guidelines and assisting tools.

Lowering the odds of a data breach


By taking the time to develop and implement security measures that apply to your daily operations, as well as ones that meet federal requirements, your odds of experiencing a security breach will be lessened. While this does not guarantee that a health data breach will never occur, it will help your facility better protect its data.


CEs and their business associates must remain alert and thoroughly evaluate what will constitute an inappropriate use or disclosure of PHI, as well as what they are doing to ensure that appropriate policies and procedures are in place to avoid inquiries and reprimands from government agencies.


Organizations must understand where PHI is being stored, who is being granted authority to access PHI, how the data is actually being viewed and used, and how CEs and BAs are handling risk. The HIPAA risk assessment is not a quick process, but it is a necessary one that will help facilities of all sizes better understand their workflow and how sensitive information is being kept secure.


HIPAA audits to resume soon


Long-term care providers should get ready for the second round of HIPAA compliance audits this year, but the agency in charge of them is keeping mum about the exact date.

And while Health & Human Services' Office for Civil Rights (OCR) expects to single out only around 110 providers, long-term care facilities are being urged to begin preparations as soon as possible, Kelly McLendon, managing director of CompliancePro Solutions, said during a recent Health Care Compliance Association webinar. That includes performing security and risk analyses, updating privacy and security incident response plans and automating privacy and security investigation, tracking and management protocols, according to published reports.

The agency has not announced specifics yet, but the coming round of audits could focus heavily on HIPAA security and privacy risk management, breach notification and Notice of Privacy Practices.

OCR was scheduled to do the audits last year but went idle because of funding problems. Providers are advised not to rely on audit protocols issued in 2012, the last time OCR performed audits, and watch for phase two protocols to be posted on the OCR website. Audits will likely begin about 90 days after posting, McLendon said.

The news will do little to help a Denver-area pharmacy that specializes in compounded medications for area hospice agencies, according to published reports. The business will have to pay $125,000 and take corrective measures after local media notified the OCR it allegedly disposed of unsecured documents in an unlocked, open container. The documents reportedly contained private health data on more than 1,600 patients.



How responsible are employees for data breaches and how do you stop them?


Data breaches have very quickly climbed the information security agenda and that includes the data breach threat posed by employees and IT professionals.

Now a new report says the insider problem is far worse than we had previously imagined. The Verizon Data Breach Investigations Report claims that 14% of breaches are due to insiders, and that’s not counting the further 12% of breaches that come from IT itself.

Examining the motives of employees with malicious intent, the Verizon report identified two main reasons insiders choose to cause so much trouble:

  1. They are looking for financial gain, perhaps via selling confidential data; or
  2. It’s an act of revenge by disgruntled workers or angry ex-employees who still have network privileges.


On the other hand, CompTIA, an association representing the interests of IT resellers and managed service providers, has a far different point of view. It says more than half of all breaches – some 52% – are due to human error or malice, and the rest arise from technology mistakes. Research from the SANS Institute reaches the same conclusion – employee negligence is a huge source of data breaches. Social engineering is one such element, so this once again shows the importance of training employees in basic IT security.

According to CompTIA, technical solutions are not enough. IT vigilance is always necessary as too many organisations don’t even know there is an insider threat. Resigning yourself to the fact that the human error factor is a problem with no solution is neglectful, especially when it accounts for such a high percentage of breaches. Ultimately, employees are the strongest security layer. Of course, it is just as important to make sure all updates and patches are installed, firewalls are turned on and anti-malware is up to date.

Organisations also need to consider adding tools that can spot and stop data leakage amongst other breaches. Email security too is a top measure to take as many breaches and leaks come through or from the employee’s inbox.

What precautions can you take?

But what should an organisation do when users, whose roles require access to sensitive data, misuse that access? What precautions can they take to reduce both the risk of this happening, and the damage that can result from insider activity?

There is no single answer to these questions, and there is no silver bullet that can solve the problem. A layered approach that includes policy, procedure and technical solutions is the right approach to take. GFI Software has identified 10 precautions in particular that organisations should consider.

1. Background checks

Background checks should be carried out on every employee joining the organisation, even more so if those employees will have access to privileged data. While not foolproof (Edward Snowden had security clearance) they can help to identify potential employees who may have a criminal record or had financial problems in the past. They may also uncover some details of their employment history that bear closer inspection and further checks.

2. Acceptable Use

Acceptable Use Policies (AUP) do more than simply define what users should and should not do on the Internet. They also define what is acceptable and unacceptable when using customer and business proprietary data. While it will not stop those with clear intent, it will warn employees that there are consequences if they are caught including disciplinary action and possibly dismissal.

3. Least Privilege

The principle of least privilege states that users should only be granted the minimum amount of access necessary to complete their jobs. This should include both administrative privileges and access to data. By limiting access, the amount of damage an insider can cause is limited.

4. Review of Privileges

Users’ access to systems and data should be reviewed regularly to ensure that such access is appropriate and is also still required. As users change roles and responsibilities, any access they no longer need should be revoked.

5. Separation of Duties

When possible, administrative duties should be divided up so that at least two users are required for key access or administrative functions. When two users must be involved, any malicious or inappropriate access requires collusion, reducing the likelihood of inappropriate actions and increasing the likelihood of detection.

6. Job Rotation

Many insider threats develop over time and may go undetected for months or years. Often boredom is a cause. One way to counter both problems, and at the same time improve the skills and value of key employees, is to rotate users through different roles. Job rotation also increases the likelihood that inappropriate activities will be detected, as the new role holder must by definition examine what the previous role holder was doing.

7. Mandatory Time Away

All users need a holiday, a break and time away to recharge. This is not only good for users, it’s good for the organisation. Just like job rotation, when a privileged user is on leave, another person must cover their duties and has the opportunity to review what has been done.

8. Auditing and Log Review

Auditing is imperative. All actions and access must be audited, both for successes and failures. You will want to investigate failures as they may indicate attempts to access data, but you will also want to review successes and ensure that they are in support of appropriate actions, rather than inappropriate ones. While log review only detects things “after the fact”, it can detect repetitive or chronic actions early, and hopefully before too much damage is done.

9. Data Loss Protection

Data Loss Protection (DLP) technologies cannot prevent a determined attacker from taking data, but they can prevent many of the accidental data leakages that can occur.

10. Endpoint Protection

Endpoint protection technologies can greatly reduce the risk of data loss and also detect inappropriate activities by privileged users. Endpoint protection can help you secure BYOD devices, and search files for key data like account numbers. The technology also helps to enforce policies that restrict users from transferring data to unapproved USB devices and encrypt those devices that are approved.

Insider threats can be prevented if a detailed and layered strategy is adopted. Every organisation needs HR, legal and IT to work together to cast a protective net that will proactively identify threats or at least minimise the impact of insider threat. No organisation is safe but we can all lower the risk by acknowledging that the problem exists and taking a range of simple precautions.
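As an added illustration of precautions 3, 4 and 8 above (least privilege, review of privileges, and auditing and log review), here is a small Python audit-log review script. It is example code written for this page, not GFI Software’s tooling or anything from the article; the audit log lines, the role-to-resource entitlement table, the three-failures-in-five-minutes threshold and the 07:00–19:00 business-hours window are all constructed assumptions chosen for the example.

```python
"""
Audit-log review for insider-threat precautions 3/4 (least privilege, review of
privileges) and 8 (auditing and log review).  Added example: the log lines and
the entitlement table below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role -> resources the role is entitled to (hypothetical model).
ROLE_ENTITLEMENTS = {
    "billing": {"claims", "invoices"},
    "nurse": {"charts", "medications"},
    "admin": {"claims", "invoices", "charts", "medications", "user_accounts"},
}

# Constructed audit records: ISO timestamp, then key=value fields.
SAMPLE_LOG = """\
2015-04-01T08:02:11 user=jdoe role=billing resource=claims outcome=success
2015-04-01T08:05:40 user=jdoe role=billing resource=charts outcome=failure
2015-04-01T08:06:02 user=jdoe role=billing resource=charts outcome=failure
2015-04-01T08:06:30 user=jdoe role=billing resource=charts outcome=failure
2015-04-01T08:07:15 user=jdoe role=billing resource=charts outcome=success
2015-04-01T09:10:00 user=asmith role=nurse resource=medications outcome=success
2015-04-01T22:45:09 user=asmith role=nurse resource=charts outcome=success
2015-04-02T03:12:44 user=bjones role=admin resource=user_accounts outcome=success
"""


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def repeated_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Precaution 8: users with >= threshold failures inside one sliding window.
    Returns {user: failure count of the first window that crosses the threshold}."""
    failures_by_user = defaultdict(list)
    for r in records:
        if r["outcome"] == "failure":
            failures_by_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in failures_by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[user] = j - i + 1
                break
    return flagged


def out_of_role_successes(records, entitlements=ROLE_ENTITLEMENTS):
    """Precautions 3/4: successful access to a resource the user's role is not
    entitled to.  Each hit is either excess privilege to revoke or misuse."""
    return [
        (r["user"], r["role"], r["resource"])
        for r in records
        if r["outcome"] == "success"
        and r["resource"] not in entitlements.get(r["role"], set())
    ]


def off_hours_successes(records, start_hour=7, end_hour=19):
    """Precaution 8: successful access outside business hours.  A review lead,
    not proof of misuse (on-call staff legitimately work nights)."""
    return [
        (r["user"], r["resource"], r["ts"].isoformat())
        for r in records
        if r["outcome"] == "success" and not (start_hour <= r["ts"].hour < end_hour)
    ]


def review(text):
    """Run all three checks over a raw log and return the findings by category."""
    records = parse_log(text)
    return {
        "repeated_failures": repeated_failures(records),
        "out_of_role": out_of_role_successes(records),
        "off_hours": off_hours_successes(records),
    }


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(category, findings)
```

Run against the constructed log, the script flags `jdoe` for three failed chart lookups in under a minute followed by a successful one, which is exactly the failure-then-success pattern the article says to investigate: a billing role has no entitlement to charts, so the success also appears under `out_of_role` and should trigger an access review. The two off-hours entries are in-role and are reported only as leads for the reviewer. In practice the entitlement table would be exported from the identity system rather than hard-coded, and the thresholds tuned to the practice’s own baseline.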



Doximity launching app for the Apple Watch


Doximity announced today that they are launching an app for the Apple Watch, which hits the shelves later this month.


Many physicians will be familiar with Doximity, now that more than half of us have become registered users. Designed as a social network for physicians, Doximity includes a number of features that physicians will find useful for a lot more than just staying in touch with colleagues. In the recent rush of registrations on Doximity related to their partnership with US News and World Report, we wrote a quick guide on those key features. Included was secure HIPAA compliant messaging as well as an e-fax number and a journal feed.


Doximity’s Apple Watch app will bring some of these key features to your wrist. In particular, you’ll be able to read messages sent to you and dictate messages to others – without taking out your phone or pager, jumping on a computer, or spending endless minutes on hold trying to reach a colleague. You can also get notifications when a new fax comes in, and you can automatically view the fax on your iPhone using the Handoff functionality.

This hits on one of the key functionalities we put on our wish list of apps for the Apple Watch – HIPAA compliant messaging. There are some limitations here worth noting. In particular, Doximity is limited to physicians, so this won’t help with communication among a multi-disciplinary healthcare team, such as in a hospital or clinic. I wouldn’t be able to let a nurse know about a new medication or a social worker about an at-risk patient. Other platforms, like TigerText, will hopefully step in to bring that functionality to wearables like Apple Watch. That being said, the ability to send messages more easily to colleagues both inside and outside my own institution can be incredibly helpful.


We’re excited to see big players in the digital health space like Doximity embracing the Apple Watch. One natural question that frequently comes up is “what about Android devices?” Well, as Doximity points out, 85% of their mobile traffic is from iPhones & iPads. It’s well recognized that physicians have largely embraced Apple devices, and so medical app developers are going to go there first. So while many solid options have been available for Android, we expect the Apple Watch to be a catalyst in the development of new tools for clinicians.

Doximity’s app is just the start.



5 Breach Lawsuits Filed Against Premera


Five class action lawsuits have been filed in federal court against Premera Blue Cross in the wake of a data breach that affected 11 million individuals across the country. Meanwhile, its CEO has provided answers to questions from a U.S. senator regarding the hacker attack.

The five lawsuits filed last week in the U.S. District Court in Seattle make similar allegations - that the company failed to protect customers' confidential information, putting those affected at risk for identity theft. Among the complaints' allegations is that the data breach resulted from Premera's alleged "failures to follow HIPAA."


Two of the suits also note that Premera was warned in an April 2014 draft audit report by the U.S. Office of Personnel Management that its IT systems "were vulnerable to attack because of inadequate security precautions".

"That audit identified ... vulnerabilities related to Premera's failure to implement critical security patches and software updates, and warned that 'failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached,'" notes one lawsuit, Tennielle Cossey, et al vs. Premera.

That suit also states, "If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems." The complaint notes that Community Health Systems in August 2014 also revealed a hacker breach that affected 4.5 million patients. "This prompted a 'flash warning' by the FBI to entities in the healthcare industry that it had observed 'malicious actors targeting health care related systems,'" the suit says.

The suits are seeking unspecified damages, both "actual and statutory." Among the allegations in some of the suits are violations of the Washington Consumer Protection Act.

A Premera spokeswoman declined to comment about the suits. She noted, however, that Premera "expected there would be class action lawsuits filed" against the company in the wake of the breach "because that's typically what happens."

Attorney John Yanchunis of the Tampa-based law firm Morgan & Morgan, which is representing plaintiffs in one of the Premera class action suits, says he expects that the cases eventually will be consolidated into one case in the federal court. The Premera breach "is more egregious than the Home Depot or Target breaches because those [credit] cards can be cancelled," he says. "Unlike those other breaches, the information involved in the Premera breach can be used to file fraudulent tax returns and fraudulently secure healthcare in someone else's name."

Congressional Scrutiny

In addition to the lawsuits, Premera is also dealing with Congressional scrutiny in the wake of the breach.

A March 20 letter to Premera CEO Jeffrey Roe, Sen. Patty Murray, D-Wash., on behalf of the Senate Committee on Health, Education, Labor and Pensions, asked the company to answer 15 questions related to the breach and the company's information security practices. Those questions range from why Premera waited six weeks to publicly announce the breach after its discovery, to whether the hacking incident is related to the Anthem Inc. hacking breach, to steps Premera is taking to bolster its information security in the wake of the incident.

In the March 27 response letter to Murray, which Premera provided to Information Security Media Group, Roe says the public announcement of the breach was delayed based on advice from Mandiant, a consulting firm it had hired to assist in the forensic investigation of the incident.

"Mandiant warned Premera about the dangers of making any public announcement about the attack until the following steps could be taken: 1) Mandiant completed scanning all servers and workstations for areas of infection to identify all attack vectors; 2) systems were remediated in a concentrated time to lock the attackers out of system; and, 3) remediation was followed by scanning to verify that the all backdoors were eliminated," the letter states.

Roe also describes in the letter some details about the breach: "Upon penetration of Premera's network, the attackers gained access to log-in credentials and then deployed other tools and tactics to gain broad access to Premera's network." He adds: "Mandiant's investigation to date has identified only intrusion but no exfiltration of information from Premera's systems. Mandiant has not conclusively determined the initial vector of compromise. That is, the [company doesn't] know if the malware came from a phishing email, a contaminated website, or another source of intrusion."

The letter also notes that Mandiant "found no evidence that the cyberattack on Premera was the result of, or was related to, any of the items identified in the [2014] OPM [audit] report." Plus, Roe notes: "Premera is not in a position to opine about whether the Premera and Anthem attacks were connected or which attack occurred first. Because these attacks are the subject of active FBI investigations, Premera encourages your office to contact the FBI for additional information."

Premera is implementing several Mandiant recommendations to bolster security moving forward, Roe says in the letter. In addition to removing all malware and backdoors from its IT systems in response to this cyberattack, Roe says Premera has implemented a number of system enhancements, including, among others:

  • Deploying multiple-factor authentication for remote access to Premera's network;
  • Scanning servers, desktops and laptops as a requirement for continued use of devices on the network;
  • Installing enhanced monitoring tools to provide reports of any new attacks on our computer networks;
  • Enhancing and expanding security and system event logging capabilities; and
  • Engaging a service provider for advanced monitoring services.

State Scrutiny

Besides the lawsuits and the Congressional scrutiny, Premera is also facing a probe from insurance officials in three states - Washington, Oregon and Alaska.

Washington Insurance Commissioner Michael Kreidler said that the states will conduct a "market conduct examination" of Premera related to the breach. The examination will include on-site reviews of the insurer's financial books, records, transactions and how they relate to its activities in the marketplace, Kreidler explained in a statement.


Jan Vajda's curator insight, April 5, 2015 3:26 PM


Step Up Compliance in 2015: 6 Tips for Practices


Achieving physician buy-in for a compliance program can be daunting. Compliance comes at a cost, consuming resources (time, attention, and money) that are already stretched thin. But, if physicians and staff fail to pay for compliance, up front, practices run the risk of implementing a compliance program reactively, at an even higher cost.

In other words, compliance is a lot like insurance. You may hate to pay for it, but if you need it and don’t have it, you could be setting yourself up for a financial disaster.


Be assured: If you are not monitoring your productivity bell curves, documentation, coding, medical necessity, utilization; and if you are not auditing revenue integrity, someone else is.


Current data analytics make it easy to identify an outlier physician profile, and the government has very sophisticated techniques for data mining. Whistleblower cases also have skyrocketed in recent years, with huge settlements awarded to individuals who bring cases to, or on behalf of, the government.


Failure to implement compliance programs proactively creates additional opportunities for regulatory and law enforcement scrutiny, as well as potential False Claims Act liability. And, failure to prevent or identify improper federal healthcare program claims and payments comes with a big price. The amount of federal audit recoveries in the first six months of 2014 was $3.1 billion.


1. Implement the seven core elements
Corporate integrity agreements (CIAs) do not discriminate, and no one is exempt. The cost associated with compliance program implementation under a CIA vs. proactive implementation is staggering. Both require implementation of the seven core elements of the Office of Inspector General compliance guidance roadmap; however, under the CIA there are additional fees associated with legal representation and independent review organizations (IROs), frequent mandated audits, reporting requirements, and many times, consulting fees, as well.

2. Conduct regular audits
Compliance is not just insurance: It is preventative medicine for your practice. Make sure that your practice has annual and ongoing checkups. Assessing your practice for risks, and determining the likelihood and severity of impact, will help determine the most important areas to focus on, and should drive your audit work plan. Highest-risk areas should be addressed first.

Perform benchmark audits to review small samples of data and set the baseline for all future audits. If a benchmark audit results in areas of concern, conduct an expanded audit. When a “diagnosis” of the problem is established, develop a plan of corrective action. Don't forget to follow up. This is a critical step in determining if the corrective action plan is effective and working. Continually monitor and audit.

3. Disclose payment errors
Don’t forget: If your practice identifies payments that it was not entitled to, it must pay them back by adhering to the CMS self-disclosure requirements.

4. Know the laws
Section 6401(a) of the Affordable Care Act made a significant change to the status quo by requiring all providers and suppliers to establish a compliance program that contains certain “core elements” as a condition of enrollment in Medicare, Medicaid, and CHIP. New York State and Arkansas have mandatory compliance program certification requirements for Medicaid providers who meet certain criteria.

5. Identify a compliance leader
Compliance is a cost of doing business, and must be a priority for all provider practices. If you haven’t already done so, designate an individual to lead your compliance program, and start performing risk assessment and self-audits.

If your risk assessments are not identifying any issues, you probably aren’t looking in the right places. No practice is perfect. The point of having a compliance program is to help identify areas of weaknesses and potential issues, early, so that you can correct them.

6. Secure staff buy-in and training
A culture of compliance starts at the top. Treating compliance as a partnership, instead of a police action, will help to obtain buy-in from the staff. Train employees on your code of conduct, how to identify fraud and abuse, and how to report it. They also need job-specific training to avoid errors and assure revenue integrity. All staff should understand that everyone is responsible for compliance, and that it is a condition of employment.


Enact a policy that whoever reports a potential violation, in good faith, will not be retaliated against. Have open lines of communication, and a way for employees to report incidents anonymously. If you find problems, correct them immediately and going forward. Whether you consider compliance to be insurance or preventive medicine, it’s a necessary investment.



OCR delays phase two HIPAA audits


OCR Director Jocelyn Samuels recently stated that audit procedures for phase two HIPAA audits have yet to be finalized, delaying the start date of the audits, according to lexology.com. OCR originally planned to begin phase two audits in fall 2014.

Unlike phase one, the second phase of HIPAA privacy, security, and breach notification audits will likely be desk-based, which means OCR will not conduct on-site audits of covered entities (CEs) and business associates (BAs) unless resources are available. OCR representatives confirmed during a panel at the 2014 AHIMA Convention and Exhibit on September 30, 2014, that the agency had begun its process of randomly selecting CEs for the next round of audits, but had not sent notifications to facilities yet. At minimum, it will include large and small hospitals, dental practices, health insurance companies, and health plans in its pool of organizations that may be selected for an audit. BA audits are expected to begin after CE audits are underway, according to the panel.



HIPAA Compliance and Windows Server 2003 | EMR and HIPAA


Last year, Microsoft stopped updating Windows XP, and so we wrote about how Windows XP would no longer be HIPAA compliant. If you’re still using Windows XP to access PHI, you’re a braver person than I. That’s just asking for a HIPAA violation.

It turns out that Microsoft will also stop updating Windows Server 2003 in 5 months. This could be an issue for many practices that have a local EHR install on Windows Server 2003. I’d be surprised if an EHR vendor or practice management vendor was still running a SaaS EHR on Windows Server 2003, but I guess it’s possible.

However, Microsoft recently announced another critical vulnerability in Windows Server 2003 involving Active Directory. Here are the details:

Microsoft just patched a 15-year-old bug that in some cases allows attackers to take complete control of PCs running all supported versions of Windows. The critical vulnerability will remain unpatched in Windows Server 2003, leaving that version wide open for the remaining five months Microsoft pledged to continue supporting it.

There are a lot more technical details at the link above. However, I find it really interesting that Microsoft has chosen not to fix this issue in Windows Server 2003. The article above says “This Windows vulnerability isn’t as simple as most to fix because it affects the design of core Windows functions rather than implementations of that design.” I assume this is why they’re not planning to do an update.

This lack of an update to a critical vulnerability has me asking if that means that Windows Server 2003 is not HIPAA compliant anymore. I think the answer is yes. Unsupported systems or systems with known vulnerabilities are an issue under HIPAA as I understand it. Hard to say how many healthcare organizations are still using Windows Server 2003, but this vulnerability should give them a good reason to upgrade ASAP.



Six Tips For Providers To Reduce The Risk Of Obtaining Unreliable HIPAA Compliance & Protection Software


Our partner Elizabeth Litten and I had a recent conversation with our good friend Marla Durben Hirsch who quoted us in her Medical Practice Compliance Alert article, “Beware False Promises From Software Vendors Regarding HIPAA Compliance.” Full text can be found in the February, 2016, issue, but some excerpts regarding 6 tips to reduce the risk of obtaining unreliable HIPAA compliance and protection software from vendors are summarized below.

As the backdrop for her article, Marla used the $250,000 settlement of the Federal Trade Commission (the “FTC”) with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for alleged false advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA. Elizabeth has already posted a blog entry on aspects of the Henry Schein matter that may be found here.

“This type of problem risk of using unreliable HIPAA software vendors is going to increase as more physicians and health care professionals adopt EHR systems, practice management systems, patient portals and other health IT.”

The six tips listed by Marla are summarized as follows:

  1. Litten and Kline: “Vet the software vendor regarding the statements it’s making to secure and protect your data. If the vendor is claiming to provide NIST-standard encryption, ask for proof. See what it’s saying in its marketing brochures. Check references, Google the company for lawsuits or other bad press, and ask whether it suffered a security breach and if so, how the vendor responded.”

  2. Kline: “Make sure that you have a valid business associate agreement that protects your interests when the software vendor is a business associate.” However, a provider must be cautious to determine first whether the vendor is actually a business associate before entering into a business associate agreement.

  3. Litten: “Check whether your cyberinsurance covers this type of contingency. It’s possible that it doesn’t cover misrepresentations, and you should know where you stand.”

  4. Litten and Kline: “See what protections a software vendor contract may provide you.” For instance, if a problem occurs with the software or it’s not as advertised, and the vendor is not obligated to provide you with remedies, you might want to add such protections, using the Henry Schein settlement as leverage.

  5. Litten and Kline: “Don’t market or advertise that you provide a level of HIPAA protection or compliance on your web-site, Notice of Privacy Practices or elsewhere unless you’re absolutely sure that you do so.” The FTC is greatly increasing its enforcement activity.

  6. Kline: “Look at your legal options if you find yourself defrauded.” For instance, the dentists who purchased the software [from Henry Schein] under allegedly false pretenses have grounds for legal action.

The primary responsibility for compliance with healthcare data privacy and security standards rests with the covered entity. It must show reasonable due diligence in selecting, contracting with, and monitoring performance of, software vendors to avoid liability for the foibles of its vendors.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr


Why HIPAA Compliance is the Key For Preventing Cyber Attacks


HIPAA compliance is required in order to avoid large fines from the federal government, but there is another issue you can address when you implement HIPAA compliance – strengthening your practice’s network security.

Your patients’ data is worth a lot of money on the black market, and hacks of medical practices and hospitals are on the rise, with the latest trend in cyber-attacks being ransomware. This is malware that restricts access to your computer system and demands that you pay a ransom to access your data. If you are not prepared for these attacks, your practice could be destroyed.

Most medical practices don’t have a plan for regular backups, or a disaster recovery plan, and choose to pay the ransom to hackers in order to regain access to the data that is vital for their day-to-day operations. In March 2016 alone, more than a dozen medical facilities were attacked. Hollywood Presbyterian Medical Center is one location that decided to pay the ransom of 40 Bitcoin, almost $17,000, in order to restore their systems. The FBI recommends businesses not pay the ransom, because there is no guarantee that the hackers will unlock your systems, and simply decrypting files does not mean the malware infection has been removed from the system.

According to a recent Washington Post article, Sinan Eren, who has worked in cybersecurity for government and healthcare organizations, said, “Medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked.”

The threat is not going away anytime soon. In March 2016, the US and Canada issued a rare joint cyber alert warning about the recent surge in ransomware attacks. A report from Intel Corp.’s McAfee Labs predicts ransomware will remain a major and rapidly growing threat in 2016, and will expand to new industry sectors including financial institutions and local government. These groups will want to quickly pay ransoms to restore their critical operations – stimulating more attacks.

How Do I Protect My Data?


HIPAA compliance may be your best bet. The guidelines set forth by HIPAA serve as an excellent road map to protect your information.

Here’s how it works. There are three parts to the HIPAA compliance process:

  1. Documentation,
  2. Training, and
  3. Implementation

Documentation

The first step in the HIPAA documentation process is to conduct a Risk Assessment. The Risk Assessment gathers information about the use of electronic devices in your practice, how you handle and safeguard data, and what procedures your employees must follow. Once the Risk Assessment is completed, you’ll have the foundation for your Privacy and Security Policies and Procedures. You’ll have identified what improvements need to be made in your systems and what procedures to follow to keep them safe. Additional required HIPAA documents can also be completed from data collected in the Risk Assessment.

Training


As the Washington Post article highlighted, a lack of or inadequate employee training makes an organization vulnerable to attacks. HIPAA requires employees be trained annually, not only on the HIPAA law, but specifically on your organization’s security policies and procedures. Developing the two training programs on your own would be daunting; however, when you partner with a compliance company like Total HIPAA the training on the law is already developed for you. We also summarize your practice’s key points – saving you both time and money.

Implementation


What good is a plan and training without rolling it out to your entire practice? Your HIPAA Compliance Plan isn’t a document that just sits on the shelf and only gets dusted off once a year. Once you have a plan everyone on your Compliance Team can agree on, it’s time to put that plan into action!

Cyber attacks can cost you thousands of dollars when you notify staff or patients of a breach. In addition to these costs, HIPAA fines and penalties as high as $50,000 per violation can be added to your final bill. When you examine the option of implementing HIPAA or waiting until something happens, the choice is clear – meeting HIPAA compliance is only a fraction of the costs you will face if you are hacked. Protect your practice today.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

HIPAA-compliant file sharing tools for the medical practice

The same formula that birthed Napster and re-defined the music industry is slowly taking on medicine — and small practitioners stand to be the prime beneficiaries.

 

“HIPAA is driving a lot of small healthcare providers to look for solutions for securing data,” according to Asaf Cidon, the inventor of a secure file-sharing tool called Sookasa. “Medical information is extremely private, and regulation is becoming tighter, enforcement is becoming tighter.”

Emerging offerings

Sookasa, the application that CEO Cidon helped to create two years ago, takes a popular layperson’s platform, Dropbox, and transforms it into a tool that providers can use to adhere to HIPAA in a way that Cidon claims is inexpensive. At least relatively speaking.

“Doctors used to hire a full-time admin to be faxing, scanning and shredding all day long. With something like Dropbox, you can just write the bill on your computer, put it in a folder and then it appears in your medical billing company's folder and there’s a record for it,” Cidon explained. “There’s no paper and you’re done.”

Other file-sharing technologies with healthcare connections include Clincate, a service that allows clinicians to share medical files and videos with colleagues and patients; Box, which allows doctors, researchers and administrators to quickly swap PHI files; and kiteworks from Accellion, which offers file sharing via any mobile devices in an organization.

Most file-sharing platforms offer a free personal-use membership, but as more storage and members accumulate, price increases. For Box, 10GB of secure storage is free while the starter package is $5 per user/per month (up to 10 users allowed) with 100GB of storage. Meanwhile, Clincate charges $195 per year for 25GB of storage per user. Sookasa charges $100 per user/per year for an unlimited number of devices and files.

Untapped potential


HIPAA-compliant file-sharing software tools — if they gain widespread purchase — also promise to ease small practices’ interoperability burden in interesting, if incomplete, ways.

“EHR systems, while I think they’re better than paper, they have this one glaring problem — they can’t communicate with each other,” Sookasa’s Cidon said. “EHR systems are very closed.”

The ability to take, say, a radiological image, and put it in a HIPAA-compliant Dropbox folder from which another authorized doctor at a separate facility can access it could make for a compelling option in some cases.

Similarly, the ability to share that image with a patient at the tap of a folder is also an intriguing perk.

Cidon has even seen physician customers practically move their entire EHRs onto the Sookasa platform to curb expenses and be more interoperable across devices in a HIPAA-compliant fashion.

This emerging crop of file-sharing tools won’t solve the ongoing and ubiquitous EHR interoperability problem facing the entire healthcare industry, of course, but particularly for doctors who need to access patients’ medical records from multiple locations, one or more of the tools may be an attractive option.

“Especially in the healthcare industry,” Cidon concluded, “it can change your entire workflow.”

Five Common HIPAA Compliance Issues to Avoid | Physicians Practice

In the news recently was a story about surgeons in China who were punished after taking group photos next to apparently unconscious patients. In the photo, doctors and nurses in scrubs pose with a supposedly unconscious patient on the operating table in the operating room. Of course, you cannot see the patient, and, but for the headline, you could not tell from the photo whether it was even real or staged. The public apparently found the #surgeryselfie unacceptable, and the surgeons and nurses are now facing unknown consequences.

• In Florida, Walgreens Co. mailed free samples of Prozac Weekly to patients who were taking Prozac Daily.
• A Fort Lauderdale physician gave his fishing buddy, a drug company representative, a list of patients suffering from depression, and the salesman arranged to send trial packages of Prozac Weekly to their homes without the patients’ knowledge or permission.
• A Pakistani woman threatened to post the entire medical files of over 300,000 patients of UC Medical Center (San Francisco) if she wasn’t paid for her medical transcribing services. The hospital was surprised to learn that the company awarded the job of transcribing the medical records had sub-contracted all those records to a company outside of the United States.
• A hospital employee easily viewed and stole Tammy Wynette’s medical records from the hospital’s databases and sold the information to the National Enquirer and Star.
• A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He then called due the mortgages of anyone suffering from cancer.

Although these examples may be shocking, they are but a few of the routine HIPAA violations that occur daily across the country. According to the Office for Civil Rights (OCR), since the compliance date of the Privacy Rule in April 2003, OCR has received over 105,960 HIPAA complaints and has initiated over 1,157 compliance reviews.

Most HIPAA cases (23,181) have been resolved by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates.

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Based on OCR’s report, the compliance issues investigated most (in order of frequency) were:

1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Lack of administrative safeguards of electronic protected health information; and
5. Use or disclosure of more than the minimum necessary protected health information.

 

Although most HIPAA cases appear to be resolved by the OCR, 540 referrals were made by the OCR to the Department of Justice for criminal investigation. This would be for cases that involved the knowing disclosure or obtaining of protected health information in violation of the rules.

Finally, the most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

1. Private practices;
2. General hospitals;
3. Outpatient facilities;
4. Pharmacies; and
5. Health plans (group health plans and health insurance issuers).

 

As you will note, private practices are at the top of that list!

As we head into 2015, among the many items to consider is whether your practice’s operations are compliant with HIPAA. Although many groups complete required training, too many have become uninterested in HIPAA over time. It’s a good idea to remind your staff of the consequences of violating HIPAA and to emphasize that comments on Twitter about patients, posting #surgeryselfies, or otherwise allowing curiosity to lead to inappropriate records review, will not be tolerated.

5 Tips to Avoid Violation of HIPAA Laws


Although the Health Insurance Portability and Accountability Act (HIPAA) has been around since 1996, it has only become a more familiar term in the healthcare industry since the implementation of the Privacy Rule in 2001. The Privacy Rule was designed specifically to address the protection of an individual's personal health information. It is important for the vitality of your medical office to maintain HIPAA compliance.

Any organization that accesses patient health information is considered a covered entity and is required by law to comply with HIPAA provisions or face civil and/or criminal penalties. It is imperative that medical records remain confidential and cannot be accessed by people who do not have proper authorization. Disclosures of a patient's protected health information (PHI) made without their authorization are considered a violation of the Privacy Rule.

All healthcare providers have a responsibility to keep their staff trained and informed regarding HIPAA compliance. Whether intentional or accidental, unauthorized disclosure of PHI is considered a violation of HIPAA. Here are 5 tips to avoid violating HIPAA:

  1. Routine Conversation. Healthcare professionals should be very careful to refrain from disclosing information through routine conversation. This can easily happen by mentioning to a third party something as seemingly insignificant as the fact that John Smith had an office visit today.
  2. Public Areas. Discussing patient information in waiting areas, hallways or elevators should be strictly off limits. Sensitive information can be overheard by visitors or other patients. Also be sure to keep patient records out of areas that are accessible to the public.
    • Check-in desks and nurses' stations are out in the open where anyone can see protected health information. Go the extra mile for your patients' privacy with a HIPAA compliant privacy screen.
    • Chart holders should be mounted and the front panel covered according to HIPAA standards. Choose from a large variety of chart holders based on your facility's particular needs.
  3. Trash. PHI should never be disposed of in the trash can. Any document thrown in the trash is open to the public and therefore a breach of information. There is a wide range of HIPAA compliant paper shredders to choose from depending on the needs of your medical office.
  4. Gossip. Gossip is particularly hard to control. That is why it is important that access to information be strictly limited to employees whose jobs require that information. This type of violation can be particularly damaging to the reputation of your organization, especially in small communities where "everybody knows everybody."
  5. Marketing. Selling patient lists or disclosing PHI to third parties for marketing purposes is strictly prohibited without prior authorization from the patient. Remember that patient information should only be accessed and disclosed for the purpose of providing quality care.
Is your cloud provider HIPAA compliant? An 11 point checklist


Healthcare organisations frequently turn to managed service providers (MSPs) to deploy and manage private, hybrid or public cloud solutions. MSPs play a crucial role in ensuring that healthcare organisations maintain secure and HIPAA compliant infrastructure.


Although most MSPs offer the same basic services – cloud design, migration, and maintenance – the MSP’s security expertise and their ability to build compliant solutions on both private and public clouds can vary widely.


Hospitals, healthcare ISVs and SaaS providers need an MSP that meets and exceeds the administrative, technical, and physical safeguards established in the HIPAA Security Rule. The following criteria either must or should be met by an MSP:


1. Must offer business associate agreements


An MSP must offer a Business Associate Agreement (BAA) if it hopes to attract healthcare business. When a Business Associate is under a BAA, they are subject to audits by the Office for Civil Rights (OCR) and could be accountable for a data breach and fined for noncompliance.

According to HHS, covered entities are not required to monitor or oversee how their Business Associates carry out privacy safeguards, or in what ways MSPs abide by the privacy requirements of the contract. Furthermore, HHS has stated that a healthcare organisation is not liable for the actions of an MSP under BAA unless otherwise specified.


An MSP should be able to provide a detailed responsibility matrix that outlines which aspects of compliance are the responsibility of whom. Overall, while an MSP allows healthcare organisations to outsource a significant amount of both the technical effort and the risk of HIPAA compliance, organisations should still play an active role in monitoring MSPs. After all, an OCR fine is often the least of an organisation’s worries in the event of a security breach; negative publicity is potentially even more damaging.


2. Should maintain credentials


There is no “seal of approval” for HIPAA compliance that an MSP can earn. The OCR grants no such qualifications. However, any hosting provider offering HIPAA compliant hosting should have had their offering audited by a reputable auditor against the HIPAA requirements as defined by HHS.


In addition, the presence of other certifications can assist healthcare organisations in choosing an MSP that takes security and compliance concerns very seriously. A well-qualified MSP will maintain the following certifications:

  • SSAE-16
  • SAS70 Type II
  • SOX Compliance
  • PCI DSS Compliance


While these certifications are by no means required for HIPAA compliance, the ability to earn such qualifications indicates a high level of security and compliance expertise. They require extensive (and expensive) investigations by 3rd party auditors of physical infrastructure and team practices.


3. Should offer guaranteed response times


Providers should indicate guaranteed response times within their Service Level Agreement. While 24/7/365 NOC support is crucial, the mere existence of a NOC team is not sufficient for mission-critical applications; healthcare organisations need a guarantee that the MSP’s NOC and security teams will respond to routine changes and to security threats in a timely manner.  Every enterprise should have guaranteed response times for non-critical additions and changes, as well.


How such changes and threats are prioritized and what response is appropriate for each should be the subject of intense scrutiny by healthcare organisations, who also have HIPAA-regulated obligations in notifying authorities of security breaches.


4. Must meet data encryption standards


The right MSP will create infrastructure that is highly secure by default, meaning that the highest security measures should be applied to any component where such measures do not interfere with the function of the application. In the case of data encryption, while HIPAA’s Security Rule only requires encryption for data in transit, data should reasonably be encrypted everywhere by default, including at rest and in transit.


When MSPs and healthcare organisations encrypt PHI, they are within the “encryption safe harbor.” Unauthorised disclosure will not be considered a breach and will not necessitate a breach notification if the disclosed PHI is encrypted.


Strong encryption policies are particularly important in public cloud deployments. The MSP should be familiar with best practices for encrypting data both within the AWS environment and in transit between AWS and on-site back-ups or co-location facilities. We discuss data encryption best practices for HIPAA compliant hosting on AWS here.


It is important to note that not all encryption is created equal; look for an MSP that guarantees at least AES-256 Encryption, the level enforced by federal agencies. It is useful to note that AWS’ check-box encryption of EBS volumes meets this standard.


5. Should have “traditional IT” and cloud expertise


Major healthcare organisations have begun to explore public cloud solutions. However, maintaining security in public clouds and in hybrid environments across on-premises and cloud infrastructure is a specialty few MSPs have learned. “Born in the Cloud” providers, whose businesses started recently and are made up exclusively of cloud experts, are quite simply lacking the necessary experience in complex, traditional database and networking that would enable them to migrate legacy healthcare applications and aging EHR systems onto the public cloud without either a) over-provisioning or b) exposing not-fully-understood components to security threats.


No matter the marketing hype around “Born in the Cloud” providers, it certainly is possible to have best-in-class DevOps and cloud security expertise and a strong background in traditional database and networking. In fact, this is what any enterprise with legacy applications should expect.


Hiring an MSP that provides private cloud, bare metal hosting, database migrations, legacy application hosting, and also has a dedicated senior cloud team is optimal. This ensures that the team is aware of the unique features of the custom hardware that currently supports the infrastructure, and will not expose the application to security risks by running the application using their “standard” instance configuration.


6. Must provide ongoing auditing and reporting


The HIPAA Security Rule requires that the covered entity “regularly” audit its own environment for security threats. It does not, however, define “regularly,” so healthcare organisations should request the following from their MSPs:


  • Monthly or quarterly engineering reviews, both for security concerns and cost effectiveness
  • Annual 3rd party audits
  • Regular IAM reports. A credential report can be generated every four hours; it lists all of the organisation’s users and access keys.
  • Monthly re-certification of staff’s IAM roles
  • Weekly or daily reports from 3rd party security providers, like Alert Logic or New Relic
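As an added example (not from the article and not any MSP's tooling), the following Python script shows what a practitioner would actually do with the IAM credential report mentioned above: parse it and flag credentials that breach a rotation or inactivity policy, which is the evidence a monthly re-certification review needs. The layout follows the CSV that `aws iam get-credential-report` returns, but the rows here are a constructed sample with only a subset of the real columns (parsed by header name, so column order does not matter); the 90-day thresholds, the `SAMPLE_NOW` evaluation time and the `audit_report`/`findings_by_user` names are assumptions.

```python
"""Audit an AWS IAM credential report for stale or risky credentials (added example)."""
import csv
import io
from datetime import datetime, timezone

# Assumed policy thresholds (not from the article): rotate every 90 days,
# and treat anything unused for 90 days as a candidate for disabling.
MAX_AGE_DAYS = 90
INACTIVE_DAYS = 90
ROOT_USER = "<root_account>"  # the literal AWS uses for the root row
NOT_A_TIME = {"N/A", "not_supported", "no_information", ""}  # AWS placeholders

# Constructed sample rows in the CSV layout of `aws iam get-credential-report`
# (subset of the real columns; timestamps are ISO 8601 with a UTC offset).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2014-01-10T08:00:00+00:00,not_supported,2016-02-01T09:12:00+00:00,not_supported,true,true,2014-01-10T08:00:00+00:00,2015-11-30T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-06-01T12:00:00+00:00,true,2016-03-10T07:30:00+00:00,2016-02-20T09:00:00+00:00,true,true,2016-02-20T09:05:00+00:00,2016-03-10T07:31:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-01-15T12:00:00+00:00,true,2015-09-01T10:00:00+00:00,2015-01-15T12:00:00+00:00,false,true,2015-01-15T12:10:00+00:00,2015-08-30T15:00:00+00:00,true,2015-03-01T00:00:00+00:00,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2015-10-01T00:00:00+00:00,false,not_supported,not_supported,false,true,2015-10-01T00:00:00+00:00,2016-03-11T00:00:00+00:00,false,N/A,N/A
"""
# Assumed time at which the report is evaluated (constructed to match the sample).
SAMPLE_NOW = datetime(2016, 3, 15, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Convert a report timestamp to an aware datetime; AWS placeholders become None."""
    if value in NOT_A_TIME:
        return None
    return datetime.fromisoformat(value)


def audit_report(csv_text, now):
    """Return a list of findings, each {"user", "check", "detail"}, for one report."""
    findings = []

    def add(user, check, detail):
        findings.append({"user": user, "check": check, "detail": detail})

    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        keys_active = [i for i in (1, 2) if row[f"access_key_{i}_active"] == "true"]

        # Root should never carry long-lived API keys; IAM users or roles should be used instead.
        if user == ROOT_USER and keys_active:
            add(user, "root_access_key", "root account has an active access key")

        # Console password checks only apply to principals that actually have a password.
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                add(user, "no_mfa", "console password enabled without MFA")
            changed = parse_ts(row["password_last_changed"])
            if changed and (now - changed).days > MAX_AGE_DAYS:
                add(user, "password_stale", f"password last changed {(now - changed).days} days ago")
            used = parse_ts(row["password_last_used"])
            if used and (now - used).days > INACTIVE_DAYS:
                add(user, "password_unused", f"console password unused for {(now - used).days} days")

        # Access key checks: rotation age, and whether the key is in use at all.
        for i in keys_active:
            rotated = parse_ts(row[f"access_key_{i}_last_rotated"])
            if rotated and (now - rotated).days > MAX_AGE_DAYS:
                add(user, "key_stale", f"access_key_{i} last rotated {(now - rotated).days} days ago")
            used = parse_ts(row[f"access_key_{i}_last_used_date"])
            if used is None:
                add(user, "key_never_used", f"access_key_{i} is active but has never been used")
            elif (now - used).days > INACTIVE_DAYS:
                add(user, "key_unused", f"access_key_{i} unused for {(now - used).days} days")
    return findings


def findings_by_user(findings):
    """Group the check names by user, the shape a re-certification reviewer wants."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["user"], set()).add(f["check"])
    return grouped


if __name__ == "__main__":
    for f in audit_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{f['user']:15} {f['check']:16} {f['detail']}")
```

Run against a real report by replacing `SAMPLE_REPORT` with the decoded CSV and `SAMPLE_NOW` with the report's generation time; a user such as `alice` (MFA on, everything rotated and recently used) produces no findings, while `bob` shows the pattern a review should catch: no MFA, an old password, and two stale keys, one of which has never been used.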


7. Must maintain compliant staffers and staffing procedures


HIPAA requires organisations to provide training for new workforce members as well as periodic reminder training. As a business associate, the MSP has certain obligations for training their own technical and non-technical staff in HIPAA compliance. There are also certain staff controls and procedures that must be in place and others that are strongly advisable. A covered entity should ask the MSP the following questions:


  • What formal sanctions exist against employees who fail to comply with security procedures?
  • What supervision exists of employees who deal with PHI?
  • What is the approval process for internal collaboration software or cloud technologies?
  • How do employees gain access to your office? Is a FOB required?
  • What is your email encryption policy?
  • How will your staff inform our internal IT staff of newly deployed instances/servers? How will keys be communicated, if necessary?
  • Is there a central authorisation hub such as Active Directory for the rapid decommissioning of employees?
  • Can you provide us with your staff’s HIPAA training documents?
  • Do you provide security threat updates to staff?
  • What are internal policies for password rotation?
  • (For Public Cloud) How are root account keys stored?
  • (For Public Cloud) How many staff members have Administrative access to our account?
  • (For Public Cloud) What logging is in place for employee access to the account? Is it distinct by employee, and if federated access is employed, where is this information logged?


While the answers to some of these questions do not confirm or deny an MSP’s degree of HIPAA compliance, they may help distinguish a new company that just wants to attract lucrative healthcare business from a company already well versed in such procedures.


8. Must secure physical access to servers


In the case of a public cloud MSP, the MSP should be able to communicate why their cloud platform of choice maintains physical data centres that meet HIPAA standards. To review AWS’s physical data centre security measures, see their white paper on the subject. If a hybrid or private cloud is also maintained with the MSP, they should provide a list of global security standards for their data centres, including ISO 27001, SOC, FIPS 140-2, FISMA, and DoD CSM Levels 1-5, among others. The specific best practices for physical data centre security that healthcare organisations should look out for is well covered in ISO 27001 documentation.


9. Should conduct risk analysis in accordance with NIST guidelines


The National Institute of Standards and Technology, or NIST, is a non-regulatory federal agency under the Department of Commerce. NIST develops information security standards that set the minimum requirements for any information technology system used by the federal government.


NIST produces Standard Reference Materials (SRMs) that outline the security practices, and their most recent Guide for Conducting Risk Assessments provides guidance on how to prepare for, conduct, communicate, and maintain a risk assessment as well as how to identify and monitor specific risk factors. NIST-800 has become a foundational document for service providers and organisations in the information systems industry.


An MSP should be able to provide a report that communicates the results of the most recent risk assessment, as well as the procedure by which the assessment was accomplished and the frequency of risk assessments.


Organisations can also obtain NIST 800-53 Certification from NIST as a further qualification of security procedures. While again this is not required of HIPAA Business Associates, it indicates a sophisticated risk management procedure — and is a much more powerful piece of evidence than standard marketing material around disaster recovery and security auditing.


10. Must develop a disaster recovery plan and business continuity plan


The HIPAA Contingency Plan standard requires the implementation of a disaster recovery plan. This plan must anticipate how natural disasters, security attacks, and other events could impact systems that contain PHI, and develop policies and procedures for responding to such situations.

An MSP must be able to provide their disaster recovery plan to a healthcare organisation, which should include answers to questions like these:

  • Where is backup data hosted? What procedure maintains retrievable copies of ePHI?
  • What procedures identify suspected security incidents?
  • Who must be notified in the event of a security incident? How are such incidents documented?
  • What procedure documents and restores the loss of ePHI?
  • What is the business continuity plan for maintaining operations during a security incident?
  • How often is the disaster recovery plan tested?


11. Should already provide service to large, complex healthcare clients


Although the qualifications listed above are more valuable evidence of HIPAA compliance, a roster of clients with large, complex, HIPAA-compliant deployments should provide extra assurance. This pedigree will be particularly useful in vendor decision discussions with non-technical business executives. The MSP’s ability to retain healthcare clients in the long term (2-3+ years) is important to consider.

HIPAA Settlement Follows Unsecured Paper Records Disposal

A small Denver pharmacy agreed to a $125,000 settlement with the U.S. Department of Health and Human Services (HHS) after HHS alleged that the pharmacy failed to dispose of paper records that contained patient information in accordance with HIPAA.

According to the Resolution Agreement, the HHS Office for Civil Rights (OCR) received a report from a local news station that the pharmacy disposed of paper records with protected health information (PHI) in a dumpster that was accessible to the public. The Resolution Agreement also alleges that the pharmacy failed to implement written policies and procedures to comply with HIPAA and did not train its workforce in proper HIPAA protocols and procedures for handling PHI.

The settlement illustrates the need for covered entities and business associates to ensure that records and documents, both paper and electronic, are maintained and disposed of in a secure manner. HIPAA requires covered entities and business associates to protect the privacy and security of PHI in any form, including by implementing reasonable physical, administrative, and technical safeguards. In a Frequently Asked Questions document about disposal of information, HHS notes that, while HIPAA does not mandate any particular method of disposal, “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

Furthermore, the settlement should remind covered entities and business associates of all sizes of the importance of implementing proper written policies and workforce training in compliance with HIPAA.



Misplaced USB drive leads to county health department breach

The Denton County (Texas) Health Department began notifying tuberculosis (TB) clinic patients of a breach that occurred in February when a health department employee left a USB drive containing PHI at a printing store, according to a press release.


The USB drive contained the names, dates of birth, addresses, and test results of 874 patients seen at a TB clinic associated with the county health department. The employee left the USB drive unattended at the printing store for approximately one hour, according to the press release.


The department launched an internal investigation after the employee voluntarily reported the potential breach. The press release states that the department does not believe the records were accessed during the time the USB drive was left unattended. However, it is notifying affected patients by mail and recommending that they obtain a credit report and monitor financial statements.


Cybersecurity must be faced by industry head on

Less than a quarter of the way through 2015, tens of millions of healthcare consumers already have seen their personal information compromised--the most notable hacks so far being on health insurance providers Anthem and Premera.


The Anthem attack, announced in February, sent the industry reeling, with the unencrypted information of more than 78 million individuals compromised after hackers broke into a database.


Weeks later, it was revealed that at Premera Blue Cross, hackers gained access to the personal information of 11 million customers. The attack initially occurred May 5, 2014, but it was not detected by the Mountlake Terrace, Washington-based insurer until Jan. 29 of this year, Premera said on a website it set up to inform members about the incident.


Many in healthcare have said threats have to be taken seriously from the top all the way down--from the C-suite to the workforce.

"The C-suite must care, the workforce must be aware. This is a very simple recipe, and if you follow this recipe, it will be a tremendous improvement on protecting privacy and data security," Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, said during the HIPAA Summit in the District of Columbia last month. "Data protection must be felt in the bones of an organization, it must be part of the organization's culture. It can't be something that's an afterthought or tacked on."


With all the trouble these kinds of breaches and attacks are causing healthcare organizations, it's no surprise that the Healthcare Information and Management Systems Society's conference in Chicago next week will be chock full of panels and events on the growing issue.


Educational sessions will address cybersecurity aspects that include upcoming HIPAA audits (though no date has been announced for when those will begin), data security and enforcement trends, and how to protect patients by staying ahead of such threats.



Is Your Medical Practice's Social Media Policy Adequate?

By now every physician should be aware of the benefits that can be bestowed upon their practice as a result of social media. Indeed many practices are engaging in one or more social media platforms on a regular basis. Moreover, staff members are most definitely active in social media, and probably use it while at work.

Physicians and practice managers must be smart about training employees on what they should and should not share online. Staff in your practice could incur liability on behalf of your practice as a result of their comments on social media. Because of the confidentiality rules in HIPAA, staff training is important. You should constantly remind employees that they are representatives of the practice.

You should also have some sort of social media policy in place. Here are a few key items your policy should include:

1. Guidelines and expectations. Your policy should set clear expectations for how team members (as representatives of your practice) must conduct themselves online.

Your policy should clearly state that there will be no posting of protected health information (PHI) and that employees are not allowed to use social media in work areas near patients. Be specific in training your employees and inform them to avoid identifying patients in any way on social media — this includes names, unique characteristics, etc.

Some practices do not allow employees to use social media for personal reasons on work time. While that is fine as a policy, it does not circumvent the need to appropriately train your staff. Moreover, it can be hard to police.

It is advisable to discourage team members from engaging with patients on social media. If they do engage patients, they certainly should not be discussing patient-related matters.

Lastly, someone (most likely the practice administrator) should be designated as the spokesperson responsible for answering questions about your practice on social media.

2. Penalties and consequences. Penalties for data breaches increased under the American Recovery and Reinvestment Act, so your policy should make clear to employees the consequences of their actions on social media sites.

An individual claiming he did not know he violated HIPAA is subject to a minimum of $100 per violation. A HIPAA violation due to reasonable cause and not due to willful neglect carries a minimum fine of $1,000 per violation. A HIPAA violation that is due to willful neglect (but corrected in short order) is subject to a minimum of $10,000 per violation. Lastly, a HIPAA violation that is due to willful neglect and not corrected carries a minimum fine of $50,000 per violation. The maximum fine for each of these four categories is $50,000 per violation.

3. Explanations of rules and regulations. The social media policy should outline what is illegal, what is considered confidential information of the practice, and what is protected health information.

It’s not enough to have a social media policy. Employers should put just as much time and effort into training their employees on the ins and outs of the policy. Make it a separate document from the employee handbook.


The Inadequacy of HIPAA Policies and Procedures


I am often amazed at the questions I receive and the scenarios that are presented either when I speak or advise on HIPAA. One item that never ceases to amaze me is the confusion over what content is required in HIPAA policies and procedures. I kid you not; some entities contend that having a binder with the Code of Federal Regulations (CFR) section is enough. Let's think about that — how is that a policy, what are the procedures for implementing it, and what are the sanctions in the event the policy is not followed? The answers to these questions are what auditors, government officials, and lawyers look for when bringing a case or assessing fines.

Case in point: "Employee Sacked After Snooping Patient EMR Records," a true story. Ohio-based University Hospitals notified approximately 700 patients after a single employee "snooped" and accessed protected health information. This scenario raises multiple issues:

• The employee accessed the records for nearly three years without the hospital's knowledge;

• The hospital did not audit its EHR system until a complaint was received;

• The information accessed included names, diagnoses, health insurance information, and other sensitive information; and

• There were inadequate policies, procedures, and training on HIPAA.

What are the best ways to thwart this type of behavior? First, compile and implement substantive policies and procedures. Second, audit the EHR system regularly and have alerts set up that notify the IT department when records are inappropriately accessed. Third, have sanctions in place for HIPAA offenses. Fourth, provide annual staff training. And, finally, recognize the importance of identifying both your internal and external data security threats to the organization.
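The second recommendation above, regular EHR access auditing with alerts on inappropriate access, is the control that would have caught the three-year snooping case far sooner. The following is an added example (not code from the article or from University Hospitals) of a minimal audit pass over EHR access-log records. It flags two patterns that commonly indicate snooping: a user opening a chart for a patient with whom they have no documented treatment relationship, and a user opening an unusually large number of distinct charts in one day. The log format, the care-team table, the user and patient identifiers, and the volume threshold are all constructed for illustration; a real system would pull the treatment relationship from its encounter or scheduling tables.

```python
"""
Added example (not from the article or University Hospitals): a small audit pass
over EHR access-log records that flags two common snooping patterns:
  1. a user opening a chart for a patient they have no documented treatment
     relationship with (no care-team assignment for that patient), and
  2. a user opening an unusually large number of distinct charts in one day.
Log lines, the care-team table, and the threshold below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str  # e.g. "VIEW", "PRINT"


# Constructed care-team table: patient_id -> users with a documented care role.
# In practice this comes from encounter / scheduling data, not a static dict.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr.patel", "rn.lopez"},
    "P1002": {"dr.patel"},
    "P1003": {"dr.kim", "rn.lopez"},
}

# Constructed access log, one "timestamp|user|patient|action" record per line.
SAMPLE_LOG = """\
2015-03-02T08:01:10|rn.lopez|P1001|VIEW
2015-03-02T08:05:33|dr.patel|P1002|VIEW
2015-03-02T09:12:07|clerk.ward|P1003|VIEW
2015-03-02T09:13:49|clerk.ward|P1001|VIEW
2015-03-02T09:14:20|clerk.ward|P1002|PRINT
2015-03-02T11:40:00|dr.kim|P1003|VIEW
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the pipe-delimited log format used above into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def no_relationship(events: List[AccessEvent],
                    care_team: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Events where the user has no documented care role for the patient."""
    return [e for e in events if e.user not in care_team.get(e.patient_id, set())]


def high_volume(events: List[AccessEvent],
                max_patients_per_day: int) -> Dict[Tuple[str, str], int]:
    """(user, ISO date) pairs whose distinct-patient count exceeds the threshold."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        seen[(e.user, e.ts.date().isoformat())].add(e.patient_id)
    return {k: len(v) for k, v in seen.items() if len(v) > max_patients_per_day}


def audit(text: str,
          care_team: Dict[str, Set[str]] = CARE_TEAM,
          max_patients_per_day: int = 2) -> dict:
    """Run both checks and return the findings for review or alerting."""
    events = parse_log(text)
    return {
        "no_relationship": no_relationship(events, care_team),
        "high_volume": high_volume(events, max_patients_per_day),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    for e in findings["no_relationship"]:
        print(f"NO RELATIONSHIP: {e.user} {e.action} {e.patient_id} at {e.ts}")
    for (user, day), n in findings["high_volume"].items():
        print(f"HIGH VOLUME: {user} opened {n} distinct charts on {day}")
```

On the constructed log, every access by clerk.ward is flagged: the clerk has no care role for any of the three patients and exceeds the per-day threshold. Two caveats a practitioner would add before wiring this to an alert: legitimate emergency ("break the glass") access will trip the relationship check and must be reviewed rather than automatically sanctioned, and the per-day threshold should be tuned per role, since a scheduler legitimately touches far more charts than a nurse. Either way, findings should go to the privacy officer as well as IT, because the decision about sanctions under the practice's HIPAA policy is theirs.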



When HIPAA Applies to Patient Assistance Programs (and When It Doesn’t)


Patient Assistance Programs (PAPs) have proliferated in recent years, despite the fact that many commonly prescribed medications have lost patent protection and the Affordable Care Act (ACA) has attempted to eliminate pre-existing condition discrimination by insurance companies.  Still, drug costs remain unaffordable for many patients, particularly those with high-cost, chronic conditions, even when they have insurance coverage.  An article published recently in the New England Journal of Medicine suggests that, although the ACA increased insurance coverage for an estimated 10 million previously uninsured individuals in 2014, some insurers are structuring drug formularies in a manner that discriminates against (and discourages enrollment of) patients suffering from particular high-cost conditions.

Regardless of the cause, the need for and utilization of PAPs raises interesting questions related to privacy and security of protected health information (PHI).  I had the opportunity to co-present a workshop session on HIPAA at CBI’s 16th Annual Patient Assistance and Access Programs Conference in Baltimore, MD this week with Paula Stannard, Esq. of Alston & Bird.  The conference was well-attended, and Paula and I were asked a number of questions during and after our workshop that showed interest in HIPAA compliance by PAP entities, as well as confusion regarding it.

Paula and I crafted a scenario in which a PAP’s data system is hacked, and the hacker gains access to individually identifiable health information stored on the system.  Both Patient A and Patient B have insurance, but suffer from a condition requiring a medication not on their carriers’ formularies.  Patient A put his own information into the PAP system after learning about the PAP from a TV ad.  Patient B let his physician put his information into the PAP system, after the physician explained that the hospital at which the physician works has an arrangement with the PAP whereby the PAP will help with getting insurance coverage.

We asked the audience whether the hacker’s access to Patient A’s and Patient B’s information in the PAP was a HIPAA breach.  A follow up to this blog will discuss the factors relevant to deciding when HIPAA applies to PAPs (and individually identifiable information they maintain) and when it doesn’t.

