HIPAA Compliance for Medical Practices
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Phase 2 HIPAA Audits Will Continue in 2017

Phase 2 HIPAA Audits are targeting random health care practices and organizations around the country. Having an effective HIPAA compliance program is the easiest way to pass your audit. Read on to find out what you can do to protect your behavioral health practice!

Upcoming Phase 2 Audit Protocols

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) first announced this new round of random audits in 2016. Phase 2 is the second time in OCR’s history that it has instituted a random audit program. Phase 1 HIPAA Audits were rolled out in 2011 and affected a similar number of health care providers across the country.

OCR has designed these Phase 2 audits to target a broad selection of HIPAA-beholden health care organizations. That includes both Covered Entities (CEs) and Business Associates (BAs).

HIPAA defines a Covered Entity as any health care provider, including Behavioral Health specialists, who creates protected health information (PHI). PHI is any health data that can be used to identify a patient (including name, date of birth, social security number, address, medical data, etc.). HIPAA defines a Business Associate as any organization that encounters PHI over the course of the work it has been hired to do (examples include billing firms, cloud storage providers, faxing, shredding, copying, and IT providers, to name a few).

So how do you know if your behavioral health organization has been selected for a Phase 2 HIPAA audit?

OCR will reach out to your organization via email if you have been randomly selected for an audit. You should look out for emails from “OSOCRAudit@hhs.gov”.

Once you’ve been contacted for an audit, you will have 10 days to respond to OCR’s request for information. If your organization does not respond for any reason, federal investigators will continue to contact your organization until they receive a response; this includes using publicly available information to call or contact you.

One of the first things federal investigators will ask for is a complete list of your organization’s business associates, with contact information for each. Identify your business associates now so that you’re prepared for these upcoming HIPAA audits.

Additionally, your organization must have a HIPAA compliance program in place with full documentation that can be provided for OCR investigators.

Desk Audits vs. Onsite Audits

Phase 2 HIPAA Audits consist of a number of different stages.

The first stage is desk audits, which are a series of remote audits. OCR investigators will contact your organization via email and you’ll be prompted to send the appropriate information. Investigators will not come to your physical location, but you’ll still be required to comply with the investigation.

Onsite audits are another means of investigation that OCR is set to pursue in 2017. Onsite Phase 2 HIPAA Audits will require federal OCR investigators to come onsite to inspect your organization. They will be checking your level of compliance with HIPAA regulation.

Technical Dr. Inc.'s insight:
Contact Details:

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

States ramp up data security laws

Healthcare organizations not only must heed federal data security laws; they also have state laws to keep in mind. And a growing trend has states making these regulations tougher than ever. One state that currently has no laws requiring organizations to implement certain data security protections has proposed legislation that would hold entities fully responsible for failing to safeguard consumer data.  

 
As businesses continue to demonstrate grievous security failings, New York state has decided to join a growing number of states that have chosen to ramp up their data security laws. The announcement last week from the state's Attorney General Eric T. Schneiderman comes on the heels of a report last year, finding that nearly 23 million New Yorkers have had their personal records compromised since 2006.
 
New York entities are only required to notify individuals of a data security breach if "private information" has been compromised. Private information, as state officials pointed out, has a very narrow definition and does not include email addresses and passwords, or medical data and health insurance data, among other items.
 
The proposed law would broaden the definition of private information to include email addresses, security questions and medical and health insurance data. The law would also establish a safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach. 
 
In 2013, a "record-setting" breach year for New York, these data security breaches cost organizations a whopping $1.37 billion statewide. Some 40 percent of those breaches were hacking related, according to a 2014 N.Y. Attorney General report.
 
What's more, healthcare organizations proved to be the biggest offenders, with healthcare data breaches being responsible for compromising the largest number of records of New Yorkers since 2006. "As the healthcare industry moves toward increasing digitization, it has become a repository for large troves of sensitive information, making the industry uniquely susceptible to data loss, particularly through lost or stolen electronic storage equipment," Schneiderman wrote in the report.  
 
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," said Schneiderman in a Jan. 15 press release. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
 
One of the state's biggest data breaches ever reported was announced by the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which compromised the health records of some 1.7 million employees, vendors and patients.
 
In light of the increase in scope and frequency of these data security breaches, just last month, Oregon's AG Ellen Rosenblum called on the state's legislature to update and toughen Oregon's data breach law, which does not protect medical or health insurance data. Indiana's AG also in December proposed similar legislation that would tighten data security laws in the state. 


How To HIPAA-proof Your Smartphone

Healthcare individuals and organisations can often find themselves the prime target for security breaches, and for that reason they need to do their utmost in protecting the privacy of patient records and information. To that end, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was introduced to set the standards required for protecting sensitive information, including saving, transmitting and accessing patient data and electronic files.

IT security has in recent years become a high priority for hospitals and other healthcare providers, as online attacks have risen. HIPAA has always been there to define the baseline for securing patient information from the cyber-criminals that target the healthcare industry. But, in January of last year, the department of Health and Human Services released an Omnibus Final Rule, which modified the HIPAA standards and placed new liabilities on individuals working in the healthcare profession.
Omnibus Final Rule Policies

These include:

Healthcare organisations (including business subcontractors and associates) being directly liable for compliance, as well as for penalties for all violations.
Risk assessment now must focus not on the harm to the patient but simply whether information has been compromised.
In the event of a security breach, patients, HHS and media must be notified within 60 days.
Breaches of limited data sets (i.e. data that does not contain birth dates or location information) are no longer to be treated as an exception, and must be treated in the same manner that all breaches of information are treated.

The result has led to a surge in regulatory and HIPAA privacy claims, with many involving nefarious acts by unhappy employees and disgruntled patients.

In one case, it is reported that a physician’s smartphone was compromised and over 30 unauthorized security breaches were recorded over the space of just a single four-hour period. The practice was required to notify hundreds of patients warning them of the potential leakage of their medical information, as well as reporting the incident to the press and the relevant government authorities as per HIPAA regulations.
Smartphones Extremely Vulnerable To Theft And Loss

Because of their portability and small size, mobile devices are particularly vulnerable to theft and loss, which indeed accounts for the majority of security breaches. Catherine Barrett of the Federal Working Group reports on a survey of 600 US hospital workers, which found that 66% of reported data breaches were the result of a mobile device being lost or stolen.

Any unauthorised access to sensitive information on your smartphone or any other device constitutes a violation of the HIPAA privacy rules. Even if you merely lose your phone, you are potentially putting that information at risk and you may well find yourself liable. If anyone other than you manages to access those files that are protected under HIPAA, even if the person who finds the phone has no malicious intent and is just being a bit nosy before handing the phone in to the authorities, you are still in violation of HIPAA and are susceptible to punishment. Under the Omnibus Final Rule a breach is a breach, and there is no wiggle room when you find yourself in court.

The cost of a breach is a real one too. Although it is true that certain data breaches may well be covered by your insurance, the cost to your reputation (especially considering that you have no choice under HIPAA but to make public the infraction) is difficult to measure, and the time you and your staff will have to devote to addressing the issue is certainly not negligible.
How To HIPAA-Proof Your Smartphone

First and foremost you will of course want to HIPAA-proof your desktop and office systems, and something like PA File Sight is certainly something to consider – the software allows managers to view exactly who is accessing, reading from and editing any important and sensitive files on the system.

Once you have done this it is time to HIPAA-proof your smartphone and any other mobile devices.

Step 1. Activate Your Phone Passcode: Although this seems like a no-brainer, it is surprising how many people don’t even take this first very easy step. You will need to choose a four-digit passcode to access your phone, and it cannot be something that is easy to guess. No birthdays, addresses, phone numbers or special dates that are in any way related to you, as these can all be Googled. Your phone may have a special setting that will wipe all information from the phone if the incorrect passcode is entered more than a set number of times. Set this to, say, 5, and turn this setting on.

Step 2. Never Use Email: Email accounts are very easily hacked, especially if you are using your smartphone to transfer information. If a HIPAA Privacy claim was ever filed against you or your practice and it was discovered that you were sending sensitive information via email, you will not have a defensive leg to stand on. The problem is that regular email communications are not usually encrypted, so if you are using this method you need to stop immediately and switch to a cloud-based encryption service or use a virtual private network (VPN) only.

Step 3. Set A ‘Required Login’ For Accessing Apps: Although it is obviously very convenient to leave yourself logged in to your apps on your smartphone, you must never ever do so with any that deliver HIPAA sensitive information to your device. If someone were to gain access to your phone and you had left all of your apps open, then the person will have access to every file you have. Login each time – it might be inconvenient, but that’s just tough.

Step 4. Install an Encryption App: This is one sure-fire way to ensure that all files being transferred from and to your device remain protected should your device be compromised. Encryption apps will also protect the information that resides on your phone itself. There are many encryption apps available for both Apple and Android devices, some of which are so sophisticated that they even meet FBI standards. Though it is unlikely that you will need such a powerful (not to mention expensive) one, you will nonetheless be much better protected if your files are secured by some sort of encryption app on your phone. The apps can of course be configured to encrypt all of your phone’s data, or just the sensitive information that you select.

By following the above steps you will be slowing any hacker down considerably. Although these barriers could all be hacked by a serious or determined individual, it is much more likely that they will instead look to move onto the next unprotected device, which hopefully will be one that doesn’t contain any HIPAA sensitive data. Either way, if the information on your phone is securely protected, you should be able to avoid any HIPAA violations should your device become lost or stolen.

Five Common HIPAA Compliance Issues to Avoid

In the news recently was a story about surgeons in China who were punished after taking group photos next to apparently unconscious patients. In the photo, doctors and nurses in scrubs pose with a supposedly unconscious patient on the operating table in the operating room. Of course, you cannot see the patient, and but for the headline you could not tell from the photo whether it was even real or staged. The public apparently found the #surgeryselfie unacceptable and the surgeons and nurses are now facing unknown consequences.

Violation of patient privacy rights is nothing new in the U.S. If you look at some of the true stories that are listed on www.patientprivacyrights.org, you would be shocked at the HIPAA violations that occur:

• In Florida, Walgreens Co. mailed free samples of Prozac Weekly to patients who were taking Prozac Daily.
• A Fort Lauderdale physician gave his fishing buddy, a drug company representative, a list of patients suffering from depression and the salesman arranged to send trial packages of Prozac Weekly to their homes without the patients’ knowledge or permission.
• A Pakistani woman threatened to post the entire medical files of over 300,000 patients of UC Medical Center (San Francisco) if she wasn’t paid for her medical transcribing services. The hospital was surprised to learn that the company awarded the job of transcribing the medical records had sub-contracted all those records to a company outside of the United States.
• A hospital employee easily viewed and stole Tammy Wynette’s medical records from the hospital’s databases and sold the information to the National Enquirer and Star.
• A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He then called due the mortgages of anyone suffering from cancer.

Although these examples may be shocking, they are but a few of the routine HIPAA violations that occur daily across the country. According to the Office for Civil Rights (OCR), since the compliance date of the Privacy Rule in April 2003, OCR has received over 105,960 HIPAA complaints and has initiated over 1,157 compliance reviews.

Most HIPAA cases (23,181) have been resolved by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. 

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Based on OCR’s report, the compliance issues investigated most (in order of frequency) were:
1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Lack of administrative safeguards of electronic protected health information; and
5. Use or disclosure of more than the minimum necessary protected health information.

Although most HIPAA cases appear to be resolved by the OCR, 540 referrals were made by the OCR to the Department of Justice for criminal investigation.  This would be for cases that involved the knowing disclosure or obtaining of protected health information in violation of the rules.

Finally, the most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
1. Private practices;
2. General hospitals;
3. Outpatient facilities;
4. Pharmacies; and
5. Health plans (group health plans and health insurance issuers).

As you will note, private practices are at the top of that list!

As we head into 2015, among the many items to consider is whether your practice’s operations are compliant with HIPAA. Although many groups complete required training, too many have become disinterested in HIPAA over time. It’s a good idea to remind your staff of the consequences of violating HIPAA and to emphasize that comments on Twitter about patients, posting #surgeryselfies, or otherwise allowing curiosity to lead to inappropriate records review, will not be tolerated.

In smaller physician offices, staff can become quite lax about password access and too casual about the use of e-mail, messaging and other types of patient interactions that are not HIPAA compliant. 

All of these areas are ones that should be revisited in the New Year. Make a resolution to revisit your practice’s commitment to HIPAA in 2015!


HIPAA Security Evaluation – HIPAA Risk Analysis – Explained -

Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh?

Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation and a HIPAA Security Risk Analysis. No wonder: the terms are often used interchangeably.

Let’s end the confusion…


Technically, one might argue that when it comes to regulatory compliance of any type, three types of assessments can be completed:

1. Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”

2. Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”

3. Readiness Assessments answer questions like: “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and “Are we ready for an audit?”

We focus on the first two in this post because these are the ones you must complete. Both are required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law, including all 18 Standards and 42 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) in the HIPAA Security Final Rule. Additionally, this evaluation must cover CFR 164.314 and 316, related to Organizational Requirements, Policies and Procedures, and Documentation.

As indicated above, completing this HIPAA Security Compliance Evaluation is required of every Covered Entity and Business Associate. The language of the law is in 45 C.F.R. § 164.308(a)(8):

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program or maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:

A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is also required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement for meeting Meaningful Use objectives. Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by the HITECH Act, the Office for Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. This guidance was published on July 8, 2010. No specific methodology was indicated. However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. We have designed a Risk Analysis methodology and ToolKit around these elements while using industry best practices.

As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of risk, along with mitigation actions involving new safeguards or controls:

Upon completion of the Risk Analysis for all information assets, an overall Risk Analysis Project Tracking tool would be used to ensure ongoing project management of the implementation of safeguards:
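The asset-by-asset risk evaluation and the project-tracking view described above, as an added example that is not part of the original post and not the author's ToolKit. The three-point likelihood and impact scales, the rule that each existing safeguard lowers likelihood by one step, and the acceptable-risk threshold are modelling assumptions chosen for this example (the OCR guidance prescribes no particular scale); the asset inventory is constructed.

```python
"""Worked example: per-asset HIPAA Security Risk Analysis with a mitigation tracking sheet."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed three-point ordinal scales; the OCR guidance mandates no specific scale.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
# Assumed threshold: residual scores at or below this need no new safeguard.
ACCEPTABLE_RISK = 2


@dataclass
class Threat:
    name: str
    likelihood: str                                   # likelihood with no controls applied
    impact: str                                       # effect on confidentiality/integrity/availability of ePHI
    controls: List[str] = field(default_factory=list)  # safeguards already in place
    proposed: List[str] = field(default_factory=list)  # candidate new safeguards


@dataclass
class Asset:
    name: str
    ephi_role: str            # creates, receives, maintains or transmits ePHI
    threats: List[Threat]


def inherent_risk(threat: Threat) -> int:
    """Likelihood x impact before any safeguard is credited."""
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]


def residual_risk(threat: Threat) -> int:
    """Modelling assumption: each documented control lowers likelihood one step, floor 1."""
    level = max(1, LIKELIHOOD[threat.likelihood] - len(threat.controls))
    return level * IMPACT[threat.impact]


def evaluate_asset(asset: Asset) -> List[Dict]:
    """Trees-level view: one row per threat, with the safeguards still required."""
    rows = []
    for t in asset.threats:
        residual = residual_risk(t)
        rows.append({
            "asset": asset.name,
            "threat": t.name,
            "inherent": inherent_risk(t),
            "residual": residual,
            "controls": list(t.controls),
            # Only threats above the accepted level generate mitigation actions.
            "actions": list(t.proposed) if residual > ACCEPTABLE_RISK else [],
        })
    return rows


def tracking_sheet(assets: List[Asset]) -> List[Dict]:
    """Project-tracking view: one open item per required safeguard, highest residual risk first."""
    items = []
    for asset in assets:
        for row in evaluate_asset(asset):
            for action in row["actions"]:
                items.append({"asset": row["asset"], "threat": row["threat"],
                              "residual": row["residual"], "safeguard": action,
                              "status": "open"})
    return sorted(items, key=lambda i: -i["residual"])   # stable sort keeps asset order within a score


# Constructed sample inventory (not a real organization's data).
SAMPLE_ASSETS = [
    Asset("Clinician laptop", "maintains", [
        Threat("Loss or theft", "high", "high",
               controls=["screen-lock passcode"],
               proposed=["full-disk encryption", "remote wipe via MDM"]),
        Threat("Malware infection", "medium", "high",
               controls=["endpoint anti-malware", "OS patching"],
               proposed=["application allow-listing"]),
    ]),
    Asset("Billing file transfer", "transmits", [
        Threat("Interception in transit", "medium", "high",
               controls=[], proposed=["SFTP/TLS transfer", "business associate agreement review"]),
    ]),
    Asset("Off-site backup tapes", "maintains", [
        Threat("Unauthorised retrieval", "low", "medium",
               controls=["locked storage", "vendor BAA"], proposed=["tape encryption"]),
    ]),
]

if __name__ == "__main__":
    for item in tracking_sheet(SAMPLE_ASSETS):
        print(f"[{item['residual']}] {item['asset']}: {item['threat']} -> "
              f"{item['safeguard']} ({item['status']})")
```

With the sample inventory the laptop theft and the unencrypted billing transfer both score 6 and head the sheet, while the backup tapes fall to the accepted level once their two existing controls are credited and generate no action. Rerunning the evaluation after a safeguard is implemented (moving it from `proposed` to `controls`) is what gives the tracking sheet its "ongoing" character.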

So, when it comes to HIPAA Security Compliance Evaluation, think:

  • Forest-level view
  • Overall compliance with the HIPAA Security Final Rule
  • Establishing baseline evaluation score for measuring progress
  • Asking: Have we documented appropriate policies and procedures, etc?
  • Asking: Are we performing against our policies and procedures?

When it comes to HIPAA Security Risk Analysis, think:

  • Trees/Weeds-level view of each information asset with PHI
  • Meeting a specific step in the overall compliance process
  • Understanding current safeguards and controls in place
  • Asking: What are our specific risks and exposures to information assets?
  • Asking: What do we need to do to mitigate these risks?

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are required by law, and both are important and necessary steps on your HIPAA HITECH Security compliance journey.


What Constitutes a HIPAA Violation? | HealthITSecurity.com

No individual wants his or her protected health information (PHI) to be unnecessarily made public. Not only is the information personal, but if it fell into the wrong hands, it could lead to many issues – personal and even medical – for the patient in question.

As technology continues to evolve, it also seems that the number of healthcare data breaches is on the rise. Rightfully so, more people are becoming aware of how their information is shared electronically. But are all concerns over electronic data sharing warranted? Is everything considered a HIPAA violation?

That concern is one reason why some hospitals are reportedly abandoning a long-held tradition: announcing the first birth of the new year. Community Health Systems recently ordered its facilities nationwide to stop publicizing the first baby born in the year, according to the Associated Press.

“We know the birth of the new year baby is a joyous and exciting event, but protecting patient safety and privacy is our most important responsibility,” Community Health spokeswoman Tomi Galin told the news source.

Galin added that the move was a preventative measure, and not because of specific threats or abduction attempts. Moreover, the National Center for Missing & Exploited Children cautions healthcare providers about how much information they give to the media, Galin said. For example, home addresses or other personally identifiable information do not need to be released.

Community Health made headlines last year when it reported that Chinese cyber criminals hacked into its database, compromising the information of 4.5 million patients. The data included names, addresses, birth dates, telephone numbers and Social Security numbers. However, no credit card or medical data were involved.

Another surprising area where a HIPAA violation concern arose was in Major League Baseball. Matt Kemp played for the Los Angeles Dodgers, and was involved in a trade deal that would send him to the San Diego Padres. However, there were concerns over Kemp’s physical condition, according to a Yahoo Sports story. Specifically, a USA Today article reported that Kemp’s physical showed severe arthritis in his hips.

Yahoo Sports quoted a tweet from Ken Rosenthal, which said it would not be good if the Padres had leaked the medical information.

“Information damages Kemp in public realm. Gives appearance of #Padres trying to leverage medical information. And is a violation of HIPAA,” read the tweet.

But what exactly constitutes a HIPAA violation? According to the Department of Health and Human Services (HHS), organizations defined as a HIPAA covered entity need to comply with the rule’s requirements to protect patients’ privacy and security.

“If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information,” according to HHS.

Something that is seemingly innocent, such as announcing the first baby born in a new year, will not always lead to things such as identity theft. However, too much personal information, or information that is given without written parental consent, might be enough for a criminal to take advantage of the situation.

In terms of professional athletes, their information is often in the public eye. But covered entities must remain diligent in keeping PHI safe, regardless of who the data belongs to. Neither of these situations is necessarily a HIPAA violation, but it is important for healthcare organizations – and their patients – to remain current on all regulations to best protect sensitive information.


Fearing The Dreaded HIPAA Audit?

The HHS Office for Civil Rights plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. David Holtzman, a former senior advisor at OCR and now VP of compliance services at security firm CynergisTek, offers the following outline of what providers selected for an audit can expect and how to prepare.

 

Red Flags

In a 2012 pilot audit program, security rule problems were seen twice as often as anticipated, so expect security issues addressed under a permanent audit program to be bumped up. OCR found through the pilot audits that many organizations had not conducted a security risk analysis or had never updated an initial analysis, which signals that an organization is not taking HIPAA seriously. Other areas with significant deficiencies included access management, security incident procedures, contingency planning, audit controls, and movement and destruction of protected health information.

 

Getting Notified

OCR plans to send notification letters to 1,200 healthcare organizations to confirm their address, HIPAA officers, sizes and functions. This is not an audit notice, but the information will be used to build a list of those that will be audited. Organizations selected for audit by OCR will not receive email notification; they will receive a formal audit notification letter, so beware of scammers.

 

Desk Audits

About 200 covered entities and 300-400 business associates will receive notification of a "desk audit," which will include a request for submission of specific content and other documentation that demonstrates the scope and timeliness of an organization's efforts to comply with HIPAA rules. Focus areas for covered entities likely will include risk analysis and risk management, content and timeliness of breach notifications and notice of privacy practices updated to reflect changes in the HIPAA Omnibus rule implemented in 2013. The likely focus for breach audits will be risk analysis and risk management, and appropriate breach reporting to covered entities.

 

Follow Instructions

Under a desk audit, only documentation delivered on time will be reviewed. Send only the information required. Auditors likely will be looking for updated privacy practice notices, the ability of patients to get a copy of their health record and to access them electronically if desired, and how organizations treat requests to restrict access to sensitive treatment paid out-of-pocket. Desk audits, Holtzman says, are not an opportunity for a conversation or give-and-take. Auditors will not contact an organization again for clarifications or additional information; they will work only with what they get. Failure to respond to a desk audit notification likely will lead to a more formal compliance review. (Audit findings will not become a matter of public record.)

 

On-Site Audits

OCR this year and likely into 2016 will conduct on-site audits of an unspecified number of covered entities and business associates. This is more comprehensive than a desk audit, with a greater focus on privacy. Expect OCR in these on-site audits to look at security rule compliance in such areas as device and media controls, secure transmissions, encryption of data (including documented justification if you're not using encryption), facility access controls, administrative and physical safeguards, and workforce training. And expect an emphasis on training, as many organizations haven't trained since first required in 2003. "That really rubs [auditors] the wrong way," Holtzman says.

 

Plan Now

If your risk-analysis and risk-management plans are more than 2 years old, update now, Holtzman suggests. Select 10 focus areas covering both the privacy and security rules, and if vulnerabilities have not been addressed, address them. "The best process to prepare for an audit is to be prepared the day the letter arrives," Holtzman says. "Be honest with yourself. Don't paint a happy picture because you think you know what management wants to hear."



Health System’s Good Deed Leads To Data Breach


Philanthropy is a good thing, but if you’re not careful it can land you in hot water. This was the lesson learned by the Virginia Commonwealth University Health System when it recently found itself facing a breach of PHI when it donated a series of CDs to an art program for children, according to PHIprivacy.net.

VCUHS officials said notifications were being sent out to patients regarding the security of certain patient information. According to the notice, between January 2012 and October 2014, a series of compact discs that were no longer necessary for VCUHS services were donated for children’s art projects, and some of those CDs contained sensitive patient health information for approximately 1,000 medical records.

The CDs were ones that had been provided by patients who had been referred to VCU Health Systems for treatment, and included full names, medical diagnoses, medication information, and social security numbers for the involved patients.

Becker’s Hospital Review reports the CDs were accidentally donated by an employee. According to the Richmond Times-Dispatch, any potential disciplinary action involving the incident would remain confidential. VCU spokeswoman Anne Buckley asserted that no evidence of misuse of the PHI has been detected, and the notice was being sent out as a required precaution.

“The population that we are concerned about are folks that brought their information in the form of CDs that were referred to us,” John Duval, CEO of MCV Hospitals and Clinics told the Richmond Times-Dispatch. “Any breach of this type has to presume that there might be individual discs out there that are still readable, so we have the duty to both investigate this to the limits of our ability and then to notify the folks of the risk that their personal health information might have been compromised.”

“What began as a well-intentioned philanthropic effort by a staff member wanting to help turned into a serious mistake that we are working very hard to remedy,” Duval said in the press release. “This error brought to light a vulnerability in our system that developed over time and that we are working to correct, and we are deeply sorry for the inconvenience this may have caused some of our patients.”

According to Duval, rules regarding CDs and their disposal have been tightened to prevent any future breaches. “Large data breaches are happening across many industries, including health care, and are very concerning to all,” Duval said in the release. “The VCU Health System has revised its protocols regarding media destruction and will redouble its efforts to protect all sensitive information.”


Why health groups should make use of cyberthreat intelligence


As cyberattacks grow in number and attackers find more ways to reach private data, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Cyberthreat intelligence, Bell writes in a recent blog post, is actionable information about threats, malware and vulnerabilities that organizations can use to strengthen their defenses.

There are numerous sources for this kind of intelligence, including non-commercial entities like the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and the National Cyber-Forensics & Training Alliance, Bell says.

Vendors of security products also often have their own intelligence feeds, he adds.

This kind of intelligence is increasingly necessary as cyberattacks become more sophisticated, Bell says. Today there are advanced persistent threats, which he describes as intrusions in which attackers keep access to systems and data while going undetected for long periods. Vulnerabilities in widely deployed software, such as Shellshock (in the Bash shell) and the Heartbleed bug (in OpenSSL), also are causing problems in the industry.

"[H]ealthcare organizations should evaluate the effectiveness of their cybersecurity program and make improvements where appropriate," Bell writes. "Consider how cyberthreat intelligence can help your healthcare organization to improve the ability to prevent, detect, respond and recover from cyberattacks."

Throughout all industries, cyberattacks made headlines last year, with healthcare information one of the top targets.

One of the most recent attacks was on Sony Pictures, where documents obtained by the hackers include health information on dozens of employees, their children or spouses, FierceHealthIT previously reported.

For 2015, particular challenges to the healthcare industry could include an increase of phishing emails that try to lure recipients into giving out information such as usernames, passwords or credit card numbers. They also can give attackers ways to infiltrate the enterprise network.



Expect more, bigger healthcare breaches | Healthcare IT News


The potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually, according to a new report from Experian, a global information services firm. The report is Experian's second annual data breach forecast across industries.

For healthcare, the forecast is stormy.

Expect persistent and growing threats, Experian warns.

The report points to the expanding number of access points to protected health information, or PHI, and other sensitive data through electronic medical records, together with the growing popularity of wearable technology, as the catalysts that make the healthcare industry a vulnerable and attractive target for cybercriminals.

"We expect healthcare breaches will increase – both due to potential economic gain and digitization of records. Increased movement to electronic medical records and the introduction of wearable technologies introduced millions of individuals into the healthcare system, and, in return, increased the potential for data breaches," the report notes.

"Healthcare organizations face the challenge of securing a significant amount of sensitive information stored on their network, which combined with the value of a medical identity string makes them an attractive target for cybercriminals," the authors add. "The problem is further exasperated by the fact that many doctors' offices, clinics and hospitals may not have enough resources to safeguard their patients' PHI. In fact, an individual's Medicare card – often carried in wallets for doctors' visits – contains valuable information like a person’s Social Security number that can be used for fraud if in the wrong hands. Currently, we are not aware of any federal or law enforcement agency which tracks data on SSN theft from Medicare cards, but the problem is widely acknowledged."

This year, Reuters reported that the FBI released a private notice to the healthcare industry warning providers that their cybersecurity systems are lax compared to other sectors.

According to the Ponemon Institute, 72 percent of healthcare organizations say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data shared on HIEs.

The takeaway? "Healthcare organizations will need to step up their security posture and data breach preparedness or face the potential for scrutiny from federal regulators. Reported incidents may continue to rise as electronic medical records and consumer-generated data adds vulnerability and complexity to security considerations for the industry."



HIPAA Hurdles in 2015 | HIPAA, HITECH & HIT


Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court:  “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself.  Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1.         More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms.   For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with a specific state’s (or states’) law privacy and security requirements, limit the creation or use of de-identified data derived from the covered entity’s PHI, or purchase cybersecurity insurance.  The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do.  In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow.  As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2.         More HIPAA complaints – and investigations.  As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI.  Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3.         More PHI-Avoidance Efforts.  Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future.  “I’m Not Your Business Associate” or “We Do Not Create, Receive, Maintain or Transmit PHI” notification letters may be sent and “Information You Provide is not HIPAA-Protected” warnings may appear on “Terms of Use” websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!



Old fashioned data breach: Independence Blue Cross paper records tossed in trash


Independence Blue Cross on Friday disclosed a data breach affecting 12,500 of its more than 2.5 million members.

Unlike most high-profile cases of personal data loss, such as the one at Target stores last year affecting 70 million people, the IBC case did not involve computers.

The incident happened in October, when maintenance workers threw out four boxes of member records that were supposed to be moved from one floor to another at IBC's offices, the company said Friday in a legal notice.

The improperly discarded reports contained the names, addresses, member identification numbers, health care plans, and group numbers for members in Southeastern Pennsylvania and in New Jersey, where IBC operates AmeriHealth New Jersey.

IBC, which is based in Center City, said it had received no reports that the information was misused. As a precaution, however, IBC is offering one year of free credit monitoring to 8,800 members whose Social Security numbers were included in the reports, spokeswoman Liz Williams said in a statement. "To reduce the risk of another such incident, we no longer allow our maintenance team to dispose of full boxes in the trash," Williams said.

IBC's data loss followed July's theft of an unencrypted computer containing personal information on 3,780 patients from Temple University Health System during a break-in.



Will 2015 be worst year yet for data breaches? | Government Health IT


This past year the FBI warned the entire healthcare realm that security practices are not keeping pace with other industries. And a new report is suggesting that healthcare organizations should expect even more data breaches in the New Year.

Indeed, that means bigger and more costly violations. Global information services firm Experian, in its second annual data breach forecast, cites the growing potential entry points to protected health information, wearables and other mobile devices as among the new technologies making healthcare vulnerable — while other studies in 2014 pointed to healthcare organizations’ widespread lack of confidence in securing PHI. 

Experian is not the only firm saying data privacy and security will get worse in healthcare.

Consultancy IDC’s Health Insights unit, in fact, included two interesting points in its yearly top 10 predictions for healthcare: First, healthcare entities will have experienced at least one and as many as five cyber attacks in the previous 12 months, with one-third of those considered successful, and, second, by 2020 approximately half of all digital health data will be unprotected.


At the same time, attacks will not only grow more sophisticated but, in some ways, be easier to pull off moving forward.

“From 2015 onward, we will see attackers use social media to hunt for high-value targets. They will no longer limit themselves to instigating watering-hole attacks and using spear-phishing emails,” security specialist Trend Micro wrote in its predictions. “They will dramatically expand the attack surface to include Wi-Fi-enabled wearable devices running vulnerable firmware.”

Such vulnerable firmware, it’s worth pointing out, resides in many medical devices of all sorts, not just wearables. 

Symantec, meanwhile, explained the growth in popularity of “crimeware-as-a-service,” on the black market.

“Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams,” Symantec wrote in a December blog post. “This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.” 

Security vendor Websense, which focuses on a range of industries, laid down its own prognostications for 2015. The first one: “Call the IT doctor. My hospital is under attack – again!”

“The healthcare industry is a prime target for cybercriminals,” Carl Leonard, principal analyst of Websense Security Labs, said in a report. “With millions of patient records now in digital form, healthcare’s biggest security challenge in 2015 will be keeping personally identifiable information from falling through security cracks and into the hands of hackers.”



HIPAA Compliant Data Backup Service

How to find a HIPAA compliant Data Backup Service

Nowadays you have to make prudent decisions when purchasing a practice management system or a user-friendly EHR, and even when choosing the computers the practice staff will use. It is common to think of data backup in terms of a hard drive or external storage, but you are dealing with sensitive personal health data and must ensure it is not lost in an emergency. Since the HIPAA Security Rule requires a data backup plan, it is a good idea to hire a data backup service.

 

First of all make sure the Data Backup Service Vendor is HIPAA compliant, which means they comply with the HIPAA Security Rule. The Security Rule groups its requirements into administrative, physical and technical safeguards, plus organizational requirements and documentation requirements. As the Office of the National Coordinator for Health Information Technology (ONC) explains, these safeguards help a medical practice prevent the common security gaps that lead to data loss and cyber-attack. They are detailed as follows:

 

  1. Physical Safeguards – These deal with facility and hardware controls: secure access areas, locks, protection against unauthorized entry to the systems holding ePHI (electronic protected health information), and protection of the building that houses the data against environmental and natural hazards. Make sure your vendor has policies, procedures and technology that control physical access to ePHI.
  2. Administrative Safeguards – The policies, actions and procedures that detect and prevent security violations involving ePHI. They include performing a security risk analysis and acting to reduce the risks it identifies, assigning security responsibility, and training the workforce.
  3. Technical Safeguards – The technology, and the policies for using it, that protect ePHI and control access to it: unique user identification, access controls, audit logs, integrity controls, and encryption of ePHI at rest and in transit. Encryption is an "addressable" specification, so a vendor that does not encrypt must document why and what equivalent measure it uses instead.
  4. Organizational Requirements – A backup vendor that stores your ePHI is a business associate, not a covered entity. It must sign a business associate agreement with your practice, and must have equivalent agreements in place with any subcontractors that can access the ePHI.
  5. Policies and Procedures – The vendor must maintain its security policies and procedures in writing and retain them, along with other required documentation, for at least six years from the date of creation or the date last in effect, whichever is later. The written policies and procedures must be reviewed and updated as organizational or environmental changes affect the security of ePHI. These requirements come from the HIPAA Security Rule itself and are summarized in the Office of the National Coordinator's Guide to Privacy and Security of Electronic Health Information dated April 2015. You should also be aware that the HITECH Act (Health Information Technology for Economic and Clinical Health Act) strengthened the HIPAA privacy and security rules and their enforcement.

 

Best Practices for Data Backup and Recovery

 

The data backup service should have a data backup plan, plan for emergency-mode operation and a disaster recovery plan to comply with HIPAA. The combination of these three plans would reassure the capabilities, policies and procedures of the provider to restore health information if an emergency occurs. This will give peace of mind to the medical practice and result in uninterrupted work.

 

How a Backup Service Provider can offer more help

 

A good HIPAA compliant vendor can offer additional benefits such as offsite data storage that survives a power blackout, natural disaster or malware attack at your office. Automatic backup removes the need to remember to back up data periodically at the practice. Several vendors also keep multiple versions of each file in more than one data center, so that a single site failure does not destroy the only copy; this is known as ‘data redundancy’.



Five common mistakes and how to avoid them for 2015 HIPAA audits


2014 saw a rise in data breaches and HIPAA compliance failures within the healthcare industry. The Office for Civil Rights (OCR) takes privacy and security seriously, and more organizations have been fined for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA). This year, the OCR will use the HIPAA audit program to randomly assess healthcare entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. Here are five mistakes to avoid:  

  1. Failure to keep up with regulatory requirements

Gain a better understanding of the Security Rule's implementation specifications, which are either "required" or "addressable." Every covered entity must comply with every Security Rule standard; for an addressable specification, the entity must decide after a risk assessment whether the measure is reasonable and appropriate, and if it is not, the Security Rule allows it to adopt an equivalent alternative measure (or document why none is needed). Document the decision either way, particularly since the OCR may look at encryption in this year's audits.

  2. No documented security program

The OCR wants to know how you implement a security risk assessment program, so be sure your organization has a documented security program and a security awareness program. Once you know the requirements, assess your environment and your users. Does your organization have a security and compliance program in place? How well is it implemented? Who is involved? How often do you communicate? Everyone in your organization should be held responsible for ensuring the safety of data and following proper procedures. Have a plan and a point person in place, and ensure your compliance and security teams talk to each other. Create a committee with stakeholders and clear responsibility, and make sure the plan is documented, communicated and enforced across the organization.

  3. A reactive approach to audits

Once you establish a security program, proactively monitor security and performance indicators, as OCR audits will focus heavily on breach response plans and the controls you have in place to protect ePHI. Auditors will look at who holds, and who grants, membership in critical groups such as domain, database and application administrators, so make sure you are logging, reviewing and reporting on user activity, including that of your privileged users. Auditors are increasingly interested in this area because of the recent increase in insider incidents.

  4. Assumptions regarding business associate agreements

Contractors and subcontractors that create, receive, maintain or transmit PHI on your behalf (claims processors, for example) are directly liable for protecting it. Make sure you have an updated business associate agreement in place, and ensure the chain of responsibility is documented, agreed upon, and reviewed frequently by both parties. You can find sample contract provisions offered by the OCR to help you through this process.

  5. A checkbox approach to compliance

Regulators want to discontinue the checkbox approach to compliance in favor of a risk-based security approach. Compliance and security must go hand-in-hand, and organizations will benefit from incorporating this mindset across both teams. Strong security measures make it easier to meet compliance regulations. By adopting an organizational self-discovery approach, you will have a higher level of visibility and awareness of internal issues, and achieve a more resilient business process and the next level of organizational maturity.
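To make the privileged-user monitoring in point 3 concrete, here is an added example written for this page; it is not code from the article's author or from OCR. It turns group membership changes in Windows Security event logs into the kind of report an auditor asks for: every addition to or removal from a privileged group, who made the change, which accounts are still added at the end of the log, and any grant that was quietly reverted within a couple of days. It assumes the SIEM exports one JSON object per line carrying the EventID, TimeCreated, SubjectUserName, MemberName and TargetUserName fields that Windows records on these events; the event IDs are the ones Windows actually logs for membership changes, while the sample records and the list of privileged groups are constructed for the example.

```python
"""Privileged-group membership report over constructed Windows Security log records.

Added example for this page. Assumed export format (not from the article): one JSON
object per line carrying the EventID, TimeCreated, SubjectUserName (who made the
change), MemberName (the account added/removed) and TargetUserName (the group)
fields that Windows records on these events.
"""
import json
from datetime import datetime

# Windows Security event IDs for membership changes in security-enabled groups.
ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

# Groups whose membership an auditor will ask about (assumed list; extend for your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

# Constructed sample export: two privileged additions, one ordinary group, one
# removal, and an unrelated logon event that must be ignored.
SAMPLE_LOG = """\
{"EventID": 4728, "TimeCreated": "2015-01-12T09:15:02", "SubjectUserName": "jsmith", "MemberName": "CN=Ann Lee,OU=IT,DC=clinic,DC=local", "TargetUserName": "Domain Admins"}
{"EventID": 4732, "TimeCreated": "2015-01-12T09:20:44", "SubjectUserName": "jsmith", "MemberName": "CN=Svc Backup,OU=Services,DC=clinic,DC=local", "TargetUserName": "Administrators"}
{"EventID": 4728, "TimeCreated": "2015-01-12T10:01:10", "SubjectUserName": "hr-admin", "MemberName": "CN=Bob Ray,OU=Billing,DC=clinic,DC=local", "TargetUserName": "Billing Staff"}
{"EventID": 4729, "TimeCreated": "2015-01-13T17:45:00", "SubjectUserName": "jsmith", "MemberName": "CN=Ann Lee,OU=IT,DC=clinic,DC=local", "TargetUserName": "Domain Admins"}
{"EventID": 4624, "TimeCreated": "2015-01-13T17:46:00", "SubjectUserName": "jsmith"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def common_name(dn):
    """Return the CN of an LDAP distinguished name, or the input unchanged."""
    for part in dn.split(","):
        part = part.strip()
        if part.upper().startswith("CN="):
            return part[3:]
    return dn


def privileged_group_changes(events):
    """Return (time, actor, action, member, group) tuples for privileged groups, oldest first."""
    changes = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in ADD_EVENTS:
            action = "added"
        elif eid in REMOVE_EVENTS:
            action = "removed"
        else:
            continue  # logons, policy changes, etc. are not membership changes
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        changes.append((datetime.fromisoformat(ev["TimeCreated"]),
                        ev["SubjectUserName"], action,
                        common_name(ev["MemberName"]), group))
    return sorted(changes)


def net_additions(changes):
    """Members added to a privileged group in this log and not removed again."""
    current = {}
    for _ts, _actor, action, member, group in changes:
        members = current.setdefault(group, set())
        if action == "added":
            members.add(member)
        else:
            members.discard(member)
    return {g: m for g, m in current.items() if m}


def short_lived_memberships(changes, max_hours=48):
    """Flag add/remove pairs for the same member and group within max_hours.

    A grant that is reverted within a day or two is the pattern of an ad hoc
    privilege escalation that skipped change control; auditors ask for exactly these.
    """
    pending = {}
    flagged = []
    for ts, _actor, action, member, group in changes:
        key = (member, group)
        if action == "added":
            pending[key] = ts
        elif key in pending:
            hours = (ts - pending.pop(key)).total_seconds() / 3600
            if hours <= max_hours:
                flagged.append((member, group, round(hours, 2)))
    return flagged


if __name__ == "__main__":
    chg = privileged_group_changes(parse_events(SAMPLE_LOG))
    for ts, actor, action, member, group in chg:
        print("%s %-10s %-7s %-12s %s" % (ts.isoformat(), actor, action, member, group))
    print("still added:", net_additions(chg), "short-lived:", short_lived_memberships(chg))
```

On the sample log the report lists the two additions and the removal made by jsmith, shows the backup service account as still sitting in the local Administrators group, and flags Ann Lee's roughly 32-hour stay in Domain Admins for a change-control check. Run the same functions over a real export and keep the output with the audit evidence; the point is to have the answer ready before the desk audit letter arrives.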



HIPAA Audits Are Still on Hold


The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.

The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.


Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.

Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.

In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.

"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."

In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.

Rules In the Works

In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:

  • A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health;
  • An advanced notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
  • A possible request for additional public input on OCR's proposed accounting of disclosures rule making. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.

In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.

Other Enforcement Activities

OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."

OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.

"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.



HIPAA Privacy During Emergency Situations

A patient arrives at your facility with Ebola-like symptoms. After taking the necessary precautions, you run the requisite tests, conduct a patient interview, and determine that in fact the patient has contracted the Ebola virus. You also learn that the symptoms have been present for a couple of days, but like many people, the patient delayed seeking treatment until the symptoms got worse. After questioning the patient, you discover that since returning from West Africa one week earlier, the patient has returned to work, visited with family, attended church, and been shopping at the local mall, all while exhibiting symptoms. Thus, hundreds of people living in the community have potentially been exposed. What do you do? What information can you release to the public? Do you need the patient's consent to warn the public about the potential exposure?


The U.S. Department of Health and Human Services, Office for Civil Rights ("OCR"), the entity responsible for overseeing compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), recently issued guidance on how to address HIPAA privacy in emergency situations, such as the one described above. Importantly, while there are a number of ways in which protected health information can be shared in an emergency situation, you should keep in mind that the protections of HIPAA are not set aside during an emergency. Thus, while it is important to alert the public to the potential exposure, it must be done in a manner that is compliant with HIPAA. HIPAA, however, does provide several mechanisms through which information may be released...



FTC's Edith Ramirez: Connected health devices create bevy of privacy risks


For much of 2014, the Federal Trade Commission made it a point to be a prominent voice regarding the protection of consumer health information. Last May, for instance, it published a report recommending that Congress force data brokers to be more transparent about how they use the personal information of consumers, including health information.

And in July, FTC Commissioner Julie Brill spoke about how consumers should be given more choices from developers when it comes to data sharing by smartphone apps gathering health information.

That trend continued Tuesday at the International Consumer Electronics Show in Las Vegas, where FTC Chairwoman Edith Ramirez spoke about privacy protection, including for health data. Ramirez noted, for instance, that while the Internet of Things has the potential to improve global health, the risks are massive.

"Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks," Ramirez said. "These risks to privacy and security undermine consumer trust."

Ramirez outlined three challenges to consumer privacy presented by the Internet of Things:

  • Ubiquitous data collection
  • Unexpected data use resulting in adverse consequences
  • Increased security risks

Additionally, she said that technology developers must take three steps to ensure consumer privacy:

  • Adopt "security by design"
  • Engage in data minimization
  • Boost transparency and offer consumers choices for data usage

"[T]he risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes," Ramirez said.

Members of the House Committee on Oversight and Government Reform questioned the FTC's health data and cybersecurity authority at a hearing last summer. Committee Chairman Darrell Issa (R-Calif.) said that safeguards are needed to guide the FTC's processes in determining entities subject to security enforcement.

Last January, the agency ruled that entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the FTC.



BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say


The $150,000 fine that U.S. Department of Health and Human Services' Office for Civil Rights levied against an Alaska mental health organization last month could be a sign that OCR is settling in after a wave of leadership changes in 2014 and gearing up to aggressively investigate HIPAA compliance complaints, according to a former federal attorney.

Ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation in an article at HealthcareInfoSecurity. He predicts more high-profile enforcement actions in 2015.

Holtzman echoes a warning from Jerome B. Meites, OCR chief regional counsel for the Chicago area, who told an American Bar Association conference last summer that the whopping fines levied over the past year will "pale in comparison" to those expected to come.

Meanwhile, privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson, in an interview with HealthcareInfoSecurity, urge healthcare organizations to conduct their own mock audits to determine any exposures and to do their best to fix those problems.

They also recommend keeping all such documentation in one place--including all records of HIPAA education programs conducted with staff, and evidence that they've reviewed all business associate agreements--and ensuring that it's up to date. Chestler and Fraiche foresee BA agreements being a bigger target of OCR enforcement actions in 2015.

In particular, Chestler and Fraiche say, organizations need to re-examine all bring-your-own-device policies and make sure they address any issues that have arisen since those policies were last reviewed.

In September, OCR announced it was delaying the start of the second round of audits in order to get a web portal up and running through which entities could submit information. A specific start date has not been announced, only that the new audits will begin in early 2015.

Brett Short, chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, spoke with FierceHealthIT about receiving a call from an auditor when the organization had never received a letter saying it had 10 days to submit required documents.



NYC businesses need to focus on HIPAA training in 2015


As more people get health insurance in accordance with the current requirements, there will be an increased volume of medical records to process. Accuracy and timeliness are essential when dealing with patients' medical records. As a result of updated regulations, NYC businesses will need to focus on updated HIPAA training in 2015.

Facts About HIPAA

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). The act is meant to streamline procedures and ensure optimum protection for patient records. HIPAA makes it possible for American workers and their families to transfer and continue health insurance coverage when they lose or change their employment.

HIPAA also establishes standards for health care information in electronic billing and other processes, and it minimizes fraud and abuse. Finally, it requires confidential handling of protected health information to protect patients' privacy. Health care providers, medical billing agencies and other health-related industries must be in compliance with HIPAA.

ACA, HIPAA and HITECH

In 2010, President Obama signed the Affordable Care Act (ACA). In 2013, the U.S. Health and Human Services' Office for Civil Rights released its final regulations pertaining to privacy rights for patients. As a result, there have been major changes required of health care providers in accordance with two federal laws, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted in 2009.

Changes include direct regulation of subcontractors as well as health plans being prohibited from using generic information for underwriting, among many others. People have new rights to their health info and the government has a greater ability to enforce the law. As a result, NYC businesses need to ensure their staff is properly trained to fully understand the ramifications of these regulations.

Updated HIPAA Training

There are options when it comes to HIPAA training for employees. The U.S. Department of Health and Human Services Office for Civil Rights offers six educational programs for health care providers that cover various compliance aspects of HIPAA rules. Private providers, such as Global Learning Systems, offer updated HIPAA training to satisfy the mandatory HIPAA and HITECH training components for a business' staff. Learners are updated about the security and privacy requirements mandated in Title II of HIPAA, the HITECH amendments and the Final Omnibus Rule to provide enhanced privacy protection to patients.

Recently Renal & Urology News stated training is a cost-effective and easy HIPAA safeguard. As the workload increases in 2015, it creates a greater likelihood of errors being made. Organizations in NYC must consider staff training to ensure compliance, reduce the risk of costly mistakes and ensure the proper level of privacy for each patient.



Stolen Patient Information Prompts Data Breach Warning from Shoreview Company


An alert about a data breach involving an orthopedic medical device company in Shoreview affects not only Minnesotans, but others across the country as well.

A contractor for the company DJO Global went inside a coffee shop in Roseville on Nov. 7 and left a laptop containing private patient information in a backpack on the backseat of his car. A thief saw the backpack, smashed the window and stole it.

DJO Global notified patients in a letter that their private information stored on the computer had been stolen. The data included patients' names, phone numbers, diagnosis codes, surgery dates, health insurers, and clinic and doctor names. A handful of social security numbers were swiped, too.

Worried individuals have contacted police.

"We received hundreds upon hundreds of phone calls from all over the country," Lt. Lorne Rosand with the Roseville Police Department said.

A spokesman for DJO told 5 EYEWITNESS News via email that no credit card information was taken. The information was in limbo from Nov. 7-21.

"If someone is able to glean information, name, dates, birth, social security information — that's a gold mine," Rosand said.

DJO says the laptop had password protection in place but wasn't encrypted. It did have firewalls and tracking and remote-management software intact, which eventually allowed the data to be erased remotely. DJO says it's doing an internal investigation and security assessment.

Roseville police call this situation a reminder for everyone.

"When people leave valuables in vehicles such as laptops, there's only a piece of glass between the bad guy and your property; that glass can be shattered," Rosand said.

If you received a letter from DJO or believe your information might be at risk, you can set up a fraud alert with the three credit reporting agencies as a precaution. 

The thief has not been caught.



What Will HIPAA Enforcer Do in 2015?


Time to rub the dust off my crystal ball to predict what we might see from the Office for Civil Rights in 2015 when it comes to regulatory activities and enforcement of the HIPAA privacy, security and breach notification rules.

But first, note that 2014 represented a year of significant changes in leadership and approach for OCR, the unit of the Department of Health and Human Services that's responsible for HIPAA enforcement. Jocelyn Samuels joined OCR as its director in July. She was tapped to lead the agency by HHS Secretary Sylvia Mathews Burwell when Leon Rodriguez was confirmed as director of the U.S. Citizenship and Immigration Services.



Additionally, OCR's health information privacy division is being led by an acting deputy director following the retirement of Susan McAndrew.

The OCR division responsible for overseeing the work of its regional offices, including enforcement efforts, is also being led by an acting deputy director. In addition to the leadership changes in Washington, three of the 10 managers leading OCR's regional offices were newly appointed this year. That's a lot of leadership change in a short period.

Enforcement Actions

The recent OCR settlement in which an Alaska mental health organization paid a $150,000 fine and agreed to a corrective action plan over shortcomings in their security rule compliance program is the first since director Samuels took over the agency.

This resolution agreement could signal that OCR is regaining its footing after the transition to a new leadership team and will be moving ahead more aggressively to reach settlement agreements in cases where the agency finds serious violations of the privacy and security rules. According to OCR's website, there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews being investigated. I expect the agency will announce more high-profile enforcement actions in 2015.

Through the 2009 HITECH Act, Congress mandated HHS to make a number of significant changes to the privacy regulations, expanding the jurisdiction oversight to business associates, and encouraging the development of new tools for enhanced regulatory enforcement.

The tools include self-funding HIPAA enforcement authority from fines and penalties collected by OCR and an audit program to measure industry compliance. However, significant provisions of the HITECH Act have not been adopted or are in some stage of development. What are the prospects for the remaining provisions of HITECH to be enacted in 2015?

Accounting of Disclosures

The HITECH Act mandated an expansion of the HIPAA Privacy Rule's current standard for covered entities to provide individuals an accounting of unauthorized disclosures, which exempts disclosures made for purposes of treatment, payment or healthcare operations, or TPO. Congress called on HHS to revamp the standard by requiring accounting for disclosures to include TPO disclosures by covered entities and businesses using electronic health records.

In its 2011 proposed rulemaking, HHS sought to give individuals an accounting of uses in addition to expanding the disclosures to be reported. Under intense pressure to scale back the scope of the proposed rule, HHS had its panel of outside experts, the Privacy and Security Tiger Team, make recommendations in December 2013. The team has since disbanded, with HHS taking no action on its recommendations. Nor does publication of a final rule appear to be in the offing anytime soon.

Monetary Settlements

Under HITECH, Congress called for HHS to develop a methodology to distribute a percentage of monetary settlements collected by OCR to individuals affected by breaches.

The first step was for the Government Accountability Office to make recommendations to HHS on a methodology to share a percentage of the proceeds from fines and penalties with consumers harmed by the unlawful uses or disclosures resolved through OCR's investigation. Although the GAO apparently has delivered its recommendations, the HHS regulatory agenda does not include a proposal under development or being reviewed.

With continuing pressures on federal spending restricting the growth of agency budgets and resources to support OCR's expansive mission, it seems unlikely that the office will aggressively pursue an initiative that would result in the sharing with consumers the proceeds from its monetary settlements from HIPAA enforcement actions.

HIPAA Audits

The HITECH Act also called on OCR to perform periodic audits of covered entities and business associates' compliance with the HIPAA rules. With funding provided through HITECH, OCR developed and implemented a pilot audit program through which 115 audits of covered entities were conducted.

Beginning in early 2015, OCR plans to audit 200 covered entities, including healthcare providers and group health plans, to measure their compliance with the HIPAA privacy, security and breach notification rules requirements. These audits of covered entities will be followed by up to 400 audits of business associates to measure their compliance with the security rule and how they intend to approach their obligations under the privacy and breach notification rules.

In comments at the September 2014 HIPAA security conference hosted by OCR and the National Institute of Standards and Technology, OCR's Iliana Peters said it was the agency's intention to use the audit findings as a tool in the enforcement arsenal. Covered entities found to have significant gaps in their HIPAA compliance will be ripe for follow-up compliance reviews and could face penalties.

With millions of dollars of monetary penalties collected from covered entities since adoption of the HITECH Act changes, this is the one OCR initiative that seems on track. Don't wait for your notice from OCR to prepare for your HIPAA compliance audit. Take action now by going through the steps to ready your organization if it were to be randomly selected for one of those audits.



No Pre-Existing Condition Exclusions Means HIPAA Certificates No Longer Required | JD Supra

Earlier this year, the Departments of Health and Human Services, Labor and the Treasury issued a final rule implementing the Affordable Care Act (ACA) and revising the requirements of other healthcare laws and regulations affected by the ACA. One of the most significant changes made was to prohibit group health plans and issuers from imposing pre-existing condition exclusions on any enrollees in plans beginning on or after January 1, 2014. Consequently, as of December 31, 2014, health plans and issuers will no longer be required to issue the Certificates of Creditable Coverage previously required under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA guarantees continuous healthcare coverage for employees who change policies or jobs, or who retire and take advantage of the Consolidated Omnibus Budget Reconciliation Act (COBRA). These portability provisions required health plan and COBRA administrators to ease the burden of transitioning between healthcare policies by providing a Certificate of Continuous Coverage 30 days before the expiration of the plan's coverage or before the insured leaves employment, to help offset a pre-existing condition exclusion period under a new health plan.

The ACA's prohibition on pre-existing condition exclusions for plan years beginning on or after January 1, 2014 makes these HIPAA Certificates unnecessary, and they are therefore no longer required, for plans beginning in 2015 and later. For plans beginning before January 1, 2014, plans and issuers may place limited exclusions on pre-existing conditions and must still automatically provide HIPAA Certificates to individuals when they lose coverage, or upon request, for a period of 24 months following termination of coverage.

This is only one of many obligations imposed on employers and health care organizations under a law aimed at protecting individual health information. HIPAA violations can have serious consequences, from employment discipline or termination for employees to criminal prosecution and civil penalties up to $250,000 for healthcare professionals. The most effective way to prevent such violations is to provide employees with HIPAA training to keep protected health information confidential and follow proper security practices when handling such information.



Don’t forget about HIPAA when addressing data security | Lexology


Among the many data security and breach laws that exist, covered health care providers and health plans must also contend with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A recent settlement with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) emphasizes the importance of not only having a data security policy, but of following and updating such a policy. 

OCR recently opened an investigation after receiving notification from Anchorage Community Mental Health Services (ACMHS) regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR's investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software. 

ACMHS agreed to settle potential violations of the HIPAA Security Rule with HHS by paying $150,000 and adopting a corrective action plan to correct deficiencies in its HIPAA compliance program. "Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks." 

The ACMHS settlement is just the latest in a string of recent penalties and settlements stemming from alleged HIPAA privacy and security violations. These penalties and settlements should serve as a reminder of how important it is to comply with the HIPAA Privacy and Security Rules. Health care providers and health plan sponsors should review their existing policies and procedures and remain vigilant in their training of employees.



State law claims viable for violations of HIPAA | Lexology


In a recent opinion, the Connecticut Supreme Court determined that state law claims based on violations of the Health Insurance Portability and Accountability Act (HIPAA) were viable.

The plaintiff in Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433 (Conn. 2014) was involved in a paternity suit and requested that the defendant, her medical provider, not produce any records to her former lover.  However, the defendant was served with a subpoena from the ex-lover, and produced the documents to the court without plaintiff’s knowledge.  See id. at 437.  The plaintiff sued the medical provider after she began experiencing harassment from her ex, who was able to review the medical records.  See id.  In the four-count complaint, the plaintiff alleged breach of contract, negligence, negligent misrepresentation, and negligent infliction of emotional distress.  See id. at 438-439.  In particular, she alleged that the defendant violated HIPAA by producing medical records without authorization.

The court determined that “the regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.  As the plaintiff aptly notes, one commenter during the rulemaking process had raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.”  Id. at 453.  Accordingly, the court found that HIPAA did not preempt state law claims for alleged breaches of confidentiality.  See id. at 459.  However, the court declined to find, as a matter of law, whether the defendant was negligent in producing the medical documents, and remanded to the trial court for further proceedings. 

