HIPAA Compliance for Medical Practices
62.2K views | +12 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

4 Steps to Assess a Possible HIPAA Data Breach

4 Steps to Assess a Possible HIPAA Data Breach | HIPAA Compliance for Medical Practices | Scoop.it


The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach. An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party, and unauthorised access to your electronically stored patient records are breaches unless you can show that there is low probability that PHI was compromised.

There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI while employees are performing their jobs, inadvertent disclosure to someone authorised to access PHI, and situations where you have a good faith belief that the recipient will not be able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be considered a relevant incident. Using a “good faith evaluation” and “reasonable conclusion”, you evaluate the incident based on four factors:

  1. PHI Nature and Extent: The sensitivity of the information and ability to identify the patient as well as presentation options are factors in determining the probability. Deidentifying PHI is not easy or straightforward. In addition to name and phone numbers, a picture of a face or a free form text note about the patient could easily lead to identifying the patient. For example, a list of dated deidentified lab results with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer may present a low probability of compromise. This answer would be different if the lost information was PHI contained in an unsecured PDF file.
  2. Unauthorised Person Received or Used PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending the patient report to the wrong doctor may lead to a low probability of compromise since the receiving doctor has been properly trained in HIPAA Privacy and Security.
  3. Actual Acquisition or Viewing of PHI: If your organization quickly uncovered the incident, you may be able to prevent the viewing or even possession of the PHI. For example, contacting the receiving party and recovering the information before the other people open the information may present a low probability of compromise. Similarly, if an envelope with PHI was lost, but upon recovery, you determine that the envelope was never opened, you may have a low probability of disclosure or use.
  4. Mitigation Factors: In the final step of your evaluation, you can determine if there were mitigating issues that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient lost in a healthcare facility but recovered in a nonpublic area may present a mitigating factor.

If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements. If you have encountered a breach, within 60 days of discovery of the breach, you have to:

  • Contact the Patients: You have to mail a letter to the last known address of the affected patients. If you cannot contact more than 10 patients, your website or public media with an 800 number should be publically presented for 90 days.
  • Inform HHS: You have to maintain a log of breaches to send to HHS annually. If a breach involves over 500 patients, you have to directly contact the Office of Civil Rights.
Technical Dr. Inc.'s insight:
Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Make Sure Business Associates Don’t Violate HIPAA

Make Sure Business Associates Don’t Violate HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

A violation of HIPAA by a practice’s business associate underscores the importance for conducting adequate due diligence, having business associate agreements (BAAs) in place, and ensuring that the level of encryption is adequate.


The U.S. Federal Trade Commission (FTC) recently released a statement indicating that a business associate, Henry Schein Practice Solutions, Inc. (“Schein”), a dental practice software company, will pay the government $250,000 for false advertising associated with what was relayed to the public and what was actually used in its products in relation to the level of encryption. While the fine is not considered large by any means, the implications for medical professionals, business associates, and subcontractors alike, are significant. 


The ramifications to the company, in relation to the issuance of the administrative complaint and the consent agreement are:


• Pay a $250,000 fine;

• Prohibition on “misleading customers about the extent to which its products use industry-standard encryption or how its products are used to ensure regulatory compliance”;

• Prohibition on claims that patient data was protected; and

• Schein needs notify all of its clients who purchased during the period when the material misstatements were made; and

• That the consent agreement will be published in the Federal Register.


Of equal or greater significance is the “NOTE” on the FTC’s press release, which states:


NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. Each violation of such an order may result in a civil penalty of up to $16,000.


The takeaways for providers and business associates alike are significant. All government agencies are taking a hard look at material misrepresentations related to HIPAA compliance. The potential implications are significant and underscore the importance of not cutting corners in relation to risk assessments and compliance.

more...
No comment yet.
Scoop.it!

HIPAA Compliance is a Business Risk

HIPAA Compliance is a Business Risk | HIPAA Compliance for Medical Practices | Scoop.it

Medicine is Risky


The practice of medicine is a risky business. There is always the risk that a certain treatment will fail to help a patient. There is a risk of being accused of malpractice. There is a risk of being accused of incorrectly billing a patient, insurance company or government agency. There is a risk of being sued by an employee or ex-employee for HR related issues. The list of risks goes on and on.


Healthcare is not unique when it comes to risk. Lawyers, accountants, architects and engineers all have associated business risk. In fact, it can be argued that every business has associated risk. The risk of a business failing is with every business no matter what vertical that business operates in. Just ask Enron and RadioShack and Joe’s pizza.


Manage Risk


The key to business risk is how an organization manages the risk. Healthcare organizations have malpractice insurance which usually comes with a malpractice risk management program. The program identifies areas of risk, provides steps to reduce risk and defines steps to minimize impact of losses when they occur 


Risk management refers to strategies that reduce and minimize the possibility of an adverse outcome, harm, or a loss. The systematic gathering and utilization of data are essential to loss prevention. Good risk management techniques improve the quality of patient care and reduce the probability of an adverse outcome or a medical malpractice claim. This core curriculum outlines the attitudes, knowledge, and skills currently recommended for residents in the area of risk management. The primary goal of a successful risk management is to reduce untoward events to patients. Risk management programs are designed to reduce the risk to patients and resulting liability to the health care provider. Standard of care is the foundation for risk management. The main factors in risk management include the following.


Nonmedical and medical risk management is a three-step process which involves: 1) identifying risk; 2) avoiding or minimizing the risk of loss; and 3) reducing the impact of losses when they occur. Medical risk management focuses on risk reduction through improvement of patient care.


Patient Data Risk


The practice of creating, storing and accessing electronic patient data brings with it new risks to healthcare organizations. Sure in the past there was a risk of someone breaking into an office and stealing patients’ paper charts but the risk exponentially increases now that a majority of new patient data is electronic. All this data is spread across electronic health records (EHRs), patient portals, digital x-ray machines, email, desktops, laptops, USB drives, smartphones and tablets. There are risks of an employee mistake like losing a laptop with patient information or falling for a fake email that tricks them into giving up information that thieves can use to access and steal patient data.


Like any other business risk, the risk to patient data needs to be properly managed. Just like with a malpractice risk management program, the risk to patient data needs to be addresses with 3 steps:


  1. Identifying Risk – it is critical that organizations understand what risks are associated with electronic patient data. Where is the data stored or accessed? As mentioned previously, the data could be stored on servers in an office, in a cloud-based EHR, on laptops or mobile devices. It is critical to get a thorough inventory of all patient data that is created, stored or accessed. The next step is understanding the risk to all of this patient data. The risk to data stored on a digital ultrasound machine is much different than data stored on laptops that leave an office.
  2. Minimize Risk – once the various risks are identified to patient data, it is critical to take steps to reduce the risk. Implementing the proper safeguards such as security policies and procedures and employee training can go a long way to lower the risk to patient data.
  3. Reduce the Impact – unfortunately it is very difficult to eliminate the risk to patient data. Steps can be taken to lower the risk but the amount of patient data is increasing every day and the risk of employee mistakes or criminals stealing the data increases as well. Organizations need to have a plan in place to respond to a patient data breach. That plan may include a breach response program that defines the steps the organization will take if there is a breach, or ensuring that an organization’s IT department or company is prepared to respond and/or stop a suspected data breach. Reducing the impact of a patient data breach might include cyber insurance that will provide financial resources to help the organization in the event of a data breach.


Don’t Hate HIPAA


Many people I talk to tell me they hate HIPAA regulations. I don’t blame them. Most people don’t like forced government regulations that have the threat of audits and fines. But HIPAA regulations are really just a risk management program for patient data. HIPAA calls for organizations to take inventory of where patient information is created, stored or accessed. It requires organizations to identify and manage associated risk to patient data. And it calls for organizations to be prepared to respond and lower the impact if patient data is lost, stolen or breached. When compared to a malpractice risk management program, the HIPAA risk management program is very similar.


When I talk to people about HIPAA I make it clear that the risk of a random HIPAA audit is very low. But the risk that patient data is lost, stolen or breached is increasing every day. Patient data needs to be thought of as a business risk that needs to be properly managed.

more...
No comment yet.
Scoop.it!

OCR launches new HIPAA resource on mobile app development

OCR launches new HIPAA resource on mobile app development | HIPAA Compliance for Medical Practices | Scoop.it

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently launched a new resource: a platform for mobile health developers and “others interested in the intersection of health information technology and HIPAA privacy protection.”


In the announcement of this platform, OCR noted that there has been an “explosion” of technology using data regarding the health of individuals in innovative ways to improve health outcomes. However, OCR said that “many mHealth developers are not familiar with the HIPAA Rules and how the rules would apply to their products,” and that “[b]uilding privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected.”


The OCR platform for mobile app developers has its own website. Anyone – not just mobile app developers – may browse and use the website. Users may submit questions, offer comments on other submissions and vote on a topic's relevance. OCR noted that to do so users will need to sign in using their email address, “but their identities and addresses will be anonymous to OCR.” 


OCR asked stakeholders to provide input on the following issues related to mobile app development: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable and more accessible?


Users can also submit questions about HIPAA or use cases through this website. OCR explained that, “we cannot respond individually to questions, we will try to post links to existing relevant resources when we can.” Finally, in the announcement OCR stated that posting or commenting on a question on this website, “will not subject anyone to enforcement action.” 

more...
No comment yet.
Scoop.it!

Suits pile up after U.S. reveals data breach affected millions

Suits pile up after U.S. reveals data breach affected millions | HIPAA Compliance for Medical Practices | Scoop.it

On Friday, Labaton Sucharow filed a class action on behalf of about 21.5 million (!) federal employees, contractors and job applicants whose personal information was exposed in an epic breach of security at the U.S. Office of Personnel Management, which screens applicants for federal government jobs and conducts security clearance on employees and contractors. Labaton’s complaint is at least the seventh class action against OPM and its private contractor, KeyPoint Government Solutions, including two suits by government employee unions and one with a federal administrative law judge as the lead plaintiff.

Although there is some variation in the alleged causes of action, the suits mostly assert violations of the Privacy Act and the Administrative Procedures Act, as well as negligence against KeyPoint. Late last month, the Justice Department asked the Judicial Panel on Multidistrict Litigation to consolidate the cases and transfer all of them to U.S. District JudgeAmy Jackson of Washington, D.C., who is already presiding over the American Federation of Government Employees’ class action against OPM and KeyPoint.

The JPML said Friday that it would hear oral arguments on Oct. 1 on the government’s motion. Briefs are due before Sept. 14.

It certainly seems likely that the JPML will consolidate the suits, but where they end up transferring them could make a big difference in how this case turns out. The threshold question in data breach suits, as I’ve written many times, is constitutional standing: Can plaintiffs whose personal information has been stolen allege an actual or “certainly impending” threat of injury? That is the standard the U.S. Supreme Court set out in its 2013 decision in Clapper v. Amnesty International, and data breach defendants have since used the Clapper definition to knock out at least 10 class actions by plaintiffs who claimed – like the plaintiffs in the OPM suits – that they have been injured by the increased risk their personal information will be misused.

One of the cases that foundered under Clapper was In re Science Applications International Corp (SAIC) Backup Tape Data Theft Litigation, an MDL consolidated for pretrial proceedings in federal district court in the District of Columbia. The case involved the theft of SAIC data tapes containing personal information, including Social Security numbers, on about 4.7 million members of the U.S. military and their families. U.S. District Judge James Boasberg of Washington concluded in May 2014 that under the Supreme Court’s ruling in Clapper, plaintiffs do not meet constitutional standing requirements when their only alleged injury is the loss of their data and the risk it will be misused.

He did hold plaintiffs had standing when they could plausibly allege their personal information was stolen and misused – one plaintiff, for instance, asserted he had received letters from a credit card company thanking him for a loan application he said he never filed – but Judge Boasberg’s dismissal opinion gutted the case. Plaintiffs ended up voluntarily dismissing what remained.

Plaintiffs’ lawyers have gotten savvier about pleading data breach cases after the initial wave of Clapper dismissals, framing complaints around class members who can show that their information has been misused or that their bank accounts or credit ratings have been impacted by the data theft. But cases redrawn to satisfy standing requirements present cramped damages theories, as we’ve seen in the Target and Sony data breach cases, if the only plaintiffs who can recover are those whose injury is more concrete than the mere loss of personal data and risk that it will be exploited. You can see why the Justice Department wants the OPM case litigated in a district skeptical of standing based on the risk of data misuse.

In one jurisdiction, however, all 21.5 million alleged victims of the OPM data breach may have standing. Last month, a three-judge panel of the 7th Circuit ruled in a data breach case against Neiman Marcus that plaintiffs have standing if they can show they incurred reasonable costs or spent considerable time to mitigate a “substantial risk” of harm. Under the 7th Circuit’s decision, just about anyone whose data has been stolen by hackers can sue because their information may be misappropriated.

Neiman Marcus’ lawyers at Sidley Austin filed a petition for rehearing earlier this month, but unless and until the 7th Circuit grants its motion, the panel’s ruling is the only post-Clapper federal appellate decision on standing in a data breach class action. It’s binding on trial judges in Illinois, Wisconsin and Indiana.

So far, none of the OPM class actions have been filed in those states. Two were brought in Washington, D.C., which, as the Justice Department pointed out in its request for consolidation in that court, is the district of universal venue for the Privacy Act claim at the heart of the OPM suits. Two other plaintiffs filed in California. Others sued in Idaho, Colorado and Kansas. It’s going to be very interesting to see which court plaintiffs ask the JPML to send the OPM litigation to.

more...
No comment yet.
Scoop.it!

Data Breaches Expose Nearly 140 Million Records

Data Breaches Expose Nearly 140 Million Records | HIPAA Compliance for Medical Practices | Scoop.it

The latest report from the Identity Theft Resource Center (ITRC) reveals that there has been a total of 472 data breaches recorded through August 11, 2015, and more than 139 million records have been exposed. The annual total includes 21.5 million records exposed in the attack on the U.S. Office of Personnel Management in June and 78.8 million health care customer records exposed at Anthem in February.

A June report by cybersecurity firm Trustwave said that of the 574 hacking incidents and data breaches the company was asked to investigate in 2014, 43% came in the retail industry, 13% came from the food and beverage industry and 12% from the hospitality industry. More striking, perhaps: 81% of victims did not discover on their own that they had been hacked. In cases where a company discovers the attack on its own, it takes about two weeks to stop it. When companies do not run their own security programs, it takes more than five months to contain the breach.


E-commerce sites were compromised in 42% of attacks and point-of-sales systems were hit in 40%. The totals were up 7% and 13%, respectively, from 2013.


The total number of data breaches increased by six in the week, according to the ITRC. The business sector accounts for about 645,000 exposed records in 184 incidents so far in 2015. That represents 39% of the incidents, but just 0.5% of the exposed records.


The medical/health care sector posted the second-largest percentage of the total breaches so far this year, 35.6% (168) out of the total of 472. The number of records exposed in these breaches totaled 109.5 million, or 78.6% of the total so far in 2015.


The number of banking/credit/financial breaches totals 45 for the year to date and involves more than 411,000 records, some 9.7% of the total number of breaches and 0.3% of the records exposed. These numbers are unchanged from the prior week.


The government/military sector has suffered 36 data breaches so far this year, just 7.7% of the total, but about 20% of the total number of records exposed. These numbers were also unchanged from the prior week.


The educational sector has seen 39 data breaches in 2015, accounting for 8.3% of all breaches for the year. Nearly 740,000 records have been exposed, about 0.5% of the total so far in 2015.

In all of 2014, ITRC tracked an annual record number of 783 data breaches, up 27.5% year over year. The previous high was 662 breaches in 2010. Since beginning to track data breaches in 2005, ITRC had counted 5,497 breaches through August 11, 2015, involving more than 818 million records. Compared with 2014, the number of data breaches is about 2.3% lower to date in 2015.

more...
No comment yet.
Scoop.it!

Reminders for HIPAA Compliance with Business Associates

Reminders for HIPAA Compliance with Business Associates | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance is clearly a top priority for covered entities. With technology evolving, third-party partnerships are also becoming more common, which means that more healthcare organizations are likely working with business associates.


Whether a covered entity is working with a cloud services provider, or a company to assist in handling their financials, it is critical that HIPAA compliance stays a top priority. The HIPAA Omnibus Rule even changed how business associates can be held liable for potential HIPAA violations. All parties should have a thorough understanding of their relationship, and how they are expected to maintain patient data security.


This week, HealthITSecurity.com will discuss the intricacies of the relationship between a coverd entity and a business associate. Moreover, the importance of a comprehensive business associate agreement will be explained, and examples will be given of what the consequences could be should either entity violate HIPAA.

What is a business associate?


A business associate could be any organization that works on behalf of, or for, a covered entity. For example, if a hospital employs a company to assist with its claims processing, then that third-party becomes a business associate. Or, an attorney who is working for a healthcare provider and has access to patients’ PHI, would also be considered a business associate.


“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” according to the Department of Health and Human Services (HHS).


The business associate agreement must also include the following information, according to HHS:


  • Describe the permitted and required PHI uses by the business associate
  • Provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law;
  • Require the business associate to use appropriate safeguards to prevent inappropriate PHI use or disclosure


Essentially, business associates are also responsible for the protection of PHI. As previously mentioned, the HIPAA Omnibus Rule made this a federal requirement. Let’s go back to the example of a claims processing firm. The business associate agreement between that firm and a hospital should outline requirements for how the claims processing firm is expected to keep PHI secure while it is working with the hospital. Should a health data breach occur, the claims processing firm could face serious consequences if it is determined that it violated the business associate agreement.


Not only does the business associate agreement dictate how and when PHI could be disclosed, it also outlines the potential consequences should sensitive information be exposed:


“A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.”


The contract between a covered entity and business associate can also have a termination date. For example, perhaps a medical transcriptionist was hired for six months. At the end of that six month period, the business associate agreement can require that any PHI that had been received in that time to be destroyed.


Moreover, the covered entity can require that medical transcriptionist to make “internal practices, books, and records relating to the use and disclosure” of received PHI available to HHS to ensure that the covered entity is HIPAA compliant. It is also important to note that any contract can be terminated if the business associate is found to have violated “a material term.”


What happens if a business associate exposes PHI?


When a covered entity experiences a health data breach, it will likely have to deal with a federal and state investigation, as well as potential public backlash. There may even be potential fines due to possible HIPAA violations. Business associates will go through the same process should they suffer from their own data breach that potentially puts patients’ PHI at risk.


For example, in June 2015, Medical Informatics Engineering (MIE) announced that it had been the victim of a “sophisticated cyber attack,” and some of its clients may be affected. Affected clients included Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group.


Possibly exposed information included patient names, mailing addresses, email addresses, and dates of birth. Some patients may have also had Social Security numbers, lab results, dictated reports, and medical conditions exposed.


Not long after, a class action lawsuit was filed against MIE, alleging that MIE failed “to take adequate and reasonable measures to ensure its data systems were protected,” and also failed “to take available steps to prevent and stop the breach from ever happening.”


Similarly, third party facility Medical Management LLC reported that approximately 2,200 patients at one of its healthcare providers may have had their records exposed by a Medical Management employee. Medical Management handles the billing for numerous healthcare providers across the country, and organizations in several states notified patients of the incident.


The data breach occurred when a now former Medical Management employee copied individuals’ personal information from the billing system over the past two years. That former employee then illegally disclosed that information to a third party.


“MML takes this matter very seriously and terminated this employee after being informed of this criminal investigation,” Medical Management said in a statement. “MML is cooperating with federal law enforcement authorities in their criminal investigation.”


Covered entities and business associates must be able to work together when it comes to patient PHI security. Health data breaches can happen at any organization, regardless of size. By keeping health data security policies current, and regularly reviewing them, both types of facilities have a better chance of detecting potential weaknesses. Having comprehensive business associate agreements in place will also ensure that all parties understand how they are required to keep PHI secure.

more...
No comment yet.
Scoop.it!

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy | HIPAA Compliance for Medical Practices | Scoop.it

By now, most people have felt the effects of the HIPAA Privacy Rule (from the Health Insurance Portability and Accountability Act). HIPAA has set the primary standard for the privacy of healthcare information in the United States since the rule went into effect in 2003. It’s an important rule that creates significant baseline privacy protections for healthcare information across the country.


Yet, from the beginning, important gaps have existed in HIPAA – the most significant involving its “scope.” The rule was driven by congressional decisions having little to do with privacy, but focused more on the portability of health insurance coverage and the transmission of standardized electronic transactions.


Because of the way the HIPAA law was crafted, the U.S. Department of Health and Human Services (HHS) could only write a privacy rule focused on HIPAA “covered entities” like healthcare providers and health insurers. This left certain segments of related industries that regularly use or create healthcare information—such as life insurers or workers compensation carriers— beyond the reach of the HIPAA rules. Therefore, the HIPAA has always had a limited scope that did not provide full protection for all medical privacy.


So why do we care about this now?


While the initial gaps in HIPAA were modest, in the past decade, we’ve seen a dramatic increase in the range of entities that create, use, and disclose healthcare information and an explosion in the creation of healthcare data that falls outside HIPAA.


For example, commercial websites like Web MD and patient support groups regularly gather and distribute healthcare information. We’ve also seen a significant expansion in mobile applications directed to healthcare data or offered in connection with health information. There’s a new range of “wearable” products that gather your health data. Virtually none of this information is covered by HIPAA.


At the same time, the growing popularity of Big Data is also spreading the potential impact from this unprotected healthcare data. A recent White House report found that Big Data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in many areas including healthcare. The report also stated that the privacy frameworks that currently cover healthcare information may not be well suited to address these developments. There is no indication that this explosion is slowing down.


We’ve reached (and passed) a tipping point on this issue, creating enormous concern over how the privacy interests of individuals are being protected (if at all) for this “non-HIPAA” healthcare data. So, what can be done to address this problem?


Debating the solutions


Healthcare leaders have called for broader controls to afford some level of privacy to all health information, regardless of its source. For example, FTC commissioner Julie Brill asks whether we should be “breaking down the legal silos to better protect that same health information when it is generated elsewhere.”


These risks also intersect with the goal of “patient engagement,” which has become an important theme of healthcare reform. There’s increased concern about how patients view this use of data, and whether there are meaningful ways for patients to understand how their data is being used. The complexity of the regulatory structure (where protections depend on sources of data rather than “kinds” of data), and the determining data sources (which is often difficult, if not impossible), has led to an increased call for broader but simplified regulation of healthcare data overall. This likely will call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.


Three options are being discussed on how to address non-HIPAA healthcare data:


  • Establishing a specific set of principles applicable only to “non-HIPAA healthcare data” (with an obvious ambiguity about what “healthcare data” would mean)
  • Developing a set of principles (through an amendment to the scope of HIPAA or otherwise) that would apply to all healthcare data
  • Creating a broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA rules).


Conclusions


It’s clear that the debate and policymaking “noise” on this issue will be ongoing and extensive. Affected groups will make proposals, regulators will opine, and legislative hearings will be held. Industry groups may develop guidelines or standards to forestall federal legislation. We’re a long way from any agreement on defining new rules, despite the growing consensus that something must be done.

Therefore, companies that create, gather, use, or disclose any kind of healthcare data should evaluate how this debate might affect them and how their behavior might need to change in the future. The challenge for your company is to understand these issues, think carefully and strategically about your role in the debate, and anticipate how they could affect your business going forward.

more...
No comment yet.
Scoop.it!

How Do HIPAA Regulations Affect Judicial Proceedings?

How Do HIPAA Regulations Affect Judicial Proceedings? | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA regulations are designed to keep healthcare organizations compliant, ensuring that sensitive data - such as patient PHI - stays secure. Should a healthcare data breach occur, covered entities or their business associates will be held accountable, and will likely need to make adjustments to their data security approach to prevent the same type of incident from happening again.


However, there are often questions and concerns in how HIPAA regulations tie into certain judicial or administrative proceedings. For example, if there is a subpoena or search warrant issued to a hospital, is that organization obligated to supply the information? What if the information being sought qualifies as PHI? Can covered entities be held accountable if they release certain information, and then that data falls into unauthorized individuals’ control?


This week, HealthITSecurity.com will break down how judicial proceedings, and other types of legal action, could potentially be impacted by HIPAA regulations. We will discuss how PHI could possibly be disclosed, and review cases where search warrants and similar issues were affected by HIPAA.


What does HIPAA say about searches and legal inquiries?

The HIPAA Privacy Rule states that there are several permitted uses and disclosures of PHI. This does not mean that covered entities are required to disclose PHI without an individual’s permission, but healthcare organizations are permitted to do so under certain circumstances.


“Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make,” the Privacy Rule explains.


The six examples of permitted uses and disclosures are the following:

  • To the Individual (unless required for access or accounting of disclosures)
  • Treatment, Payment, and Health Care Operations
  • Opportunity to Agree or Object
  • Incident to an otherwise permitted use and disclosure
  • Public Interest and Benefit Activities
  • Limited Data Set for the purposes of research, public health or health care operations.


Under the public interest and benefit activities, the Privacy Rule dictates that there are “important uses made of health information outside of the healthcare context.” Moreover, a balance must be found between individual privacy and the interest of the public.

There are several examples that relate to disclosing PHI due to types of legal action:


  • Required by law
  • Judicial and administrative proceedings
  • Law enforcement purposes


Covered entities and their business associates are permitted to disclose PHI as required by statute, regulation or court orders.

“Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided,” according to the HHS website.


For “law enforcement purposes” HIPAA regulations state that PHI can also be disclosed to help identify or locate a suspect, fugitive, material witness, or missing person. Law enforcement can also make requests for information if they are trying to learn more information about a victim - or suspected victim. Another important aspect to understand is that a covered entity can can disclose sensitive information if it believes that PHI is evidence of a crime that took place on the premises. Even if the organization does not think that a crime took place on its property, HIPAA regulations state that PHI can disclosed “when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.”


Essentially, covered entities and business associates must use their own judgement when determining if it is an appropriate situation to release PHI without an individual’s knowledge. For example, if local law enforcement want more information from a hospital about a former patient whom they believe is dangerous, it is up to the hospital to weigh the options of releasing the information.

How have HIPAA regulations affected court rulings?

There have been several court rulings in the last year discussing HIPAA regulations and how covered entities are allowed to release PHI.


Connecticut: The Connecticut Supreme Court ruled in November 2014 that patients can sue a medical office for HIPAA negligence if it violates regulations that dictate how healthcare organizations must maintain patient confidentiality. In that case, a patient found out that she was pregnant in 2004 and asked her medical facility to not release the medical information to the child’s father. However, the organization released the patient’s information when it received a subpoena. The case claimed that the medical office was negligent in releasing the information, and that the child’s father used the information  for “a campaign of harm, ridicule, embarrassment and extortion” against the patient.


Florida: Just one month earlier, a Florida federal appeals court ruled that it is not a HIPAA violationfor physician defendants to have equal access to plaintiffs’ health information. In this case, a patient sued his doctor for medical negligence. Florida law states that the plaintiff must provide a health history, including copies of all medical records the plaintiff’s experts relied upon in forming their opinions and an “executed authorization form” permitting the release of medical information. However, the plaintiff claimed the move would violate his privacy. The appeals court ruled that two instances applied in this case where HIPAA regulations state that covered entities are permitted to release PHI.


As demonstrated in these two court cases, it is not always easy for covered entities to necessarily determine on their own when they are compromising patient privacy and when they are adhering to a court order. However, by seeking appropriate counsel, healthcare organizations can work on finding a solution that meets the needs of all parties involved.

more...
No comment yet.
Scoop.it!

Data Breaches, Lawsuits Inescapable, but Liability Can Be Mitigated

Data Breaches, Lawsuits Inescapable, but Liability Can Be Mitigated | HIPAA Compliance for Medical Practices | Scoop.it

If your organization experiences a data breach—an increasingly likely scenario—and PHI is exposed, chances are you will be hit with a lawsuit in short order.

There's not much you can do about that, just like it's impossible to prevent every criminal attack. What you can do, though, is take steps to minimize the likelihood of being found liable for damages in court, says Reece Hirsch, Esq., a partner and regulatory attorney at Morgan Lewis in San Francisco, and a BOH editorial advisory board member.

Hirsch says companies should have two things in place as part of standard policy and procedure: an evolving breach response plan and an incident response team that meets on a regular basis. While class-action suits haven't gained much traction with judges yet—except in cases of clear financial damage to consumers—most of the claims boil down to some form of alleged negligence, he says.

"Given the increasingly sophisticated cyberthreats that companies face … you cannot have perfect security and you cannot completely insulate yourself from these types of events, but what you can do is show you acted reasonably and took reasonable measures to prevent a breach and not make yourself a target," Hirsch says.

Organizations demonstrate this with a good breach response plan to show they've identified the problem, mitigated damage, notified victims, and taken further action as necessary, he says. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications, and investor relations. Part of the team's role is to analyze risks to data, data flow, and worst-case scenarios.

"Everything needs to be encrypted, data at rest as well as data in transit, which is something HIPAA specifically points out," says Jan McDavid, Esq., the compliance officer and general legal counsel at HealthPort, an Atlanta-based healthcare services firm. McDavid, who is a regular speaker on this subject, agrees that it's essential to have proper security policies as well as dedicated staff to regularly review systems and respond to incidents.

Comprehensive risk analyses, which HIPAA requires, should not just be done after a breach to assess the extent of damages after private data is "let out the door," she says, but up front as well to identify the risks. Inevitably, though, healthcare organizations with large electronic databases will likely experience a data breach.


"Once [companies] are put on notice that something has happened, they need to immediately stop the bleeding," McDavid says. Even though public breach notification may not be required on day one, the company should immediately shut off or fix whatever happened so it can't occur again, she says.

One of the issues she sees often is that as healthcare organizations struggle to keep pace with technology, security is affected too. In the rush to automation and interoperability with limited funds available, parts of older systems and databases may get upgraded and replaced, but in the process, new vulnerabilities may be created, McDavid says. It seems organizations don't always realize how their systems interact, leading them to overlook peripheral connections that may allow access to protected systems, she adds.

Federal legislation that called for providers to implement EHRs didn't contain the funding to help facilities make the switch—those incentives came later. Many of the hospitals McDavid works with have a hodgepodge of computer systems that were installed piecemeal as the hospitals received technology funding, and that may inadvertently lead to vulnerabilities.

Taking proactive measures to have strong security policies, plans, and personnel in place goes a long way toward mitigating company liability in a class-action suit, Hirsch and McDavid say.

Lawsuits may be unavoidable


"If people are going to sue you, they're going to sue you," Hirsch says. "But [proactive preparation] will position the company much better to defend the lawsuit." And even more importantly, he adds, it may deflect some of the greatest damage to a company's reputation and image, which occurs in the "court of public opinion" and in news media reports.

McDavid agrees. "Their name becomes mud when the news is out that they've had a major breach," she says, although she believes the public has become oversaturated with the plethora of recent breaches in the news to the point that such incidents are no longer viewed as alarming or unusual.

Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, and a BOH editorial advisory board member, says the breach announced by Anthem, Inc., in February 2015 actually offers a good example of how to take the right approach to a data breach.

Apgar doesn't believe the health insurer took a big hit to its reputation because it acted relatively quickly to put security experts on the case and notify consumers and law enforcement authorities about the breach as required by HIPAA security regulations. In addition, he says, Anthem had relatively good security protections; however, those protections could only slow down a sufficiently skilled hacker, not stop the breach from occurring.


By comparison, Apgar says the class-action suits against Community Health Systems, Inc., are for actual negligence in responding to a known security vulnerability. The Franklin, Tennessee-based company announced hackers accessed data of 4.5 million individuals who were referred to or received care from physicians affiliated with its system over the last five years, according to an August 18, 2015, filing with the U.S. Securities and Exchange Commission.


Anthem disclosed on February 4 that it uncovered a massive breach affecting 80 million people that had occurred two months earlier. Less than 12 hours later, an Indianapolis attorney was already filing a class-action suit against the health insurer for failure to secure customers' data, negligence, breach of contract, and failure to notify victims in a timely manner.

In the days and weeks that followed, the class-action suits started to pile up across the country—dozens of complaints argued Anthem was lax in securing members' personal data, which wasn't encrypted. Plaintiffs argued Anthem only implemented reasonable security measures after it discovered the breach January 29—more than a month after the incident occurred.

Even if it were eventually proven in court that Anthem didn't follow industry best practices to secure data or that the breach was due to negligence, the bigger question is whether the plaintiffs can demonstrate harm as a result, Apgar says.

Building up case law


Currently, legal precedent favors the defendants, but that's an evolving process too.

McDavid explains there is no established federal law that stipulates companies are liable for damages just because they experienced a data breach that exposed clients' or patients' personal information.

That's where class-action attorneys enter the picture, she says. They're trying to make case law by obtaining favorable court opinions to set a legal precedent, but it's an uphill battle, she says. Under many federal and state laws, victims have to prove they were harmed in order to win damages.

"In the majority of cases now, the courts are ruling that you cannot certify a class unless you can prove the class has damages," McDavid says. "What that means is that even if you've breached 2 million records, if you don't have any notice that any of that [data] has been misused, then in most courts right now you have no damages."

In April, a federal judge dismissed a class-action suit against Horizon Blue Cross Blue Shield of New Jersey, ruling the plaintiffs didn't demonstrate they suffered financial harm. Two company laptop computers were stolen in 2013 from the health insurer's Newark headquarters, and nearly 840,000 customers' personal information was potentially exposed.


McDavid also points to a May Pennsylvania case where a county judge dismissed a suit from 62,000 employees of the University of Pittsburgh Medical Center following a criminal breach of the hospital's payroll database. Several hundred employees were victims of tax fraud, but the judge ruled the plaintiffs didn't prove that they were all financially harmed, that the medical center was negligent in its actions, or that there was any contract holding the university liable for security breaches.

What usually happens, Hirsch explains, is that the parties reach a settlement outside of court, and that's where many of the large payouts to affected consumers or patients happen.

Finding other ways in


It's becoming increasingly common, however, for class-action attorneys to file suit for violations of state privacy and security laws or various other federal statutes, which may contain stronger protections than HIPAA, McDavid says. Arguments under those laws have been more successful at convincing courts that the victims still have legal standing to sue even if they haven't experienced actual harm.

Apgar notes that 2010 contained an early example of this, when the Connecticut Attorney General's office sued Health Net of Connecticut in federal court for violations of HIPAA and state privacy protections regarding personal data. The attorney general's office alleged the health insurer failed to secure PHI and financial information prior to a 2009 data breach in which a computer disk drive was lost that contained unencrypted records on more than 500,000 Connecticut residents and 1.5 million consumers nationwide. Health Net also allegedly delayed notifying plan members and law enforcement authorities until several months after it discovered the breach.

Ultimately, the company agreed to a settlement that included the following:

  • Extended credit monitoring for affected plan members
  • Increased identity theft insurance and reimbursement for security freezes
  • An internal corrective action plan for stronger security measures
  • A $250,000 state fine
  • A $500,000 contingent payment to the state if it was established that affected individuals later became victims of identity theft or fraud


This was the first legal action taken by an attorney general since the HITECH Act in 2009 authorized state attorney generals to enforce violations of HIPAA.

Federal laws, such as the Fair Credit Reporting Act (FCRA), are also becoming an avenue for class-action attorneys. Hirsch says although it's not related to healthcare, one case winding its way through the U.S. Supreme Court—Spokeo, Inc. v. Robins—could change the legal landscape if the nation's highest court issues an opinion against the online company.

In February 2014, federal appellate judges for the 9th Circuit reversed a district court ruling that had originally dismissed plaintiff Thomas Robins' class-action suit alleging willful violations of the FCRA. He claimed Spokeo, an online information gathering service, published and marketed inaccurate personal information about him on its website, which he had no control over. While not claiming actual financial damages, he argued that since he was unsuccessful in securing employment, he was concerned the inaccurate report was affecting his ability to obtain employment, insurance, credit, etc.

The appellate panel found Robins did have constitutional standing to sue under the FCRA. This speaks to the same issues that are raised by victims of healthcare data breaches, who worry they will suffer financial harm from the exposure of their PHI, Hirsch says. Large technology companies urged the Supreme Court to take up an appeal of the 2014 decision, fearing it could cripple the industry by paving the way for billions of dollars in damages to consumers, he says.

In addition, there's another federal healthcare data breach suit—Smith, et al. v. Triad of Alabama—making a case for violations under the FCRA that will have big implications if the court finds the plaintiffs have legal standing for a class-action suit, McDavid says.

"They can keep it in court if the judge buys into their theory that they don't have to have damages in order to sue," she says.

more...
Jan Vajda's curator insight, August 13, 2015 9:44 AM

přidejte svůj pohled ...

Scoop.it!

Mega-Mergers: The Security, Privacy Concerns

Mega-Mergers: The Security, Privacy Concerns | HIPAA Compliance for Medical Practices | Scoop.it

Mergers and acquisitions, such as two pending mega-deals in the health insurance sector, pose security and privacy risks that need to be addressed before the transactions are completed, during the integration process and over the long haul.


In recent weeks, Anthem Inc. announced plans to buy rival Cigna for $48 billion, and Aetna unveiled a proposed $37 billion purchase of Humana.


"I can't speak specifically to these mergers, but in general they share the same challenges as others going through M&As," says Mac McMillan, CEO of the security consulting firm CynergisTek. Interoperability of systems, consolidation or merging of databases, differing architectures, disparate platforms, consolidation of accounts and accesses conversion of users are among the potential hurdles these companies face, he notes.


"For organizations this large, there is nothing trivial about integrating their networks, systems or controls," McMillan says. "The biggest issues are always disparate systems, controls and interoperability and the privacy and security issues those challenges can create."


When it comes to mergers, privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group notes, "I'm most worried about companies not doing enough diligence about security when these acquisitions are being considered. ... It's becoming increasingly complex to integrate two companies IT infrastructures, and those transitions create new vulnerabilities."


Concerning Anthem's proposed purchase of Cigna, Wu says Anthem's recent hacker attack, which affected nearly 80 million individuals, "shouldn't be downplayed, but I'd be more concerned about Cigna and whether that company also potentially had a breach that perhaps hasn't been discovered yet."


Privacy attorney Kirk Nahra of the law firm Wiley Rein LLP notes that the transition period after two companies merge presents new risks. "Because of the tremendous concerns about data security and cybersecurity breaches, integration of overall security is a particular challenge," he says. "It is easier to attack a hybrid, half-integrated company than two separate companies."


Anthem's proposed acquisition of Cigna comes "at a time where Anthem is under a lot of pressure with respect to its information security, [and] the acquisition of another large insurer represents a lot more to add to its plate," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"It will need to integrate its information security processes into a host of new systems, with each new, potentially unfamiliar system bringing new risks if not properly integrated," he says.

Critical Decisions

When mergers and acquisition are completed, a big challenge is picking and choosing whoseinformation security program will dominate after the transaction is completed.


"Often times, the information security program of the larger entity takes over the smaller," Greene notes. "In good situations, each entity learns from the other and the overall information security is improved, after a painful integration process. But sometimes the reverse happens, and good information security practices are abandoned because they are not practiced by the larger entity."


McMillan says merging organizations should "take an inventory of which set of controls, processes,technologies, etc. are either the most mature or the best overall." Then they can consider merging the programs, "the same way they merge organizations - capitalizing on the best of both."


While that best-of-breed-themed approach might work well in some mergers and acquisitions, typically things don't end up going that smoothly, Nahra contends.


"There are two kinds of challenges - inconsistencies in practices, either involving data security or privacy, and then operational implications of these inconsistencies, where one of the entities tries to apply its process or practices to the differing practices or operations of the other," Nahra says. "These challenges are exacerbated when there hasn't been a lot of due diligence on privacy/data security issues."

Access Control

One issue that's frequently overlooked during the blending IT networks of merging companies is access control, says Rebecca Herold, partner and co-founder of SIMBUS Security and Privacy Services.


When an organization is undergoing a merger, some employees typically lose their jobs because their role duplicates another's role, Herold says. "But the company keeps them on for a certain amount of time because they are training another person or finishing up on a project," she says. "However, during this time, I've seen disgruntled insiders who have access to information or administrative controls and have tried to sabotage the company that fired them."


Often executives don't have insight into all the risks that are involved with blending computer networks, says Herold, who's served as an adviser to merged organizations.


"They want to join or connect the networks in some way, but there are huge risks. When you start connecting one huge network with another one, and start sharing data without proper planning, there are new vulnerabilities and risks that emerge," she says.


If the companies involved in the latest wave of healthcare sector mergers and acquisitions get the regulatory and shareholder approval needed to complete their transactions, they need to keep a few security tips in mind, McMillan says.


"The biggest tip is common sense: Don't undo anything that is currently in place to ensure continuity until what's new is in place and backed up," he says.

more...
No comment yet.
Scoop.it!

Three Steps to Preventing Data Breaches in Your Practice

Three Steps to Preventing Data Breaches in Your Practice | HIPAA Compliance for Medical Practices | Scoop.it

Every few weeks, there’s a headline about a healthcare organization that’s been victimized by a hacker or a disgruntled employee. What is your practice doing to protect its data against theft? It can be a balancing act for physician practices that want to provide access to patient information in the EHR and elsewhere, while preventing data breaches. Here are a few steps that can help practices avoid those unfortunate headlines:


Know where your data is


First, you have to know where your data is, said Jim Kelton, managing principal at Costa Mesa, Calif,-based Altius Information Technologies. If you don’t know where your data is transmitted or where it’s stored, you can’t provide the layers of protection that are needed.


 "You have to know where [your data is] transmitted and where it’s stored," he said. Part of this exercise includes determining the practice’s EHR and other clinical information systems—and whether that software is hosted on the cloud. It can also be as mundane as making sure that printed e-mails from patients aren’t sitting around the office.


"There are 18 forms of protected health information, even an e-mail address can identify someone and needs to be protected,” he said.


Know what assets provide access to your data


Once this is done, you need to determine the assets that provide access to the practice’s data. This could be in the doctor’s office, within computer systems, on a server, or in the EHR and other clinical applications themselves. There are often multiple threats to consider, said Kelton. For example, the threat with a laptop is it’s portable and it’s vulnerable because it contains protected patient information.


Having a BYODT – or Bring Your Own Device and Technology – policy is very important, he said. This requires surveying your staff and doing an inventory of the types of technology you’re using to run the practice. It’s during this step that you should determine whether your employees are using smart phones and tablets, cloud storage, flash drives, or external hard drives. It’s also important to keep in mind any data sharing with external contractors doing software development for the practice. "For smaller practices that outsource a lot of services, they need to make sure their business agreements [with vendors and consultants] are solid,” said Kelton.


Identify threats to those assets and build in controls


Those threats could be physical, such as someone entering the practice and stealing a laptop. They could also mean your practice is the intended victim of hackers or viruses, which can infiltrate the EHR and other clinical systems. Some practices even need to be prepared for the actions of a disgruntled employee who sends your client list to their future employer, an action that puts your practice at risk, Kelton said.


Password protection for laptops is a pretty simple solution that works. Also to consider is encrypting the laptop’s hard drive. This action will mean that the hacker won’t be able to access protected patient data on the EHR and other information about your practice, Kelton said

HIPAA requires that each practice identify a security official to develop and implement security policies, implement procedures, and oversee and protect protected health information. According to Kelton, putting together a plan in advance is the most cost-effective way to ensure that data breaches don’t occur.

more...
No comment yet.
Scoop.it!

Hospital to pay $218,400 for HIPAA violations

Hospital to pay $218,400 for HIPAA violations | HIPAA Compliance for Medical Practices | Scoop.it

St. Elizabeth's Medical Center must pay $218,400 for HIPAA violations through an agreement with the Department of Health and Human Services' Office for Civil Rights.


In 2012, the OCR received a complaint alleging that the Brighton, Massachusetts-based health center did not analyze the risks of an Internet-based document sharing app, which stored protected health information for almost 500 individuals, according to anannouncement from OCR.


During its investigation, OCR found that the health center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome." In addition, St. Elizabeth's in 2014 submitted notification to OCR that a laptop and USB drive had been breached, putting unsecured protected health information for 595 consumers at risk.

OCR also is requiring that St. Elizabeth's adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," OCR Director Jocelyn Samuels said in an announcement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


A recent report from application security vendor Veracode found that the healthcare industry fares poorly compared to other industries in reducing application security risk.


Healthcare also is near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.


While Phase II of the federal HIPAA audit program remains "under development,"Samuels reiterated in March that OCR is "committed to implementing a robust audit program," FierceHealthIT previously reported.

more...
No comment yet.
Scoop.it!

HIPAA Survey Reveals A Reportable Benchmarking Breaches

HIPAA Survey Reveals A Reportable Benchmarking Breaches | HIPAA Compliance for Medical Practices | Scoop.it

In early, HCPro’s Medical Records Briefing (MRB)newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, implementation date. This year, MRBasked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.

 

With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents that said their organizations experienced a HIPAA breach in the past two years remained at 55% .However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase.

 

Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.

 

The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches.

 

The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.

 

This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Based on this data, an increased number of HIM directors or managers appear to be serving as privacy officers at their facility. More specifically, 65% of HIM directors and managers responding to the survey also serve as the privacy officer.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Did Doctor Violate HIPAA for Political Campaign?

Did Doctor Violate HIPAA for Political Campaign? | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators are reportedly investigating whether a physician in Richmond, Va., violatedHIPAA privacy regulations by using patient information to help her campaign for the state senate.


The Philadelphia office of the Department of Health and Human Services' Office for Civil Rights is investigating potential HIPAA violations by Siobhan Dunnavant, M.D., a Republican state senate candidate, after a complaint alleged the obstetrician-gynecologist used her patients' protected health information - including names and addresses - to solicit contributions, volunteers and votes, according to an NBC news report.


Conservative blogger Thomas White tells Information Security Media Group that he reported to HHS earlier this year that letters and emails about Dunnavant's candidacy were sent to her patients prior to the June primary race in the state's 12th district, which includes western Hanover County. White says he notified HHS after receiving a copy of a letter from a Dunnavant patient who was annoyed at receiving the campaign-related communications from her doctor.


"I would love for you to be involved," Dunnavant wrote to patients, also reassuring them that their care would not be impacted if she's elected, according to a copy of a campaign letter posted on the NBC website."You can connect and get information on my website. There you can sign up to get information, a bumper sticker or yard sign and volunteer," the posted letter states. Other campaign-related material included emails sent to patients that were signed by "Friends of Siobhan Dunnavant," NBC reports and White confirmed, citing reports from patients.


The physician is one of three candidates seeking the state senate seat in the Nov. 3 election.

Patient Confidentiality

A spokeswoman for Dunnavant's medical practice declined to confirm to Information Security Media Group whether OCR is investigating Dunnavant for alleged HIPAA privacyviolations. However, in a statement, the spokeswoman said, "We are aware of concerns regarding patient communication, and we are reviewing the issue with the highest rigor and diligence. Please be assured we hold confidentiality of patient information of paramount importance, and thank patients for entrusting us with their care."


A spokeswoman in OCR's Washington headquarters also declined to comment on the situation. "As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations, nor can we opine on this case," she says.


White, editor of varight.com, says he first received a copy of one of Dunnavant's campaign letters in May, and that he was the first to report on the issues raised by the letters. He tells ISMG he filed a complaint with the federal government after he confirmed that the use of patient information for campaign purposes was a potential violation of privacy laws.


Nearly four months later, an investigator in OCR's regional office in Philadelphia, which is responsible for Virginia, on Sept. 29 responded to White's complaint, indicating the doctor's actions would be examined. White says he also confirmed again in a call to OCR on Oct. 28 that the case is still under investigation.


"You allege that Dr. Dunnavant impermissibly used the protected health information of her patients. We have carefully reviewed your allegation and are initiating an investigation to determine if there has been a failure to comply with the requirements of the applicable regulation," OCR wrote to White, according to a copy of the OCR letter that appears on White's website.

HIPAA Regulations

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says Dunnavant's alleged use of patient information raises several HIPAA compliance concerns.


"HHS interprets HIPAA to cover demographic information held by a HIPAA-covered healthcare provider if it is in a context that indicates that the individuals are patients of the provider," he notes. "Healthcare providers must be careful when using patient contact information to mail anything to the patient - even if no specific diagnostic or payment information is used. If a patient's address is used to send marketing communications or other communications unrelated to treatment, payment, or healthcare operations without the patient's authorization, then this may be an impermissible use of protected health information under HIPAA."


If patient contact information is shared with someone else, such as a political campaign, that also could be a HIPAA violation, Greene adds. "The same information that can be found in a phone book - to the extent anyone uses phone books - may be restricted in the hands of healthcare providers."


Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes that the HIPAA Privacy Rule has "a blanket prohibition" on a HIPAA covered entity disclosing the protected health information of their patients without first seeking authorization of the individual - except where specifically permitted or required by the rule.


"There is no provision in the privacy rule where a healthcare provider who is a HIPAA covered entity can disclose patient information to a political campaign," he points out.


Because of those restrictions, federal regulators will carefully scrutinize the case, Holtzman predicts. "It is likely that OCR will look closely at the doctor's correspondence for its communication about her candidacy for political office, how to contact the campaign or obtain campaign products as well as the statement that the letter was paid for and authorized by the campaign organization."


An OCR investigation into the alleged violations of the HIPAA Privacy Rule could result in HHS imposing a civil monetary penalty, Holtzman notes. "There are criminal penalties under the HIPAA statute for 'knowingly obtaining or disclosing identifiable health information in violation of the HIPAA statute,'" he adds.

Potential Penalties

Offenses committed with the intent to view, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment for up to 10 years, Holtzman notes.


"The Department of Justice is responsible for investigating and prosecuting criminal violations of the HIPAA statute," he says. "And changes in the HITECH Act clarified that a covered entity can face both civil penalties for violations of the privacy rule and criminal prosecution for the same incident involving the prohibited disclosure of patient health information."


The U.S. Department of Justice did not respond to ISMG's request for comment on whether it's planning to investigate the Dunnavant case.

more...
No comment yet.
Scoop.it!

HIPAA Compliance and EHR Access

HIPAA Compliance and EHR Access | HIPAA Compliance for Medical Practices | Scoop.it

In light of the recent massive security breaches at UCLA Medical Center and Anthem Blue Cross, keeping your EHR secure has become all the more important. However, as organizations work to prevent data breaches, it can be difficult to find a balance between improving security and maintaining accessibility. To that end, HIPAA Chat host Steve Spearman addresses digital access controls, common authentication problems, and how authentication meets HIPAA compliance and helps ensure the integrity of your EHR, even after multiple revisions.


Q: What are access controls?


A: Access controls are mechanisms that appropriately limit access to resources. This includes both physical controls in a building, such as security guards, and digital controls in information systems, such as firewalls. Having and maintaining access controls are a critical and required aspect of HIPAA compliance, and is the first technical HIPAA Security Standard.


Q: What’s the most common form of digital access control we see in healthcare?


A: The username and password is the most common form of access control by far. The Access Control Standard requires covered entities to give each user a distinct and unique user ID and password in order to access protected information. These unique credentials for each employee enable covered entities to confirm (“authenticate”) the identity of users and to track and audit information access.


Q: What are the most common problems with access controls and use of passwords in healthcare?


A: The most common problem is that covered entities often use multiple systems which each may require its own set of usernames and passwords along with varying requirements for these credentials, such as minimum character length or use of capital letters. Memorizing multiple sets of passwords and usernames for multiple systems is difficult for most people. In addition, there is a conundrum between password complexity and memorization. Complex passwords (longer with multiple required character types) are better for security but much harder to memorize. This is the conundrum.


Q: Are stricter password policies always more secure?


A: No, if passwords requirement are too strict, users then use coping mechanisms such as writing them down or re-using the same password over and over and across multiple systems. This compromises security rather than enhancing it. For example, a policy that required 14 digit passwords and required, lower-case, upper-case, numbers and symbols and expired every 30 days would create huge problems for most organizations. With these policies, staff would simply write down their passwords. But this compromises security. If a bad person gets a hold of a written list of passwords they have the “keys to the kingdom”, the ability to access the accounts on that written list. So passwords should not be written down.

In addition, overly strict password policies tend to overwhelm technical support staff with password reset requests.

So passwords should be sufficiently complex to make them hard to crack which also makes them hard to memorize.


Q: This sounds like a big problem. Do you have any suggestions to make things better?


A: At a minimum, organizations need to provide training to staff on straightforward techniques to create memorable but complex passwords. I have an exquisitely terrible memory. But I have great passwords using one particular technique. Just google “create good memorable passwords” and you can find dozens of videos demonstrating how to do it. But, of course, our favorite is the video featuring our very own, Gypsy, the InfoSec Wonderdog.


Enterprises should seriously consider additional technical solutions such as two factor authentication with single sign on (2FA/SSO).


Q: What is a good, reasonable password policy?


A: I recommend a policy that:


  • Requires a minimum of 8 characters
  • Requires two or three of the options of lower-case, upper-case, numbers and symbols
  • Expire every 3 to 6 months
  • And limit limit use of historical passwords so that the previous two cannot be used.


Q: You mentioned authentication before. What is that? What is two-factor or multi-factor authentication?


A: Authentication is the process of confirming the identity of a person before granting access to a resource. Computer geeks refer to the three factors of authentication:


  • What a user has (an ID badge or phone).
  • What a user knows (a PIN number)
  • Who a user is (biometrics)


For example, ATMs use two-factor authentication:

  1. What the user has: an ATM card and
  2. What they know: a PIN.


One of my favorite tools for two factor authentication is Google Authenticator which runs as an app on my mobile phone. Another common form of two factor authentication is text codes. With this method, the website or app, after entering a correct username and password, sends a text with a numeric code that expires after a few minutes to your phone that is entered into another field in the website before access is granted.


Everyone should enable two factor authentication on their most essential systems such as to online banking and to email accounts such as gmail.


In healthcare, there is a growing trend toward biometric authentication, the use of fingerprint readers or palm readers, etc. to authenticate into systems. Biometric authentication is generally very secure and is also very easy to use since there is nothing to memorize.


Q: What is SSO?


A: Single sign-on (SSO) lets users access multiple applications through one authentication event. In other words, one password allows access to multiple systems. It enhances security because users only have to remember one password. And because it is just one, it is commonly a good complex password. Once entered, it will allow access to all the core systems (if enabled) without having to re-authenticate.


Single sign-on combined with two factor authentication or biometrics work great together in tandem and are often sold together by vendors. The leading SSO/2FA vendor in healthcare is Imprivata, but there are other vendors making great in-roads into healthcare such as Duo Security2FA.com and Secureauth.com.


Q: What do you mean by “integrity” and what does it have to do with access control and authentication?


A: Integrity in System Standards is the practices used to track and verify all changes made to a health record. It is a condition that allows us to prevent editing or deleting of records without proper authorization.


Authentication and access controls are the primary means we use to preserve integrity of a record. If the information system is programmed to track its users’ activity, then it’s possible to track who made changes to a record and how they changed it.


This is why users should never share usernames and passwords with other users. Integrity becomes impossible if a username does not signify the same user every time it appears.


Q: Any final thoughts?


A: Finding that balance between HIPAA compliance, security and accessibility can be tricky. We recommend reducing digital access controls to a single multi-factor authentication or biometrics event. This single, secure method of authentication could be the balance between security and efficiency needed to keep your EHR secure and yet accessible. In addition to improving accessibility to your system, an MFA or biometrics sign-in method could help improve your organization’s EHR integrity.

more...
No comment yet.
Scoop.it!

5 keys to managing a data breach

5 keys to managing a data breach | HIPAA Compliance for Medical Practices | Scoop.it

Unfortunately, data breaches have become an extremely common occurrence. Not all of them have the high-profile of a Target, Ashley Madison, Home Depot or Anthem breach, but the damage to a company and its reputation is very real.


While companies can purchase cyber insurance to help manage the risks associated with a breach, there are also steps a business can take to maximize the relationship with their breach team and minimize the fallout following the cyber event.


Here are five factors to consider when it comes to managing a company’s cyber attack or data breach.


 1. Assess the risk

So how does a company prepare for such an eventuality and what steps should be taken after a breach occurs?


“Start with what you will face if a breach occurs,” advises Anthony Roman, president of Roman & Associates, a global investigation, risk management and computer security consultation firm. “Corporations of all sizes that hold any information that can be deemed private or personal are going to face a number of very serious hurtles in a breach that will encourage them to have a breach plan.”


Roman says this includes class action suits for the “undue release or allowing the release of personal and private information. The average class action suit is settling for $2.9 to $3 million.” He estimates the legal costs to defend a company in a class action suit will range anywhere from several hundred thousand dollars to well over one million.


“You may face government sanctions for local, state, federal or legal violations, some of which are criminal in nature and some which are civil in nature,” he explains. Criminal violations can pierce the corporate veil and involve specific individuals within the corporation.


There could also be regulatory sanctions if the company violated any Federal Communications Commission (FCC) regulations or any other regulatory agency’s regulations regarding cyber security. “That should be a wonderful motivator for anyone to have a robust and compliant breach program,” he adds.


Roman recommends that companies work with their brokers to craft coverage that will reduce their risk, review the policy exclusions, and ensure that they are insured to cover the types of information that will be affected and the resulting exposures from a breach.


2. Avoid these mistakes

The saying goes, “Fail to plan and plan to fail,” and nowhere is that more true than with cyberattacks and breaches. “Not having a well thought out and documented roadmap for the ‘what, when, where, who and how’ of responding to a suspected data breach is a recipe for disaster,” says Paul Nikhinson, Esq., privacy breach response services manager for Beazley.


Related: Many businesses unprepared for cyber attacks

“Most post-incident mistakes could be avoided or mitigated by implementing appropriate pre-incident prevention and response plans,” adds Kevin Kalinich at Aon. He says that some of the major mistakes companies make include:


  • Internal company denial regarding the potential magnitude of the incident. Appropriate resources and attention must be allocated immediately to determine the magnitude of the incident. The financial impact of cyber incidents is not always directly correlated with the size of the incident, but the financial statement impact is often correlated to the effectiveness of the response.
  • Automatically characterizing an “incident” (no immediate legal liability connotations) as a “breach” (immediate legal liability connotations under various laws, regulations and insurance policies).
  • Passing the buck rather than developing a comprehensive coordinated response.
  • Defensive reaction to regulators rather than an open and frank dialogue.
  • Failure to timely notify any and all potentially applicable insurance carriers.


Overreacting or underreacting to the event can also be a problem says Nikhinson. “Where there’s smoke, there’s fire; however, not every bit of smoke necessarily means a five-alarm fire. Going too quickly to the media and clients without an adequate command of the facts often causes far more harm than good.”


He also says that a company can’t just put its “head in the sand and hope for the best. This isn’t just an ‘IT’ problem. It’s something that could result in catastrophic financial and reputational damage to the company.”


Other problems include not having a plan at all, not following the established plan, not engaging a breach coach or team, and having poor communication between breach team members.


3. Working effectively with your breach team

After a company experiences a breach is not the time to be pulling together a team to address the problem. Assuming that a company already has a highly qualified team in place involving legal, IT, security, human resources, risk management and public relations professionals, experts recommend notifying legal counsel as soon as a cyber incident is discovered. “Counsel should handle retaining outside experts to maintain privilege, which puts the company in the best defensible position possible,” counsels Bob Parisi, Marsh’s cyber product leader

.

Kalinich concurs. “Legal counsel should be involved as soon as a cyber incident is identified for a variety of risk mitigation, contractual liability, privacy liability, legal compliance and financial statement impact reduction reasons. Thereafter, depending upon the nature of the incident, the chief information security officer (CISO), IT security, privacy officer and management responsible for cyber incident response should be simultaneously notified. Outside parties such as customers, partners, vendors, suppliers, etc. need not be notified until the entity understands what happened (subject to notification laws, of course).”


Roman recommends activating the company’s internal breach team as soon as a breach is revealed since most breaches occur way before they are discovered. “As you’re noticing it happened, it probably occurred earlier and they are sucking you dry of confidential information, client information, individuals’ personal information, corporate secrets and information that may be sensitive from a public relations perspective.”


There should also be a designated team leader and decision-maker says Roman, “Someone who can take all of the advice and says this is what we will do and has the authority to do it.” He also recommends that executives resist the urge to micromanage the problem. “They should assess the decisions made by the professionals and act accordingly.”


Communication between team members is critical to successfully managing the breach. “Do your best to break down internal information silos,” recommends Beazley’s Nikhinson. “Does legal know what IT/IS is investigating and how it is being documented? Does IS know that risk purchased a cyber-insurance policy and that it has certain reporting requirements? At what point do you bring in corporate communications? Coordination between all of the internal stakeholders is essential, and having someone akin to a project manager to facilitate that coordination can make all the difference in the world.”


4. Experience matters

Insurance brokers, legal counsel, public relations professionals and other vendors on the breach team should have extensive experience in cyber attacks and breaches. An experienced insurance broker can help a client find a cyber policy that best matches their needs and risks says Parisi. “The broker should have assisted the client in fully understanding coverage as well as the value-added services that are part of today’s cyber coverage. By doing that the client will be able to fully utilize the benefits of the coverage when a breach or event happens.”


Clients should report a breach to their broker or agent as soon as it occurs. According to Aon’s Kalinich, an experienced cyber broker will be able to:


  • Identify the applicable insurance policies.
  • Provide the insured with the required insurance notice requirements.
  • Detail any specific insurance policy requirements (i.e., third-party forensic experts must be selected from the insurance company panel in order to be covered by the insurance policy).
  • Arrange a call between insurance broker legal cyber incident claims specialist and the insured.
  • Determine whether, and in what manner, notice is required to insurers.
  • Describe past cyber incident best practices that reduce the total cost of risk.
  • Maintain consistent and timely communications between the insured and the insurers.


5. Practice makes perfect

Roman recommends that companies hold periodic breach rehearsals, which can be conducted by a firm outside of the business. “Surprise your team. Tell them this is a drill and there is a breach,” he advises. This gives executives an opportunity to see how quickly the breach team can be pulled together and how they will react to a real breach. It also gives them an opportunity to role play some of the critical elements of the plan.


Brokers can assist their clients by ensuring they have the right coverage for their business exposures as well as “a proactive relationship with their carrier’s breach response team so their first meeting doesn’t occur in the middle of a firefight,” adds Nikhinson.

Waiting until after a cyber breach occurs is too late to begin managing its effects, and can have dire consequences to a company’s reputation and its bottom line. Being proactive will help mitigate some of the damage and give the company a roadmap for successfully managing the breach.

more...
No comment yet.
Scoop.it!

Moving in Front of Healthcare’s Connectivity Curve

Moving in Front of Healthcare’s Connectivity Curve | HIPAA Compliance for Medical Practices | Scoop.it

As a clinician, technology is a significant interest in my life. I have always felt that one way in which to stay young is to embrace technology, and to understand how technology integrates into our professional and personal lives.


This past April, I was intrigued by the announcement of ResearchKit by Apple.. The first research apps developed covered five areas of study: Asthma, breast cancer, cardiovascular disease, diabetes, and Parkinson’s disease. However, the number of commercial and institutional research organizations using the open-source platform of ResearchKit is expanding daily.


More than 75,000 people have enrolled in ongoing health studies using ResearchKit apps to gather health data. Smartphones and wearable technology, with their microphones, cameras, motion sensors, and GPS devices, have unique advantages for gathering health data, and, in some cases, can serve as a valuable addition to regular care from a provider.


The possibilities for benefiting the body of health knowledge are endless. However, it is important for patients to be mindful and use these tools wisely in this modern world of connectivity.

More than a few people are commenting on the possible risks of gathering data in this way. As always in our modern society, available technology is way ahead of regulations. For example, we have strong laws and regulations regarding patient confidentiality enshrined in medical tradition and HIPAA.


Recognizing this vulnerability, Apple added the following to their app store submission guidelines: “All studies conducted via ResearchKit must obtain prior approval from an independent ethics review board.” Meaning, all studies must obtain Institutional Review Baords (IRB) approval. This is a good step in the right direction, but much more care is needed to gather data with the expanding number of ResearchKit apps, to ensure that personal health data is protected and that this technology is used in an ethical, and lawful, way.


Regardless of the all the caveats, I remain intrigued and hopeful that leveraging technology via tools such as smartphones and software like ResearchKit will be a great boon to the understanding of disease and treatments around the world.


I would recommend the following to put us ahead of the curve with these new tools:


  1. Ethical guidelines and procedures need to be developed by the research community in the U.S. to ensure that use of technology in research data gathering is done with the greatest protection of the patients’ individual health data.
  2. Laws and regulations need to be considered to ensure the integrity of the data as well as the protection of personal health information.
  3. Companies like Apple, who are leading the roll out of this technology, should not wait for state and federal governmental entities to regulate the use of technology in research and should be leaders in the ethical, responsible use of apps to gather and use health research data.


Technology in medicine is constantly evolving. We have to try to evolve with it, however, and recognize that the law of unintended consequences is always present, and will always present challenges as the vast universe of technology expands with every increasing speed in medicine and every other area of life.

more...
No comment yet.
Scoop.it!

Millions Potentially Affected by Premera Data Breach

Millions Potentially Affected by Premera Data Breach | HIPAA Compliance for Medical Practices | Scoop.it
With so many data breach lawsuits in the news lately, a person would think that companies that have access to private consumer or patient information would take cyber security seriously. Unfortunately, every day there seems to be more news about companies that have been hit by hackers and have allowed customer information to be made vulnerable. One of the more recent of the data breaches is the Premera data breach, in which approximately millions of patients had their private information compromised.

Lawsuits have followed, with plaintiffs alleging Premera Blue Cross did not properly or adequately secure customer information. The lawsuits allege negligence on Premera’s part. As of July 15, 2015, the number of lawsuits consolidated for pretrial proceedings sits at around 35, according to court documents. But the multidistrict litigation (MDL Number 2633) was only just approved, and more lawsuits could certainly be filed, given the massive number of patients affected by the cyber attack.

Reports indicate that up to 11 million customers may have had their information compromised, although some reports put that number affected at around 4.5 million. Still, for those whose information was accessed, the results can be disatrous.

That’s because information stored by companies such as Premera could be used to commit identity theft, where thieves file for credit or tax refunds under someone else’s name. That puts the victim at risk of having his or her credit negatively affected and having lenders come after the victim for bogus mortgages and lines of credit, not to mention the trouble he or she could face for a fraudulent tax return.

Even those who aren’t victims of large-scale identity theft face the time and hassle of sorting out the consequences of having credit

READ MORE PREMERA BLUE CROSS REPORTS DATA BREACH LEGAL NEWS
Premera Data Breach Lawyer: Companies Must Face Consequences for Failing to Protect Identifying Information
Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions
Patient health information is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA also requires timely notification of information breaches, which critics say was violated here. According to some attorneys, Premera allegedly knew about issues in its security systems from an audit, but did not adequately address those issues, leaving patient information vulnerable.

Furthermore, the data breach allegedly started back in May 2014, but Premera reportedly didn’t warn customers until March 2015. Patients were notified by a letter that their personal information might have been accessed.
more...
No comment yet.
Scoop.it!

HIPAA’s demands on the IT industry

HIPAA’s demands on the IT industry | HIPAA Compliance for Medical Practices | Scoop.it

We’re familiar with signing our lives away at the doctor’s office on HIPAA paperwork, but how is this policy affecting the IT industry?

Since the mid ’90s, the Health Insurance Portability and Accountability Act has regulated health insurance coverage and health care transactions. HIPAA protects patient privacy to ensure safekeeping of all medical information the patient may not wish to disclose. Long story short: HIPAA creates a higher standard to protect patient privacy and confidentiality. HIPAA holds institutions, organizations and offices responsible for protecting private patient information — and provides a framework for punishment when violators unlawfully access or share protected information.


In the past, HIPAA primarily affected hospital procedures. However, a large shift in policy created a ripple that stretched out to the IT industry. The Health Information Technology for Economic and Clinical Health Act of 2009 added technology and financial associates to the list of regulated parties. Things changed even more in 2013 when lawmakers added the Final Omnibus Rule, which significantly expanded the act's Protected Health Information regulations. This ruling greatly changed the relationship between HIPAA and the IT industry.


The rule’s provisions allowed HIPAA to administer new regulations on modern technology and the IT industry. The Final Omnibus Rule paid special attention to cloud storage, mobile devices and remote technologies that offer new ways to access patient information — and, consequently, provide more opportunities for privacy and security breaches. Formerly, a security breach was only considered a breach if the information contained birthdates or ZIP codes. Under the Final Omnibus Rule, all breaches of limited data must be handled the same, regardless of their content.


So, where does this leave the IT industry? When a cloud database administrator or independent IT consultant works directly with protected health information, the person or company automatically becomes a business associate who is subject to the rules and penalties of HIPAA. Since health care providers and their system administrators already know HIPAA regulations well, the IT industry and service providers are now playing catch-up. This means the IT industry has to learn the new regulations quickly and thoroughly to ensure the rules are being followed accordingly. For those still playing catch-up, or those that need a refresher course, allow us to summarize the rules of Title II:


The Privacy Rule  —Gives patients more control and protection over their confidential information.


The Transactions and Code Sets Rule — Keeps transactions standard throughout the industry.


The Security Rule — Updated to accommodate for the technological advances and thus the new forms of security breaches.


The Unique Identifiers Rule — Standardizes and protects the communication between health care providers and insurers.


The Enforcement Rule — Includes harsh penalties for HIPAA violations.


For people working with medical and patient data on a daily basis, HIPAA's privacy and security rules directly affect both the hardware and the software used to store and send data. According to the U.S. Department of Health & Human Services, everything from Drug Enforcement Administration numbers to vendor finances to patient identities can be subject to security breaches in health care databases. With so much at risk, the IT industry must be aware of the new regulations and be prepared to provide counsel on security and backup plans.


IT companies have come up with several solutions for security and backup that are HIPAA compliant, due to an increased need after 2013. Cloud computing offers ease of access, reliable backups and streamlined communication. Additional private cloud options were created with HIPAA regulations in mind — making sure all operations are secure, smart and compliant. With a private cloud, data is separate, safe and in an identifiable location. Only the particular client has access to the data in private clouds, perfectly complying with HIPAA policy.


New regulations are always a headache for database administrators, but HIPAA might settle the score with its new rules by preventing many more problems in the future. Hopefully, stricter privacy regulations and more defensive systems will emphasize the importance of innovative, up-to-date storage centers and solutions.

more...
No comment yet.
Scoop.it!

Patients suing Fort Wayne medical company over data breach

Patients suing Fort Wayne medical company over data breach | HIPAA Compliance for Medical Practices | Scoop.it

Two lawsuits have been filed in federal court in Fort Wayne seeking class action status on behalf of patients who have had their data compromised by Medical Informatics Engineering.


The Fort Wayne-based medical software company has reported that the private information of 3.9 million people nationwide was exposed when its networks were hacked earlier this year. The compromised information includes patients' names, Social Security numbers, birth dates and addresses, The (Fort Wayne) Journal Gazette (http://bit.ly/1W3PLHO ) reported.


The company contacted the FBI to report the data breach in May and began issuing letters to patients, letting them know which provider's information was hacked and offering them credit monitoring services, in mid-July.


The first lawsuit was filed last week by one patient, while the second lawsuit was filed Tuesday by three other patients.


Both lawsuits are similar and accuse the company of negligence. The plaintiffs argue that the company should've realized the risks associated with collecting and storing patients' personal information, and that the company had a responsibility to protect their data, according to court documents.


The lawsuits allege that Medical Informatics Engineering failed to take steps to prevent and stop the data breach, failed to comply with industry standards for safeguarding such data, and failed to properly implement technical systems or security practices, the documents said.

"Given the risk involved and the amount of data at issue, MIE's breach of its duties was entirely unreasonable," the attorneys wrote in the lawsuit.


In addition to class action status, all four patients also are seeking damages and expenses.


Eric Jones, co-founder and CEO of Medical Informatics Engineering, confirmed to the Associated Press Thursday that the company is aware of the two pending lawsuits.


"Our primary focus at this time is on responding to requests for information to those affected and helping them to enroll in credit monitoring and identity protection services," he said.

more...
No comment yet.
Scoop.it!

Reminders on HIPAA Enforcement: Breaking Down HIPAA Rules

Reminders on HIPAA Enforcement: Breaking Down HIPAA Rules | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA enforcement is an important aspect of The HIPAA Privacy Rule, and also one that no covered entity actually wants to be a part of. However, it is essential that healthcare organizations of all sizes understand the implications of an audit from the Office for Civil Rights (OCR), and how they can best prepare.


This week, HealthITSecurity.com is breaking down the major aspects of OCR HIPAA enforcement, and what healthcare organizations and their business associates need to understand to guarantee that they keep patient data secure. Additionally, we’ll review some recent cases where the OCR fined organizations because of HIPAA violations.


What is the enforcement process?


OCR enforces HIPAA compliance by investigating any filed complaints and will conduct compliance reviews to determine if covered entities are in compliance. Additionally, OCR performs education and outreach to further underline the importance of HIPAA compliance. The Department of Justice (DOJ) also works with OCR in criminal HIPAA violation cases.


“If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it,”according to HHS’ website. “Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.”


Sometimes OCR determines that HIPAA Privacy or Security requirements were not violated. However, when violations are found, OCR will need to obtain voluntary compliance, corrective action, and/or a resolution agreement with the covered entity:


“If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.”


During the intake and review process, OCR considers several conditions. For example, the alleged action must have taken place after the dates the Rules took effect. In the case of the Privacy Rule, the alleged incident will need to have taken place after April 14, 2003, whereas compliance with the Security Rule was not required until April 20, 2005.


The complaint must also be filed against a covered entity, and a complaint must allege an activity that, if proven true, would violate the Privacy or Security Rule. Finally, complaints must be filed within 180 days of “when the person submitting the complaint knew or should have known about the alleged violation.”


Recent cases of OCR HIPAA fines


One of the more recent examples of HIPAA enforcement took place in Massachusetts, when the OCR fined St. Elizabeth’s Medical Center (SEMC) $218,400 after potential HIPAA violations stemming from 2012.


The original complaint alleged that SEMC employees had used an internet-based document sharing application to store documents containing ePHI of nearly 500 individuals. OCR claimed that this was done without having analyzed the risks associated with the practice.

“OCR’s investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome,” OCR explained in its report. “Separately, on August 25, 2014, SEMC submitted notification to HHS OCR regarding a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive, affecting 595 individuals.”


OCR Director Jocelyn Samuels reiterated the importance of all employees ensuring that they maintain HIPAA compliance, regardless of the types of applications they use. Staff at all levels “must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner,” she stated.


In April of 2015, the OCR also agreed to a $125,000 settlement fine with Cornell Prescription Pharmacy (Cornell) after allegations that also took place in 2012. In that case, Cornell was accused of improperly disposing of PHI documents. Papers with information on approximately 1,600 individuals were found in an unlocked, open container on Cornell’s property.


“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” OCR Director Samuels said in a statement, referring to the fact that Cornell is a small, single-location pharmacy in Colorado. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”


However, not all OCR HIPAA settlements stay in the thousand dollar range. In 2014, OCR fined New York and Presbyterian Hospital (NYP) and Columbia University (CU) $4.8 million from a joint breach report that was filed in September 2010.


NYP and CU were found to have violated HIPAA by exposing 6,800 patients’ ePHI when an application developer for the organizations tried to deactivate a personally-owned computer server on the network that held NYP patient ePHI. Once the server was deactivated, ePHI became accessible on internet search engines.


“In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections,” OCR explained in its statement. “Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.”


Regardless of an organization’s size, HIPAA compliance is essential. Regular risk analysis and comprehensive employee training are critical to keeping covered entities up to date and patient data secure. By reviewing federal, state and local laws, healthcare organizations can work on taking the necessary steps to make changes and improve their data security measures.

more...
No comment yet.
Scoop.it!

Hospital Slammed With $218,000 HIPAA Fine

Hospital Slammed With $218,000 HIPAA Fine | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with the HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding abreach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.
Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.

The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacyfor an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."


The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.

more...
No comment yet.
Scoop.it!

4 things to know before next data breach

4 things to know before next data breach | HIPAA Compliance for Medical Practices | Scoop.it

Data breaches are all over the news right now. Here's what you want to know.

Businesses of all kinds have been struck ranging from CVS and Costco — which last week had to take down site features amid investigations into whether consumer data was taken — to local entities like OhioHealth, which this week announced information on some patients was on a flash drive that went missing.

No one is above risk, cyber security professionals say, but what can be done to keep you out of hot water? I asked Dayton-area experts for their advice.

1. Make sure employees have rules


Employees need to know not to open suspicious e-mails and fall for scams via telephone, said Jon Gauder, president of Volo Technologies. Security policies in place often help keep employees from letting information fall into the wrong hands.

Lindsay Johnson, an attorney with Freund, Freeze & Arnold specializing in cyber security, said as employees use personal devices for more work purposes, they open up the company to risk. But it's easy to avoid.

"If you let employees have emails on their iPads and laptops, someones can get a hold of that and extrapolate data," Johnson said. "That data has to be encrypted and that can be done with minimal effort."

2. Keep your tech up to date

To protect internal assets, you want to have routers and firewalls put in place and configured to prevent intrusion attacks, Gauder said.

“Sometimes it’s a matter of having the right equipment in place, antivirus and updated security patches,” Gauder said. “There’s no 100 percent foolproof way, but sometimes it’s more responsive than preventative, but your programs have to be up to date.”

Network security audits help companies test security measures. For a Web site: if you don’t need to have data on the website, don’t store payment information on the site, Gauder said. You want to make sure you host the website with a trusted host that is respected and have a good security policy in place.

A lot of people use open source software to develop Web sites. That code is available to hackers but also means a patch to prevent piracy is going to come quicker.

"Open source software often have quick patches because more companies work off of them," Gauder said. "But people who have access to source code can still find things. Response time can be faster than proprietary software. Make sure software is up to date."

Because of that, he recommended monthly or quarterly updates to software.

3. Know who you need to tell


Reporting requirements can vary by industry, In a regulatory industry like banking and finance, reporting requirements are handled by federal law, Johnson said. For general businesses with no reporting requirements, the first thing is to make sure you know the extent of the breach and what was accessed.

Businesses are hesitant to report to legal authorities, but “it gives you credibility that you reported something to authorities right away, and they can take the efforts the need.”

Experts in law enforcement encourage businesses to report details, but businesses can be hesitant to do so. But if the safeguards are in place, you can save face to clients by having them know you reported the details right away.

Companies have had mixed reactions to breaches. Retailers like P.F. Chang's and Michael's gave the public specifics about potential data breaches, while others did not.

Johnson said it's ultimately a PR decision whether or not to make a breach public. But not doing so can risk your reputation. You should report to your clients right away and let them know the details.

"The more detail you give illustrates you are organized," Johnson said. "You’re able to identify quickly what happened, who was affected, how entry was achieved etc. If you don’t have a plan in place it will take you three times as long"

4. The law will want to know how you responded


If a lawsuit happens, it's going scrutinize what you knew about the breach and how you sought to prevent it.

The most high profile breaches, including Home Depot, have led to costly lawsuits, Johnson said. What makes a data breach potentially harmful — is if you've tried to stop it.

"In the event there was a breach, and a lawsuit, what we have seen is the courts are saying ‘you did not act commercially reasonable. You did not consider the information you let employees have on these devices.'" Johnson said. "You have to assume a data breach will happen. How they use emails, how they send data over email is an encrypted."

If the courts become involved, the big question will be what you know and when, if you acted reasonably.

When companies get sued, litigators make the case that they knew a data breach was a possibility and ignored it, and didn’t have policies and procedures to minimize attacks.

Cyber security insurance is becoming an industry standard. Companies are writing cyber security policies, Johnson said, adding it could soon be considered a standard of care.

more...
No comment yet.
Scoop.it!

Before a Medical Data Breach, Begin Your Response Plan

Before a Medical Data Breach, Begin Your Response Plan | HIPAA Compliance for Medical Practices | Scoop.it

In the last 18 months, there have been three massive data breaches involving the healthcare industry, scores of smaller breaches, and a growing trend of insider threats posed by employees who have sold protected health information (PHI) for their own personal gain. Unlike stolen credit card numbers that can be deactivated, the personal identifying information needed to commit identity-theft type crimes, such as name, address, Social Security number, and date of birth, cannot be changed easily, if at all. Because of the permanent nature of the information that they contain, health records are approximately 10 times more valuable than stolen credit card numbers on Internet black markets where they can be bought and sold in bulk.


Now more than ever, because of new threats posed by such cybercriminals, any organization that collects, uses, discloses, or stores PHI is a potential breach victim. Covered Entities and their Business Associates subject to HIPAA who suffer a data breach must act quickly and correctly in assessing the situation. They must thoroughly investigate and mitigate risks caused by the breach, attempt recovery of the lost information, and provide required notifications to affected individuals and others. Throughout this process, organizations experiencing a breach should strive to demonstrate publicly that the data loss is being handled responsibly and appropriately.


Defining a "Breach"


HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner inconsistent with the Privacy Rule that compromises its security or privacy.  In most cases, a breach is presumed to have occurred unless it can be demonstrated that there is a "low probability" that the PHI has been compromised. When performing this initial inquiry, an organization must consider:


1. The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;


2. The unauthorized person who used the PHI or to whom the disclosure was made;


3. Whether the PHI was actually acquired or viewed; and


4. The extent to which the risk to the PHI has been mitigated.


Plan Ahead for Breach Notification



Leonardo M. Tamburello
Every Covered Entity and Business Associate that handles PHI should develop its own unique breach response plan, built upon its most recent Security Risk Assessment (SRA), itself a fundamental step in the development of a comprehensive HIPAA security program. This security program should include a complete inventory of all devices containing sensitive data and policies and procedures requiring the immediate reporting of any lost, stolen, or compromised devices or media.


Using the most critical vulnerabilities identified in the SRA as a blueprint, the "worst case" scenario should be used to develop a detailed response plan. This discussion and handling of the "crisis" in a benign environment should be memorialized and refined into a formal breach response plan that identifies clear lines of communication and responsibility, including what gets done, who does it, and when they are supposed to do it.  


Merely having a breach response plan on paper is not enough. Individuals who are expected to implement the plan must understand and be equipped to execute their responsibilities.  


Whether through a medical practice's in-house counsel or an outside law firm, there are important reasons to integrate counsel into a breach response plan. Privacy counsel with breach response experience can bring valuable insight and steadying presence to an unfamiliar and sometimes chaotic situation. In the event of a follow-up investigation by HHS' Office for Civil Rights (OCR) (which is mandated in breaches affecting 500 or more individuals) or civil litigation, an organization's deliberative processes and internal communications and/or actions involving their counsel regarding breach response may be kept confidential through these doctrines. Without the involvement of counsel, the entirety of an organization's actions and communications would be potentially discoverable in the now familiar class-action lawsuits that inevitably follow data breaches.


Activating the Breach Response Plan


If it is determined that a breach has occurred, an organization should immediately take all possible steps to minimize or limit the impact of the breach while documenting its efforts to do so. Mitigation often occurs parallel with an investigation, and its own document trail, into the cause of the breach. In some cases, such as when a device is physically lost or stolen, mitigation may be impossible unless there is a way to remotely wipe the data contained on it. If the breach involves media or paper that can be tracked or retrieved, every effort should be made to recover it.  Law enforcement should be contacted if criminal activity such as theft or intrusion is suspected.  


Like other aspects of breach response, a medical practice's internal investigation into a breach should be thoroughly documented. The Privacy Officer, in consultation with privacy counsel for the organization, should collect and preserve evidence in accordance with established policies and procedures. This information may include interviews, e-mails, chat logs, voicemails, cellular calling records, computer logs, and any other information regarding the data loss.


If the breach involves cyber intrusion, the Privacy Officer will likely require the assistance of IT vendors or others such as specially-trained law enforcement divisions. Expert forensic assistance from these individuals can be invaluable when investigating a possible breach or determining the scope of known breach.


Formal Notification to Individuals, HHS, and Others


Once a breach has been internally confirmed, HIPAA requires official notification to all affected individuals and the OCR. If the breach involves 500 or more individuals, media organizations in the area where the affected individuals live must also be notified. Most times, these notifications must occur within 60 days of when the breach actually was, or should have been, discovered.


This does not necessarily mean that the breach will remain private until further disclosure. In many instances, breaches become public knowledge long before formal notification is made. To prevent such situations from spiraling out of control, it is imperative that an organization's breach response team be prepared to make public limited information in which there is a high degree of confidence, while stressing that the investigation is ongoing and this information may evolve. Scrambling to figure out a breach response strategy while trying to investigate and mitigate the possible harm can easily lend to inaccurate and/or harmful information being disseminated. Responding with silence will only intensify the scrutiny in such situations. A breach response plan will help a practice follow a "script" through an otherwise unfamiliar and potentially high-stakes crisis.


Poor breach notifications can take many shapes. Some fail to acknowledge the seriousness of the situation. Others provide incomplete or incorrect information. Another poor "response strategy" is complete silence or other tone-deaf actions which demonstrate organizational discord or a misunderstanding of the severity of the situation. Any of these missteps can be severely damaging, not only from a reputational point of view, but also during later phases if there is a formal investigation by OCR.  


After the required notifications have been made, the organization should update its current risk management plan to reflect lessons learned and vulnerabilities addressed as a result of the breach.


Conclusion


Most cyber intrusions are not brutish acts of virtual "smash and grab" thuggery, but well-planned and strategic, with the hallmarks of stealth and patience. As data collection and information sharing among healthcare providers and their affiliates grows in the future, the threats to the security and integrity of this information will continue to increase.

Failing to prepare for a breach is the same as preparing to fail at responding to one. As electronic health information continues to multiply along with data sharing among multiple providers and affiliates, preparing for this threat must become an organizational priority for everyone.

more...
No comment yet.