HIPAA Compliance for Medical Practices
59.2K views | +3 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Fearing The Dreaded HIPAA Audit?

Fearing The Dreaded HIPAA Audit? | HIPAA Compliance for Medical Practices | Scoop.it

The HHS Office for Civil Rights plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. David Holtzman, a former senior advisor at OCR and now vp of compliance services at security firm CynergisTek, offers the following outline of what providers selected for an audit can expect and how to prepare.

 

Red Flags

In a 2012 pilot audit program, security rule problems were seen twice as often as anticipated, so expect security issues addressed under a permanent audit program to be bumped up. OCR found through the pilot audits that many organizations had not conducted a security risk analysis or never updated an initial analysis-which signals that an organization is not taking HIPAA seriously. Other areas with significant deficiencies included access management, security incident procedures, contingency planning, audit controls, and movement and destruction of protected health information.

 

Getting Notified

OCR plans to send notification letters to 1,200 healthcare organizations to confirm their address, HIPAA officers, sizes and functions. This is not an audit notice, but the information will be used to build a list of those that will be audited. Organizations selected for audit by OCR will not receive email notification-they will receive a formal audit notification letter-so beware of scammers.

 

Desk Audits

About 200 covered entities and 300-400 business associates will receive notification of a "desk audit," which will include a request for submission of specific content and other documentation that demonstrates the scope and timeliness of an organization's efforts to comply with HIPAA rules. Focus areas for covered entities likely will include risk analysis and risk management, content and timeliness of breach notifications and notice of privacy practices updated to reflect changes in the HIPAA Omnibus rule implemented in 2013. The likely focus for breach audits will be risk analysis and risk management, and appropriate breach reporting to covered entities.

 

Follow Instructions

Under a desk audit, only documentation delivered on time will be reviewed. Send only the information required. Auditors likely will be looking for updated privacy practice notices, the ability of patients to get a copy of their health record and to access them electronically if desired, and how organizations treat requests to restrict access to sensitive treatment paid out-of-pocket. Desk audits, Holtzman says, are not an opportunity for a conversation or give-and-take. Auditors will not contact an organization again for clarifications or additional information; they will work only with what they get. Failure to respond to a desk audit notification likely will lead to a more formal compliance review. (Audit findings will not become a matter of public record.)

 

On-Site Audits

OCR this year and likely into 2016 will conduct on-site audits of an unspecified number of covered entities and business associates. This is more comprehensive than a desk audit, with a greater focus on privacy. Expect OCR in these on-site audits to look at security rule compliance in such areas as device and media controls, secure transmissions, encryption of data (including documented justification if you're not using encryption), facility access controls, administrative and physical safeguards, and workforce training. And expect an emphasis on training, as many organizations haven't trained since first required in 2003. "That really rubs [auditors] the wrong way," Holtzman says.

 

Plan Now

If your risk-analysis and risk-management plans are more than 2 years old, update now, Holtzman suggests. Select 10 focus areas covering both the privacy and security rules, and if vulnerabilities have not been addressed, address them. "The best process to prepare for an audit is to be prepared the day the letter arrives," Holtzman says. "Be honest with yourself. Don't paint a happy picture because you think you know what management wants to hear."


more...
No comment yet.
Scoop.it!

HIPAA breach leads to firstever neglect settlement for a healthcare provider

HIPAA breach leads to firstever neglect settlement for a healthcare provider | HIPAA Compliance for Medical Practices | Scoop.it

A recent, first-of-its-kind HIPAA settlement demonstrates that long-term care and other providers need to be vigilant about updating software and other basic security tasks, officials say.

Anchorage Community Mental Health Services in Alaska has agreed to a $150,000 settlement related to a data breach that the five-facility organization self-reported to the Department of Health and Human Services Office for Civil Rights, according to a recent bulletin from that agency. It is the first settlement related to “neglect” of systems, because the breach was traced to the provider's failure to “address basic risks,” such as running outdated software and failing to install patches.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI [electronic personal health information] on a regular basis,” stated OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

The breach was caused by malware and affected the information of more than 2,700 people, according to the OCR. The healthcare provider was cooperative with the investigation and has agreed to a corrective action plan, according to authorities.



more...
No comment yet.
Scoop.it!

Latest HIPAA settlement emphasizes need to regularly address software vulnerabilities | Lexology

Latest HIPAA settlement emphasizes need to regularly address software vulnerabilities | Lexology | HIPAA Compliance for Medical Practices | Scoop.it

On December 2, the Department of Health and Human Services, Office for Civil Rights (OCR) announced a $150,000 settlement with Anchorage Community Mental Health Services, Inc. (ACMHS) for alleged violations of the HIPAA Security Rule. The announcement followed an OCR investigation into a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals. OCR highlighted three Security Rule violations in its resolution agreement: (1) failure to conduct an accurate and thorough risk analysis; (2) failure to implement security policies and procedures; and (3) failure to have reasonable firewalls in place, as well as supported and patched IT resources. In a press release regarding the settlement, OCR Director Jocelyn Samuels noted that “successful HIPAA compliance . . . . includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

OCR began its investigation after ACMHS reported a malware-related breach of unsecured ePHI on March 12, 2012. OCR stated that the breach was the direct result of ACMHS’ failure to “identify and address basic risks” to the security and confidentiality of ePHI in its custody. ACMHS adopted sample Security Rule policies and procedures in 2005, but apparently did not implement them until OCR’s investigation began in 2012. OCR’s review of the ACMHS IT infrastructure revealed critical shortcomings including unpatched systems running outdated or unsupported software, and inadequate firewalls with insufficient threat identification monitoring of inbound and outbound traffic.

The ACMHS settlement emphasizes three key takeaways for HIPAA covered entities and business associates:

  • Tailor Security Rule compliance programs. Although the HIPAA Security Rule provides flexibility to entities in choosing the most appropriate compliance strategies, each organization must (1) conduct an accurate and thorough assessment of the particular risks facing ePHI held by the entity and (2) tailor its policies and procedures to adequately address those risks. This settlement demonstrates that a “one size fits all” approach based on template policies and procedures will not suffice for Security Rule compliance.
  • Conduct regular and thorough risk assessments. As OCR and NIST emphasized in a September conference on safeguarding health information, comprehensive risk analysis and risk management are two cornerstones of an effective IT security program. In its press release regarding the ACMHS settlement, OCR highlighted its Security Rule Risk Assessment Toolreleased in March 2014, which was developed to assist small- to medium-size providers with conducting risk assessments.
  • Regularly patch and update software. The OCR investigation determined that the breach suffered by ACMHS may have been preventable had its employees regularly patched known vulnerabilities and kept software up to date. OCR also identified the need for entities to maintain threat identification monitoring, which is significant given the dynamic and evolving cybersecurity threat landscape.

In addition to the monetary payment, the settlement agreement imposes a two-year corrective action plan. The ACMHS settlement follows a series of enforcement actions in which OCR has entered into resolution agreements and corrective action plans with HIPAA covered entities for alleged violations of the Privacy, Security, and Breach Notification Rules. In the past two years, OCR has entered into twelve HIPAA resolution agreements, with settlements totaling over $11.7 million. As OCR prepares to roll out the next phase of its audit program, which will be used as an enforcement tool and may lead to full-scale compliance reviews, HIPAA-regulated entities should examine their security practices to ensure they are appropriately managing risks to ePHI—which includes reviewing systems and applications for unpatched vulnerabilities or unsupported software.



more...
No comment yet.
Scoop.it!

What Will HIPAA Enforcer Do in 2015?

What Will HIPAA Enforcer Do in 2015? | HIPAA Compliance for Medical Practices | Scoop.it

Time to rub the dust off my crystal ball to predict what we might see from the Office for Civil Rights' in 2015 when it comes to regulatory activities and enforcement of the HIPAA privacy, security and breach notification rules.

But first, note that 2014 represented a year of significant changes in leadership and approach for OCR, the unit of the Department of Health and Human Services that's responsible for HIPAA enforcement. Jocelyn Samuels joined OCR as its director in July. She was tapped to lead the agency by HHS Secretary Sylvia Mathews Burwell when Leon Rodriquez was confirmed as director of the U.S. Citizenship and Immigration Services.

 I expect the agency will launch more high-profile enforcement actions in 2015. 


Additionally, OCR's health information privacy division is being led by an acting deputy director following the retirement of Susan McAndrew.

The OCR division responsible for overseeing the work of its regional offices, including enforcement efforts, is also being led by an acting deputy director. In addition to the leadership changes in Washington, three of the 10 managers leading OCR's regional offices were newly appointed this year. That's a lot of leadership change in a short period.

Enforcement Actions

The recent OCR settlement in which an Alaska mental health organization paid a $150,000 fine and agreed to a corrective action plan over shortcomings in their security rule compliance program is the first since director Samuels took over the agency.

This resolution agreement could signal that OCR is regaining its footing after the transition to a new leadership team and will be moving ahead more aggressively to reach settlement agreements in cases where the agency finds serious violations of the privacy and security rules. According to OCR's website, there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews being investigated. I expect the agency will announce more high-profile enforcement actions in 2015.

Through the 2009 HITECH Act, Congress mandated HHS to make a number of significant changes to the privacy regulations, expanding the jurisdiction oversight to business associates, and encouraging the development of new tools for enhanced regulatory enforcement.

The tools include self-funding HIPAA enforcement authority from fines and penalties collected by OCR and an audit program to measure industry compliance. However, significant provisions of the HITECH Act have not been adopted or are in some stage of development. What are the prospects for the remaining provisions of HITECH to be enacted in 2015?

Accounting of Disclosures

The HITECH Act mandated an expansion of the HIPAA Privacy Rule's current standard for covered entities to provide individuals an accounting of unauthorized disclosures, which exempts disclosures made for purposes of treatment, payment or healthcare operations, or TPO. Congress called on HHS to revamp the standard by requiring accounting for disclosures to include TPO disclosures by covered entities and businesses using electronic health records.

In its 2011 proposed rulemaking, HHS sought to give individuals an accounting of uses in addition to expanding the disclosures to be reported. Under intense pressure to scale back the scope of the proposed rule, HHS had its panel of outside experts, the Privacy and Security Tiger Team, made recommendations in December 2013. The team has since disbanded with HHS taking no action on their recommendations. Nor does publication of a final rule appear to be in the offing anytime soon.

Monetary Settlements

Under HITECH, Congress called for HHS to develop a methodology to distribute a percentage of monetary settlements collected by OCR to individuals affected by breaches.

The first step was for the Government Accountability Office to make recommendations to HHS on a methodology to share a percentage of the proceeds from fines and penalties with consumers harmed by the unlawful uses or disclosures resolved through OCR's investigation. Although the GAO apparently has delivered its recommendations, the HHS regulatory agenda does not include a proposal under development or being reviewed.

With continuing pressures on federal spending restricting the growth of agency budgets and resources to support OCR's expansive mission, it seems unlikely that the office will aggressively pursue an initiative that would result in the sharing with consumers the proceeds from its monetary settlements from HIPAA enforcement actions.

HIPAA Audits

The HITECH Act also called on OCR to perform periodic audits of covered entities and business associates' compliance with the HIPAA rules. With funding provided through HITECH, OCR developed and implemented a pilot audit program through which 115 audits of covered entities were conducted.

Beginning in early 2015, OCR plans to audit 200 covered entities, including healthcare providers and group health plans, to measure their compliance with the HIPAA privacy, security and breach notification rules requirements. These audits of covered entities will be followed by up to 400 audits of business associates to measure their compliance with the security rule and how they intend to approach their obligations under the privacy and breach notification rules.

In comments at the the September 2014 HIPAA security conference hosted by OCR and the National Institute of Standards and Technology, OCR's Iliana Peters said it was the agency's intention to use the audit findings as a tool in the enforcement arsenal. Covered entities found to have significant gaps in their HIPAA compliance will be ripe for follow-up compliance reviews and could face penalties.

With millions of dollars of monetary penalties collected from covered entities since adoption of the HITECH Act changes, this is the one OCR initiative that seems on track. Don't wait for your notice from OCR to prepare for your HIPAA compliance audit. Take action now by going through the steps to ready your organization if it were to be randomly selected for one of those audits.


more...
No comment yet.
Scoop.it!

BOSTON: Children's Hospital settles over data breach | Technology | The Bellingham Herald

BOSTON: Children's Hospital settles over data breach | Technology | The Bellingham Herald | HIPAA Compliance for Medical Practices | Scoop.it

Boston Children's Hospital has agreed to pay $40,000 and bolster its patient data security following a data breach that compromised the personal information of more than 2,100 patients, the state attorney general's office announced Friday.

The judgment, entered in Suffolk Superior Court, alleges the hospital failed to protect the health information of the patients, about 1,700 of whom were children.

The data — including names, birthdates, diagnoses and surgery dates — was on a hospital-issued unencrypted laptop stolen from a doctor on official business in Argentina in May 2012. The information had been sent in an email from a colleague.

Under the terms of the consent judgment, the hospital will pay a $30,000 civil penalty and a payment of $10,000 to a fund administered by the attorney general's office for educational programs concerning protected health information.

"Today's settlement will put in place and enforce important technological and physical security measures at Boston Children's Hospital to help prevent a breach like this from happening again," Attorney General Martha Coakley said.

The hospital said it has already toughened security protocols.

"After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that Boston Children's security policies and technologies are state-of-the-art," the hospital said in a statement. "Every device that is issued by Boston Children's is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted."


more...
No comment yet.
Scoop.it!

Health Care Industry To See Phishing, Malware Attacks Intensify in 2015 -

Health Care Industry To See Phishing, Malware Attacks Intensify in 2015 - | HIPAA Compliance for Medical Practices | Scoop.it

That’s the analysis of industry executives who contend the information security threats facing health care institutions will only intensify in 2015. They say attackers believe hospitals and health systems hold a wealth of data, from credit card information to demographic details to insurance beneficiary data. The notion that health care trails other industries in IT security may encourage attempts to seize those data.

But while attacks are on the rise, health care budgets aren’t quite as buoyant.

Phyllis Teater, CIO and associate vice president of health services at the Ohio State University’s Wexner Medical Center, said, “The threats continue to mount … at a time when all of health care is looking to reduce the cost of delivering care.”

Earlier this month, Art Coviello — executive chair of RSA, the security division of EMC — predicted that “well-organized cyber criminals” will ramp up their efforts to steal personal information from health care providers. Coviello, in what has become his annual security outlook letter, described health care information as “very lucrative to monetize” and “largely held by organizations without the means to defend against sophisticated attacks.”

Some health care providers, however, plan to strengthen their defenses. Health care organizations’ expected security priorities for 2015 include:

  • Encryption and mobile device security;
  • Two-factor authentication;
  • Security risk analysis;
  • Advanced email gateway software;
  • Incident response management;
  • Expansion of IT security staff; and
  • Data loss prevention (DLP) tools.
Uptick in Attacks

Lynn Sessions, a partner with the law firm BakerHostetler, cited an uptick in cyber-attacks targeting health care. Sessions, who specializes in health care data security and breach response, said much of her firm’s activity once focused on unencrypted devices that were lost or stolen, unencrypted backup tapes and email delivered to the wrong recipient. Those incidents were typical of the years immediately following the passage of the HITECH Act, which in 2009 established a breach notification duty for HIPAA-covered entities. But since the beginning of 2014, the rise of hacking and malware attacks has become “very noticeable,” Sessions said.

That trend seems likely to carry over into 2015.

Scott Koller, a lawyer at BakerHostetler who focuses on data security, data breach response and compliance issues, said he believes two types of attacks will see increased prevalence next year:

  • Phishing; and
  • Ransomware.

Phishing attempts to convince users to give out information such as usernames and passwords or credit card numbers. In settings such as health care, phishing may also provide a stepping stone for more advanced attacks, Koller noted. For example, a user could open an attachment in a phishing email that installs malware on the user’s device. From that foothold, an attacker could then infiltrate the enterprise network.

“Phishing emails often provide the entry point,” Koller said.

Attackers, he added, have become adept at disguising their phishing emails.

“They are much more sophisticated in terms of crafting them and targeting them to users and making them more difficult to detect,” Koller explained.

Phishing emails can also serve as a vehicle for ransomware attacks, which encrypt the data on a computer’s hard drive. Cyber criminals demand payment from users before they will provide the means to unlock the data.

CryptoLocker and CryptoWall are examples of ransomware. In August, the Dell SecureWorks Counter Threat Unit research team reported that nearly 625,000 systems were infected with CryptoWall between mid-March and late August 2014. The researchers called CryptoWall “the largest and most destructive ransomware threat on the Internet” and one they expect will continue expanding.

To further complicate matters, ransom may be demanded in the form of bitcoin, a digital currency. The use of bitcoin makes the perpetrators a lot harder for law enforcement to track down, Koller said. He said he anticipates that ransomware will see greater prevalence and use in the future.

Tightening Security

Against the backdrop of increasing attacks, health care organizations are taking steps to boost their IT security.

Ohio State’s Wexner Medical Center, for example, plans to make staffing a focal point of next year’s IT security investment. It expects to fill three openings over the next few months.

“Much of our investment is in recruiting top talent and growing the team by adding” full-time employees, Teater said.

Technology adoption is also in the works.

“We are deploying a new mobile security tool that has better capabilities,” she said. “We are also starting down the road to deploy data loss prevention” in conjunction with the Ohio State University.

In addition, Ohio State’s medical center is looking at how to enable two-factor authentication for use cases such as remote/mobile access and e-prescribing, Teater noted.

Koller said two-factor authentication will rank among the top IT security measures health care organizations take on in 2015. Two-factor authentication typically involves a traditional credential, such as user name/password and adds a second component such as a security token or biometric identifier.

Two-factor authentication does a good job of counteracting phishing emails, Koller said. If an attacker obtains an employee’s username/password via phishing, it will still lack the additional authentication factor, he noted.

Koller also cited encryption as another security measure health care providers should look to deploy next year. He said that larger institutions already recognize encryption as an issue but that smaller practices still struggle to find ways to implement encryption for laptops and mobile devices.

“Encryption very much needs to be on everybody’s radar,” he said.

To date, it hasn’t been. Forrester Research in September reported that “only about half” of health care organizations secure endpoint data through technology such as full-disk encryption or file-level encryption.

Health care providers next year may also invest in incident response management, as well as prevention.

Mahmood Sher-Jan, vice president and general manager of the RADAR Product Unit at ID Experts, said most people accept that security incidents are a certainty, which places the emphasis on risk reduction and response. ID Experts provides software and services for managing incident response.

Chief information security officers and health care IT security personnel “recognize now that their success is going to be measured on how they manage incident response and minimize the impact on reputation and churn,” Sher-Jan said.



more...
No comment yet.