HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAAChat: secure messaging and telemedicine platform


To provide the best care for our patients, physicians and healthcare workers must communicate constantly. For many of us, text messaging, push-to-talk messages, and video calling have become the preferred method of contact.


However, SMS, FaceTime, Skype, and iMessage are not technically HIPAA-compliant platforms. Even though some, like FaceTime, may meet data security standards that could make them HIPAA compliant, they don’t necessarily commit to compliance.


We have seen an influx of HIPAA-compliant secure messaging apps over the past few years, like AthenaText, Doximity, TigerText, and others. HIPAAChat enters this market as an easy-to-use app with an intuitive format and some pretty unique features that make it stand out. Following the acquisition by Everbridge, a world leader in cloud-based, unified critical communications, HIPAAChat also incorporates advanced Enterprise utility and interoperability. Secure text, group chat, image transfer – check. Dictate/audio transfer/push-to-talk – check. Real-time, live video calling? You bet! HIPAAChat provides all these features packaged in an app that is as easy to use as iMessage and FaceTime.


User Interface


After downloading the HIPAAChat app, setup was extremely simple and only required input of your name, email, and phone number. Optional information included a photo upload and a 4-digit PIN setup if your phone isn’t fingerprint or password protected. In order to connect with colleagues, both parties must have the app on their smartphone. However, within the app you can select people from your existing contacts or enter a phone number or email, and an invitation will be sent prompting them to download the app to begin HIPAA-compliant communication.


HIPAAChat is available for both Android and iPhone devices, so the app can facilitate secure messaging between all members of the care team, including physicians, nurses, social workers, consultants, etc. One of the main features that kept me using the HIPAAChat app is the simple, clean, and intuitive interface. I have been using this app to answer questions about patients from residents and referring doctors. Despite a busy clinical and surgical volume, the app allows for minimal disruption of my current routine.


Functions


Messaging


The messaging features are standard and work the same as SMS or iMessage. The interface shows when a message was read and also displays when a message is being typed. A nice feature of this and other secure messaging apps is the ability to send group texts to multiple users. The Enterprise software allows for additional features, including the creation of group distribution lists via Active Directory/ADAM and LDAP synchronization. This would be particularly useful for alerting specialized medical teams, such as a Stroke Team, Code Team, Trauma Team, etc. In our practice, we have been using HIPAAChat to relay information on surgical or clinic add-ons, questions on patient management, and consultations from other doctors.


Photos


In ophthalmology, as with many other medical specialties, we heavily rely on imaging for patient care. A picture is often worth a thousand words. HIPAAChat allows for secure transmission of photos with a simple tap of the camera icon. Users can choose to take a new photo or choose an existing photo, without leaving the app interface. One feature missing in the current version is the ability to transmit saved videos asynchronously.


Touch-to-talk/Talk-to-text


Walkie-talkie or push-to-talk allows recording voice messages with the touch of a button. This feature actually plays the audio message instead of converting it to text. However, the audio message is played back over the speaker, so you must be cognizant of people around you, as they will hear the message. In addition to touch-to-talk, the app also allows talk-to-text, making it extremely easy to dictate text messages on the fly. With the release of smart watches like the Apple Watch, these features could open the door to efficient audio messaging on your wrist, since these devices won’t allow texting on their screens. Message alerts show up on the Apple Watch, but the current version will not display actual messages, although future versions are likely to incorporate smart-watch support.


Audio/Video calling


A main distinguishing feature of HIPAAChat from several competitors is the ability for real-time audio and video calling. As a result, the HIPAAChat app can also serve as a telemedicine platform. The video calling has a similar interface to FaceTime or Skype, again contributing to the ease of use and intuitive nature of the app. Call clarity and picture quality were very good, without any significant delays or picture freezes when I used it on our Wi-Fi network.


Security


With maximum fines of $50,000 per violation and up to $1.5 million annually for repeat violations, secure messaging of PHI is imperative. HIPAAChat allows for secure, encrypted transmission of messages as part of the Everbridge platform. The app meets the administrative, technical, and physical safeguards required by the HIPAA Security Rule.


Enterprise


I have been using the basic HIPAAChat lite, which is free to download and offers the core secure communication features. The Enterprise level adds an IT administrator console for managing users and devices, Active Directory sync, archiving and data retention, auditing, reporting, and analytics. Additionally, the Enterprise version facilitates system integration with EHRs, labs, admissions/discharge/transfer systems, and nurse call/intercom systems. For institutions wanting custom integration, fully documented APIs are available and can be tailored to specific needs.


Telemedicine


The live video calling feature of the HIPAAChat app sets it apart from other secure messaging apps that I have used. Whereas two systems are usually needed for secure messaging and telemedicine, HIPAAChat combines the two in one platform. Additionally, unlike many telemedicine platforms, the physician can access secure video on their smartphone or tablet, making it truly portable.


The HIPAAChat platform enables physicians to communicate virtually with other medical staff, consultants, and even patients from anywhere. I have found that the video consultations can be very useful in the emergency room setting, often preventing unneeded transfers, follow-up, or unnecessary treatment. Everbridge also offers an iCart that serves as a mobile telemedicine platform, ideally suited for the emergency room. The iCart is a mobile cart on wheels with the attachment of a tablet. The housing of the tablet allows for attachment of video lights, a Wood’s lamp, and macro lenses specifically for ophthalmology and dermatology.

Lyfe Media's curator insight, June 19, 2015 1:48 PM

Technology is quickly coming to the medical field's rescue by improving processes and cutting costs. HIPAAChat is just one of the tools doing exactly that. This article explains the different features the app has and how it's making incredible improvements to a necessary industry. LyfeNews


What Happens in HIPAA Audits: Breaking Down HIPAA Rules


HIPAA audits are something that covered entities of all sizes must be prepared to potentially go through. As technology continues to evolve, facilities need to ensure that they are maintaining PHI security and understand how best to keep sensitive information secure.


The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) had originally scheduled its second round of HIPAA audits for the fall of 2014, yet as of this publication, round two is still waiting to be scheduled. Regardless, HIPAA audits are an essential aspect of the HIPAA Privacy and Security Rules.


We’ll break down the finer points of the audit process and why it is important, while also highlighting tips for facilities in case they are selected for an OCR HIPAA audit.


What are the HIPAA audits?


The OCR HIPAA audit program was designed to analyze the processes, controls, and policies that selected covered entities have in place in relation to the HITECH Act audit mandate, according to the HHS website.

OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

The HIPAA audits also are designed to cover HIPAA Privacy Rule requirements in seven areas:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures.


Why are the HIPAA audits important?


HIPAA audits are not just a way for OCR to ensure that covered entities are keeping themselves HIPAA compliant. Periodic reviews of audit logs can help healthcare facilities not only detect unauthorized access to patient information but also provide forensic evidence during security investigations. Auditing also helps organizations track PHI disclosures, learn about new threats and intrusion attempts, and even determine the overall effectiveness of the organization’s policies and user education.


In FY 2014 alone, the OCR resolved more than 15,000 complaints of alleged HIPAA violations, according to the national FY 2016 budget request proposal report.


“OCR conducted a pilot program to ensure that its audit functions could be performed in the most efficient and effective way, and in FY 2015 will continue designing, testing, and implementing its audit function to measure compliance with privacy, security, and breach notification requirements,” the report authors explained. “Audits are a proactive approach to evaluating and ensuring HIPAA privacy and security compliance.”


The HIPAA audits are important because they help incentivize covered entities to remain HIPAA compliant, but they are also an opportunity to strengthen an organization’s security measures and find any weak spots in its approach to security.


What if I am selected for the HIPAA audit program?


As previously mentioned, there is not yet an exact date for when the next round of HIPAA audits will take place, but there have been several reports that preliminary surveys have been sent to covered entities that may be selected for audits.


According to a report in The National Law Review, OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards. Furthermore, OCR will audit 100 covered entities for compliance with the Privacy Standards and 100 covered entities for Breach Notification Standards compliance.


Whether your organization received one of those surveys or not, it’s important for entities to have at least a basic plan in place for potential audits. Healthcare organizations should not rely on a false sense of security; when their data systems and safeguards are reviewed, facilities should keep in mind what the OCR would be looking for so that no areas are missed.


Current physical safeguards, administrative safeguards, and technical safeguards are not only required by the Security Rule, but they work together to protect health information. In addition to those areas, here are a few key things for covered entities to maintain, as they may play a role in the HIPAA audit process:


  • Perform comprehensive and periodic risk analyses.
  • Keep thorough inventories of business associates and their contracts or BAAs.
  • Maintain thorough records of where ePHI is stored, including but not necessarily limited to internal databases, mobile devices, and paper documents.
  • Keep thorough records of all security training that has taken place.
  • Keep documented evidence of the facility’s encryption capabilities.


If covered entities have performed a proper risk assessment, preparing for the HIPAA audits will not be as daunting. For further discussion on the legal implications of risk assessments and analyses.


Maintain compliance and stay prepared


Perhaps one of the best ways to prepare for a potential OCR HIPAA audit is to keep all three safeguards current, adjusting them as necessary as technology evolves.


It is also essential for covered entities to know their BAs, and have all appropriate contracts and business associate agreements in place and up to date.


Conducting periodic risk analyses will also be beneficial, and covered entities should be able to provide evidence of compliance. This can include documentation that policies and procedures are in place. For example, records of instances where a facility has sanctioned people, and whether the sanctions were consistent with its sanctions policy, will be useful if an audit looks at the sanction process.


Without a risk analysis, it is much more difficult for healthcare organizations to know where they are in terms of security. This can be detrimental not only for HIPAA audits, but also in maintaining comprehensive data security. Periodic reviews will help facilities continue to work toward maintaining HIPAA compliance and keeping sensitive data as secure as possible.


HIPAA Violation Leads to Probation for Radiologist


An Ohio radiologist is facing disciplinary actions from the state medical board after she reportedly committed a HIPAA violation.

Dr. Aimee Hawley unlawfully accessed a colleague’s medical record, according to a DOTmed News article, and her medical license is now on probation. However, Hawley will still be able to practice medicine during her probation period.


“No one can access a patient’s medical records unless they are a treating or consulting physician or have permission from the patient,” Joan Wehrle, education & outreach program manager at the State Medical Board of Ohio, told the news source, adding that this is a learning opportunity for all caregivers.


Wehrle added that the source of the complaint is protected and confidential.


Hawley is required under the consent agreement to comply with a reprimand and probationary punishment, according to DOTmed. The agreement states that Hawley “intentionally accessed the electronic medical records of a physician colleague (and) further admits that she was not a treating physician, nor was she asked to consult, or provide diagnostic service.”


Hawley must also agree to certain terms under the consent agreement:


  • Quarterly declarations to confirm compliance
  • Face-to-face meetings as requested by the medical board
  • Attend medical ethics training, including submitting a written report on what she learned
  • Write a letter of apology to her physician colleague


Employees inappropriately accessing patient records is unfortunately not a new scenario. Toward the end of last year, an Indiana Court of Appeals upheld the ruling that Walgreens can be held liable for its employee’s role in HIPAA violations.


In that case, a Walgreens pharmacist allegedly inappropriately accessed a woman’s prescription data and exposed it to her husband. A six-person Indiana jury awarded the woman $1.44 million from that health data breach. The plaintiff argued that Walgreens hadn’t done enough to properly train and supervise its employee on protecting patient data and that the employee hadn’t done her job to secure that data.


“By choosing to appeal, Walgreen has now created a precedent,” according to prosecuting attorney Neal Eggeson Jr., “confirming that privacy breach victims may hold employers accountable for the HIPAA violations of their employees.”


In a February interview with HealthITSecurity.com, Marty Edwards, MS, CHC, CHPC, Compliance Officer at Dell Services Healthcare and Life Science division, also touched on this topic. Edwards explained that “the human factor” is critical for any healthcare organization, and that a lack of knowledge about HIPAA could be harmful.


“You have to keep in mind that all the users that have access to that data have a role or responsibility, and are using that information for a specific purpose,” Edwards said. “So it’s up to those users to make sure that they follow the necessary processes, procedures and policies in place for the disclosure of that information.”


Facilities must ensure that all employees understand what the Privacy and Security Rules are about, and also understand their obligations as staff members. Moreover, covered entities should teach employees how to tie those obligations back to existing practices within the organization.
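The audit-log review recommended in the HIPAA audits article above, applied to the test stated in this consent agreement (treating physician, asked to consult, or providing a diagnostic service), as an added example that is not code from either article: each chart access in a constructed audit log is checked against a constructed table of care relationships, and accesses with no active relationship are flagged, with an extra reason when the chart belongs to a workforce member. The log format, user names, MRNs, tables and dates are all assumptions of the example.

```python
"""Flag EHR chart accesses that lack an active, documented care relationship."""
from collections import Counter
from datetime import date, datetime

# Constructed audit log (format, users and MRNs are assumed for this example).
AUDIT_LOG = """\
2015-05-04T08:12:03 user=dr_ruiz patient=MRN-1001 action=VIEW_CHART
2015-05-04T08:40:17 user=dr_ruiz patient=MRN-1002 action=VIEW_CHART
2015-05-04T09:05:44 user=rad_tech_kim patient=MRN-1003 action=VIEW_IMAGING
2015-05-04T11:30:09 user=dr_ruiz patient=MRN-2001 action=VIEW_CHART
2015-05-04T11:31:20 user=dr_ruiz patient=MRN-2001 action=VIEW_NOTES
2015-05-05T07:55:02 user=nurse_okafor patient=MRN-1001 action=VIEW_CHART
2015-05-15T10:02:51 user=dr_ruiz patient=MRN-1002 action=VIEW_CHART
"""

# Constructed care relationships: (user, patient, role, first day, last day).
# Roles mirror the consent agreement's test: treating, consulting, diagnostic.
RELATIONSHIPS = [
    ("dr_ruiz", "MRN-1001", "treating", "2015-04-20", "2015-06-30"),
    ("dr_ruiz", "MRN-1002", "consulting", "2015-05-01", "2015-05-10"),
    ("rad_tech_kim", "MRN-1003", "diagnostic", "2015-05-04", "2015-05-04"),
    ("nurse_okafor", "MRN-1001", "treating", "2015-05-05", "2015-05-12"),
]

# Constructed: charts that belong to workforce members (a colleague's record).
WORKFORCE_PATIENTS = {"MRN-2001"}


def parse_log(text):
    """Parse 'timestamp key=value ...' lines; the timestamp becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def relationship_status(user, patient, when):
    """'active' if a relationship covers `when`, 'inactive' if one exists for
    this user/patient pair but does not cover it, 'none' if there is none."""
    status = "none"
    for rel_user, rel_patient, _role, first, last in RELATIONSHIPS:
        if (rel_user, rel_patient) != (user, patient):
            continue
        if date.fromisoformat(first) <= when <= date.fromisoformat(last):
            return "active"
        status = "inactive"
    return status


def review(log_text):
    """Return one finding per access event that fails the relationship test."""
    findings = []
    for ev in parse_log(log_text):
        status = relationship_status(ev["user"], ev["patient"], ev["ts"].date())
        reasons = []
        if status == "none":
            reasons.append("no documented care relationship")
        elif status == "inactive":
            reasons.append("care relationship exists but was not active on access date")
        # A colleague's chart opened without a relationship deserves extra weight.
        if reasons and ev["patient"] in WORKFORCE_PATIENTS:
            reasons.append("patient is a workforce member")
        if reasons:
            findings.append({"user": ev["user"], "patient": ev["patient"],
                             "action": ev["action"], "ts": ev["ts"],
                             "reasons": reasons})
    return findings


def findings_per_user(findings):
    """Count findings by user so repeat patterns surface first."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    for f in review(AUDIT_LOG):
        print(f["ts"].isoformat(), f["user"], f["patient"], f["action"],
              "; ".join(f["reasons"]))
```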


Health Research Bill Would Alter HIPAA


Some privacy experts are concerned that a bipartisan 21st Century Cures bill, as drafted, would weaken HIPAA privacy protections for patient information. The measure, among other things, is designed to help the medical community speed up the development of new drugs and treatments.


A discussion draft unveiled on April 29 proposes that the Secretary of the Department of Health and Human Services would "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under the current HIPAA Privacy Rule, PHI is allowed to be used or disclosed by a covered entity for healthcare treatment, payment, and operations without authorization by the patient. If a proposed provision in the draft legislation is signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved.

The draft was jointly issued by Fred Upton, R-Mich., chairman of the House Energy and Commerce Committee, Rep. Diana DeGette, D-Col., ranking member of the Oversight and Investigations Subcommittee, and several other Republican and Democratic House members. Work on the legislation began a year ago, and a markup version of the bill, which covers a broad range of topics, is expected this week.

"Most significantly, the bill would require HHS to revise the HIPAA regulations so that uses and disclosures for research are treated the same as uses and disclosures for a covered entity's own healthcare operations, as long as any disclosures go to a HIPAA covered entity or business associate," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"This seems to mean that such research uses and disclosures could occur without an individual's authorization or an Institutional Review Board's or Privacy Board's waiver of authorization," he says. Essentially, research uses and disclosures would only be restricted by the 'minimum necessary' standard, he says. The HIPAA Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the "minimum necessary" to accomplish the intended purpose.

Easing Research

Backers of the bill say it's needed because it could help knock down barriers to advancing medical innovation and treatment, including tapping breakthroughs in molecular medicine, genomics and related health technologies.


"For the first time ever, we in Congress are going to take a comprehensive look at what steps we can take to accelerate the pace of cures in America," DeGette says in a statement. "We are looking at the full arc of this process - from the discovery of clues in basic science, to streamlining the drug and device development process, to unleashing the power of digital medicine and social media at the treatment delivery phase."


A source at the Energy and Commerce Committee says the markup of the bill is expected on May 14. "We are very careful to limit the potential to use PHI for research purposes only to covered entities and business associates working for covered entities - trusted organizations that have a relationship with the individual and that are already allowed to use PHI to improve care," the source says. "The committee wants those covered entities to not only improve care in their own institution, but be able to publish the findings of their research - without disclosing any identifiable PHI, of course. The bill ensures that PHI used for research is fully covered by the protections of the HIPAA privacy, security and breach reporting rules."


But some privacy experts say the bill goes too far in potentially removing patient privacy protections when it comes to the use of PHI for research.


The privacy provisions, as they appear in the draft bill, "roll back essential protections of the control that patients have over how their information is used and disclosed," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Because PHI used for research could involve genetic information, the [research exemption] could potentially provide [use and disclosure] of information on the genetic traits of family members. Once that data is out, you can't get it back."

Other Privacy Provisions

The bill also proposes providing individuals with one-time authorization that would allow the use and disclosure of their PHI for future research purposes.


"In cases where the covered entity or business associate needs an authorization, it would require HHS to put its interpretation into regulation that an authorization can encompass future research studies," Greene says. "The bill's proposals appear to further expand the authority to use and disclose protected health information for research and codify in regulation a recent HHS interpretation allowing an advanced authorization for future research."


While HHS indicated in the HIPAA Omnibus Rule commentary that an authorization may authorize uses and disclosures of protected health information for future research studies, Greene says, "this bill would require HHS to put this into the HIPAA regulations themselves."

Deborah C. Peel, M.D., founder of Patient Privacy Rights, an advocacy group, tells Information Security Media Group the future-research proposal is "a very bad idea," adding "no data should ever be used except for a single purpose. It's especially bad because today we have no 'chain of custody' for our health data. It's impossible to know where in the world it is or how it's being used. The risks of today's ubiquitous data surveillance and collection systems are unknown. When has it ever been smart to agree to something you have no understanding of?"


Another provision in the draft bill would give researchers remote access to PHI maintained by a covered entity if "appropriate security and privacy safeguards are maintained by the covered entity and the researcher, and the protected health information is not copied or otherwise retained by the researcher."


Greene says that in cases where the disclosure of PHI is to a researcher that is not a covered entity or business associate, "the statute would broaden the permission for disclosing protected health information preparatory to research, allowing a covered entity to grant remote access to the researcher, rather than requiring that the review occurs at the facility."


Additionally the bill would make changes regarding PHI used in paid research. "The proposed bill appears to also allow covered entities and business associates to receive remuneration, such as payments, in exchange for disclosing protected health information for research," Greene notes. "Currently, such payment would be limited to the reasonable cost for preparation and transmittal of the protected health information."


The remuneration proposal also diminishes patients' control over how their PHI is used for paid research, Holtzman says. "The proposals remove key reforms in the HITECH Act [HIPAA Omnibus final rule] that require specific [patient] authorization for disclosures of information when money is changing hands," Holtzman says. "That [HITECH provision] is to give an individual a choice when there is remuneration involved. The proposal would roll back important rights requiring patient permission when their health information is disclosed in exchange for payment."

More Scrutiny Needed

Holtzman says he hopes the provisions in the draft bill are thoroughly vetted before the legislation progresses further. "This document appears to be in the early stages. I trust that the privacy community would undergo exhaustive debate and review of this document at it develops."


Greene predicts that the proposal "may garner strong views from both the research community and privacy advocates, with researchers perhaps indicating that HIPAA is standing in the way of good research and that these changes are necessary, while some privacy advocates may claim that these changes go too far in allowing uses and disclosures without an individual's consent or authorization."

Peel, the consumer advocate, contends: "These new provisions are really out-of-date and clearly designed for paper consents - a total nightmare."


Under the current language in the bill, HHS would be required to make the changes to HIPAA "not later than 12 months after the date of the enactment of the Act."



Data breaches focus of proposed Illinois law


April 25--A bill that would strengthen the state's data breach notification law has passed the Senate by a vote of 35-13.

S.B. 1833, sponsored by state Sen. Dan Biss of Evanston, was quickly praised by Illinois Attorney General Lisa Madigan.

"The growing frequency and scope of data breaches has necessitated an overhaul of Illinois' notification law," Madigan said in a news release. "This measure will ensure that people receive timely information when a breach occurs so they can work to limit their exposure to identity theft."

Madigan drafted the bill to strengthen the state's Personal Information Protection Act. The original act was passed in 2005, at Madigan's behest. It made Illinois among the first states nationwide to require businesses and other entities that suffer a data breach to notify Illinois residents if the breached information included residents' drivers' license numbers, social security numbers, or financial account information.

Since then, the amount of sensitive information collected about consumers has expanded, and the threat of data breaches has increased significantly.

"Between computers, phones and tablets, information is almost always at our fingertips. But the downside to that connectivity is that there are new ways for individuals to access personal information," Biss said in a news release.

The bill was endorsed by Citizen Action Illinois and the Heartland Alliance, among others. It would expand the type of information that triggers a breach notification to consumers, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts.

The bill would also require entities holding sensitive information to take reasonable steps to protect the information, to post a privacy policy describing their data collection practices, and to notify Madigan's office when breaches occur.

The Illinois Attorney General's office is creating a website that will list every data breach that affects Illinois residents in an effort to increase their awareness.

Edwardsville police reported Thursday that they have taken 129 such incident reports in 2015, compared to just 9 in 2014.

Edwardsville resident Joe Baird said Thursday that the joint income tax that he and his wife filed this year was rejected recently because someone had stolen his wife's social security number and used it to collect a refund. "We had to go in and sign affidavits and all kinds of paperwork and then send it back to the government," Baird said.

The return, he said, had been filed electronically. The refund would be relatively small, he said. Still, Baird says he's hoping to find out who got the original refund, and how much they received.

"In this day of computers, it seems like nobody's safe anymore."

With its passage this week, SB 1833 now goes to the House for consideration.


Researchers examine balancing privacy risk, utility of de-identified health data


Researchers have shown how easy it is to re-identify patients in de-identified data, yet de-identified data can lose its value as more identifying factors are stripped out.


In a study published in the Journal of the American Medical Informatics Association, researchers from Vanderbilt University and elsewhere extended an algorithm to explore policy options that balance risk of violating a patient's privacy vs. the use of data for society.

The Safe Harbor model defined by HIPAA is one policy that specifies 18 rules, including suppression of explicit identifiers such as names, and generalization of "quasi-identifiers," such as date of birth, requiring recording the age of all patients over 90 as 90+. This rigid rule-based policy might not be ideal for sharing every data set, such as studies on dementia patients.


So the law allows alternatives, provided the risk of re-identification is appropriately measured and mitigated. A Centers for Medicare & Medicaid Services dataset, for instance, published on the Internet would carry a high risk because the system is completely open and the users unknown. Health data to be used by a trusted party with a data-use agreement and strong information security practices could be allowed a policy that favors utility over risk.


The researchers used the Sublattice Heuristic Search algorithm with U.S. census data from 10 states to show that it can be applied to recommend rule-based de-identification policy alternatives for patient-level datasets with less risk and more utility than Safe Harbor and other models.


Harvard researchers have shown that patients can be re-identified with just their Zip code, date of birth and gender, along with other publicly available data such as voter rolls.
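The rule-based Safe Harbor policy described above, together with the zip/birth date/gender linkage the Harvard researchers demonstrated, as an added example (code written for this page, not from the JAMIA study or its authors): explicit identifiers are suppressed and quasi-identifiers generalised on a constructed patient table, then the residual risk is measured twice, as the smallest equivalence class inside the released table and as the number of records a holder of a constructed voter roll could still single out. The reference date AS_OF, the set of low-population 3-digit zip areas SMALL_ZIP3 (Safe Harbor's zip rule, not mentioned in the article), and every name, MRN, zip code and date are assumptions of the example.

```python
"""Safe Harbor-style de-identification followed by a re-identification check."""
from collections import Counter
from datetime import date

# Constructed sample data: every name, MRN, zip code and date here is made up.
PATIENTS = [
    {"name": "Alice Example", "mrn": "MRN-0001", "zip": "60201",
     "dob": date(1980, 3, 14), "gender": "F", "diagnosis": "dx-A"},
    {"name": "Bob Example", "mrn": "MRN-0002", "zip": "60202",
     "dob": date(1980, 7, 2), "gender": "M", "diagnosis": "dx-B"},
    {"name": "Carol Example", "mrn": "MRN-0003", "zip": "60201",
     "dob": date(1981, 11, 30), "gender": "F", "diagnosis": "dx-C"},
    {"name": "Dan Example", "mrn": "MRN-0004", "zip": "60203",
     "dob": date(1922, 1, 9), "gender": "M", "diagnosis": "dx-D"},
    {"name": "Eve Example", "mrn": "MRN-0005", "zip": "60202",
     "dob": date(1980, 5, 21), "gender": "F", "diagnosis": "dx-E"},
]

# Constructed public "voter roll" that an adversary could link against.
VOTER_ROLL = [
    {"name": "Alice Example", "zip": "60201", "dob": date(1980, 3, 14), "gender": "F"},
    {"name": "Bob Example", "zip": "60202", "dob": date(1980, 7, 2), "gender": "M"},
    {"name": "Carol Example", "zip": "60201", "dob": date(1981, 11, 30), "gender": "F"},
    {"name": "Dan Example", "zip": "60203", "dob": date(1922, 1, 9), "gender": "M"},
    {"name": "Eve Example", "zip": "60202", "dob": date(1980, 5, 21), "gender": "F"},
    {"name": "Fay Voter", "zip": "60201", "dob": date(1980, 9, 9), "gender": "F"},
    {"name": "Gus Voter", "zip": "60203", "dob": date(1981, 4, 4), "gender": "M"},
    {"name": "Hal Voter", "zip": "60204", "dob": date(1980, 12, 25), "gender": "M"},
    {"name": "Ida Voter", "zip": "60201", "dob": date(1981, 2, 2), "gender": "F"},
    {"name": "Jon Voter", "zip": "60202", "dob": date(1920, 6, 6), "gender": "M"},
]

AS_OF = date(2015, 6, 1)            # assumed reference date for computing ages
SMALL_ZIP3 = {"036", "059", "102"}  # assumed low-population 3-digit zip areas
QUASI_IDS = ("zip3", "birth_year", "gender")


def age_on(dob, as_of):
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize(zip_code, dob, gender, as_of=AS_OF):
    """Safe Harbor generalisation of zip code, date of birth and age."""
    zip3 = zip_code[:3]
    if zip3 in SMALL_ZIP3:      # Safe Harbor zip rule: small areas become 000
        zip3 = "000"
    age = age_on(dob, as_of)
    if age >= 90:
        # Ages of 90 and over are pooled into one bucket; the birth year is
        # dropped as well, since it would otherwise reveal the exact age.
        return {"zip3": zip3, "birth_year": None, "age": "90+", "gender": gender}
    return {"zip3": zip3, "birth_year": dob.year, "age": age, "gender": gender}


def safe_harbor(patient, as_of=AS_OF):
    """Suppress explicit identifiers, generalise quasi-identifiers, keep payload."""
    out = generalize(patient["zip"], patient["dob"], patient["gender"], as_of)
    out["diagnosis"] = patient["diagnosis"]
    return out


def equivalence_classes(records, keys=QUASI_IDS):
    """Records per quasi-identifier combination (the k in k-anonymity)."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def count_unique_links(released, external, key):
    """How many released records match exactly one external identity."""
    index = Counter(key(e) for e in external)
    return sum(1 for r in released if index[key(r)] == 1)


RAW_KEY = lambda r: (r["zip"], r["dob"], r["gender"])
SH_KEY = lambda r: tuple(r[k] for k in QUASI_IDS)


def risk_before_and_after():
    """Linkage risk for the raw table versus the Safe Harbor table."""
    raw = [{k: p[k] for k in ("zip", "dob", "gender", "diagnosis")} for p in PATIENTS]
    released = [safe_harbor(p) for p in PATIENTS]
    # The adversary generalises the voter roll the same way before linking.
    voters_sh = [generalize(v["zip"], v["dob"], v["gender"]) for v in VOTER_ROLL]
    return {
        "unique_links_raw": count_unique_links(raw, VOTER_ROLL, RAW_KEY),
        "unique_links_safe_harbor": count_unique_links(released, voters_sh, SH_KEY),
        "smallest_class_safe_harbor": min(equivalence_classes(released).values()),
    }


if __name__ == "__main__":
    for row in [safe_harbor(p) for p in PATIENTS]:
        print(row)
    print(risk_before_and_after())
```

Note that the released table still contains singleton equivalence classes after Safe Harbor, which is why the article's point stands: the rule set fixes the transformation, but the residual risk still has to be measured against whatever external data a recipient could hold.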


The Health Information Trust Alliance recently released a new framework for de-identification of sensitive patient information as part of a risk-management strategy.



Pharmacy Fined $125,000 for Breach


A small Denver compounding pharmacy has been slammed with a $125,000 federal penalty for a 2012 breach involving improper disposal of paper patient records. It's the second such HIPAA enforcement action within a year by federal regulators tied to an incident involving records dumping by a covered entity.


In an April 27 statement, the Department of Health and Human Services' Office for Civil Rights says Cornell Prescription Pharmacy has agreed to a HIPAA settlement that includes the $125,000 penalty and calls for adopting a corrective action plan to correct deficiencies in its compliance program.


Cornell is a single-location pharmacy that specializes in compounded medications and related services for hospice care agencies in the region.

Proper PHI Disposal

"Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," says OCR Director Jocelyn Samuels. "Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper."


OCR launched a compliance review and investigation in February 2012 after the agency received notification from a Denver news outlet regarding the disposal of unshredded documents containing the protected health information of 1,610 patients in an unlocked, open container on Cornell's premises.


OCR's investigation determined Cornell failed to implement any written policies and procedures as required by the HIPAA Privacy Rule. The pharmacy also failed to provide training on policies and procedures to its workforce as required by HIPAA, OCR says.

Similar Cases

OCR last June approved an $800,000 HIPAA settlement with Parkview Health System, an Indiana-based community health system, tied to an incident involving paper records dumping. In that case, the organization was cited for leaving 71 cardboard boxes of medical records on thousands of patients unattended and accessible to unauthorized persons on the driveway of a retiring physician's home.


And in addition to the Parkview case, OCR has issued hefty settlements for several other breaches involving improper disposal of PHI.

"The latest OCR settlement is almost identical to 2009 and 2010 settlements against CVS and Rite Aid over the pharmacies allegedly dumping protected health information in publicly-accessible waste containers," says privacy attorney Adam Greene of law firm Davis Wright Tremaine.


"In both of those cases, as in the current case with Cornell Prescription Pharmacy, the OCR investigation was triggered by a local television news report identifying the issue at local pharmacies," Greene notes. "In response to the CVS and Rite Aid cases, OCR issued specific guidance on properly disposing of protected health information. Apparently, when OCR learned of a news report indicating that a pharmacy was not heeding this guidance, OCR determined that an additional settlement was needed."


Covered entities and business associates should closely track OCR settlement agreements "and ensure that any similar issues are addressed within your own organization," Greene stresses.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he's surprised there haven't been even more such enforcement actions by OCR for these kinds of improper disposal cases.


There have been approximately 30 large breaches since April 2011 that have involved covered entities or business associates that failed to make paper or printed PHI unreadable or indecipherable, "such as by shredding into itty-bitty pieces," says Holtzman, who was a senior adviser at OCR prior to joining CynergisTek in 2013. "This [latest] case represents a drop in the bucket."

Corrective Action Plan

As part of its resolution agreement with OCR, Cornell has agreed to implement a corrective action plan that includes developing, maintaining and revising, as necessary, written policies and procedures to comply with the HIPAA Privacy Rule and submitting documentation of those policies and procedures to OCR for its review and approval.

The policies and procedures must include administrative and physical safeguards for the disposal of all non-electronic PHI, including those records being "shredded, burned, pulped or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed."


The pharmacy also agreed to distribute those policies and procedures to all members of its workforce within 30 days of OCR approving them and to also issue those policies and procedures to new members of the workforce within 30 days of their beginning of service.


In addition, the pharmacy agreed to provide its workforce HIPAA privacy training and to report violations of its privacy policies and procedures by its workforce to OCR.

More Settlements Soon?

Some privacy and security experts believe the resolution agreement with Cornell could be the first of several additional enforcement actions in the works at OCR for 2015, including cases involving other examples of HIPAA non-compliance.


"This is likely the beginning of a more active phase of OCR enforcement that we have been anticipating," Holtzman says. "I believe that OCR has been investigating a number significant investigations and compliance reviews, many resulting from breaches reported to HHS."


Holtzman adds: "I do not believe that OCR limits itself to reserving its enforcement resources to a predetermined checklist or agenda prioritizing one type of incident over another."

In a recent interview with Information Security Media Group, Greene also predicted that OCR will likely announce a number of eye-popping financial settlements for HIPAA violations later this year.



Health system sees 7th HIPAA data breach


How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

 
The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinical data were compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in less than five years.
 
It wasn't until March 12, 2015, that officials said they discovered which patients were impacted by the breach, which involved the compromise of an employee's network username and password. 
 
"St.Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter. 
 
According to data from the Office for Civil Rights, which keeps track of HIPAA breaches involving 500 people or more, St. Vincent health system has been a repeat HIPAA offender. Its most recent breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patient letters to the wrong patients.
 
The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients. 



OIG to CMS: Make EHR fraud prevention efforts a priority


The Office of Inspector General is once again calling out CMS for failing to adequately address fraud vulnerabilities in electronic health records. Despite submitting recommendations back in 2013, a new OIG report underscored that the agency is still dragging its feet on implementing EHR fraud safeguards.

 
Part of the Office of Inspector General's role is to audit and evaluate HHS processes and procedures and put forth recommendations based on deficiencies or abuses identified. It turns out that a lot of these recommendations are ignored, disagreed with or unimplemented, according to OIG's new Compendium of Unimplemented Recommendations report. And EHR fraud is on that list.
 
"HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," OIG officials wrote in the report. 
 
Specifically, audit logs should actually be operational whenever an EHR is available. And CMS should also develop concrete guidelines around the use of copy-and-paste functions in an electronic health record. According to OIG data, most hospitals using EHRs had the audit functions recommended by RTI International in place, but they were significantly underutilized. What's more, only some 25 percent of hospitals even had policies in place regarding copy-and-paste functions.
 
These recommendations have come up repeatedly in recent OIG reports, and despite CMS officials agreeing with the outlined recommendations, the agency is still not making it enough of a priority.  
In a January 2014 report, OIG also called out CMS for failing to make EHR fraud a priority. Specifically, OIG said, CMS neglected to provide adequate guidance to its contractors tasked with identifying said EHR fraud, citing the fact that the majority of these contractors reviewed EHRs in the same manner they reviewed paper records, disregarding the differences. Moreover, only three out of 18 Medicare contractors were found to have used EHR audit data in their review process.
 
When it came to identifying copy-and-paste usage or over documentation, many contractors reported they were unable to do so. Considering some 74 percent to 90 percent of physicians use the copy/paste feature daily, according to a recent AHIMA report, the implications are significant. 
 
As Diana Warner, director of HIM practice excellence at AHIMA, recounted at the October 2013 MGMA conference, copy-and-paste usage at her previous medical practice left a patient who went from having a family history of breast cancer to having a history of breast cancer. The error was caught by the insurance company, which thought the patient had lied and was poised to change her healthcare coverage. "We had to work for months to get that cleared up with the insurance company so her coverage would not be dropped," Warner said. "We had to then find all the records that it got copy and pasted into" incorrectly and then track down the locations the data was sent to.



Hattiesburg Clinic issues statement regarding HIPAA breach

A viewer reached out to WDAM with concerns of a possible security breach at Hattiesburg Clinic. The clinic responded to WDAM after we inquired about the breach.


The statement is as follows:


"In January 2015, Hattiesburg Clinic became aware of unauthorized access to medical records by an optometry provider who left clinic employment. The investigation revealed that he obtained patient demographic information. It was determined that he used the information to mail letters in order to inform patients of his new employer. All information obtained by the provider has been retrieved and Hattiesburg Clinic has not received any indication that the information accessed was for reasons other than sending the letters. Patients affected by the breach were notified and the matter has been addressed as the law requires. We are not aware of any damages caused.


Hattiesburg Clinic is committed to protecting your personal information and we want to assure you that we have policies in place to protect your privacy."


This incident stems from a letter sent by Scott Paladichuk, OD, to patients. According to the letter, Paladichuk was reaching out to patients to introduce himself as a new doctor to the community.

On March 20, The Hattiesburg Clinic notified its patients that there was unauthorized access to medical records by Paladichuk. 


The Hattiesburg Clinic letter states that it is possible that, while Paladichuk was copying demographic information for his letter, he also viewed medical information.


The letter says that the clinic has not received any indication that the information accessed by Paladichuk was used for anything other than sending announcement letters. 


Paladichuk is no longer in possession of any medical information and also no longer works for Hattiesburg Clinic. 


Hattiesburg Clinic issued an apology to patients and said that all necessary steps were taken to rectify the situation, including formally notifying the U.S. Department of Health and Human Services.



Cyber Risk Q&A: Is Your Medical Practice Protected?


The threat of data breaches and cyber threats is not news to any of us. However, Anthem’s recent 80 million-record data breach was an attention-getter — or it should have been for all of us in the healthcare industry.

But it all became very personal for me the morning after the Anthem news when I opened my local newspaper to a Page 2 story with the headline, “Is your doctor’s office the most dangerous place for your data?” This AP story outlined what all of us should be concerned about. That is, a healthcare practice will face a PR nightmare if a data breach occurs involving patient records.

It is no coincidence that healthcare leads all other industries in the number of data breaches, the total amount of compromised records, and the costs associated with such breaches. Healthcare databases are the pot of gold at the end of the rainbow for cyber criminals. There are three categories of protected health information (PHI) that cyber criminals target: personally identifiable information (PII), such as name, birthdate, and social security number; personal credit information (PCI), including credit card numbers; and PHI, including medical records. Healthcare providers and insurers collect all three types of information and store it electronically.

Data breach statistics and costs related to the healthcare industry are eye-opening. Crittenden Research suggests that annual number of healthcare breaches increased from 160 to 333 between 2010 and 2014. The number of records exposed increased from 1,874,360 to 8,277,991 in the same timeframe. The Ponemon Institute reports that the per-record data breach cost is now $201 averaged across all industries. But the eye-popping number for healthcare is $359! These costs include notification, credit-monitoring, forensic accounting, public relations, legal, and losses related to customer/patient loss and re-acquisition.

So, what is a healthcare practice supposed to do? I have two suggestions.
1. Have a cyber-risk review done of your practice and implement the recommendations. Many of the common threats are easily addressed.
2. Purchase cyber-liability insurance.  Please know this is objective advice. I do not sell cyber-liability insurance. But I certainly buy it!

Our healthcare clients routinely ask us about cyber liability insurance, even though we don’t offer this coverage on a standalone basis. Here are our responses to a few of the more common questions:

How does cyber-liability insurance work?
The real value of cyber liability insurance is the bundling of breach response services. When a data breach occurs, the policyholder works with a data-breach coach who coordinates a rapid response. Forensic accounting, public relations, client notifications, credit monitoring, and legal advice are all included. Some policies also cover fines and penalties and protection from third-party lawsuits. But these are rare if a rapid response is well coordinated. The policyholder can purchase varying coverage limits.

Doesn’t my medical-malpractice coverage already cover this?
Most medical-malpractice policies include modest levels of cyber liability coverage. My concern is that the coverage limit is typically in the $50,000 to $100,000 range. This is much too low. Do your own math. How many records does your practice store? Multiply this by the $359 per-record data breach cost figure. Yep, not enough coverage there. Standalone policies with sufficient limits are plentiful and relatively affordable.

Is cyber insurance worth the cost?
I mentioned above I purchase this for our business. We invest heavily in our data security. I’ve never been one to try to beat the odds. The same Ponemon study cited earlier estimates that the probability of a healthcare entity experiencing a breach involving 10,000 or fewer records is 19.2 percent. That’s a one-in-five chance you will be a victim. I don’t know about you, but I don’t like those odds without plenty of protection.

If our business experiences a data breach, I want a rapid response with proper client notification, credit monitoring, and whatever protection our clients need. Our clients’ trust and confidence in us is our biggest asset.

For a physician, the patient-doctor trust relationship is paramount — not something to chance damaging through the malicious actions of an anonymous cyber thief.

So, yes, I think it’s an obvious choice financially. You need to evaluate your own needs regarding your business.

Cyber liability is a growing threat to all of us involved with the healthcare industry. But proper risk management and insurance protection are solid steps any of us can take to fight back.

Happy computing!



Lawmakers to rethink requiring encryption in HIPAA


In light of the cyberattack against Anthem, federal officials plan to review whether HIPAA should require encryption, according to the Associated Press.

The Senate Health, Education, Labor and Pensions committee on Friday said it will take up the matter as part of a bipartisan review of health information security.

"We need a whole new look at HIPAA," David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information, told the AP.

Information on up to 80 million consumers--including names, birth dates, addresses, email addresses, employment information and Social Security/member identification numbers--was compromised in the attack on Anthem. That information reportedly was not encrypted.

However, Anthem spokeswoman Kristin Binns told the AP that the hacker also had a system administrator's ID and password, which would have made encryption a moot point. Binns said the company normally encrypts data that it exports.

Some security experts, however, say a stolen credential by itself shouldn't be a key to the whole data kingdom, and that information should be encrypted wherever it resides, whether in transit; sitting in a database, as Anthem's was; or on a mobile device.

When the HITECH Act promoting computerized medical records was passed in 2009, it seemed to be a reasonable balance, creating incentives for encryption without imposing a one-size-fits-all solution, Indiana University law professor Nicolas Terry told the AP. Now he's concerned that events may have shown the compromise is unworkable.

Only slightly more than half of healthcare employees (59 percent) use full-disk encryption or file-level encryption on computing devices at work, a Forrester research report published last September found.

There have been various calls to review HIPAA based on the security and privacy risks for consumers posed by the Internet of Things and for research, among other reasons.

Mac McMillan, current chair of the HIMSS Privacy and Security Policy Task Force, however, has said he doesn't see much happening before the next presidential election.



States ramp up data security laws


Healthcare organizations not only must heed federal data security laws; they also have state laws to keep in mind. And a growing trend has states making these regulations tougher than ever. One state that currently has no laws requiring organizations to implement certain data security protections has proposed legislation that would hold entities fully responsible for failing to safeguard consumer data.  

 
As businesses continue to demonstrate grievous security failings, New York state has decided to join a growing number of states that have chosen to ramp up their data security laws. The announcement last week from the state's Attorney General Eric T. Schneiderman comes on the heels of a report last year finding that nearly 23 million New Yorkers have had their personal records compromised since 2006.
 
New York entities are currently required to notify individuals of a data security breach only if "private information" has been compromised. Private information, as state officials pointed out, has a very narrow definition that does not include email addresses and passwords, medical data, or health insurance data, among other items.
 
The proposed law would broaden the definition of private information to include email addresses, security questions and medical and health insurance data. The law would also establish a safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach. 
 
In 2013 – a "record-setting" breach year for New York – these data security breaches cost organizations a whopping $1.37 billion statewide. Some 40 percent of those breaches were hacking related, according to a 2014 N.Y. Attorney General report.
 
What's more, healthcare organizations proved to be the biggest offenders, with healthcare data breaches being responsible for compromising the largest number of records of New Yorkers since 2006. "As the healthcare industry moves toward increasing digitization, it has become a repository for large troves of sensitive information, making the industry uniquely susceptible to data loss, particularly through lost or stolen electronic storage equipment," Schneiderman wrote in the report.  
 
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," said Schneiderman in a Jan. 15 press release. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
 
One of the state's biggest data breaches ever reported was announced by the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which compromised the health records of some 1.7 million employees, vendors and patients.
 
In light of the increase in scope and frequency of these data security breaches, just last month, Oregon's AG Ellen Rosenblum called on the state's legislature to update and toughen Oregon's data breach law, which does not protect medical or health insurance data. Indiana's AG also in December proposed similar legislation that would tighten data security laws in the state. 



Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI

For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate; it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI

Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application, for instance one that recognizes when the content of an e-mail contains sensitive information and therefore automatically encrypts it. Your practice could use the application to specify the circumstances in which e-mails should be encrypted, such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content and, when it finds it, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters that automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is that if a potential breach occurs, such as the theft of a laptop containing e-mails with PHI, it is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."
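An added example (not from the article or any vendor's product) of the encrypt-on-content policy Caswell and Tennant describe: a filter that decides to encrypt when the subject carries a trigger word, the message has an attachment, or the body contains a social security number or a credit card number. The message format, the trigger-word list and the sample messages are constructed for this example; the card check uses the Luhn checksum so that a 16-digit invoice number is not mistaken for a card.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Words a sender can put in the subject line to force encryption; the article
# names "sensitive" and "encrypt", the set itself is configuration.
TRIGGER_WORDS = {"sensitive", "encrypt"}

# US social security number in dashed form; areas 000 and 666, group 00 and
# serial 0000 are never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes. Candidates are confirmed with the Luhn checksum below.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


def find_card_numbers(text: str) -> List[str]:
    found = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def subject_keywords(subject: str) -> set:
    """Trigger words present in the subject, matched as whole words."""
    return set(re.findall(r"[a-z]+", subject.lower())) & TRIGGER_WORDS


def encryption_reasons(msg: Message) -> List[str]:
    """Every rule from the policy that fires for this message (empty = send
    in the clear)."""
    reasons = []
    if subject_keywords(msg.subject):
        reasons.append("subject keyword")
    if msg.attachments:
        reasons.append("attachment")
    if find_ssns(msg.body):
        reasons.append("social security number")
    if find_card_numbers(msg.body):
        reasons.append("credit card number")
    return reasons


def must_encrypt(msg: Message) -> bool:
    return bool(encryption_reasons(msg))


# Constructed sample messages; the numbers are placeholder/test values.
SAMPLES = {
    "reminder": Message("Appointment reminder", "See you Tuesday at 10am."),
    "ssn": Message("Re: intake form", "Patient SSN is 123-45-6789, please update."),
    "tagged": Message("[encrypt] lab results", "Results are in the portal."),
    "attachment": Message("Referral", "Please see attached.", ["referral.pdf"]),
    "invoice": Message("Invoice", "Invoice number 1234567890123456 is overdue."),
    "card": Message("Copay", "Card on file: 4111 1111 1111 1111."),
}


def classify_samples() -> dict:
    return {name: must_encrypt(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10s} encrypt={must_encrypt(msg)} {encryption_reasons(msg)}")
```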


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS

If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP

If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:


• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMENDMENT REQUESTS

Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING

The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak, or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARGING FOR RECORD COPIES

With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS

If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:


• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.


9. RELEASING TOO MUCH INFORMATION

Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


Is your cloud provider HIPAA compliant? An 11 point checklist


Healthcare organisations frequently turn to managed service providers (MSPs) to deploy and manage private, hybrid or public cloud solutions. MSPs play a crucial role in ensuring that healthcare organisations maintain secure and HIPAA compliant infrastructure.


Although most MSPs offer the same basic services – cloud design, migration, and maintenance – the MSP’s security expertise and their ability to build compliant solutions on both private and public clouds can vary widely.


Hospitals, healthcare ISVs and SaaS providers need an MSP that meets and exceeds the administrative, technical, and physical safeguards established in the HIPAA Security Rule. The following criteria either must or should be met by an MSP:


1. Must offer business associate agreements


An MSP must offer a Business Associate Agreement (BAA) if it hopes to attract healthcare business. When a Business Associate is under a BAA, they are subject to audits by the Office for Civil Rights (OCR) and could be accountable for a data breach and fined for noncompliance.

According to HHS, covered entities are not required to monitor or oversee how their Business Associates carry out privacy safeguards, or in what ways MSPs abide by the privacy requirements of the contract. Furthermore, HHS has stated that a healthcare organisation is not liable for the actions of an MSP under BAA unless otherwise specified.


An MSP should be able to provide a detailed responsibility matrix that outlines which aspects of compliance are the responsibility of whom. Overall, while an MSP allows healthcare organisations to outsource a significant amount of both the technical effort and the risk of HIPAA compliance, organisations should still play an active role in monitoring MSPs. After all, an OCR fine is often the least of an organisation’s worries in the event of a security breach; negative publicity is potentially even more damaging.


2. Should maintain credentials


There is no “seal of approval” for HIPAA compliance that an MSP can earn. The OCR grants no such qualifications. However, any hosting provider offering HIPAA compliant hosting should have had their offering audited by a reputable auditor against the HIPAA requirements as defined by HHS.


In addition, the presence of other certifications can assist healthcare organisations in choosing an MSP that takes security and compliance concerns very seriously. A well-qualified MSP will maintain the following certifications:

  • SSAE-16
  • SAS70 Type II
  • SOX Compliance
  • PCI DSS Compliance


While these certifications are by no means required for HIPAA compliance, the ability to earn such qualifications indicates a high level of security and compliance expertise. They require extensive (and expensive) investigations by 3rd party auditors of physical infrastructure and team practices.


3. Should offer guaranteed response times


Providers should indicate guaranteed response times within their Service Level Agreement. While 24/7/365 NOC support is crucial, the mere existence of a NOC team is not sufficient for mission-critical applications; healthcare organisations need a guarantee that the MSP’s NOC and security teams will respond to routine changes and to security threats in a timely manner. Every enterprise should have guaranteed response times for non-critical additions and changes as well.


How such changes and threats are prioritized and what response is appropriate for each should be the subject of intense scrutiny by healthcare organisations, who also have HIPAA-regulated obligations in notifying authorities of security breaches.


4. Must meet data encryption standards


The right MSP will create infrastructure that is highly secure by default, meaning that the highest security measures should be applied to any component where such measures do not interfere with the function of the application. In the case of data encryption, while HIPAA’s Security Rule only requires encryption for data in transit, data should reasonably be encrypted everywhere by default, including at rest and in transit.


When MSPs and healthcare organisations encrypt PHI, they are within the “encryption safe harbor.” Unauthorised disclosure will not be considered a breach and will not necessitate a breach notification if the disclosed PHI is encrypted.


Strong encryption policies are particularly important in public cloud deployments. The MSP should be familiar with best practices for encrypting data both within the AWS environment and in transit between AWS and on-site back-ups or co-location facilities. We discuss data encryption best practices for HIPAA compliant hosting on AWS here.


It is important to note that not all encryption is created equal; look for an MSP that guarantees at least AES-256 Encryption, the level enforced by federal agencies. It is useful to note that AWS’ check-box encryption of EBS volumes meets this standard.


5. Should have “traditional IT” and cloud expertise


Major healthcare organisations have begun to explore public cloud solutions. However, maintaining security in public clouds and in hybrid environments across on-premises and cloud infrastructure is a specialty few MSPs have learned. “Born in the Cloud” providers, whose businesses started recently and are made up exclusively of cloud experts, are quite simply lacking the necessary experience in complex, traditional database and networking that would enable them to migrate legacy healthcare applications and aging EHR systems onto the public cloud without either a) over-provisioning or b) exposing not-fully-understood components to security threats.


No matter the marketing hype around “Born in the Cloud” providers, it certainly is possible to have best-in-class DevOps and cloud security expertise and a strong background in traditional database and networking. In fact, this is what any enterprise with legacy applications should expect.


Hiring an MSP that provides private cloud, bare metal hosting, database migrations, legacy application hosting, and also has a dedicated senior cloud team is optimal. This ensures that the team is aware of the unique features of the custom hardware that currently supports the infrastructure, and will not expose the application to security risks by running the application using their “standard” instance configuration.


6. Must provide ongoing auditing and reporting


The HIPAA Security Rule requires that the covered entity “regularly” audit their own environment for security threats. It does not, however, define “regularly,” so healthcare organisations should request the following from their MSPs:


  • Monthly or quarterly engineering reviews, both for security concerns and cost effectiveness
  • Annual 3rd party audits
  • Regular IAM reports. A credential report can be generated every four hours; it lists all of the organisation's users and access keys.
  • Monthly re-certification of staff’s IAM roles
  • Weekly or daily reports from 3rd party security providers, like Alert Logic or New Relic
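The IAM credential report mentioned above is a CSV, and the review a covered entity would want from its MSP each month is easy to automate. The following is an added example, not code from the article or from any MSP: it flags root access keys, console users without MFA, and stale or never-used access keys against assumed 90- and 45-day thresholds. The CSV is a constructed excerpt that uses the report's real column names; fetching the report itself (`aws iam generate-credential-report` / `get-credential-report`) is left out so the script runs offline.

```python
"""Review an AWS IAM credential report for stale credentials and missing MFA.

Added example, not from the article or any MSP. The thresholds are assumptions
for this example, not values mandated by HIPAA.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90       # rotate access keys at least quarterly
MAX_PASSWORD_AGE_DAYS = 90  # rotate console passwords at least quarterly
UNUSED_KEY_DAYS = 45        # an active key never used for this long should be removed

# Constructed report excerpt. A real report has more columns (cert_*, last_used_region,
# last_used_service); csv.DictReader simply ignores the ones this script does not read.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2013-01-10T12:00:00+00:00,not_supported,2015-04-20T08:15:00+00:00,not_supported,not_supported,false,true,2013-01-10T12:05:00+00:00,2015-04-19T09:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2014-06-01T09:00:00+00:00,true,2015-04-28T14:00:00+00:00,2015-03-15T09:00:00+00:00,2015-06-13T09:00:00+00:00,true,true,2015-03-15T09:10:00+00:00,2015-04-28T13:55:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2013-09-01T09:00:00+00:00,true,2015-04-27T10:00:00+00:00,2014-01-05T09:00:00+00:00,2014-04-05T09:00:00+00:00,false,true,2013-09-01T09:05:00+00:00,2015-04-27T10:02:00+00:00,true,2015-02-01T09:00:00+00:00,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2015-01-20T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2015-01-20T09:00:00+00:00,2015-04-29T02:00:00+00:00,false,N/A,N/A
"""

# Fixed "today" so the results are reproducible; replace with datetime.now(timezone.utc).
NOW = datetime(2015, 4, 30, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _age_days(value, now):
    """Whole days between a report timestamp and `now`, or None if not applicable."""
    ts = _parse_ts(value)
    return None if ts is None else (now - ts).days


def review_credential_report(report_csv, now=NOW):
    """Return a list of (user, finding) tuples for credentials that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # The root account should have no access keys at all and must have MFA;
        # per-user rotation policy does not apply to it.
        if user == "<root_account>":
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root account has an active access key (slot {slot})"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA device"))
            continue

        # Console users need MFA and a password rotated within policy.
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console access without MFA"))
            pw_age = _age_days(row["password_last_changed"], now)
            if pw_age is not None and pw_age > MAX_PASSWORD_AGE_DAYS:
                findings.append((user, f"password not rotated for {pw_age} days"))

        # Access keys: flag keys past the rotation window and active keys never used.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            key_age = _age_days(row[f"access_key_{slot}_last_rotated"], now)
            if key_age is None:
                continue
            if key_age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"access key {slot} not rotated for {key_age} days"))
            never_used = _parse_ts(row[f"access_key_{slot}_last_used_date"]) is None
            if never_used and key_age > UNUSED_KEY_DAYS:
                findings.append((user, f"access key {slot} active but never used in {key_age} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credential_report(SAMPLE_REPORT):
        print(f"{user:15s} {finding}")
```

On the sample data, alice passes cleanly while bob, deploy-bot and the root account each produce findings; a monthly run of this kind is what "Monthly re-certification of staff's IAM roles" should be backed by.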


7. Must maintain compliant staffers and staffing procedures


HIPAA requires organisations to provide training for new workforce members as well as periodic reminder training. As a business associate, the MSP has certain obligations for training their own technical and non-technical staff in HIPAA compliance. There are also certain staff controls and procedures that must be in place and others that are strongly advisable. A covered entity should ask the MSP the following questions:


  • What formal sanctions exist against employees who fail to comply with security procedures?
  • What supervision exists of employees who deal with PHI?
  • What is the approval process for internal collaboration software or cloud technologies?
  • How do employees gain access to your office? Is a FOB required?
  • What is your email encryption policy?
  • How will your staff inform our internal IT staff of newly deployed instances/servers? How will keys be communicated, if necessary?
  • Is there a central authorisation hub such as Active Directory for the rapid decommissioning of employees?
  • Can you provide us with your staff’s HIPAA training documents?
  • Do you provide security threat updates to staff?
  • What are internal policies for password rotation?
  • (For Public Cloud) How are root account keys stored?
  • (For Public Cloud) How many staff members have Administrative access to our account?
  • (For Public Cloud) What logging is in place for employee access to the account? Is it distinct by employee, and if federated access is employed, where is this information logged?


While the answers to certain of these questions do not confirm or deny an MSP’s degree of HIPAA compliance, they may help distinguish between a new company that just wants to attract lucrative healthcare business and a company already well versed in such procedures.


8. Must secure physical access to servers


In the case of a public cloud MSP, the MSP should be able to communicate why their cloud platform of choice maintains physical data centres that meet HIPAA standards. To review AWS’s physical data centre security measures, see their white paper on the subject. If a hybrid or private cloud is also maintained with the MSP, they should provide a list of global security standards for their data centres, including ISO 27001, SOC, FIPS 140-2, FISMA, and DoD CSM Levels 1-5, among others. The specific best practices for physical data centre security that healthcare organisations should look out for are well covered in ISO 27001 documentation.


9. Should conduct risk analysis in accordance with NIST guidelines


The National Institute of Standards and Technology, or NIST, is a non-regulatory federal agency under the Department of Commerce. NIST develops information security standards that set the minimum requirements for any information technology system used by the federal government.


NIST produces Standard Reference Materials (SRMs) that outline the security practices, and their most recent Guide for Conducting Risk Assessments provides guidance on how to prepare for, conduct, communicate, and maintain a risk assessment as well as how to identify and monitor specific risk factors. NIST-800 has become a foundational document for service providers and organisations in the information systems industry.


An MSP should be able to provide a report that communicates the results of the most recent risk assessment, as well as the procedure by which the assessment was accomplished and the frequency of risk assessments.


Organisations can also obtain NIST 800-53 Certification from NIST as a further qualification of security procedures. While again this is not required of HIPAA Business Associates, it indicates a sophisticated risk management procedure — and is a much more powerful piece of evidence than standard marketing material around disaster recovery and security auditing.


10. Must develop a disaster recovery plan and business continuity plan


The HIPAA Contingency Plan standard requires the implementation of a disaster recovery plan. This plan must anticipate how natural disasters, security attacks, and other events could impact systems that contain PHI and develop policies and procedures for responding to such situations.

An MSP must be able to provide their disaster recovery plan to a healthcare organisation, which should include answers to questions like these:

  • Where is backup data hosted? What procedure maintains retrievable copies of ePHI?
  • What procedures identify suspected security incidents?
  • Who must be notified in the event of a security incident? How are such incidents documented?
  • What procedure documents and restores the loss of ePHI?
  • What is the business continuity plan for maintaining operations during a security incident?
  • How often is the disaster recovery plan tested?


11. Should already provide service to large, complex healthcare clients


Although the qualifications listed above are more valuable evidence of HIPAA compliance, a roster of clients with large, complex, HIPAA-compliant deployments should provide extra assurance. This pedigree will be particularly useful in vendor decision discussions with non-technical business executives. The MSP's ability to maintain healthcare clients in the long term (2-3+ years) is important to consider.


Drug kingpin imprisoned on numerous charges, including HIPAA violations


Drug kingpin Stuart Seugasala was just convicted and sentenced on a string of federal charges that includes HIPAA violations in the course of running a violent drug trafficking ring in Alaska. Authorities said the trafficking ring imported and distributed illicit drugs, perpetrated armed home invasions, drive-by shootings, kidnappings, and sexual assaults.

The Alaska U.S. Attorney’s Office said it was the state’s first HIPAA conviction and one of only a few such cases nationwide.


Seugasala, 40, was sentenced May 15 to three life terms in prison following his conviction on drug trafficking and kidnapping charges earlier this year, but separate from that sentence was another 20 years for unauthorized access to medical records of two victims he hospitalized in 2013.


On March 13, 2013, Seugasala and his associates kidnapped, tortured, and sexually assaulted two men with a hot curling iron because one of the men owed them a large, past due debt on heroin, according to prosecutors. They said Seugasala ordered the rape to be videotaped so he could use the footage to intimidate other debtors.

One of the victims was so badly injured after three hours of torture that he was admitted to Providence Hospital in Anchorage. Two days later, Seugasala shot and wounded another man in an unrelated incident. That man also checked himself in to the hospital.


At that point, Seugasala contacted a friend who worked at the hospital, Stacy Laulu, and asked her via a text message to find out the extent of the men’s injuries and whether they were cooperating with police, prosecutors said.


They said Laulu, who was then employed as a financial counselor, accessed both men’s medical files and reported back to Seugasala, violating the men’s privacy rights.


According to prosecutors, Laulu’s husband, who was in jail on unrelated murder charges, was a close associate of Seugasala and the couple was receiving drug money from Seugasala.


Laulu was also convicted in January on the HIPAA felony violations and is scheduled for sentencing May 29. The maximum sentence is 10 years for each of those convictions. Three other members of the drug ring have also been sentenced or are due for sentencing in June.



Partners HealthCare Reports Breach


Partners HealthCare System is the latest healthcare organization hit by a data breach attributed to a phishing attack.

The Boston-based integrated health delivery network, which operates several hospitals, including Massachusetts General, says it is notifying 3,300 individuals that their protected health information may have been compromised by a phishing attack late last year.


In a statement, Partners says on Nov. 25, 2014, it learned that a group of its workforce members had received phishing emails and provided information in response to the email, believing the messages were legitimate.


Partners says it conducted a comprehensive review of the affected email accounts and determined that some of the emails contained patient demographic information, such as names, addresses, dates of birth, telephone numbers and, in some instances, Social Security numbers, and some of its patients' clinical information, such as diagnosis, treatment received, medical record numbers, medical diagnosis codes, or health insurance information.


However, the organization's electronic health records system was not compromised by the attack. Upon learning of the phishing scheme, Partners says it took steps to secure the email accounts and contacted law enforcement. Partners also began an investigation into the phishing attack on the organization, including working with an expert computer forensic firm.


"To date, Partners HealthCare has no evidence that any patient information in the emails has been misused," the organization says. However, as a precaution, Partners recommends that affected patients regularly review the explanation of benefits statements that they receive from their health insurers. If patients identify services listed on their explanation of benefits that they did not receive, they should immediately contact their insurer.

Rise in Phishing Attacks

The official federal tally of major health data breaches also shows that the healthcare sector continues to be a growing target for hackers, including those waging phishing attacks.


As of April 29, the Department of Health and Human Service's "wall of shame" website of breaches affecting 500 or more individuals shows 1,211 incidents affecting more than 133.2 million individuals since September 2009, when the HIPAA breach notification rule went into effect. One incident, the recent hacking attack against health insurer Anthem Inc., accounts for 78.8 million of those victims.


Among the breaches most recently added to the list is an incident involving phishing email targeted at employees of St. Agnes Health Care Inc. in Baltimore, which affected nearly 25,000 individuals.

Also recently added to the federal tally was a phishing incident at Seton Family of Hospitals in Texas. The healthcare organization revealed last week that a phishing attack that occurred in December, but was discovered in February, affected 39,000 individuals.


Other healthcare entities have also been defending against a spike in phishing schemes. Over the past six months, the University of Vermont Medical Center has seen an uptick in phishing attempts, including those "laced with malware in an attempt to steal credentials," says CISO Heather Roszkowski in a recent interview with Information Security Media Group.


"I've really been trying to increase user awareness training around phishing to avoid those credentials from being exploited," she says. This extra vigilance in defense against phishing comes in the wake of massive hacking attacks in the healthcare sector, including those affecting Anthem, Premera Blue Cross and Community Health System.

VA Under Attack

During a media briefing on April 30, Steph Warren, CIO of the VA, says the VA also has seen "a rampant increase" in malware and intrusion attempts in recent months.


Last November, the VA blocked 15 million intrusion attempts in one month. By March, that number had climbed to 350 million, he says.

As for malware, the VA blocked or contained about 300 million pieces of malicious software last November, but by March, that monthly number had exploded to 1.2 billion.


"It's something that concerns us. If we're not able to knock this back, at some point we'll be overwhelmed."



Medicare smart cards would bring benefits, challenges


The use of electronically readable cards in Medicare could help with the administrative process, but would have a limited impact on eliminating fraud, according to a report publicly released April 24 by the Government Accountability Office.


Much of the success of using such technology would depend on how it compares to the costs and benefits of current paper card systems. Participation by providers would also be a boon or challenge to a new program, the report says.


The GAO looked at the functions of electronic cards, the benefits and limitations to using them and what steps the Centers for Medicare & Medicaid Services and providers would need to take to use the tools.

Some of the ways in which the cards could show promise include:


  • Authentication of beneficiary and provider presence at the point of care
  • Electronic exchange of beneficiary medical information
  • Electronic conveyance of beneficiary identity and insurance information to providers


However, the report's authors add that while some in support of the cards say that fraud reduction could be a benefit of the new system as well, that might not be true.


The federal government puts Social Security numbers on Medicare identification cards, which raises the odds of identity theft and fraudulent billing.


Still, electronic cards could have a limited impact in this area because "CMS officials stated that Medicare would continue to pay claims regardless of whether a card was used due to legitimate reasons why a card may not be present," the report says.


GAO adds that storing medical data on the cards in addition to electronic health record systems could lead to problems with ensuring information is synchronized and current.


To implement electronically readable cards would also be a time and resource consuming endeavor, the report's authors say. They evaluated the success of such programs in France and Germany, which proved a readable card system could be implemented, but only after many years of work.



HIPAA Rules and Procedures in the Event of a Data Breach, Part One


As discussed in my prior post, recent massive data breaches at major retailers and health insurance providers paint a bleak picture of modern data security and emphasize the importance of strong security safeguards and plans for handling suspected security breaches of electronic protected health information (“ePHI”). In the healthcare context, a security breach of a covered entity’s (CE) or a Business Associate’s (BA) data security system triggers the Security Rule and can trigger certain breach notification requirements under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). This post will discuss the investigation needed to determine whether a breach has taken place, while the next post will discuss the necessary notifications in the event of a breach.

Determining Whether an Actionable Breach Has Taken Place

HIPAA defines a security breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted…which compromises the security or privacy of the protected health information.” Pursuant to this definition, the first thing a CE must do is investigate the breach and determine whether unsecured PHI has been compromised. Data is compromised when there is “a significant risk of financial, reputational, or other harm to the individual.”

PHI is unsecured when the PHI “is not … unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary…” Thus, PHI is secure when the data is either encrypted to certain technology standards or the ePHI has been destroyed, which means breach notification is not required. However, encrypted PHI is only secure if the key to decrypt the data is secure and remains confidential.

If ePHI is not encrypted, or the decryption key is no longer secure, the data is not secure and a data breach will trigger breach notification.

Thus, the best compliance practice is to encrypt all ePHI, whenever practicable, to take advantage of this regulatory safe harbor. Because breach notification can cause irreparable harm to an entity’s reputation and financial status, encryption is an important means to mitigate damages and risks of a data security breach.

In the case of a suspected security breach, a covered entity needs to investigate the incident thoroughly: determine whether a security breach of unsecured PHI occurred, and establish the extent of the breach or leak and the amount of PHI involved, before it can take steps to stop the leak of PHI and reduce the damage caused by the breach.

In 2013, the Omnibus Final Rule (“Final Rule”) released by the Department of Health and Human Services (“HHS”) redefined what was considered a security breach. Now, a security breach is presumed unless the entity can demonstrate that there is a low probability that any unsecured ePHI has been compromised.

The only way to show a low probability of compromise is by conducting a risk assessment to consider at least four significant factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

If a covered entity cannot identify a low probability that unsecured ePHI has been compromised, breach notification is triggered.



As Health Apps Hop On The Apple Watch, Privacy Will Be Key


One day soon, you may be waiting in line for a coffee, eyeing a pastry, when your smart watch buzzes with a warning.


Flashing on the tiny screen of your Apple Watch is a message from an app called Lark, suggesting that you lay off the carbs for today. Speak into the Apple Watch's built-in mic about your food, sleep and exercise, and the app will send helpful tips back to you.


The notion of receiving nutrition advice from artificial intelligence on your wrist may seem like science fiction. But health developers like Lark are making a bet that Apple's first wearable device, the Apple Watch, will fly off the shelves and this kind of behavior will become the norm.

Lark is just one of over a dozen health developers with new apps for the Apple Watch, which ships to consumers this week. These apps range from medication management to a button that provides instant, virtual access to a doctor.


Apple has made no secret of its health and fitness plans for the Apple Watch. And in recent months, it has recruited medical experts to work on services like ResearchKit and HealthKit, which aim to open up the flow of health data between consumers, mobile developers and medical researchers.


But is Apple doing enough to protect the privacy of your sensitive health data?


In advance of the Apple Watch's release, the company has taken some steps to put you in control of how your data is shared. You can choose to share health information with third-party apps like Lark via Apple's Health app, which comes with the device. Your health data, collected via the Apple Watch or the iPhone, is stored on Apple's HealthKit.

"Apple is leaving your HealthKit data on the device and not collecting it," said Morgan Reed, executive director at The App Association, a Washington, D.C., nonprofit that works with patient advocates and app developers.


According to Reed, this prevents third-party app developers from selling your health data without your consent.

"It also means that if an employer wants access to your health care information, they would have to demand that you give it to them," he said.


But it's still early days for the Apple Watch, and it remains to be seen whether health developers will follow Apple's privacy guidelines.

"We haven't had a developer ecosystem for a product like a smart watch," said Ben Bajarin, who specializes in consumer technology for Creative Strategies, a consulting firm. "This is [uncharted] territory."


A Message On The Wrist


Health app developers hope the Apple Watch will improve how doctors and patients communicate.


Imagine a doctor receiving a buzz on the wrist for an e-prescription request, which could be approved with a few taps. A patient could receive a similar alert when test results are available.


Developers are exploring these possibilities and more.

"We are predisposed to small changes on the skin. It was not that long ago — and is still the case in parts of the world — that mosquitoes used to kill us with a light touch," said Ron Gutman, chief executive of HealthTap, a website and mobile app for secure video calls with a doctor.


"It is so easy to turn off a notification from a website, but you can't ignore what's on your wrist," he said.

Gutman was so intrigued by Apple's smart watch that he developed three apps: one to help you manage your meds; another that connects you to a doctor with the touch of a button; and a third, which helps physicians reach new patients.



Managing Medications

For patients who are juggling a variety of meds — all with different dose requirements — an Apple Watch app that sends alerts to the wrist could prove useful.


WebMD, used by millions of people to check their medical symptoms, tossed around a bunch of ideas before settling on medication adherence.


"All we wanted is for the user to be reminded that it's time to take their medication, and then quickly tell us whether they plan to take it or skip it or snooze," said Ben Greenberg, who heads up WebMD's mobile products. "That interaction demands so little." The app also instructs people whether to take their medication with food, or at a certain time of day.


Other companies that are developing medication adherence apps for the Apple Watch include MangoHealth, which can also tell you how well you've managed your prescriptions over time, and pharmacy giant Walgreens.


Appealing To Doctors


Some app developers hope that doctors will flock to buy the Apple Watch to help them manage an overload of patient information.

"Doctors are finally getting amazing hardware that just works, and they're willing to pay a premium for it," said Daniel Kivatinos, cofounder of Drchrono, an electronic medical record company.


Using Drchrono's app for the watch, a doctor can receive alerts, such as when a patient has arrived at their office.


The watch could prove useful in helping doctors communicate with each other about tricky medical cases. Doximity, the Facebook for doctors, has developed a secure app that care providers can use to dictate notes, send messages and receive notifications that a fax has arrived.


But the Apple Watch's appeal may be limited to certain specialties, such as family physicians and dermatologists. Surgeons routinely remove their rings and watches before procedures, to ensure their hands stay sterile.


Moreover, doctors will need to do the work to ensure that apps they use are taking adequate steps to protect patient data. Apps may say that they are meeting privacy requirements, but most aren't properly vetted. The government has long been concerned about the proliferation of mobile health apps that make false or misleading medical claims.


Opportunities And Challenges


Privacy experts and policymakers have been worried about developers that collect and sell personal health information.


The U.S. Federal Trade Commission concluded in a recent study that developers of 12 mobile health and fitness apps were sharing user information with 76 different parties, such as advertisers.


Apple has responded to some of these fears by barring developers from selling health data that it collects via Apple devices to advertisers. After some high-profile hacks to celebrities' accounts, Apple also forbade developers to store sensitive health information in iCloud.

"Apple has clear privacy rules, but consumers should still be on guard," said Reed from the App Association. "Be prepared to take charge of your health information, and feel free to say no to sharing data with apps."



Former Therapist Charged in HIPAA Case


A former respiratory therapist at an Ohio hospital has been indicted for HIPAA violations in connection with alleged inappropriate access to the records of nearly 600 patients.


The indictment of Jamie Knapp, who had formerly worked at ProMedica Bay Park Hospital in Oregon, Ohio, is one of only a handful of criminal prosecutions of individuals for HIPAA violations.


"Overall, criminal prosecutions under HIPAA have not been that common, although we have seen an increase in recent years," says privacy attorney Scot Ganow of the law firm Faruki Ireland & Cox PLL. "I do expect us to see more prosecutions as the interest in healthcare information increases for a variety of purposes, including identity theft, cyberstalking, public shaming and celebrity watching."


According to indictment documents filed this month in a federal court in Ohio, a grand jury indicted Knapp for unlawfully obtaining identifiable health information of 596 patients in violation of HIPAA. The grand jury also charged Knapp with unauthorized access of a protected computer, in violation of federal laws.


"In her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information and protected health information of certain respiratory patients," according to the indictment. "Knapp was not authorized to access the individually identifiable health information and protected health information of other hospital patients."

Federal prosecutors involved in the case did not immediately respond to Information Security Media Group's request for more details about the alleged HIPAA violations.


Accessing protected health information without authorization and the disclosure of this information to a third party carries a jail term of up to 10 years in addition to a maximum fine of $500,000 if the disclosure is made for personal gain, Ganow says.


On May 28, 2014, ProMedica, the parent company of the 72-bed hospital where Knapp worked, began notifying the affected patients that their records were inappropriately accessed between April 1, 2013, and April 1, 2014. The breach was also reported to the U.S. Department of Health and Human Services, which has listed the incident on its "wall of shame" website of major breaches as an unauthorized access/disclosure incident involving electronic medical records and a network server.

Other HIPAA Cases

There have been only a handful of other HIPAA-related indictments of individuals that have resulted in convictions and prison sentences.

"Most recently, we saw the criminal conviction of hospital employee Joshua Hippler in Texas for wrongful disclosure of individually identifiable health information for personal gain," Ganow notes. In February, Hippler was sentenced to serve 18 months in prison after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information.


Federal prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital, where he obtained protected health information with the intent to use it for personal gain.


In another case in October 2013, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.


Ganow predicts prosecutors will pursue more of these criminal HIPAA cases. "As long as the healthcare industry continues to actively use Social Security numbers and not take steps to redact them or commit to a minimum use policy, we will see increased criminal activity and related prosecutions," he says. "Because healthcare records have names, dates of births and SSNs, they are a tempting target for one-stop shop identity thieves."


Still, there are steps that healthcare entities can take to minimize insider breaches.


"It's not enough to have your policies, procedures and safeguards in place. You have to continually assess your security posture for new threats or new risks as a result of a new use of information," he says.

"In some instances, such as transactions under the Affordable Care Act, SSNs are required and a necessary evil because of tax implications. That said, healthcare entities would do well to isolate SSNs from other data, encrypt or redact SSNs whenever possible, and embrace the 'minimum necessary' use principle under HIPAA to mitigate risks to SSNs and all PHI," Ganow suggests.


"Technology can only do so much. Data governance still comes down to people," he adds. "Train employees well and audit their compliance. We stress to clients that data privacy and security is everyone's business. You will always have bad actors, but you can prevent their bad acts or mitigate resulting harms from such bad acts with solid policies, procedures, training and oversight."



Don't confuse EHR HIPAA compliance with total HIPAA compliance


Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.


Unfortunately, what many organizations today don’t realize is, just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.


Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for the purpose of protecting PHI.


In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.


Unfortunately, addressing risks to electronic patient data is not always a top priority.


We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.


While some EHR systems and their related equipment have security features built into or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often web-enabled (can connect remotely to send information to a server), but that equipment may not be checked for proper security.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.


There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.


Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.


Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct an annual HIPAA security risk analysis (specifically required under HIPAA rules). This can involve regularly engaging with a trusted provider that can remotely monitor and maintain your network and devices to ensure ongoing security.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PINs, so that access to patient information is limited to authorized individuals only.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.
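Two of the items above, role-based access restrictions and audit trails, are exactly what would surface the kind of insider access described in the ProMedica case earlier on this page, where a therapist authorized for certain patients viewed the records of many others. The following is an added example, not code from the article or from any EHR vendor: it reviews constructed audit-trail lines against a constructed patient-assignment table and flags users who viewed patients they were not assigned to. The log line format, the assignment table, and the alert `threshold` are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of an EHR access audit trail (hypothetical line format,
# not any real product's log). Each line: ISO timestamp, user, role, action,
# patient id. One deliberately malformed line exercises the error path.
SAMPLE_AUDIT_LOG = """\
2014-03-12T08:15:02Z user=rt01 role=respiratory_therapist action=VIEW patient=P1001
2014-03-12T08:16:40Z user=rt01 role=respiratory_therapist action=VIEW patient=P1002
2014-03-12T08:20:11Z user=rt01 role=respiratory_therapist action=VIEW patient=P2230
2014-03-12T08:21:05Z user=rt01 role=respiratory_therapist action=VIEW patient=P2231
2014-03-12T08:21:59Z user=rt01 role=respiratory_therapist action=VIEW patient=P2232
2014-03-12T09:02:13Z user=rn07 role=nurse action=UPDATE patient=P3100
2014-03-12T09:05:44Z user=rn07 role=nurse action=VIEW patient=P3101
2014-03-12T09:30:00Z user=md03 role=physician action=VIEW patient=P1001
2014-03-12T10:00:00Z user=tmp99 role=contractor action=VIEW patient=P1001
this line is malformed and must be reported, not silently dropped
"""

# Constructed assignment table: the patients each user is authorized to access.
# A real system would derive this from scheduling or treatment-team data.
SAMPLE_ASSIGNMENTS = {
    "rt01": {"P1001", "P1002"},
    "rn07": {"P3100", "P3101"},
    "md03": {"P1001", "P2230"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_audit_log(text):
    """Return (events, malformed): parsed event dicts and raw lines that did not parse."""
    events, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
        else:
            malformed.append(line)  # never drop audit data silently
    return events, malformed


def unauthorized_accesses(events, assignments):
    """Collect, per user, every access to a patient outside that user's assigned set."""
    hits = defaultdict(list)
    for event in events:
        # A user with no assignment row (e.g. a contractor account) is allowed nothing.
        allowed = assignments.get(event["user"], set())
        if event["patient"] not in allowed:
            hits[event["user"]].append((event["ts"], event["action"], event["patient"]))
    return dict(hits)


def flag_users(hits, threshold=2):
    """Alert on users who touched at least `threshold` distinct unassigned patients."""
    flagged = {}
    for user, records in hits.items():
        distinct = {patient for _, _, patient in records}
        if len(distinct) >= threshold:
            flagged[user] = sorted(distinct)
    return flagged


def review_audit_trail(text, assignments, threshold=2):
    """End-to-end review: parse, compare against assignments, and build a report."""
    events, malformed = parse_audit_log(text)
    hits = unauthorized_accesses(events, assignments)
    return {"flagged": flag_users(hits, threshold), "hits": hits, "malformed": malformed}


if __name__ == "__main__":
    report = review_audit_trail(SAMPLE_AUDIT_LOG, SAMPLE_ASSIGNMENTS)
    for user, patients in report["flagged"].items():
        print(f"ALERT {user}: accessed {len(patients)} unassigned patients: {patients}")
    for line in report["malformed"]:
        print("MALFORMED audit line:", line)
```

Single out-of-assignment views (the contractor line) are kept in the `hits` detail for manual review even though they fall below the alert threshold.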


Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.



Protect Your Practice Data Against a Breach


Technology has changed the face of patient care. But it has also opened a Pandora's Box of lurid and potentially expensive data breaches. Don't be lulled into a false sense of security because you may think your practice is too small to be a target for hackers. The lessons for large health systems are as relevant as those for small, independent practices. Data security can't be left to chance.

Ike Devji, an Arizona-based asset protection and risk-management attorney, works with physicians to help them develop policies to protect their practice data and minimize liability risk. He says most doctors suffer from what he calls "risk myopia," meaning that they are focused too intently on mitigating malpractice risk. But what about identity theft or HIPAA violations or securing patient financial data? "If [data breaches] could happen to the most sophisticated companies in the world, who have entire dedicated teams of IT security professionals, believe me, it can happen to your medical practice," cautions Devji.

So what should you do? There are many ways that your practice can protect itself against data breaches, even if your technology budget is slim. Here's how our experts say you should start.

TAKE DATA SECURITY SERIOUSLY

Even before you invest in software and support services to protect your patient data, you need to be clear about how your practice will approach data security. Too often, practice policies are absent or left up to individuals to haphazardly carry out. According to Devji, that is asking for trouble.

Devji's experience has taught him that practices often don't take cybersecurity seriously enough. He says that crimes happen most often when there is opportunity — it is easier for hackers to target a small practice and steal patient credit card numbers, than it is to, say, break into American Express.

Another concern for practices is making sure they are compliant with HIPAA regulations. In 2013, HHS released the HIPAA Omnibus Rule that strengthened the original provisions in HIPAA, bringing the total number of regulations up to 49, says Marion Jenkins, chief strategy officer at 3t Systems, a healthcare consulting company. He says the regulatory landscape is complex, and even a small practice could be looking at hundreds of thousands of dollars in fines for an unintentional HIPAA violation.

Devji says his firm makes sure that clients have an appropriate data security plan in place that includes HIPAA protections, limits staff access to protected health information (PHI), and also identifies the individual(s) who will be responsible for implementing and monitoring the plan. Here are five other key provisions that should be part of any data security plan.


FIND QUALIFIED IT SUPPORT


Because smaller practices don't generally have an IT support budget, they tend to gravitate to free tools and solutions, which can be problematic, says Boatner Blankenstein, senior director of solutions engineering for Bomgar, an enterprise technology solutions company. "Without having IT resources, there's just a lot of opportunity for misuse of technology. Scams and things — people calling and saying they're here to help you and they are really not," he says.

Jenkins says that the strongest leg of your risk-prevention strategy should be finding professional IT support that you can trust. "I have a three-question quiz that [practices] can give to an IT provider … The quiz has to be given orally, because the first question is 'How do you spell HIPAA?' The second question is 'What does it stand for?' and the third question is 'What is the difference between HIPAA security and HIPAA privacy?' If they can't answer those three questions, then you probably have a HIPAA problem waiting to happen," he says.

PROVIDE STAFF TRAINING AND EDUCATION

Your staff members are not able to learn your data security policies through osmosis. So, you must make data security a priority and teach them how to approach it. Devji says many times HIPAA violations occur through simple mistakes, like failing to lock computers and mobile devices with passwords, and copying sensitive data to an unencrypted USB drive.

Your staff training should cover at a minimum:

• The use of practice computers for personal e-mails and Internet surfing;

• Transporting data offsite using mobile devices;

• Protocols for departing staff members, e.g. changing passwords and network access;

• Educating staff on HIPAA requirements;

• The use of mobile devices at home and work; and

• Encrypting all patient data, regardless of the device.

INSTALL AND UPDATE ANTI-VIRUS SOFTWARE

In the course of a normal business day, practices are communicating electronically with multiple websites and healthcare networks, like CMS, third-party payers, and the CDC, for example. It is vital to have adequate virus and malware protection programs installed on all desktop computers and mobile devices, especially if they are used to access the practice's EHR system.

"[Anti-malware, anti-virus protection, anti-spam] are absolutely required by HIPAA. One of the 49 requirements is you have to protect your systems from malicious software," says Jenkins.

But don't stop there. Your software must be updated on a continuous basis. How many times have you skipped over software updates for your computer because you are too busy to stop what you are doing? Unfortunately, when you do that, you are missing out on critical security patches. Devji says "many of those updates are security specific and are continually patching vulnerabilities that are found in those programs." Skipping updates just makes it that much easier for hackers to access your computer system.


ADOPT DATA ENCRYPTION


Protecting your patient data doesn't always require a sophisticated security solution. The safest thing a practice can do is guard against the loss or theft of mobile devices and make sure that all data is encrypted — both at rest and in motion. The Verizon 2014 Data Breach Investigations Report found that together, insider misuse, miscellaneous errors, and physical theft and loss accounted for 73 percent of security breaches in the healthcare industry.

The report recommends:

• Encrypting mobile devices, like laptops and USB drives;

• Backing up sensitive data; and

• Securing mobile devices with locks to immovable fixtures, like cabinets, when not in use.


CONDUCT SECURITY AUDITS


Many practices are not aware that conducting an internal risk assessment is required by HIPAA, says Jenkins. He says he has conducted over 100 HIPAA security assessments, and the number of practices that have passed is "less than 5 percent." He says that while there are templates available through the HHS Office of the National Coordinator for Health Information Technology's website, practices should consider soliciting professional help, as "some of [the assessment] is pretty technical."

Some key action points here are:

• Engage an IT security expert or EHR vendor to audit your networks, equipment, and processes.

• Make sure that software upgrades are current on all equipment and devices.

• Review your anti-virus software to make sure it provides adequate protection.


IN SUMMARY


Medical practice data security can't be left to chance; the stakes are just too high. Fortunately, after securing professional advice, there are simple things you can do to secure your information.

Take these steps to ward off loss of data and equipment:

• Create a practice data security plan

• Provide staff training on data security

• Install anti-virus and anti-malware software

• Adopt data encryption

• Conduct security audits



Two More Health Insurers Report Data Breach


Today, medical insurance providers LifeWise and Premera Blue Cross each reported, separately, that they had been the target of sophisticated cyberattacks, which began on May 5, 2014. Premera will be notifying approximately 11 million affected customers; LifeWise 250,000. Neither organization has evidence that any customer data has been used fraudulently, and neither has yet confirmed that any patient data has indeed been compromised.

They say attackers "may have gained unauthorized access to" members' information, including name, date of birth, Social Security number, mailing address, email address, telephone number, member identification number, bank account information, and claims information, including clinical information.

Individuals who do not have medical insurance through these companies, but do other business with them, might have had their email addresses, banking data, or Social Security numbers exposed.  

These attacks, when combined with the Anthem Healthcare breach reported last month and the Community Health Systems breach in the summer, clearly indicate that health insurance providers have become a popular new target -- and Chinese cyberespionage groups are being implicated.

Anthem first detected suspicious activity Jan. 27 and confirmed on Jan. 29 that an attack had occurred over the course of several weeks in December 2014.

LifeWise and Premera also say they discovered their breaches Jan. 29 -- possibly as a result of Anthem sharing information about their own intrusion with HITRUST's Cyber Threat Intelligence and Incident Coordination Center. However, after investigations by Mandiant -- the same organization conducting the investigation at Anthem -- both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.

Both Premera and LifeWise are providing two years of free credit monitoring and identity theft protection to affected individuals. More information is available at premeraupdate.com and lifewiseupdate.com.



Is Healthcare particularly vulnerable to Hacking?


There are a lot of people saying that; most of them stand to profit if you believe them (including me, in fact).  The Anthem breach gives an opportunity for a bunch of news articles on just this point.  Let's consider this for a moment.

Much hacking and phishing is aimed at access to quick-value money: credit card numbers that can be used right away (with the victim perhaps not knowing about the use until the bill comes, or perhaps not even noticing it when the bill comes), actual bank account or financial account data so current funds can be withdrawn, phony checks written, etc.  In this type of hacking, the reward comes quickly to the hacker, but might be small change and is usually not a long-term proposition.

Some hacking is designed to allow for real identity theft: the hacker acquires a social security number and other information, impersonates the individual to obtain credit cards, car loans, even house loans, runs up big debts, and when the credit card company or bank tries to collect, the impostor is gone with the loot and the victim is left to try to prove that it wasn't him that got/used the credit card, loan, etc.  The reward takes longer, but can be much bigger than snatching a credit card number.

With regard to both of these types of hacks, the victim, the bank or credit card company, and the vendor at which the stolen credit card is used are all incentivized to prevent the hack, since all of them stand to suffer substantial harm: the victim's credit might be ruined (or he might pay for something he didn't get), and the bank, the credit card company, or the later vendor might be left with the bill.

Health records sometimes contain credit card numbers, but often don't, making them not particularly useful for the first type of hack.  On the other hand, health records usually contain social security numbers and other demographic data that can be useful for the second type of hack.  Thus, medical records might be useful for traditional identity theft schemes.

The much bigger risk, and what medical records are particularly well suited for, is medical identity theft.  This type of hack targets patients with good insurance, and allows someone to impersonate the insured and receive the insured's health benefits.  The impostor gets free or reduced cost healthcare, but unlike most other hacks, the "victim" (the person whose data was stolen) doesn't necessarily suffer (or at least doesn't suffer immediately); in fact, the victim might benefit, since the impostor might actually pay a part of the victim's annual deductible.  Additionally, the person whose data was stolen is not in a very good position to know it was stolen, unless he regularly checks his EOBs (frankly, even if he scrupulously checks his EOBs, they can be hard enough to understand that the medical identity theft might not even be noticed).  Rather, the immediate victim is the insurer, who pays for care for someone who did not buy insurance.  And if the insurer discovers the identity theft, the care provider becomes the victim, since the insurer may try to recover the funds paid to the provider for the impostor's care.

Unlike a stolen credit card number, which can be used to purchase almost anything (including cash cards), a stolen medical identity is not as easy to immediately monetize.  However, the lower level of vigilance by the potential victim makes medical identity theft easier to pull off.

More importantly, however, the risks of medical identity theft far outweigh the risk of credit card theft or regular identity theft.  An impostor who receives care while posing as the insured will leave behind a medical record that might be relied upon by some future healthcare provider.  Perhaps the impostor is not allergic to penicillin, but the insured is; the impostor receives care at a hospital and the medical record says the patient may have penicillin.  When the real insured shows up, tragedy might occur.  Thus, while regular identity theft might cause financial ruin to its victims, medical identity theft can kill.

Does the Anthem hack indicate that an epidemic of medical identity theft is on its way?  Most criminals are looking for quick cash, and medical identity theft doesn't offer as quick a reward as access to a bank account or credit card number.  However, given that there is profit to be made in medical identity theft, and the risks are much greater, healthcare providers, insurers, and patients should all be on high alert for signs of it, and be prepared to quickly respond.

