HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Medical Staff Resistance to HIPAA Compliance


Recently, while reading a 2013 article in Information Week, "Doctors Push Back Against Health IT's Workflow Demands," I thought about various scenarios individuals have brought to my attention. It is indisputable that both the healthcare industry and physicians have been dealing with a dramatic shift in the landscape and, in turn, have had to adapt to and implement a variety of new processes. In the article, the authors say, "There's a powerful force working against the spread of health IT: physician anger, as doctors resist adopting workflows that can feel to them more like manufacturing than traditional treatment." There are several reasons for this: uncertainty in reimbursement, the transition to ICD-10, and compliance requirements related to HIPAA and the Affordable Care Act.

Some of the situations that have been brought to my attention include: entities refusing to sign a Business Associate Agreement (BAA); physicians refusing to choose a secure messaging vendor because its app requires a password that must be changed periodically; and physicians handing their username and password to other members of the care team so they can change or add to the electronic health record. All of these scenarios are problematic for several reasons. First and foremost, they violate the legal standards set forth in HIPAA, the HITECH Act, and the 2013 Final Omnibus Rule. Second, each of these practices makes the individual and the organization more vulnerable to a breach. Lastly, refusing to use a password, when that password serves both IT security and compliance, is foolish.

At its core, a Business Associate Agreement is required between a covered entity and any party that creates, receives, maintains, or transmits protected health information (PHI) on behalf of or for that covered entity. The phrase "on behalf of or for" is crucial because it reaches beyond the covered entity's direct relationship with a single business associate: a business associate's subcontractors that handle PHI are covered too. This is the federal HIPAA requirement. States may, and in fact do, have more stringent requirements.

One of the greatest areas of vulnerability is texting sensitive data from smartphones. Hence, it is crucial to make sure that the messaging app encrypts its data and requires a password (ideally backed by two-factor authentication). Yet I have heard stories of physicians belligerently refusing to adopt a technology because of that requirement.

Lastly, giving a nurse or PA access to a medical record using the physician's username and password is absurd. Think of the Ebola case in Dallas, Texas, where the nurses left notes in one section of the record that the physicians did not read. What if both individuals had used the same user ID and password? The audit log would show only that one account, so it could not establish who made which entry. The legal liability associated with this practice is substantial.

Given that these scenarios really do happen, what steps can be taken by physicians and other entities? Here are a few suggestions:

• Adopt a "zero tolerance" policy, with sanctions for non-compliance, covering the medical staff's HIPAA obligations. Many organizations already have these in place.

• Get your Business Associate Agreements in order and keep a log of all the vendors, business associates, and other entities that need to have one — along with the date they were executed.

• Never give your user ID/password to anyone, including IT staff. An administrator can reset your password or grant another user their own access without ever needing yours.
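To make the audit-log point concrete, here is an added example (not code from the original article) that scans an EHR audit trail for the tell-tale sign of a shared password: one account logged in on two workstations at the same time. It assumes a simplified log format of `timestamp,user,workstation,event` with LOGIN, LOGOUT and NOTE_ADDED events; real EHR audit logs have different fields and would need a different parser. The log lines, user IDs and workstation names are constructed for the example.

```python
"""Detect credential sharing in an EHR audit trail.

Added example, not from the original article. Assumes a simplified,
constructed log format: timestamp,user,workstation,event
with LOGIN / LOGOUT / NOTE_ADDED events. Real EHR audit logs differ.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample. "drsmith" is logged in on two workstations at once
# (08:10-08:30), which one person cannot do: the password was shared.
SAMPLE_LOG = """\
2014-10-01T08:00:00,drsmith,ER-WS-01,LOGIN
2014-10-01T08:05:00,drsmith,ER-WS-01,NOTE_ADDED
2014-10-01T08:10:00,drsmith,ER-WS-07,LOGIN
2014-10-01T08:12:00,drsmith,ER-WS-07,NOTE_ADDED
2014-10-01T08:30:00,drsmith,ER-WS-01,LOGOUT
2014-10-01T08:45:00,drsmith,ER-WS-07,LOGOUT
2014-10-01T09:00:00,nursepham,ER-WS-03,LOGIN
2014-10-01T09:20:00,nursepham,ER-WS-03,LOGOUT
2014-10-01T09:30:00,nursepham,ER-WS-04,LOGIN
2014-10-01T09:50:00,nursepham,ER-WS-04,LOGOUT
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, workstation, event), time-ordered."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ws, event = line.strip().split(",")
            events.append((datetime.fromisoformat(ts), user, ws, event))
    return sorted(events, key=lambda e: e[0])


def sessions_by_user(events):
    """Pair LOGIN with LOGOUT per (user, workstation) -> {user: [(start, end, ws)]}.
    A session still open at the end of the log is closed at the last timestamp."""
    open_sessions, sessions = {}, defaultdict(list)
    for ts, user, ws, event in events:
        key = (user, ws)
        if event == "LOGIN":
            open_sessions[key] = ts
        elif event == "LOGOUT" and key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, ws))
    end_of_log = events[-1][0] if events else None
    for (user, ws), start in open_sessions.items():
        sessions[user].append((start, end_of_log, ws))
    return sessions


def find_concurrent_sessions(sessions):
    """Return (user, ws_a, ws_b, overlap_start, overlap_end) for every pair of
    sessions in which one account was active on two workstations at once."""
    findings = []
    for user, sess in sessions.items():
        sess = sorted(sess)
        for i, (s1, e1, w1) in enumerate(sess):
            for s2, e2, w2 in sess[i + 1:]:
                if w1 != w2 and s2 < e1 and s1 < e2:
                    findings.append((user, w1, w2, max(s1, s2), min(e1, e2)))
    return findings


def possible_origins(sessions, user, ts_iso):
    """Workstations where `user` was logged in at the given time. More than
    one means the log cannot attribute an entry made then to a person."""
    ts = datetime.fromisoformat(ts_iso)
    return sorted({ws for start, end, ws in sessions.get(user, []) if start <= ts <= end})


if __name__ == "__main__":
    sessions = sessions_by_user(parse_log(SAMPLE_LOG))
    for user, w1, w2, start, end in find_concurrent_sessions(sessions):
        print(f"{user}: active on {w1} and {w2} from {start:%H:%M} to {end:%H:%M}")
    print("entry at 08:12 by drsmith could have come from:",
          possible_origins(sessions, "drsmith", "2014-10-01T08:12:00"))
```

On the sample, the only finding is for `drsmith`, and the 08:12 note cannot be attributed to one workstation, let alone one person; `nursepham` uses two workstations in sequence, which is normal. In practice, pair this with HR schedules (an account active while its owner is off shift is the other common signal) and run it over the full audit export rather than a single day.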


Health Providers Beware: HIPAA Breaches May Give Rise To Negligence Actions


Electronic medical records provide a multitude of benefits for providers and patients by promoting efficient record access, cost savings and better patient care. So what's the downside?

Well, for starters, these records are ripe for hacking and inadvertent disclosures. As mentioned in a previous post, health care fraud has reached new heights by and through the theft of personal and medical information.  Left in the wrong hands, the sensitive information contained in these computerized records could unleash a fraud firestorm.

Historically, medical providers have successfully defended against claims brought by plaintiffs whose information was hacked or otherwise improperly accessed by relying on the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), which courts have consistently held creates no private right of action. This success may be short-lived: the number of attacks has increased, and some courts, such as the Connecticut Supreme Court, have indicated a willingness to allow plaintiffs to bring claims for negligence and privacy violations against providers under state law.

HIPAA Standard of Care

In Byrne v. Avery Ctr. for Obstetrics & Gynecology, 314 Conn. 433 (2014), a health center produced a patient's protected health information (PHI) in response to a subpoena without notifying the patient and without taking any steps to protect it from disclosure, in violation of HIPAA's regulations. The aggrieved patient filed an action against the provider for breach of contract, negligence, and negligent infliction of emotional distress.

While noting HIPAA's lack of a private right of action, the Court did not find that limitation dispositive of the negligence claim brought by the patient. The Court indicated that the standards promulgated under HIPAA may inform the standard of care in a state-law negligence claim, so that a HIPAA violation can be evidence of a deviation from that standard.

Will New Jersey Follow Connecticut?

Given the proliferation of electronic medical records and the overwhelming amount of paperwork that healthcare providers deal with on a daily basis, the odds of suffering a HIPAA breach have markedly increased. New Jersey health care providers should be mindful of the Connecticut case, because New Jersey courts may follow this trend of treating HIPAA's requirements as a standard of care that can support a negligence action.

Problem Prevention
  1. Review and update HIPAA policies.
  2. Educate staff on the significance of the policies and demand 100% compliance.
  3. Develop a process to deal with subpoenas to ensure that the practice is in compliance with all applicable standards under federal and state law.


Key Factors for the HIPAA Privacy Rule in Emergencies


The HIPAA Privacy Rule was designed to help keep protected health information (PHI) from becoming exposed or easily accessible to the public. But what happens in an emergency situation? When does the public’s safety trump the privacy of one individual?

That debate is currently underway in Texas, as a nurse who worked at Texas Health Presbyterian Hospital Dallas is now suing her former employer for allegedly violating her patient privacy, as well as not properly training her for emergency situations. Specifically, Nina Pham told the Dallas Morning News that the hospital “failed her” and her colleagues when a patient diagnosed with the Ebola virus was admitted back in Oct. 2014.

In terms of patient privacy violations, though, did the hospital actually do anything that went against HIPAA guidelines? While the impending court case will make the final decision, HealthITSecurity.com will break down the finer points of the HIPAA Privacy Rule, and discuss exactly what should happen in an emergency situation.

HIPAA privacy and patient consent

According to the HIPAA Privacy Rule, a covered entity is permitted, but not required, to use and disclose PHI without the patient's written authorization in the following situations:

  • To the Individual (unless required for access or accounting of disclosures);
  • Treatment, Payment, and Health Care Operations;
  • Opportunity to Agree or Object;
  • Incident to an otherwise permitted use and disclosure;
  • Public Interest and Benefit Activities;
  • Limited Data Set for the purposes of research, public health or health care operations.

Moreover, there are instances where covered entities must obtain written authorization from individuals. These are referred to as "authorized uses and disclosures." For example, a covered entity must get written authorization to disclose psychotherapy notes and to use PHI for marketing, which includes "any communication about a product or service that encourages recipients to purchase or use the product or service."

“A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value,” according to HHS.

Additionally, if the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must say so. Essentially, for certain disclosures, a healthcare provider or hospital needs the patient's written authorization to reveal PHI. However, there are several instances where written authorization is not required, and this is where emergency situations come into play.

Extra guidance from the OCR

When Ebola was making headlines in the US last fall, partly due to what was happening at the Texas hospital, the Office for Civil Rights (OCR) released its own guidelines. These were meant to further clarify the HIPAA Privacy Rule, and ensure that the public and covered entities understood exactly what was allowed and why it was allowed.

“The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” according to the OCR.

Moreover, it is important for public health authorities and facilities responsible for ensuring public health and safety to have access to the PHI they need to fulfill their mission of keeping the public safe. For example, the Centers for Disease Control and Prevention (CDC) or state health departments may be given that information. Along similar lines, a foreign government agency that is working with a public health authority may receive certain information.

Finally, notification may also be given to individuals who are at risk of contracting or spreading a disease, which helps keep dangerous diseases from spreading.

Even so, it is essential that the “minimum necessary” is kept, according to the OCR. Only the minimum amount of information necessary should be disclosed.

“For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose. Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”

A key point to the HIPAA Privacy Rule discussed by the OCR is that a covered entity can share information about a patient “as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.” This could even include the police, the press, and the general public.

That being said, the healthcare organization must still try and receive verbal permission from the patient. If the individual is deemed to be incapacitated, then a covered entity can disclose certain information if they decide that it is in the best interest of the patient.

Finding the right balance

HIPAA is meant to keep sensitive data from becoming public knowledge. However, covered entities also need to prevent serious or imminent threats to the health and safety of the public, and striking that balance between patient privacy and public safety is not easy. Current and comprehensive administrative, physical, and technical safeguards are key, as is having staff members fully educated on the HIPAA rules. No covered entity can guarantee that a data breach or patient privacy violation will never occur, but all must remain diligent in prevention.


HIPAA privacy and public health emergency situations


In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a bulletin reminding health care providers that “the protections of the Privacy Rule are not set aside during an emergency.” OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures. Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, and should provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization.  OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient.  HIPAA also allows covered entities to release patient information without authorization for certain public health activities.  A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability.  Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority.   In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law.  Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information.  A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons who the patient identifies as being involved in the patient’s care and disaster relief organizations.  Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies.  For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies. Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient. If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and to describe the patient’s condition in general terms (critical or stable, deceased, or treated and released), provided the patient has not objected to or restricted the release of this information. Information about an incapacitated patient may be released only if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences. OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient, or of specific information about the patient, may not be done without the written authorization of the patient or an authorized personal representative, unless one of the limited circumstances described elsewhere in OCR’s bulletin applies.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act.  The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency.  The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol.  Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.


Survey: Charging patients for EHR access may violate HIPAA

Dive Brief:
  • A survey of healthcare providers has revealed that as much as 25% of those who charge patients for EHRs may be violating HIPAA rules by doing so, according to a report released by the American Health Information Management Association.
  • While it is permitted to charge patients a "reasonable, cost-based fee" to access their electronic medical records, the survey revealed that many providers simply mimic their individual state's photocopy policy for public records requests, charging around $1 per page. Because the fee being charged to the patient is not related to the cost of providing the record, it constitutes a violation of HIPAA policy, the report stated.
  • "Regarding charges for electronic and paper copies of records, more than half (52.6%) of respondents indicated that they charge patients for electronic copies of their medical records, and nearly two-thirds (64.7%) reported that they charge patients for paper copies of their medical records," the report stated. "Charges for electronic copies varied from a flat fee for a device to per-page fees or some combination of the two, and charges for paper copies were generally by page, with 65% reporting that they charged less than $1.00 per page. Nearly one in four respondents (23.6%) commented that they follow their state's rates for copies. Following the state rates would suggest that the fees are not uniquely based on the cost to the facility. This finding would appear to be inconsistent with HIPAA and HITECH requirements that patients may only be charged a 'reasonable cost-based fee' for copies of their medical records."
Dive Insight:

There is no doubt that EHR implementation is one of the most expensive projects the healthcare industry has ever undertaken, and it's obvious that the cost will eventually be passed on to the consumer. Taxpayers are already footing the bill for the $28 billion Congress appropriated to promote EHR adoption through the meaningful use program, but that still doesn't cover all of providers' EHR expenses.

All that being said, what's at issue here is a patient's right to obtain his or her medical records. The whole point of the paperless revolution is to streamline health information and reduce costs associated with paper-only records. By that logic, HIPAA requirements are reasonable. They simply state that providers don't have the right to charge patients unreasonably to get electronic copies of their records.

Now, $1 a page (or even less) may not sound unreasonable on the surface, but with medical advances transforming many fatal conditions into chronic conditions, patients are living longer with proper treatment. It's not uncommon for a cancer patient in remission to have hundreds of pages in their medical records. And in the age of the ACA, many patients are changing doctors and plans, necessitating transfer of the EHRs. Is it fair to charge several hundred dollars for a process that is equivalent in many cases to pointing, clicking and sending an email?


Expect more, bigger healthcare breaches | Healthcare IT News


The potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually, according to a new report from Experian, a global information services firm. The report is Experian's second annual data breach forecast across industries.

For healthcare, the forecast is stormy.

Expect persistent and growing threats, Experian warns.

The report points to the expanding number of access points to protected health information (PHI) and other sensitive data, through electronic medical records and the growing popularity of wearable technology, as the catalysts that make the healthcare industry a vulnerable and attractive target for cybercriminals.

"We expect healthcare breaches will increase – both due to potential economic gain and digitization of records. Increased movement to electronic medical records and the introduction of wearable technologies introduced millions of individuals into the healthcare system and, in turn, increased the potential for data breaches," the report notes.

"Healthcare organizations face the challenge of securing a significant amount of sensitive information stored on their network, which combined with the value of a medical identity string makes them an attractive target for cybercriminals," the authors add. "The problem is further exacerbated by the fact that many doctors' offices, clinics and hospitals may not have enough resources to safeguard their patients' PHI. In fact, an individual's Medicare card – often carried in wallets for doctors' visits – contains valuable information like a person’s Social Security number that can be used for fraud if in the wrong hands. Currently, we are not aware of any federal or law enforcement agency which tracks data on SSN theft from Medicare cards, but the problem is widely acknowledged."

This year, Reuters reported that the FBI released a private notice to the healthcare industry warning providers that their cybersecurity systems are lax compared to other sectors.

According to the Ponemon Institute, 72 percent of healthcare organizations say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data shared on HIEs.

The takeaway? "Healthcare organizations will need to step up their security posture and data breach preparedness or face the potential for scrutiny from federal regulators. Reported incidents may continue to rise as electronic medical records and consumer-generated data adds vulnerability and complexity to security considerations for the industry."


Biggest Health Data Breaches in 2014


The five biggest 2014 health data breaches listed on the federal tally so far demonstrate that security incidents are stemming from a variety of causes, from hacker attacks to missteps by business associates.

The top breaches offer important lessons that go beyond the usual message about the importance of encrypting laptops and other computing devices to prevent breaches involving lost or stolen devices, still the most common cause of incidents. They also highlight the need to bolster protection of networks and to carefully monitor the security practices of business associates.

The Department of Health and Human Services' Office for Civil Rights adds breaches to its "wall of shame" tally of incidents affecting 500 or more individuals as it confirms the details. A snapshot of the federal tally on Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3 million individuals have occurred since the HIPAA breach notification rule went into effect in September 2009.

According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals.

The largest breach in 2014 was the hacking attack on Community Health Systems, which affected 4.5 million individuals. In that incident, forensic experts believe an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the hospital chain's systems.

The Community Health Systems incident is also the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach is a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., which affected 4.9 million individuals.

Business Associate Troubles

The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program. The breach arose when the state ended its contract with Xerox. The vendor allegedly failed to turn over to the state computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals.

Another top five health data breach in 2014 involved both a business associate and a more familiar culprit - stolen unencrypted computing devices. That Feb. 5 incident involved a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. The theft of eight unencrypted desktop computers from an office of Sutherland Healthcare Services - L.A. County's vendor - affected more than 342,000 individuals, the federal tally shows. Initially, that breach was believed to have impacted about 168,000 individuals, but the figure was subsequently revised.

Unsecure Files

The fourth largest 2014 breach on the federal tally involved Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services, which became aware in May "that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the Internet." The breach affected more than 307,000 patients.

The fifth largest breach of the year occurred at the Indian Health Service, an HHS agency. That incident, which affected 214,000 individuals, involved an unauthorized access or disclosure involving a laptop computer, according to the tally.

Shifting Trends

The largest health data breaches in 2014 highlight some shifting trends compared with previous years.

"In our opinion, hacker attacks are likely to increase in frequency over the next few years," says Dan Berger, CEO of security services firm Redspin. "Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes." That trend puts a spotlight on the need to do comprehensive penetration testing, as well as taking other steps to bolster security, he says. "If I was a hospital executive ... I'd want to know the most likely means by which a hacker can break in."

Nonetheless, while incidents involving hackers in the healthcare sector appear to be on an uptick, insiders still pose the biggest threat to most entities, says Michael Bruemmer, vice president of Experian Data Breach Resolutions.

"Of all the incidents we service, regardless of the vertical [market], 80 percent of the root cause is employee negligence," he says. That includes such mistakes as losing laptops or clicking on a phishing e-mail. "Employees are still the weakest link," he says in a recent interview with Information Security Media Group, calling for ramped-up, job-specific privacy and security training.

Meanwhile, incidents such as the Texas Medicaid/Xerox breach also highlight the need for organizations to bring more scrutiny to their business associate relationships. Business associates, as well as their subcontractors, are directly liable for HIPAA compliance under the HIPAA Omnibus Rule that went into effect in 2013.

The breach tally also illustrates the need for HIPAA covered entities and business associates alike to strengthen their security risk management programs.

"The data tells us that a HIPAA security risk analysis, while mandatory, is necessary but not sufficient. The remediation plan is even more important," Berger says.

"Too often healthcare organizations do not allocate enough resources to fix the problems identified in the risk analysis. We also see a need for more frequent vulnerability analysis, Web application assessments and social engineering testing. Stated another way, the healthcare information security programs need to mature."


Latest HIPAA settlement emphasizes need to regularly address software vulnerabilities | Lexology


On December 2, the Department of Health and Human Services, Office for Civil Rights (OCR) announced a $150,000 settlement with Anchorage Community Mental Health Services, Inc. (ACMHS) for alleged violations of the HIPAA Security Rule. The announcement followed an OCR investigation into a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals. OCR highlighted three Security Rule violations in its resolution agreement: (1) failure to conduct an accurate and thorough risk analysis; (2) failure to implement security policies and procedures; and (3) failure to have reasonable firewalls in place, as well as supported and patched IT resources. In a press release regarding the settlement, OCR Director Jocelyn Samuels noted that “successful HIPAA compliance . . . . includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

OCR began its investigation after ACMHS reported a malware-related breach of unsecured ePHI on March 12, 2012. OCR stated that the breach was the direct result of ACMHS’ failure to “identify and address basic risks” to the security and confidentiality of ePHI in its custody. ACMHS adopted sample Security Rule policies and procedures in 2005, but apparently did not implement them until OCR’s investigation began in 2012. OCR’s review of the ACMHS IT infrastructure revealed critical shortcomings including unpatched systems running outdated or unsupported software, and inadequate firewalls with insufficient threat identification monitoring of inbound and outbound traffic.

The ACMHS settlement emphasizes three key takeaways for HIPAA covered entities and business associates:

  • Tailor Security Rule compliance programs. Although the HIPAA Security Rule provides flexibility to entities in choosing the most appropriate compliance strategies, each organization must (1) conduct an accurate and thorough assessment of the particular risks facing ePHI held by the entity and (2) tailor its policies and procedures to adequately address those risks. This settlement demonstrates that a “one size fits all” approach based on template policies and procedures will not suffice for Security Rule compliance.
  • Conduct regular and thorough risk assessments. As OCR and NIST emphasized at a September conference on safeguarding health information, comprehensive risk analysis and risk management are two cornerstones of an effective IT security program. In its press release regarding the ACMHS settlement, OCR highlighted its Security Rule Risk Assessment Tool, released in March 2014, which was developed to assist small- to medium-size providers with conducting risk assessments.
  • Regularly patch and update software. The OCR investigation determined that the breach suffered by ACMHS may have been preventable had its employees regularly patched known vulnerabilities and kept software up to date. OCR also identified the need for entities to maintain threat identification monitoring, which is significant given the dynamic and evolving cybersecurity threat landscape.

In addition to the monetary payment, the settlement agreement imposes a two-year corrective action plan. The ACMHS settlement follows a series of enforcement actions in which OCR has entered into resolution agreements and corrective action plans with HIPAA covered entities for alleged violations of the Privacy, Security, and Breach Notification Rules. In the past two years, OCR has entered into twelve HIPAA resolution agreements, with settlements totaling over $11.7 million. As OCR prepares to roll out the next phase of its audit program, which will be used as an enforcement tool and may lead to full-scale compliance reviews, HIPAA-regulated entities should examine their security practices to ensure they are appropriately managing risks to ePHI—which includes reviewing systems and applications for unpatched vulnerabilities or unsupported software.

OCR fines behavioral health service $150,000 | HIPAA Update

The Office for Civil Rights (OCR) announced December 8 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations, according to a press release. 

OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service. On March 12, 2012, ACMHS notified OCR of a breach affecting 2,743 individuals. The breach was the result of malware that compromised the security systems of the behavioral healthcare provider, according to OCR.

The resolution agreement states that ACMHS failed to:

  • Conduct an accurate and thorough risk assessment of ePHI from April 21, 2005, through March 12, 2012
  • Implement security policies and procedures to reduce risks and vulnerabilities to ePHI from April 21, 2005, through March 12, 2012
  • Implement technical security measures to safeguard against unauthorized access to ePHI by failing to ensure firewalls were in place and that information technology resources were supported and updated with patches from January 1, 2008, through March 29, 2012

In addition to the monetary settlement, as part of the corrective action plan with OCR, ACMHS agreed to:

  • Provide an updated version of its security policies and procedures
  • Adopt a revised version of OCR-approved security policies and procedures
  • Distribute revised security policies and procedures to workforce members who work with ePHI and provide security awareness training
  • Obtain signed written or electronic initial compliance certification from all workforce members stating that they read, understand, and will abide by security policies and procedures


Are You Ready for a HIPAA Audit?

CynergisTek, a health information technology security consultancy, is offering a full-scale mock audit for HIPAA privacy, security and breach notification compliance to prepare covered entities for real audits from the HHS Office for Civil Rights.

The mock audit will apply OCR timelines and follow the government’s process, starting with receipt of an audit notification letter. Other areas covered include compiling the required documentation and reviewing it for deficiencies, onsite interviews with staff, draft and final audit reports, a workshop on findings and lessons learned, and a performance evaluation presentation to senior executives.

“CynergisTek will hold your staff to OCR standards when assessing your organization’s ability to demonstrate HIPAA compliance and will identify your organization’s readiness and ability to respond,” according to information from the company. The audit may be disruptive to normal operations, as would a real one, it warns.

Is It Possible to be HIPAA Compliant? -

A recent article on Forbes by Dan Munro asked the question whether anyone is really HIPAA compliant in healthcare. As recognized in the article, answering this question is not a simple and direct matter. From one perspective, many entities are compliant with HIPAA requirements, others are clearly not compliant, and then some organizations may not even need to comply. Getting a clearer answer to this question will be necessary sooner rather than later though.

As has been well documented, the Office for Civil Rights at the Department of Health and Human Services has been issuing fines against organizations breaching their HIPAA requirements. The fines have been levied in a variety of circumstances and are often being used to provide lessons to healthcare entities. For example, one entity was fined for not implementing a breach notification policy, many for not encrypting mobile devices and others for not performing a risk analysis.

Another element impacting the ability to be HIPAA compliant is the expanding universe of places where protected health information can be found. The growth of mobile applications and portable devices has exponentially increased the number of places where protected health information is both created and stored. The large number of locations places compliance obligations on a similarly wide variety of organizations, from health care providers to app developers to data storage companies and others. A major issue is that not everyone is aware of what it takes to comply with HIPAA, and some claim to be certified when no such certification exists from the government.

However, instead of focusing on whether it is possible to be HIPAA compliant, it may be more appropriate to ask what it means to be HIPAA compliant. Determining what it means to be HIPAA compliant requires understanding the HIPAA rules, in particular the Privacy Rule, the Security Rule and the Breach Notification Rule. These rules provide a framework to guide covered entities, business associates and others who may be swept under the ambit of HIPAA in establishing policies and procedures.

The Privacy Rule is designed to set standards for the protection of protected health information. Privacy is achieved by controlling the use and disclosure of protected health information. Under the Privacy Rule, protected health information can be used only with an authorization in certain circumstances, in others after the individual has received the opportunity to object, and in certain clearly defined instances without any need for authorization or objection. The Privacy Rule also affords individuals certain qualified rights to access, amend, or receive accountings related to the use of their protected health information. As initially stated, the basic purpose is to protect the integrity of the data and limit how the information may be used.

From the compliance perspective, the Privacy Rule sets forth clear policies that must be put into place. When preparing policies, it is actually reasonable to take the language right from the regulations, to an extent. In somewhat of a rarity in the healthcare regulatory context, the Privacy Rule is relatively clear cut.

The second aspect of HIPAA compliance is satisfying the requirements of the Security Rule. Much like the Privacy Rule, the Security Rule is intended to protect the safety of protected health information. The Security Rule includes administrative, physical and technical safeguards. As such, while it primarily covers electronic information, there are aspects impacting physical information as well. Digging deeper into the Security Rule, its requirements are broken into two categories: required elements and addressable elements. As a result, it may not be necessary to implement a policy or procedure for every single element of the Security Rule.

From the compliance perspective, the Security Rule is meant to be flexible and scalable. A large hospital system will need very different security policies and procedures than a physician’s office with four providers. However, an essential first step is to perform a risk analysis. A risk analysis will reveal an entity’s vulnerabilities when it comes to the confidentiality, integrity and availability of protected health information. Once a risk analysis is performed, an entity can then take the results and determine which policies and procedures it needs. Additionally, for those elements that are addressable, the risk analysis can help supply the support necessary to decide whether or not to implement that policy.

The third and last major component necessary under HIPAA now is to implement a breach notification policy. A breach notification policy is necessary to ensure a proper response when the privacy or security of protected health information is not maintained. Having a policy in place will help mitigate adverse effects and aid an entity in organizing a quick and appropriate response. In the event of a breach, a policy will guide the response, including determining who must be notified. Awareness of notification obligations may also aid in creating more safeguards.

Going back to my initial question, what does it mean to be HIPAA compliant? It means understanding what HIPAA requires and then conscientiously implementing those requirements. Every organization is human and, while the government may not admit it, as such cannot be fully compliant all of the time. The factors that will influence the outcome are what the entity has done to reduce risks ahead of time and how it responds. With the prevalence of electronic information and the value placed upon medical records by hackers and others, in reality it is only a matter of time before every healthcare organization experiences a breach of some sort. But if an entity has implemented a robust HIPAA compliance policy by reading and understanding the Privacy Rule, Security Rule and Breach Notification Rule, then it will be better able to re-secure information and reduce potential penalties from the government.

HIPAA Compliance within Revenue Cycle Management

The inclusion of HIPAA transactions intends to reduce administrative costs, but to do so, medical practices will need to strengthen their revenue cycle management processes.

The healthcare industry is constantly striving to prevent fraud and abuse within the system and to emphasize compliance and accuracy. Revenue cycle management (RCM), the process that includes claims processing, payment, and revenue generation, is a hospital’s first line of defense against these issues. Still, the revenue cycle process can be flawed, causing further problems if it is not suitably standardized.

The HIPAA Security Rule, which was enacted on April 14, 2001, specifically focuses on the safeguarding of electronic protected health information. HIPAA started because of congressional concern about the portability and continuity of health coverage. Congress passed the legislation “in order to increase the efficiency, effectiveness, and cost savings through the use of electronic data interchange in the healthcare industry.”

HIPAA “requires all healthcare providers, healthcare clearinghouses, and health plans to implement and utilize standardized formats when transmitting electronic data.” The inclusion of HIPAA transactions intends to reduce administrative costs, but to do so, medical practices will need to strengthen their RCM processes.

The RCM process starts with patient scheduling. The key to this step is gathering as much vital patient information as possible. Medical practices should ensure that any protected health information (PHI) is stored and catalogued appropriately. As required by the HIPAA law, practices must “Identify assets and information systems that create, receive, transmit, or maintain” PHI. Hardware on which PHI is stored or shared must be catalogued as required.

In addition to identifying these devices, a practice should have hardware and software firewalls in place and should maintain updates to these programs as needed. Data encryption is also an important way for a practice to remain HIPAA compliant within its RCM process. The following are examples of information that must be encrypted to assure HIPAA compliance:

  • Billing information
  • Case management data
  • Lab and clinical data
  • Patient reports and transcripts
  • Emails between patients and doctors, and between referral doctors

Once the patient is scheduled and appears for their appointment, medical documentation must take place. Maintaining clear and detailed patient files is an important part of a practice’s RCM. Without well-maintained documentation, services rendered to a patient may come into doubt as well as payments received. To prevent missing information and to remain HIPAA compliant, a practice should put a written set of standards in place to maintain accurate documentation.

A practice should then run a risk assessment of these standards and practices to confirm that they “are reasonable and appropriate to provide adequate protection against reasonably anticipated threats or hazards to the confidentiality, integrity, or availability” of PHI. If the risk assessment confirms the suitability of the standards, then they should be implemented.

After the patient’s medical data is recorded and the services are rendered, it’s time for the provider to be reimbursed. Yet claims are often denied and bills go unpaid. To prevent this, a practice should implement additional standards to prevent revenue loss.

An example of revenue loss due to denied claims isn’t difficult to find, and each one leaves unhappy customers in its wake. In New York, a health insurance subcontractor allegedly mishandled the protected health information (PHI) data of approximately 500 patients, causing denial letters to be sent to the wrong members. The resolution required additional notification to be sent and cost valuable company time and money.

It’s not enough for a practice merely to have these processes in place in order to be HIPAA compliant in its RCM. These processes need to be checked and re-checked regularly to ensure HIPAA compliance standards are maintained at all times. As the HIPAA law is changed and amended regularly, a practice that fails to stay on top of these changes can suddenly find itself no longer HIPAA compliant.

The penalties for a practice not meeting HIPAA compliance standards can be fiscally damaging. A practice that violates HIPAA rules will be fined, with a cost ranging from $100 to $50,000 per violation (or per record), up to a maximum of $1.5 million per year and can carry criminal charges which could result in jail time.

These fines and charges are measured and broken down into two categories: Reasonable Cause and Willful Neglect. Reasonable Cause fines imposed on a practice can range from $100 to $50,000 per incident (release of 500 medical records) and do not involve jail time. However, Willful Neglect fines on a practice range from $10,000 to $50,000 for each incident and can result in criminal charges and jail time.

With full patient records selling for about $500 on the black market, it’s not difficult to see why medical information is considered valuable to modern-day criminals. Along with the unpleasant possibility of steep fines and jail time, this is all the more incentive for medical providers to buckle down on their HIPAA compliance.

Remaining HIPAA compliant in its RCM will not only protect a practice from the harsh penalties of non-compliance, but will also protect its patients from losing their personal information in a possible cybersecurity breach. In the long run, keeping its RCM HIPAA compliant will increase a practice’s efficiency and save it valuable time and cost.

Does Walgreens Loss Set a Precedent for Employer Liability for HIPAA Violations? | AIS Health

When the Indiana Court of Appeals released its decision upholding the $1.44 million jury verdict against Walgreens for privacy violations by an employee pharmacist, the press and blogosphere started buzzing about the precedent it was setting — an employer could be held liable for the HIPAA violations of an employee. This was the view espoused by the plaintiff’s attorney, Neal F. Eggeson, in a statement to the Indianapolis Star on Friday, Nov. 14, the date of the decision.

The plaintiff, Abigail Hinchy, had sued Walgreens and its pharmacist, Audra Withers, for viewing her prescription records without authorization and then disclosing the information to Withers’ husband, a former boyfriend of Hinchy’s and the father of her child, who threatened to use the information in a paternity lawsuit. After Hinchy contacted the company, Walgreens acknowledged the HIPAA violation to her and said that it had given Withers a written warning and required her to retake a HIPAA computer training program.

Hinchy sued both Walgreens and the pharmacist. In her complaint, Hinchy alleged negligence and professional malpractice, invasion of privacy and public disclosure of private facts, and invasion of privacy/intrusion against Withers. She alleged the same causes of action against Walgreens, under the theory of “respondeat superior,” under which an employer is held responsible for the actions of employees performed within the scope of their employment. Walgreens argued that an employer should not be held liable for acts of an employee who knowingly violated company policy, in this case, HIPAA policies and procedures.

In its decision, the court of appeals cited a number of Indiana cases to explain the concept of respondeat superior. In particular, it focused on when an employee is “acting within the scope of employment when performing work assigned by the employer or engaging in a course of conduct subject to the employer’s control.” After reviewing the case law, the court concluded that “Withers’ actions were of the same general nature as those authorized, or incident to the actions that were authorized, by Walgreens.... Hinchy belonged to the same general category of individuals to whom Withers owed a duty of privacy protection by virtue of her employment as a pharmacist.”

The court also explained that for respondeat superior liability to attach “there must also be underlying liability of the acting party,” in this case, Withers. Hinchy sued Withers on two theories of direct liability — professional malpractice and public disclosure of private facts. The court did not express an opinion on whether Indiana recognized the tort of public disclosure of private facts, which could encompass a HIPAA violation, because Walgreens had not appealed the trial court’s denial of summary judgment on the claim of privacy invasion. Instead, it considered whether Withers committed “the tort of negligence by virtue of professional malpractice of a pharmacist.” It found that under Indiana law, Withers had a duty of confidentiality to Hinchy and that she had breached that duty when she examined Hinchy’s prescription records without authorization and subsequently disclosed the information. “Under these circumstances,” the court said, “we find that the jury verdict can be affirmed based upon the respondeat superior liability of Walgreens, which attaches via the liability of Withers for her negligence/professional malpractice.”

Employer Liability for Employees Is Not New

According to Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP, employer liability for employee actions when acting within the scope of employment has been around forever, and to conclude that the appeal confirmed that privacy breach victims may hold employers responsible is an “overreach.” The issue in the Walgreens case was whether the employee was acting in the scope of her employment when the employee breached HIPAA and violated company policy. In this case, the jury decided that the employee was, and the appellate court declined to overturn that decision. But, according to Drummond, “in this particular case, the appellate court gave too much credence to the fact that the employee’s wrongdoing (looking at medical records she shouldn’t have looked at) was very similar to activities the employee would take in the performance of her legitimate duties (looking at medical records she should look at); if that’s the case, a waiter stealing a customer’s credit card number would be attributable to the restaurant owner, which doesn’t seem fair.”

Walgreens also argued that the $1.44 million jury verdict was excessive and based on improper factors. The court cited evidence admitted at trial regarding the damages and dismissed Walgreens’ arguments because they amounted to a request to reweigh the evidence, which, the court said, it does not do when evaluating a damages award. It found the evidence presented sufficient to support the award.

Privacy attorney Adam Greene of the law firm of Davis Wright Tremaine points out, “Even if a plaintiff can demonstrate a violation of HIPAA, a challenge has been showing damages. What remains to be seen is whether the $1.4 million verdict in the Walgreens case leads to similar findings of harm in other state cases, or whether this was a particularly unique fact pattern.”

Drummond points out that “while the pharmacist definitely ‘used’ PHI improperly by accessing PHI she should not have accessed, the plaintiff’s damages came not from that use, but from a further ‘disclosure’ of the data” to Withers’ husband, the father of Hinchy’s child. “While the pharmacist’s improper use of the PHI closely tracked the pharmacist’s proper uses of PHI, any disclosure (which would be required for the damages to occur) would not be within the pharmacist’s normal employment activities and might provide a good argument that the actions of the pharmacist were outside the scope of employment.”

Walgreens plans to appeal the court of appeal’s decision.

What Is the Impact on Other State Cases?

So how much impact will this decision have on other state cases alleging privacy violations using HIPAA as the standard of care? Are employers now more likely to be held liable for employees who violate HIPAA while on the job?

According to Drummond, “I don’t think there were too many plaintiffs sitting on the sidelines, not making legitimate state-law claims because they know there’s no private cause of action under HIPAA. I’ve thought all along that, while clearly you can’t sue for a HIPAA violation, you could still sue for a state law violation. These cases may make plaintiffs’ lawyers more interested in bringing marginal cases, where there’s no clear state law allowing a breach of confidentiality claim. But where there’s a clear state law right to sue, I don’t think HIPAA’s ‘no private cause of action’ standard has been much of an impediment,” even before the Walgreens case.

Covered entities, Drummond says, should “have strong, consistent, and enforced policies and procedures. Draft clear data use and disclosure rules and information pathways, and constantly remind your employees of their duties and obligations. Regularly audit your employees and their data access/use/disclosure activities, and encourage your employees to keep tabs on each other (to positively reinforce data rules, but also to report suspicious activities). Promptly correct errors and mistakes, and punish employees who willfully or carelessly violate policies and procedures. Covered entity employers must take visible steps to place HIPAA-violating activities outside the ‘scope of duties’ of their employees in any way they can.”

OCR addresses application of HIPAA privacy rule to Workplace Wellness Programs

Healthcare providers are accustomed to the privacy and security rules contained within the Health Insurance Portability and Accountability Act (“HIPAA” or the “Act”) – particularly as they apply to the careful management of patient information. On April 24, 2015, the Health and Human Services Office for Civil Rights (OCR) issued important guidance regarding HIPAA’s application to employee health and wellness programs. OCR is responsible for enforcing the Act’s privacy and security rules.

The HIPAA privacy and security rules generally apply to “covered entities” – defined as (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form. The rules also apply to “business associates.” The Act is most often associated with medical records generated by a health care provider. An employer – solely by hiring and paying an employee – is not impacted by the obligations of the Act. In general, the Act does not apply to an employee’s employment records.

OCR’s recent guidance addresses two important issues: 1) when does the Act extend to an employer’s health and wellness program; and 2) when may a health plan provide a sponsor employer with access to a participant’s protected health information (PHI).

The recent guidance makes clear that the application of the Act depends upon the structure of the employer’s health and wellness plan. Note that a health plan is a “covered entity” and is subject to the Act. OCR noted that a health and wellness program that is offered to employees as part of the employer’s health plan benefit is covered by the Act and its rules. A health and wellness program that is not part of a health plan is not covered by the Act and its rules – though other federal and state laws may apply to protect the confidential nature of such information.

In many instances, an employer (as the health plan’s sponsor) may administer the health and wellness program (among other elements of the plan). A health plan (a “covered entity” and subject to the Act) may provide an employer-sponsor access to an employee’s health information under limited circumstances where the employer-sponsor is involved in administering the program. In particular, the health plan may provide access to the employee’s PHI only to permit the employer-sponsor to perform its administrative functions, and the employer-sponsor must agree to modify its plan documents and certify that it will:

  1. Establish adequate separation between employees who perform plan administration functions and those who do not;
  2. Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
  3. Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.

Health plans and employers (particularly those within the health care industry, where HIPAA awareness is already high) should be prepared to proactively address the protection of, and access afforded to, employee-participants’ PHI. In addition, since the health plan (as a “covered entity”) has specific obligations related to any PHI breach, the health plan and employer-sponsor should carefully and thoroughly review the privacy and security protection provided to all employee-participant PHI.

If an employer-sponsor does not perform administrative functions on behalf of the health plan, access to an employee-participant’s PHI is further limited. In particular, in such instances, the health plan may only disclose: 1) information on which individuals are participating in the plan or enrolled in the health insurance issuer or HMO offered by the plan; and 2) summary health information to the extent requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan.

De-Identification of Data: Breaking Down HIPAA Rules

The de-identification of data is an important part of healthcare technology, especially as the use of EHRs and HIEs becomes more prominent. The HIPAA Privacy Rule states that once data has been de-identified, covered entities can use or disclose it without any limitation. The information is no longer considered PHI, and does not fall under the same regulations and restrictions as PHI.

But why would a facility need to de-identify data? What are the potential benefits of the de-identification of data? HealthITSecurity.com decided to dissect this aspect of HIPAA regulations and explain what the de-identification process entails and how covered entities could benefit from the practice.

What is de-identification?

The de-identification of data is the process of removing identifiers from PHI, which helps mitigate privacy risks to individuals. The medical information can then be used in areas such as research, policy assessment, and comparative effectiveness studies. As explained by the Department of Health & Human Services (HHS), the Privacy Rule provides two de-identification methods:

  • A formal determination by a qualified expert;
  • The removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

Even so, HHS cautions that once the de-identification process has taken place, there is still a small chance that the data could be linked back to its corresponding individual.

“Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information,” according to HHS.

What are the different types of de-identification?

The first type of de-identification is done through expert determination. A person “with appropriate knowledge of and experience” in rendering data unidentifiable applies the necessary methods and determines that the risk that the data could be used to identify an individual is small. That individual then documents the methods and results, showing how he or she came to the determination that the data had been de-identified.

The second method is called the “Safe Harbor” method. In this approach, a CE is permitted to consider data to be de-identified if it removes 18 types of identifiers. Some of the types of identifiers include:

  • Names
  • Telephone numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers

The next stipulation in the Safe Harbor method is that the CE does not have actual knowledge that the remaining data could be used, alone or in combination with other information, to identify an individual.

“De-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI,” HHS stated. “Of course, de-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances.”

Can you re-identify the data?

The data can go through a re-identification process. This requires that a unique code be assigned to the set of de-identified health information. From there, two provisions must be met:

Derivation – The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and

Security – The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

Why would a CE de-identify data?

As mentioned earlier, there are several reasons why a CE would want to de-identify certain information. By removing certain personal identifiers, the data is no longer considered PHI, and can therefore be used in many other situations. For example, certain types of research or comparative studies could benefit from medical information. But to ensure the identity of individuals remains hidden, specific pieces of information could be removed.

The examples below show how an individual expert could de-identify data. The first table shows PHI and the second has had some identifiers removed.

The second table shows suppressed patient values. Suppression can be used on individual records if they are deemed too risky to share, or if a particular record is found to be distinguishable. For example, an individual in a specific zip code who makes $200,000 per year could be easily identifiable, especially if the majority of other residents make significantly less.

Other methods of removing data are generalization and perturbation. Generalization is where data is made less specific, such as removing digits from a zip code or changing patient ages from a specific number to an age range (e.g. 25 to 35 instead of 27 years old).

Perturbation replaces specific values with new, also specific values. For example, a patient’s age could actually be 16, but after the de-identification it is within two years of that age. This approach is often used to maintain statistical properties about the original data, such as mean or variance, according to HHS.

“Using such methods, the expert will prove that the likelihood an undesirable event (e.g., future identification of an individual) will occur is very small,” HHS explained.
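As an added example that is not from HealthITSecurity.com or HHS, the Python below sketches the mechanics the article describes: the Safe Harbor removal of direct identifiers, suppression of a record value that stands out in its group (the $200,000-in-one-zip-code case), generalization of zip codes and ages, perturbation of ages by up to two years, and a re-identification code that is random rather than derived from the patient, with the code-to-record mapping held separately by the covered entity. The sample records, field names, the 10-year age bands, the 3-digit zip truncation and the "3× the group median" suppression threshold are all constructed assumptions for illustration; the real Safe Harbor standard lists 18 identifier categories and attaches further conditions (for example on zip codes and on ages over 89) that are not modelled here.

```python
"""Added example: Safe Harbor style de-identification with suppression,
generalization, perturbation and a separately held re-identification key.
All records, thresholds and field names are constructed assumptions."""
import secrets
import statistics
from random import Random
from typing import Any, Dict, List, Optional

Record = Dict[str, Any]

# Constructed sample PHI (fictional patients and fictional values).
SAMPLE_PHI: List[Record] = [
    {"name": "Jane Doe", "phone": "555-0101", "email": "jane@example.com",
     "ssn": "123-45-6789", "mrn": "MRN-0001", "zip": "36301", "age": 27,
     "income": 200000, "diagnosis": "Type 2 diabetes"},
    {"name": "John Roe", "phone": "555-0102", "email": "john@example.com",
     "ssn": "987-65-4321", "mrn": "MRN-0002", "zip": "36301", "age": 64,
     "income": 45000, "diagnosis": "Hypertension"},
    {"name": "Ann Poe", "phone": "555-0103", "email": "ann@example.com",
     "ssn": "111-22-3333", "mrn": "MRN-0003", "zip": "36301", "age": 16,
     "income": 52000, "diagnosis": "Asthma"},
]

# Direct identifiers removed outright. Assumption: these five stand in for
# the full list of 18 Safe Harbor identifier categories.
DIRECT_IDENTIFIERS = ("name", "phone", "email", "ssn", "mrn")


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits of a zip code (assumption: the
    population condition Safe Harbor attaches to 3-digit zips is not checked)."""
    return zip_code[:3]


def generalize_age(age: int, width: int = 10) -> str:
    """Replace an exact age with a range, e.g. 27 -> '20-29'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def perturb_age(age: int, rng: Random, spread: int = 2) -> int:
    """Return an age within +/- `spread` years of the original."""
    return max(0, age + rng.randint(-spread, spread))


def suppress_outliers(records: List[Record], field: str, group_by: str,
                      ratio: float = 3.0) -> None:
    """Blank a value that stands out in its group: a record whose value is
    more than `ratio` times the median of its group is easy to single out."""
    groups: Dict[str, List[float]] = {}
    for r in records:
        if r[field] is not None:
            groups.setdefault(r[group_by], []).append(r[field])
    medians = {g: statistics.median(v) for g, v in groups.items()}
    for r in records:
        if r[field] is not None and r[field] > ratio * medians[r[group_by]]:
            r[field] = None


class ReidentificationKey:
    """Held only by the covered entity. Codes are random, so they are not
    derived from patient data, and this mapping is never released with the
    de-identified data set."""

    def __init__(self) -> None:
        self._code_to_mrn: Dict[str, str] = {}

    def assign(self, mrn: str) -> str:
        code = secrets.token_hex(8)
        self._code_to_mrn[code] = mrn
        return code

    def reidentify(self, code: str) -> Optional[str]:
        return self._code_to_mrn.get(code)


def deidentify(records: List[Record], key: ReidentificationKey,
               perturb: bool = False, seed: int = 0) -> List[Record]:
    """Produce a de-identified copy of `records`; originals are untouched."""
    rng = Random(seed)
    work = [dict(r) for r in records]
    suppress_outliers(work, "income", "zip")
    out: List[Record] = []
    for r in work:
        code = key.assign(r["mrn"])          # assigned before the MRN is dropped
        clean = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        clean["zip"] = generalize_zip(r["zip"])
        clean["age"] = perturb_age(r["age"], rng) if perturb else generalize_age(r["age"])
        clean["record_code"] = code
        out.append(clean)
    return out


if __name__ == "__main__":
    key = ReidentificationKey()
    for row in deidentify(SAMPLE_PHI, key):
        print(row)
```

The de-identified rows carry only the generalized zip, the age band, the possibly suppressed income, the diagnosis and the random record code; the `ReidentificationKey` object stays with the covered entity, which is the "Security" provision in the re-identification passage above, and because the code is generated by `secrets.token_hex` it satisfies the "Derivation" provision as well.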

The future of de-identification

Health data sharing is becoming an increasingly popular topic. More companies want to further genetic research in order to find cures for diseases or new treatment methods. However, it is critical that CEs remain HIPAA compliant throughout the entire process. Whether an organization wants to assist in research or compile comparative data for its own uses, the de-identification of data is essential in keeping patient information as secure as possible.

Why HIPAA Risk Assessments are Only the Tip of the Iceberg

Last year, several high profile security incidents occurred at healthcare organizations where a HIPAA Risk Assessment (HSRA) had previously been conducted. This should provoke some pointed questions: Was the HSRA comprehensive enough? Was the remediation plan implemented correctly and in a timely manner? Was an ongoing process of risk management adopted? In this webinar, attendees will learn why HSRAs are a necessary but not sufficient part of maintaining the security of protected health information (PHI).

  • What qualifies as a comprehensive HIPAA risk analysis?
  • Learn why HIPAA Risk Assessments are necessary but not sufficient;
  • What are the elements of an ongoing security risk management program?
  • What else can be done to lower the risk of hacking incidents?

HIPAA Risk Assessments are a valuable component of a healthcare organization's information security program. They fulfill a mandatory requirement of the HIPAA Security Rule, Omnibus Rule, and where applicable, the EHR Meaningful Use Incentive Program. Compliance, however, is not synonymous with security.

The purpose of an HSRA is to identify threats and vulnerabilities. But without a comprehensive remediation and ongoing risk management plan, the HSRA itself is of little value. Further, many HSRAs are too limited in scope, focusing only on policies or "low-hanging fruit" while ignoring more critical and complex risks.

From 2010-2013, the vast majority of breaches of PHI resulted from lost or stolen portable devices. In 2014, the landscape changed. Hackers went on the attack, attracted by the high value of data stores of PHI. Millions of health records were stolen. Hackers typically exploit vulnerabilities in the network infrastructure or in web applications. In addition, individual credentials are often compromised through "phishing" email attacks. Were these risks identified in your HSRA?

In this webinar, attendees will learn how these critical risk factors can be reduced through penetration testing, web application assessments, social engineering testing, and security awareness training.

  • Learn why HIPAA compliance isn't everything;
  • Better understand the IT threat landscape;
  • Determine your organization's level of "security readiness";
  • Discover new security tactics for lowering your risk of PHI data breach.

Employees could leave health systems vulnerable to hacks

Healthcare organizations are vulnerable to cyberattacks in many ways, with a big threat being a company or hospital's own employees, according to Ari Baranoff, assistant special agent in charge for the U.S. Secret Service's Criminal Investigative Division.

"Your workforce is a potential vulnerability to your network," Baranoff tells Healthcare IT Security. "Constantly educating your workforce and testing your workforce on their cyberhygiene is very important."

Even if employees mean no harm, just by browsing the Internet or checking their email they can put networks at risk, Baranoff says. It's especially dangerous if these activities are done using the same system that houses electronic health records or other hospital information.

In addition, employee information is often at risk as well and can raise problems for hospitals. The Secret Service has seen growing interest in extortion and ransomware campaigns in the healthcare industry, according to Baranoff.

However, a great deal of the threats to health systems come from the outside world, he adds.

For instance, in the recent breach at Sony Pictures, the health information of employees was exposed, including a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs.

Data breaches are expected to increase in 2015, with healthcare "a vulnerable and attractive target for cybercriminals," according to Experian's 2015 Data Breach Industry Forecast.

Electronic medical records and consumer-generated data from wearables and other devices will continue to add to the vulnerability and complexity in securing personal health information, according to the report.

Why health groups should make use of cyberthreat intelligence

As cyberattacks grow in number and organizations find more ways to access private data, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Cyberthreat intelligence, Bell writes in a recent blog post, is actionable data about threats, malware and vulnerabilities that organizations can use to strengthen their security systems.

There are numerous sources for this kind of intelligence, including non-commercial entities like the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and the National Cyber-Forensics & Training Alliance, Bell says.

Vendors of security products also often have their own intelligence feeds, he adds.

This kind of intelligence is increasingly necessary as cyberattacks become more sophisticated, Bell says. Today there are advanced persistent threats, which he says are instances where hackers gain access to information without being detected for long periods of time. Operating system vulnerabilities, such as Shellshock and the Heartbleed bug, also are causing problems in the industry. 

"[H]ealthcare organizations should evaluate the effectiveness of their cybersecurity program and make improvements where appropriate," Bell writes. "Consider how cyberthreat intelligence can help your healthcare organization to improve the ability to prevent, detect, respond and recover from cyberattacks."

Throughout all industries, cyberattacks made headlines last year, with healthcare information one of the top targets.

One of the most recent attacks was on Sony Pictures, where documents obtained by the hackers include health information on dozens of employees, their children or spouses, FierceHealthIT previously reported.

For 2015, particular challenges to the healthcare industry could include an increase of phishing emails that try to lure recipients into giving out information such as usernames, passwords or credit card numbers. They also can give attackers ways to infiltrate the enterprise network.

Will 2015 be worst year yet for data breaches? | Government Health IT

This past year the FBI warned the entire healthcare realm that security practices are not keeping pace with other industries. And a new report is suggesting that healthcare organizations should expect even more data breaches in the New Year.

Indeed, that means bigger and more costly violations. Global information services firm Experian, in its second annual data breach forecast, cites the growing number of potential entry points to protected health information, with wearables and other mobile devices among the new technologies making healthcare vulnerable — while other studies in 2014 pointed to healthcare organizations’ widespread lack of confidence in securing PHI.

Experian is not the only firm saying data privacy and security will get worse in healthcare.

Consultancy IDC’s Health Insights unit, in fact, included two interesting points in its yearly top 10 predictions for healthcare: First, healthcare entities will have experienced at least one and as many as five cyber attacks in the previous 12 months, with one-third of those considered successful, and, second, by 2020 approximately half of all digital health data will be unprotected.

At the same time, attacks will not only grow more sophisticated but, in some ways, be easier to pull off moving forward.

“From 2015 onward, we will see attackers use social media to hunt for high-value targets. They will no longer limit themselves to instigating watering-hole attacks and using spear-phishing emails,” security specialist Trend Micro wrote in its predictions. “They will dramatically expand the attack surface to include Wi-Fi-enabled wearable devices running vulnerable firmware.”

Such vulnerable firmware, it’s worth pointing out, resides in many medical devices of all sorts, not just wearables. 

Symantec, meanwhile, explained the growth in popularity of “crimeware-as-a-service” on the black market.

“Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams,” Symantec wrote in a December blog post. “This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.” 

Security vendor Websense, which focuses on a range of industries, laid down its own prognostications for 2015. The first one: “Call the IT doctor. My hospital is under attack – again!”

“The healthcare industry is a prime target for cybercriminals,” Carl Leonard, principal analyst of Websense Security Labs, said in a report. “With millions of patient records now in digital form, healthcare’s biggest security challenge in 2015 will be keeping personally identifiable information from falling through security cracks and into the hands of hackers.”

AMIA’s Recent HIPAA Compliance Question: A Legal Perspective | HealthITSecurity.com

Last week an American Medical Informatics Association (AMIA) letter to state Representative Fred Upton was released. AMIA called for HIPAA compliance to be updated to allow for exemptions in terms of access to patients’ PHI, specifically for “observational or data research.”

Overall, many of the topics discussed in the letter are unlikely to cause too many disagreements in the healthcare industry, according to Brad Rostolsky, a partner at the Philadelphia-based law firm Reed Smith. Rostolsky specializes in healthcare regulatory and transactional law, and said in a recent interview with HealthITSecurity.com that the crux of the letter seems to be about asking to amend the definition of HIPAA operations to include data research.

With respect to that, the question that immediately comes to mind is “Do the patients get a say in whether their information is being used for this purpose?” Rostolsky said.

“There’s an implicit kind of assumed truth in this letter that uses for research purposes are necessary,” he explained. “All of the other uses that don’t require authorization, generally speaking, are things that the provider needs to do in order to be a provider.”

For example, healthcare providers need to do things for their own business purposes, such as engage billing companies, collection companies, and their EMR vendor. Patients’ information is likely to be involved in all of those scenarios. The AMIA letter is questioning whether or not research should be put into the group of things that HIPAA considers a necessary component of disclosure of information.

“To facilitate the discovery, development and delivery of new treatments and cures, AMIA believes that we must develop a ‘learning health system’ in which the data and information generated during routine delivery of health care is leveraged across clinics, hospitals and integrated networks…” the letter stated.

Moreover, AMIA recommended that Congress should convene a multi-stakeholder “HIPAA Barriers” working group to discuss the elimination of barriers that prevent data movement. A Health IT Safety Center could also be beneficial, so event reporting, education, data aggregation, and the creation of best practices could improve patient safety and the effective use of health IT, AMIA stated.

Few people will likely have a problem with a task force or working group to discuss certain healthcare issues, like HIPAA barriers, Rostolsky said. In fact, he said that it would be a good idea. However, he added that there are definitely going to be privacy concerns.

“I do think that some patients don’t want their information being used in that way,” Rostolsky said. “People can be private and, ultimately, I think the concern from a patient perspective would be whether or not there would be any unintended reaction by the patient if they’re aware of this to not be as likely to go to the physician or for [the organization] to be as forthright about things.”

It will likely come down to patient rights versus the benefits of research, according to Rostolsky. At a minimum, it’s certainly good that folks are talking about the issue and forcing the various stakeholders to ask questions, he said.

“Clearly people should have the right to largely control what happens with their information, outside of things necessary to provide them with a service,” Rostolsky said. “But at the same time, I think that everyone would hopefully agree that doing research to further medical advancements is a very important thing that could benefit everyone.”

While it’s difficult to predict how this would – and could – play out, Rostolsky explained that it will still be critical for healthcare organizations to remain vigilant in terms of keeping patient data secure.

“The more people who touch information and have the ability to access it uninhibited, the more likely a problem could occur,” he said, adding that the letter did speak to the importance of still adhering to all HIPAA data breach notification regulations.

Are You Ready for a HIPAA Security Risk Assessment? | HealthITSecurity.com

There are numerous aspects of a HIPAA security risk assessment that healthcare organizations must keep in mind.

Even though the Department of Health and Human Services’ (HHS) HIPAA security risk assessment tool has not even had a full year of existence, experts in the industry have stated that it’s a great way for healthcare organizations to improve their risk analyses. Healthcare regulatory compliance is important for facilities for numerous reasons. Not only do providers want to avoid hefty fines for HIPAA violations, they also want to reassure patients that their electronic protected health information (ePHI) will remain secure.

But even with the HHS tool, do healthcare organizations understand what must be done to be fully prepared for a HIPAA security risk assessment? HealthITSecurity.com decided to pull together important points for facilities to keep in mind, ensuring that they are ready for a risk assessment.

Identify all ePHI

A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. These overviews can also reveal areas where ePHI could be at risk. This is why it’s important for healthcare organizations to identify all ePHI that they create, maintain or transmit.

For example, are there any vendors or consultants that have access to ePHI? If so, what is their process? Covered entities must ensure that they understand how patients’ data is not only used, but how it is transmitted. Failing to account for one storage area could lead to regulatory fines.

Moreover, healthcare facilities need to account for all types of threats to the ePHI during a HIPAA security risk assessment. This includes human, natural, and environmental threats to information systems.

“All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule,” according to HHS. “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.”

Specifically, the HIPAA Security Rule requires organizations to create and implement policies that “prevent, detect, contain, and correct security violations.” This process will be much easier after healthcare facilities know where all ePHI is located.

Identify threats, assess security measures

When all assets, including ePHI, have been identified, healthcare facilities should pinpoint any potential threats or security risks. From there, organizations can benefit from ranking those risks in terms of severity of impact and likelihood of occurrence. Cybersecurity might have a greater chance of affecting your facility, but a disgruntled employee could also pose an internal risk. No possibility should be ignored.

Moreover, healthcare facilities should review the types of protections currently in place. Is there up-to-date data encryption, firewalls or anti-malware protection? If not, are there areas that could benefit from such protections?

If any gaps are discovered, they must be immediately addressed. Should any data breaches occur, and it is proven that a facility did not properly assess its risks, heavy penalties could follow.

“An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability,” according to HHS’ “Guidance on Risk Analysis.” “An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.”

Conduct periodic reviews

A crucial aspect that can be overlooked is that healthcare organizations need to update their risk analyses. Technology continues to evolve, and as such, so can the potential security risks. An ongoing risk analysis procedure will be much more helpful, and further decrease the likelihood of an area being overlooked.

“A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation,” HHS stated on its website.

Any of the following could be a reason for a new analysis:

  • The organization experienced a security incident
  • There is new ownership
  • A facility sees turnover in upper management or other key roles
  • New technology is introduced

“If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed,” according to HHS.

A risk analysis is a vital first step for proper healthcare security management. Organizations need to not only understand potential risks, but also be aware of what steps they can take to mitigate those risks. Moreover, it’s important to understand that different types of assessments will benefit different organizations. Methods can vary depending on facility size, along with its complexity and capabilities. For example, a small healthcare provider might not have ePHI stored with a third-party vendor. Instead, it is located within the main building. However, this does not mean that its ePHI servers are more or less secure than those of a large provider.

It cannot be guaranteed that a data breach will never occur at a facility, but by adhering to HIPAA security risk assessment requirements, the odds will be lower.

Prison Term for ID Theft at Hospital

A former Alabama hospital worker has been sentenced to serve two years in prison for his role in an identity theft case that led to federal tax refund fraud. The case also has resulted in a class action lawsuit.

The breach at 235-bed Flowers Hospital in Dothan, Ala., spotlights that "insider threats are a large challenge," says privacy attorney Adam Greene, of law firm Davis Wright Tremaine, who is not involved in the case. "Policies, procedures and training can influence good employees, but may have little impact on employees who are considering using information for criminal purposes," he says.

"Some good ways to reduce the risk include thorough background checks of employees, reducing the use of Social Security numbers and other risky information within the organization where possible, minimizing the types of employees who have access to such information, reviewing system activity to identify patterns that may demonstrate abuse of access, and considering technologies such as data loss prevention to reduce the risk of information leaving the network," the attorney adds.

But Greene notes that even with all the right controls in place, "it is virtually impossible to completely eliminate the threat of insiders abusing their access to information systems."

Restitution Required

The U.S. Department of Justice, in a Dec. 12 statement, said that in addition to his prison sentence, former hospital lab technician Kamarian D. Millender was also ordered to pay about $19,000 in restitution after pleading guilty in July to one count of aggravated identity theft.

Flowers Hospital, where Millender formerly worked, is part of the Community Health Systems chain. But the breach involving Millender was unrelated to a larger hacker attack on Community Health Systems earlier this year that affected 4.5 million patients.

The Alabama hospital incident is listed on the Department of Health and Human Services' "wall of shame" list of major breaches as a theft of paper records occurring from June 2013 to February 2014 and affecting 629 individuals.

Fraud Scheme

In the criminal case against Millender, federal prosecutors say he and others stole patient medical records that contained personal identification information, which was then used to file more than 100 false tax returns, victimizing approximately 73 individuals. Prosecutors say the false tax returns attempted to defraud an estimated $536,000 from the IRS. However, "the IRS was able to stop the vast majority of the falsely claimed refunds, but approximately $18,915 in refunds were issued," according to the prosecutors' statement.

Meanwhile, the class action lawsuit filed against Flowers Hospital in May alleges that the breach affected "thousands" of plaintiffs.

"Flowers [Hospital] flagrantly disregarded plaintiffs' ... privacy rights by intentionally, willfully, recklessly and/or negligently failing to take the necessary precautions required to safeguard and protect their PII/PHI from unauthorized disclosure," the suit alleges. The suit claims the plaintiffs' personal information "was improperly handled and stored, and was otherwise not kept in accordance with applicable and appropriate security protocols, policies and procedures," which led to the theft.

The class action suit alleges that patient information affected by the breach includes names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, medical diagnoses, medical record numbers, medical service codes, and health insurance information.

"There is a high likelihood that significant identity theft and/or identity fraud has not yet been discovered or reported and a high probability that criminals who may now possess plaintiffs' PII and PHI, but will do so later, or re-sell it," the lawsuit states. It alleges the hospital violated the Fair Credit Reporting Act and contains allegations of negligence and invasion of privacy by public disclosure of private facts. It seeks unspecified damages as well as reimbursement for legal expenses.

A Flowers Hospital spokeswoman declined to comment on the criminal case involving the former lab worker or the class action lawsuit.

An attorney representing the plaintiffs in the class action suit against Flowers did not reply to Information Security Media Group's request for comment. Federal prosecutors involved with the Millender criminal case also did not respond to ISMG's request for comment.

Preventing ID Theft

Privacy and information security expert Rebecca Herold points out that a big hurdle with preventing insider breaches is that, "many organizations don't want to accept that their employees would ever take information from patients or insureds and commit a crime with them, especially within healthcare provider settings, where the focus is on patient health and well-being."

Because of that trust, "organizations often do not have the policies, processes, training, awareness reminders, oversight and auditing in place to verify that employees truly are doing the right things and have not wandered off the path of compliance onto the criminal highway," says Herold, a co-owner of the consulting firm HIPAA Compliance Tools and CEO of The Privacy Professor.

While potential insider breaches will always pose a challenge for many healthcare related organizations, there is one key piece of advice that can go a long way in preventing these incidents, Herold says.

"It always starts from the top: there must be strong support for information security and privacy initiatives from the organization's top leader," she says. "Make sure all employees know that top management expects them to work in a legal and ethical manner, and that those violating the corporate policies, and applicable laws, will face appropriate sanctions, including the potential for termination and for legal actions and jail time."

Failure to Follow HIPAA Policies Results in $150,000 Liability and Corrective Action Plan | JD Supra

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) has recently released information about another HIPAA settlement, emphasizing yet again the government's focus on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement underscores that organizations cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice.

On December 8, 2014, HHS-OCR issued a bulletin stating that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services in Anchorage, Alaska, agreed to settle potential violations of the HIPAA Security Rule. HHS-OCR opened an investigation upon receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised the security of ACMHS' information technology (IT) resources and affected 2,743 individuals. During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed. Significantly, ACMHS may have avoided the breach (and would not be subject to the HHS-OCR settlement agreement) if it had followed the policies and procedures it adopted and regularly updated its IT resources with available patches.

The settlement agreement requires ACMHS to pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years. The Resolution Agreement can be found on the OCR website.

The settlement with ACMHS is just one of a handful of recent settlements arising from an HHS-OCR investigation prompted by an organization self-reporting a breach of unsecured ePHI; however, HHS-OCR may also examine an organization's HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. In every instance, HHS-OCR will expect an organization to have fully implemented its HIPAA compliance program and/or policies and procedures.

According to HHS-OCR, compliance with the HIPAA Security Rule requires organizations (among other things) to address risks to ePHI on a regular basis and to review systems for vulnerabilities and unsupported software. Organizations cannot simply adopt HIPAA policies and procedures and then place those documents on a shelf. HIPAA compliance programs must be dynamic and reviewed and updated on a regular basis to reflect changes within the organization, including discovered vulnerabilities and ever-evolving external threats. Threats to ePHI are real and can have a devastating impact on a business – and patients' privacy. All organizations subject to HIPAA, regardless of size, must devote the necessary resources to protect the organization's data from these threats.


Don’t Forget to Update Your Software -


On Monday, December 8th, the Office for Civil Rights ("OCR") at the Department of Health and Human Services announced another new HIPAA settlement. As with most recent settlements, the latest settlement is being held up as an example of what not to do.

This time, Anchorage Community Mental Health Services ("ACMHS") has agreed to pay $150,000 after failing to follow the requirements of the HIPAA Security Rule. The settlement is the result of a self-notification filed by ACMHS that malware infected its information technology systems, resulting in a breach impacting approximately 2,743 individuals. When OCR went to investigate, OCR found that ACMHS had implemented security policies. However, ACMHS did not tailor the policies to its own operations, nor did ACMHS actually follow the policies adopted. The lack of adherence resulted in ACMHS not identifying or addressing basic security risks, deficiencies that included not updating its technology resources. The lack of updates left the systems vulnerable to malware.

In addition to paying the fine, ACMHS is required to implement a corrective action plan as prepared by OCR. The corrective action plan remains in place for 2 years, but should act as the baseline for a good HIPAA compliance plan going forward. The terms of the corrective action plan are fairly straightforward and do not contain any surprises. The requirements are essentially to comply with the HIPAA Privacy and Security Rules, which all covered entities and business associates should do anyway.

As indicated above, the breach in this case was caused by a failure to update software and install patches as necessary. This demonstrates the need to evaluate information technology systems to ensure that the system remains current and up to date. An organization cannot install a piece of software or hardware and expect that it will always serve its purposes. Attacks on systems and exploitation of vulnerabilities are always evolving, which means the systems being attacked must evolve as well.

With regard to the HIPAA Security Rule, organizations should remember that compliance is customizable. The Security Rule recognizes and acknowledges that all organizations are different. As such, certain elements are required and others are addressable. The required elements must be put into place, and organizations need to make a case-by-case assessment of how to deal with the addressable items. A risk analysis is the essential first step, as the analysis will identify areas of weakness for an organization.

It is not enough just to do a risk analysis once and then prepare and implement policies though. HIPAA Security Policies must be living, breathing documents that adapt to changing circumstances. An area of high vulnerability in the year of adoption can drop by the wayside a few years down the road while a new, unknown area at first becomes a major risk. The changing environment is why organizations must constantly monitor and evaluate policies to ensure good coverage.

Lastly, putting policies into place and not following them, as ACMHS did, is a big problem. When a breach or other instance of non-compliance arises, having unfollowed policies will be a major red flag for the government. If policies are adopted, then an organization is arguably aware of what it had to do in order to comply. Willful or negligent failure to follow the policies could then be grounds for a higher fine and other penalties. Education and awareness are essential. Compliance takes time, and it is not always easy to measure the return on investment, but the money that can be saved down the road is likely incalculable.


$150K HIPAA Fine for Unpatched Software


Federal regulators are sending a powerful message about the importance of applying software patches by slapping an Alaska mental health services provider with a $150,000 HIPAA sanction.

The Department of Health and Human Services' Office for Civil Rights says Anchorage Community Mental Health Services' failure to apply software patches contributed to a 2012 malware-related breach affecting more than 2,700 individuals.

ACMHS is a five-facility, not-for-profit organization providing behavioral healthcare services to children, adults and families.

The HIPAA settlement in the Alaska case marks the first time OCR has levied a penalty tied to unpatched software, which is not specifically addressed in the HIPAA Security Rule.

Managing Risk

"Most of the previous [OCR] corrective action plans that I reviewed focused on policies, procedures and other forms of documentation," says security adviser Tom Walsh, president of Tom Walsh Consulting. "Many times, people are surprised to discover that there is nothing specifically written in the HIPAA Security Rule regarding vulnerability or patch management, firewalls, and monitoring of inbound and outbound traffic. However, it is difficult to manage risk appropriately without these prevailing security practices."

A meaningful risk analysis must include "looking beyond the minimum requirements in the HIPAA Security Rule and exercising proper due diligence to properly evaluate any risk factors that could affect patient information," Walsh stresses.

Independent HIPAA and healthcare attorney Susan A. Miller notes: "This is a wake-up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].

"The lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately," Miller adds. "That includes operating systems, electronic health records, practice management - and any electronic tool containing PHI."

Malware Incident

OCR says it opened an investigation after receiving notification in June 2012 from ACMHS regarding a March 2012 incident involving malware compromising the security of the mental health provider's information technology resources.

OCR's investigation revealed that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these were not followed. The security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating software with available patches and running outdated, unsupported software, OCR says.

"ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches," says the OCR resolution agreement with ACMHS.

In addition, OCR says that contributing to the incident was ACMHS' failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," says OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."

Corrective Actions

The corrective action plan with ACMHS calls for the mental health services provider to revise and distribute to all members of its workforce the organization's HIPAA Security Rule policies and procedures.

The plan also requires that ACMHS obtain a signed initial compliance certification from all members of its workforce, stating that they have read and agree to abide by the security rule policies and procedures. In addition, the plan requires ACMHS' workforce to attend HIPAA security training.

Also, the plan requires the organization to annually conduct a thorough risk assessment and document the security measures it implements to address the issues identified.

Other Settlements

The settlement with the Alaska provider is the third HIPAA resolution agreement issued by OCR in 2014. OCR announced a record $4.8 million settlement in May with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients. In that settlement, OCR cited, among other factors, the lack of a risk analysis and failure to implement appropriate security policies.

The other 2014 OCR resolution agreement was an $800,000 settlement with Parkview Health System, a not-for-profit organization serving northeast Indiana and northwest Ohio. The provider agreed to the settlement involving "potential violations" of the HIPAA Privacy Rule as a result of an incident in June 2009 involving the dumping of paper medical records of 5,000 to 8,000 patients.
