HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

OIG to CMS: Make EHR fraud prevention efforts a priority


The Office of Inspector General is once again calling out CMS for failing to adequately address fraud vulnerabilities in electronic health records. Despite submitting recommendations back in 2013, a new OIG report underscored that the agency is still dragging its feet on implementing EHR fraud safeguards.

 
Part of the Office of Inspector General's role is to audit and evaluate HHS processes and procedures and put forth recommendations based on the deficiencies or abuses it identifies. It turns out that many of these recommendations are ignored, disputed or left unimplemented, according to OIG's new Compendium of Unimplemented Recommendations report. EHR fraud is on that list.
 
"HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," OIG officials wrote in the report. 
 
Specifically, audit logs should actually be operational when an EHR is available. And CMS should also develop concrete guidelines around the use of copy-and-paste functions in an electronic health record. According to OIG data, most hospitals using EHRs had RTI International audit functions in place, but they were significantly underutilized. What's more, only some 25 percent of hospitals even had policies in place regarding copy-and-paste functions. 
 
These recommendations have come up repeatedly in recent OIG reports, and despite CMS officials agreeing with the outlined recommendations, the agency is still not making it enough of a priority.  
In a January 2014 report, OIG also called out CMS for failing to make EHR fraud a priority. Specifically, OIG said, CMS neglected to provide adequate guidance to the contractors tasked with identifying EHR fraud, citing the fact that the majority of these contractors reviewed EHRs in the same manner they reviewed paper records, disregarding the differences. Moreover, only three out of 18 Medicare contractors were found to have used EHR audit data in their review process.
 
When it came to identifying copy-and-paste usage or over documentation, many contractors reported they were unable to do so. Considering some 74 percent to 90 percent of physicians use the copy/paste feature daily, according to a recent AHIMA report, the implications are significant. 
 
As Diana Warner, director of HIM practice excellence at AHIMA, recounted at the October 2013 MGMA conference, copy-and-paste usage caused a patient at her previous medical practice to go from having a family history of breast cancer to having a history of breast cancer. The error was caught by the insurance company, which thought the patient had lied and was poised to change her healthcare coverage. "We had to work for months to get that cleared up with the insurance company so her coverage would not be dropped," Warner said. "We had to then find all the records that it got copy and pasted into" incorrectly and then track down the locations the data was sent to.



The Black Market For Stolen Health Care Data


President Obama is at Stanford University today, hosting a cybersecurity summit. He and about a thousand guests are trying to figure out how to protect consumers online from hacks and data breaches.

Meanwhile, in the cyber underworld, criminals are trying to figure out how to turn every piece of our digital life into cash. The newest frontier: health records.

I grab a chair and sit down with Greg Virgin, CEO of the security firm RedJack.

"There are a lot of sites that have this information, and it's tough to tell the health records from the financial records," he says.

We're visiting sites that you can't find in a Google search. They have names that end with .su and .so, instead of the more familiar .com and .org.

After poking around for about an hour, we come across an advertisement by someone selling Medicare IDs.

We're not revealing the site address or name because we don't want the dealer to know we're watching.

According to the online rating system — similar to Yelp, but for criminal sales — the dealer delivers what's promised and gets 5 out of 5 stars. "He definitely seems legit" — to the underworld, Virgin says.

The dealer is selling a value pack that includes 10 people's Medicare numbers – only it's not cheap. It costs 22 bitcoin — about $4,700 according to today's exchange rate.

Security experts say health data is showing up in the black market more and more. While prices vary, this data is more expensive than stolen credit card numbers which, they say, typically go for a few quarters or dollars.

Health fraud is more complex. Records that contain your Social Security number or mother's maiden name are used for identity theft. Virgin predicts hackers could be using them for corporate extortion.

"A breach happens at one of these companies. The hackers go direct to that company and say, 'I have your data.' The cost of keeping this a secret is X dollars and the companies make the problems go away that way," he says.

Health care companies saw a 72 percent increase in cyberattacks from 2013 to 2014, according to the security firm Symantec. Companies are required to publicly disclose big health data breaches. And there have been more than 270 such disclosures in the last two years.

Jeanie Larson, a health care security expert, says cyber-standards are too low for hospitals, labs and insurers. "They don't have the internal cybersecurity operations."

Companies subject to federal HIPAA rules, which were designed to protect privacy, choose to interpret them loosely — in a way that gets around the basics, like encryption.

"A lot of health care organizations that I've talked to do not encrypt data within their own networks, in their internal networks," she says.

They assume, incorrectly, that the walls around the network are safe.

Larson is part of the industry group National Health ISAC which is trying to raise the bar and make hospitals more like banks when it comes to investing in security.

"The financial sector has done a lot with automating and creating fraud detection type technologies, and the health care industry's just not there," she says.

Orion Hindawi with Tanium, a firm that monitors computer networks, says health care providers are far from there. They've been racing to grow, to digitize health records, to make mobile apps, to acquire other companies — all this without having a basic handle on how big their networks even are.

"I was working with a customer recently, and I asked them how many computers they had. And they told me between 300,000 and 500,000 computers," Hindawi says.

Meaning his client basically didn't know.

"We see that often when we walk into a customer [office]," Hindawi says.

He wasn't surprised to hear that the health care company Anthem suffered a major cyberattack. Anthem revealed last week that as many as 80 million people's records may have been stolen. Hindawi says he expects to see many more Anthems.



HIPAA Compliant Technology and the Importance of Encryption

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. This means that any covered entity (CE) or business associate (BA) that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule addresses the storage, accessing and sharing of PHI, whereas the HIPAA Security Rule outlines the security standards which protect health data created, received, maintained or transmitted electronically; known as electronic protected health information (ePHI).

The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as a supplemental act in 2009 in response to the rapid growth of health technology and the increased use of ePHI. Transmission security is required of HIPAA compliant hosts to protect against unauthorized public access to ePHI; however, both authentication and encryption are classified as addressable rather than required. This covers all methods of transmitting data, whether by email, over the Internet, or even over a private network such as a private cloud.

Confusion around some of the items classified as addressable within these technical standards, especially encryption, increases the risk of fines for organizations that choose not to address them. Fines are very likely to be handed to organizations that experience a data breach as a result of not using encryption, even if a risk assessment is in place. Encryption is expected to be one of the key areas OCR focuses on when conducting phase 2 HIPAA audits later this year.

Using Technology to Comply with HIPAA

Mechanisms exist to meet the requirements of the HIPAA safeguards, starting with use of a HIPAA compliant network hosting provider.  HIPAA compliant networks must have robust firewalls in place to protect an organization’s network from hackers or data thieves. Secure platforms are required for all organizations that transmit ePHI. These platforms should deploy encryption when transmitting ePHI, and have administrative controls to safeguard the integrity of ePHI. These platforms should also have the capacity to retract messages in the event of a breach risk and be able to remotely remove a mobile device from the system if it is lost by its owner, stolen or otherwise disposed of. In addition to this, all devices used to store or transmit ePHI, such as laptops and mobile devices, should be password protected and encrypted.
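The transmission-security point above (encrypt ePHI in transit, and do it on a platform with enforced controls) is easiest to see as a configuration contrast. The following is an added example, not code from the original article or from any hosting vendor it describes: a weak TLS client configuration that encrypts but never verifies who it is talking to, next to a hardened one, and a small check that reports which controls are missing. The thresholds it enforces (certificate verification required, hostname checking on, TLS 1.2 as the floor) are assumptions for the example, not text of the Security Rule.

```python
"""Added example: weak vs. hardened TLS client contexts for ePHI transmission.

Standard library only. Nothing here opens a network connection; the contexts
are built and inspected offline so the check can run anywhere.
"""
import ssl


def weak_context():
    """Encrypts the channel but trusts any server: verification disabled.

    This is the "we use HTTPS, so we are fine" configuration. A man-in-the-
    middle presenting any certificate would be accepted, so confidentiality
    of the ePHI depends entirely on nobody intercepting the path.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verifies the server certificate chain and hostname, TLS 1.2 or newer.

    create_default_context() already sets CERT_REQUIRED, check_hostname=True
    and loads the platform CA store; the protocol floor is an assumed policy.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    return ctx


def context_findings(ctx):
    """Return a list of policy findings for an SSLContext (empty = compliant).

    Each finding names a control that the assumed policy expects and the
    context does not provide; this is what a platform self-check or a
    pre-deployment review would report.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2) compares below 1.2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        problems = context_findings(ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The check is deliberately about the client side, because that is where "we encrypt in transit" most often quietly degrades into "we encrypt to whoever answers": an application that disables verification to get past a certificate error in testing ships that way to production. Reviewing contexts the way `context_findings` does, rather than grepping for `https://`, catches that.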

The Ramifications of Failing to Encrypt

Since 2012, the U.S. Department of Health and Human Services (HHS) has issued large monetary fines for violations of the HIPAA Privacy Rule following the introduction of HITECH. Some of its biggest fines have been due to lost or stolen laptops that were unencrypted. In April 2014, Concentra Health Services was fined $1,725,220 to settle HIPAA Privacy violations that occurred after an unencrypted laptop was stolen from one of its offices. Some organizations may wrongly conclude that encryption is technically not required in all cases under the HIPAA Security Rule, as it is an "addressable" standard under HIPAA, meaning that it is required only where reasonable and appropriate based on a risk assessment. However, these fines raise the question of how encryption of mobile devices containing ePHI is viewed. It is clear from the Concentra Health Services settlement that conducting risk assessments is not enough to avoid penalties under HIPAA. Rather, the risks identified in the assessment must be addressed completely and consistently. Encryption of ePHI during transmission is another important consideration organizations need to assess when completing risk assessments. When transmitting data between devices, it is crucial that organizations select a vendor that is HIPAA compliant; without doing so, organizations are exposed to an enormous risk of data breaches.



HIPAA needs a makeover | mHealthNews


The pace of mHealth innovation shows no signs of slowing down. New technologies are not only improving the lives of patients, but also empowering clinicians. However, healthcare is a highly regulated space dominated by major vendors, and it is vital that the regulatory environment keep up with the changing world. Specifically, it’s time for the Department of Health and Human Services to take a fresh look at the Health Insurance Portability and Accountability Act (HIPAA) to ensure it better fits today’s mobile world.

Current HIPAA guidelines – while critical – need to be revised to support smaller companies that can transform the space. Leading app developers across the industry are working together to seek clearer guidelines that will encourage innovation. The App Association recently joined with AirStrip, CareSync and other mHealth companies urging government representatives to look at this issue so we can better align our practices with theirs and together work towards the goal of improved patient care.

We recommend:

1. Make existing regulation more accessible for tech companies

Information on HIPAA is still mired in a Washington, D.C. mindset that revolves around reading the Federal Register or hiring expert consultants to "explain" what should be clear in the regulation itself. Not surprisingly, app makers do not find the Federal Register to be an effective resource when developing health apps.

Additionally, there are limited user-friendly resources available for app developers, who are mostly solo inventors or small groups of designers, not large companies with the resources to easily hire counsel or consultants who can help through the regulatory process.

Proposed solution: HHS must provide HIPAA information in a manner that is accessible and useful to the community who needs it. The agency should draft new FAQs that directly address mobile developer concerns.

2. Improve and update guidance from OCR on acceptable implementations

The current technical safeguards documentation available on the hhs.gov website is significantly out of date. Without new documentation that speaks to more modern uses, it will be difficult for developers to understand how to implement HIPAA in an effective way for patients.

Proposed solution: HHS and the OCR must update the "Security Rule Guidance Material" and provide better guidance regarding mobile implementations and standards – or examples of standard implementations that would not trigger an enforcement action – instead of leaving app makers to learn about these through an audit.

3. Improve outreach to new entrants in the healthcare space

Some of the most innovative new products in the mobile health space are coming from companies outside the traditional healthcare marketplace. Yet HHS appears attached to ‘traditional’ healthcare communities.

Proposed solution: In order to ensure the expansion of innovative new technologies, it is essential that HHS, the OCR and others expand their outreach to the communities that are driving innovation.

These issues are critical to the mobile health economy. By working more closely together, we can create a regulatory environment that encourages innovation in this life-changing marketplace.


more...
No comment yet.