HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Six Potential HIPAA Threats for PHOs and Super Groups


Physician Hospital Organizations (PHOs) and super groups are on the rise. About 40 percent of physicians either work for a hospital or a hospital-owned practice group, or have banded together with other practices to form a super group. Member practices share operations, billing, and other administrative functions, gain leverage with insurers, add specialist resources and referrals, and can improve patient outcomes through a cohesive care plan. The benefits are plentiful.

But just as one negative Yelp review can hurt a restaurant's patronage and reputation, one practice that commits a HIPAA violation can affect the entire group: an expensive fine, distrust among patients and, in the extreme case of a data breach, medical identity theft for the patients involved.


For PHOs and super groups, adherence to HIPAA rules becomes more complicated when compliance isn't consistent among the group's practices and no compliance officer is on board to manage risks and respond to violations.


At a minimum, the group should identify the potential sources for exposure of electronic protected health information (ePHI) and take measures to avert them. For example:


1. Super groups include smaller practices that struggle with HIPAA compliance and its associated time and costs. Although a PHO or super group may be rich in physicians, employees, and offices, most of those assets may come from small organizations. Historically, smaller practices lack the resources to comply with HIPAA, and hiring a compliance consultant can be cost-prohibitive at the individual practice level.


2. Each practice uses a different EHR, or the EHR is centralized but ePHI is also stored on different devices. Assessing HIPAA compliance, and how patient data is actually being protected, is difficult when several EHRs are in use across multiple practices. Some may be cloud based while others run on a server in an individual practice's office. Getting an accurate inventory of where ePHI is stored or accessed can be challenging.


3. Hospitals can't conduct a thorough security risk assessment for each practice in the group. A PHO could have 20 or more individual practices, and the time required to assess each one could be daunting. These risk assessments are labor intensive and could strain the resources of hospital compliance staff.


4. Meaningful use incentive payments from HHS can be significant, especially for a large number of providers, and with those funds comes the responsibility to meet the meaningful use objectives. One of the most frequent reasons for failing a meaningful use audit is not having performed the HIPAA security risk assessment. If one practice fails an audit, it could open the door to audits of other practices in the group, and a significant portion of the group's EHR incentive payments might have to be returned.


5. For physician groups that share patient information, security is only as strong as the weakest link, whether that is one practice or one employee. A breach at one practice could expose patient information belonging to many or all of the others, so the group's effective security level is that of its least secure member.


6. Untrained front-office employees unwittingly violate HIPAA and a patient's right to privacy. One employee who falls for a phishing email can give criminals access to that practice's network, and from there to the systems of many or all practices in the PHO or super group.


The best way to avoid a HIPAA violation and a patient data breach is to create a group policy that requires each practice to:


• Perform regular HIPAA security risk assessments;
• Inventory the locations of patient information;
• Assess common threats;
• Identify additional security needs;
• Set up policies and procedures;
• Stay up to date on patient privacy rules and the requisite patient forms; and
• Properly train employees in protecting both the privacy and security of ePHI.


Make sure every practice in the group treats HIPAA compliance with the same care as a patient's medical condition.

Roger Steven's comment, July 10, 2015 6:34 AM
nice article www.mentorhealth.com

Health Providers Beware: HIPAA Breaches May Give Rise To Negligence Actions


Electronic medical records provide a multitude of benefits for providers and patients by promoting efficient record access, cost savings and better patient care.  So what's the down side?


Well, for starters, these records are ripe for hacking and inadvertent disclosure. As mentioned in a previous post, health care fraud has reached new heights through the theft of personal and medical information. In the wrong hands, the sensitive information in these computerized records could unleash a fraud firestorm.


Historically, medical providers have successfully defended against claims brought by patients whose information was hacked or otherwise improperly accessed by pointing out that the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") creates no private right of action: enforcement belongs to HHS and, since the HITECH Act, to state attorneys general. That success may be short lived. As attacks have multiplied, some courts, such as Connecticut's Supreme Court, have shown a willingness to allow patients to bring negligence and privacy claims against providers under state law.

HIPAA Standard of Care

In Byrne v. Avery Center for Obstetrics & Gynecology, 314 Conn. 433 (2014), a health center produced a patient's protected health information (PHI) in response to a subpoena without notifying the patient and without seeking a protective order or taking any other step to limit the disclosure, contrary to HIPAA's requirements for responding to subpoenas. The patient sued the provider for breach of contract, negligence, and negligent infliction of emotional distress.


The Court acknowledged that HIPAA provides no private right of action but did not find that limitation dispositive of the patient's negligence claim. It held that HIPAA does not preempt state common-law claims and that the standards promulgated under HIPAA may inform the standard of care in a negligence action, so a HIPAA violation may serve as evidence that the provider fell below that standard.

Will New Jersey Follow Connecticut?

Given the proliferation of electronic medical records and the overwhelming amount of paperwork that healthcare providers deal with on a daily basis, the odds of falling victim to a HIPAA breach have markedly increased.  New Jersey health care providers should be mindful of the Connecticut case because New Jersey may follow this trend of reviewing HIPAA guidelines as a standard of care that may be considered to support a negligence action.

Problem Prevention
  1. Review and update HIPAA policies.
  2. Educate staff on the significance of the policies and demand 100% compliance.
  3. Develop a process to deal with subpoenas to ensure that the practice is in compliance with all applicable standards under federal and state law.



Is your doctor's office the most dangerous place for data?

Everyone worries about stolen credit cards or hacked bank accounts, but just visiting the doctor may put you at greater risk for identity fraud.

Those medical forms you give the receptionist and send to your health insurer provide fertile ground for criminals looking to steal your identity, since health care businesses can lag far behind banks and credit card companies in protecting sensitive information. The names, birthdates and — most importantly — Social Security numbers detailed on those forms can help hackers open fake credit lines, file false tax returns and create fake medical records.

"It's an entire profile of who you are," said Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin in Boston. "It essentially allows someone to become you."

Social Security numbers were created to track the earnings history of workers in order to determine government benefits. Now, health care companies are, in some cases, required to collect the numbers by government agencies. They also use them because they are unique to every individual and more universal than other forms of identification like driver's licenses, said Dr. Ross Koppel, a University of Pennsylvania professor who researches health care information technology.

But once a stolen Social Security number has been used to build a fraudulent identity, the damage is hard to undo. A person can call a bank to cancel a stolen credit card, but there is no comparable process for a Social Security number.

"There is no such mechanism with Social Security numbers and our identity," said Avivah Litan, a cybersecurity analyst at the research firm Gartner. "You can't just call the bank and say, 'Give me all the money they stole from my identity.' There's no one to call."

So being that the data is so vital to protect, health care companies are taking every precaution to defend against hackers, right?

Not necessarily. The FBI warned health care companies a year ago that their industry was not doing enough to resist cyberattacks, especially compared with companies in the financial and retail sectors, according to Christopher Budd of security software company Trend Micro. The warning came in a government bulletin to U.S. companies that cited research by a nonprofit security institute, he said.

Last year, more than 10 million people in the U.S. were affected by health care data breaches — including hacking or accidents that exposed personal information, such as lost laptops — according to a government database that tracks incidents affecting at least 500 people. That was the worst year for health care hacking since 2011.

Litan estimates that the health care industry is generally about 10 years behind the financial services sector in terms of protecting consumer information. She figures that it may be twice as easy for hackers to get sensitive financial information out of a health care company compared with a bank. Banks, for instance, are more likely to encrypt personal data, which can garble the information if a hacker gets ahold of it. They also are much more likely to use advanced statistical models and behavior analytics programs that can spot when someone's credit card use suddenly spikes, says Litan, who studies fraud-detection technology. That's a sign of possible fraud that may be worth investigating.

"There's a need for that everywhere now," she said.

Health care companies do have security to protect sensitive patient information. Anthem, the nation's second-largest health insurer, said last week that hackers broke into a database storing information on 80 million people, including Social Security numbers. The company had "multiple layers of security" in place before the attack, said David Damato, managing director at FireEye, the security company hired by Anthem to investigate the breach.

But the stolen data was not encrypted. An Anthem spokeswoman said encryption wouldn't have helped, because the intruder used high-level security credentials to get into the company's system.

Still, several experts say encryption does help.

Encryption programs can be tuned so that even authorized users can view only one person's account, or a portion of an account record, at a time, said Martin Walter, senior director at cybersecurity firm RedSeal Networks. That makes it harder for an outsider to view or copy a whole stockpile of records.

Even if Anthem's security had proved invulnerable, the health care system offers several other inviting targets with varying levels of security. Hospitals, labs, clinics and doctor's offices all can be attacked. Cybersecurity experts say they expect even more health care hacking problems in the future as those layers of the health care system shift their paper files to electronic medical records, a push that has been boosted by federal funding in recent years.

"A lot of businesses that didn't place a premium on security are now placing this incredibly valuable information online," noted Al Pascual, director of fraud and security at the consulting firm Javelin Strategy & Research.

The experience of a big company like Anthem does not bode well for the broader health care industry, said Budd at Trend Micro.

"They have resources to throw at cyber security," he said. "And if someone with nearly unlimited resources can be breached like this, then it raises serious questions as to what's at risk."

Beth Knutsen still worries about someone using her Social Security number more than a year after she was told that some old patient files of hers had been taken from a doctor's office in Chicago. The 39-year-old New York resident visited that doctor nearly 20 years ago.

She's seen no signs of fraud yet, and she still provides her Social Security number when a doctor's office asks for it — but only because it seems to be required for insurance and billing.

"It's so scary," she said. "Who knows what can happen with that information?"

Five common mistakes and how to avoid them for 2015 HIPAA audits


2014 saw a rise in data breaches and HIPAA compliance failures within the healthcare industry. The Office for Civil Rights (OCR) takes privacy and security seriously, and more organizations have been fined for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA). This year, the OCR will use the HIPAA audit program to randomly assess healthcare entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. Here are five mistakes to avoid:  

  1. Failure to keep up with regulatory requirements

Understand the difference between "required" and "addressable" implementation specifications. Every covered entity and business associate must comply with every Security Rule standard; what varies is the implementation specification under it. A required specification must be implemented as written. For an addressable one, the entity must decide, based on its risk analysis, whether the specification is reasonable and appropriate in its environment; if it is not, the Security Rule allows an equivalent alternative measure (or, where the standard is otherwise met, none), provided the decision and its rationale are documented. Document everything, particularly since OCR may look closely at encryption, an addressable specification, in this year's audits.

  2. No documented security program

OCR wants to see how you run your security risk management program, so make sure the program itself is documented, not just the awareness training. Once you know the requirements, assess your environment and your users. Does your organization have a security and compliance program in place? How well is it implemented? Who is involved? How often do you communicate? Everyone in the organization is responsible for safeguarding data and following procedure, but have a plan and a named point person, and make sure the compliance and security teams talk to each other. Form a committee of stakeholders with clear responsibilities, and make sure the plan is documented, communicated and enforced across the organization.

  3. A reactive approach to audits

Once a security program is in place, proactively monitor security and performance indicators; OCR audits will focus heavily on breach response plans and on the controls that protect ePHI. Auditors will look at who holds membership in critical groups (domain, database and EHR administrators, for example), so audit and report on user activity, including that of privileged users. Auditors are increasingly interested in this area because of the recent rise in insider incidents.

  4. Assumptions regarding business associate agreements

Contractors and subcontractors that create, receive, maintain or transmit PHI on a covered entity's behalf, including those that process health insurance claims, are directly liable for protecting it. Make sure an up-to-date business associate agreement is in place, and that the chain of responsibility is documented, agreed upon, and reviewed regularly by both parties. HHS publishes sample business associate agreement provisions to help with this.

  5. A checkbox approach to compliance

Regulators want to move organizations away from checkbox compliance toward risk-based security. Compliance and security must go hand in hand, and organizations benefit from spreading that mindset across both teams. Strong security measures make it easier to meet compliance requirements. An organization that looks honestly at itself gains visibility into internal issues, a more resilient business process and the next level of organizational maturity.
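Mistake 3 above says to audit and report on user activity, including privileged users, rather than wait for an auditor to ask. The following is an added example of what that review can look like in code; it is not from the article or from any vendor it mentions. The log layout (one event per line, key=value fields), the group names, the thresholds and the business hours are assumptions standing in for whatever a practice's EHR and directory actually export, and the sample events are constructed, not real. Three rules run over the export: changes to privileged group membership, one user opening an unusual number of distinct charts in a short window (the pattern behind both insider snooping and bulk exfiltration), and record exports outside business hours.

```python
"""Review of EHR audit events for privileged-group changes and bulk record access.

Added example, not code from the article. Field names, group names, thresholds
and business hours are assumptions; SAMPLE_LOG is constructed test data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"EHR_Admins", "Domain Admins", "DB_Admins"}  # assumed group names
WINDOW = timedelta(minutes=10)      # sliding window for the bulk-access rule
MAX_DISTINCT_PATIENTS = 10          # more distinct charts than this inside WINDOW is flagged
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 assumed; exports outside are flagged

# Constructed sample export (not real data): asmith opens 11 charts in ten seconds,
# is then added to EHR_Admins, and runs an export late in the evening.
SAMPLE_LOG = """\
ts=2015-03-02T08:01:10 user=jdoe action=view_record patient=P1001 role=nurse
ts=2015-03-02T08:03:44 user=jdoe action=view_record patient=P1002 role=nurse
ts=2015-03-02T08:05:01 user=jdoe action=view_record patient=P1001 role=nurse
ts=2015-03-02T08:07:30 user=asmith action=view_record patient=P2001 role=billing
ts=2015-03-02T08:07:31 user=asmith action=view_record patient=P2002 role=billing
ts=2015-03-02T08:07:32 user=asmith action=view_record patient=P2003 role=billing
ts=2015-03-02T08:07:33 user=asmith action=view_record patient=P2004 role=billing
ts=2015-03-02T08:07:34 user=asmith action=view_record patient=P2005 role=billing
ts=2015-03-02T08:07:35 user=asmith action=view_record patient=P2006 role=billing
ts=2015-03-02T08:07:36 user=asmith action=view_record patient=P2007 role=billing
ts=2015-03-02T08:07:37 user=asmith action=view_record patient=P2008 role=billing
ts=2015-03-02T08:07:38 user=asmith action=view_record patient=P2009 role=billing
ts=2015-03-02T08:07:39 user=asmith action=view_record patient=P2010 role=billing
ts=2015-03-02T08:07:40 user=asmith action=view_record patient=P2011 role=billing
ts=2015-03-02T08:09:00 user=itadmin action=group_add target=asmith group=EHR_Admins
ts=2015-03-02T08:10:00 user=itadmin action=group_add target=bjones group=Helpdesk
ts=2015-03-02T22:15:00 user=asmith action=export_records count=500 role=billing
"""


def parse_event(line: str) -> dict:
    """key=value tokens -> dict; the ts field becomes a datetime."""
    event = dict(token.split("=", 1) for token in line.split())
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def parse_log(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def privileged_group_changes(events: list) -> list:
    """Every add/remove on a privileged group; each should map to an approved change ticket."""
    return [
        f"{e['ts']:%Y-%m-%d %H:%M} {e['user']} {e['action']} {e['target']} {e['group']}"
        for e in events
        if e["action"] in ("group_add", "group_remove") and e["group"] in PRIVILEGED_GROUPS
    ]


def bulk_record_access(events: list) -> dict:
    """user -> most distinct patients viewed inside any WINDOW, for users over the threshold."""
    views = defaultdict(list)
    for e in events:
        if e["action"] == "view_record":
            views[e["user"]].append((e["ts"], e["patient"]))
    flagged = {}
    for user, seq in views.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > WINDOW:   # slide the window forward
                start += 1
            distinct = len({patient for _, patient in seq[start:end + 1]})
            if distinct > MAX_DISTINCT_PATIENTS:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def off_hours_exports(events: list) -> list:
    return [
        f"{e['ts']:%Y-%m-%d %H:%M} {e['user']} exported {e['count']} records"
        for e in events
        if e["action"] == "export_records" and e["ts"].hour not in BUSINESS_HOURS
    ]


def review(text: str) -> dict:
    events = parse_log(text)
    return {
        "privileged_changes": privileged_group_changes(events),
        "bulk_access": bulk_record_access(events),
        "off_hours_exports": off_hours_exports(events),
    }


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG).items():
        print(rule, hits)
```

On the sample, jdoe's repeat visits to two charts are normal; asmith trips all three rules, which is exactly the sequence (broad read access, a privilege grant, then an off-hours export) that a reviewer should be able to reconstruct for an auditor. The thresholds are deliberately tunable constants: a billing clerk legitimately touches more charts per hour than a nurse, so a real deployment keys them by role.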



How to Prepare for the Risk Assessment HIPAA Requires

My brother-in-law retired a few years ago after more than three decades in private practice. He ran his busy office the old fashioned way — without computers. His patients’ records were kept in manila folders filed in a wall of shelves. In longhand, his office manager recorded appointments in a big black book and kept track of accounts in a ledger tucked into a backroom drawer.

Today when I sat down to blog here about how to prepare for a risk analysis/risk assessment (the terms are interchangeable), I couldn’t help but think about my brother-in-law’s healthcare office and how its methods of dealing with patient information differed from most modern practices. I bring this up only to bring home an important point to keep in mind when setting out to do a risk assessment: Namely, no two healthcare practices have exactly the same information-system components, nor do they manage the flow of information in exactly the same way.

Performing a risk assessment regularly is a required component for HIPAA compliance — a do-it-yourself method of understanding where your healthcare practice might be vulnerable when it comes to keeping Protected Health Information (PHI and ePHI) safe. An intended by-product of a risk assessment is the development of plans and strategies within your office to prioritize and address those vulnerabilities.

Start here

It’s probably safe to say that, unlike my brother-in-law, you run an office that relies on information technology in a variety of ways. To prepare for a risk assessment, here’s what I suggest for you or whoever serves as the Security Officer in your practice: Catalogue the information-system components in the office that come in contact with PHI and ePHI and that play a role in either storing patient health information or transmitting it. Begin by listing:

Hardware – Computers at the front desk, tablets in clinical areas, printers, servers, scanners, modems, PDAs, and smartphones

Software — Operating systems; browsers; software for practice management, billing, EHR, email, and database and office productivity

Network components – Dedicated phone or cable lines, routers and hubs, firewall software and firewall hardware, wireless systems

Charting a course to HIPAA compliance

The next step is to create a simple chart to diagram and better understand how all that stuff works together in collecting, storing, and transmitting patient information. An at-a-glance depiction of the flow of information at your office.

This step is important because HIPAA requires that your assessment of risk be specific to your practice. A chart like this communicates, “This is how we do things here.” It’s also an effective way to get a handle on what needs to be updated and the places and intersections where breaches could occur.

Ready? Set? Assess!

With that flow chart in hand, you'll have a head start on a thorough risk assessment. And here's why that's a good thing. In an online conversation at healthcareinfosecurity.com, Verne Rinker, health information privacy specialist at the Office for Civil Rights (OCR), said this about the importance of risk assessment in healthcare practices:

“The number-one suggestion is risk analysis, and risk analysis needs to be comprehensive. It needs to look at all the systems because these are constantly changing as organizations change their IT infrastructure. It needs to be ongoing, which also catches not only the new systems that are coming online, but also catches changes in the existing systems and the existing business lines of entities. And it needs to be a regular part of their business. It needs to be on their corporate radar and in their culture of compliance.”

The topic of risk analysis/risk assessment is so important to HIPAA compliance, it deserves more than one blog. Stay tuned!

IT Maintenance Crucial for HIPAA Compliance

The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) recently announced an agreement with a medical center to settle charges stemming from the center’s failure to prevent malware from infecting its computers. The malicious programming breached the electronic protected health information (ePHI) of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The medical center paid $150,000 and agreed to a corrective action plan for violating the HIPAA Security Rule. Under the Security Rule, covered entities and business associates must implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of ePHI.

According to OCR, the medical center adopted policies to comply with the HIPAA Security Rule, but failed to follow them after putting them to paper. The medical center did not perform an accurate or thorough risk assessment for ePHI, nor did it implement the necessary policies, procedures or technical security measures to prevent unauthorized access to ePHI. Specifically, OCR maintains that the medical center’s failure to identify and address basic risks — e.g., not regularly updating firewalls and running outdated, unsupported software — was the direct cause of the introduction of malicious software into its systems.

In addition to the monetary fine, the medical center agreed to implement a two-year corrective action plan requiring it to —

  • Revise, adopt and distribute updated Security Rule policies and procedures approved by OCR;
  • Develop and provide updated security awareness training — based on training materials approved by OCR — to employees, and update and repeat such training annually;
  • Conduct annual assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in its possession and document the security measures implemented to address those risks and vulnerabilities;
  • Investigate and report to OCR any violations of its Security Rule policies and procedures by employees; and
  • Submit annual reports to OCR describing its compliance with the corrective action plan.

OCR used its announcement to highlight the fact that HIPAA compliance is a continuous process and requires more than establishing initial policies, procedures and systems. Covered entities and business associates will only be able to avoid expensive HIPAA fines and penalties by conducting regular ePHI risk assessments, addressing identified security vulnerabilities and regularly updating HIPAA policies and procedures.

Although technical safeguards are vital to keeping ePHI secure, human error is also a significant threat to patient data security and privacy, making a knowledgeable workforce crucial to HIPAA compliance. Thomson Reuters' online training courses on HIPAA Privacy and Security and U.S. Data Privacy and Security explain the essential principles of the HIPAA requirements and of safeguarding individuals' personal information.



N.J. Law Requires Insurers to Encrypt


A New Jersey law that takes effect in July requires health insurers in the state to encrypt the personal information they store on their computers, a stronger requirement than HIPAA's.

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.


The new law states: "Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person."

The law applies to "end user computer systems" and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate is an individual's first name or first initial and last name linked with one or more of the following data elements: Social Security number; driver's license number or State identification card number; address; and identifiable health information.

Different than HIPAA

"The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption," privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

"If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."

Greene points out that because the new state law is tougher than HIPAA, "A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law."
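Two passages on this page describe the same design without showing it: Martin Walter's remark in the Anthem piece that encryption can be arranged so an authorized user views only one person's record at a time, which makes a copied table useless in bulk, and the New Jersey statute's requirement that stored personal information be "unreadable, undecipherable, or otherwise unusable by an unauthorized person". The following is an added example of field-level encryption with per-record derived keys; it is not code from the article, from Anthem, RedSeal or the statute. It uses only the Python standard library, so the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag under separately derived keys; in production you would use AES-GCM from a vetted library and hold the master key in a KMS or HSM rather than next to the data. The field names, record layout and sample patients are made up.

```python
"""Field-level encryption of ePHI with per-record derived keys.

Added example, not code from the article or any organization it quotes. Stdlib
only: HMAC-SHA256 counter-mode stream plus an HMAC tag (encrypt-then-MAC),
with distinct keys derived per record and per field from one master key.
Production systems should use AES-GCM and a KMS/HSM-held master key.
"""
import hashlib
import hmac
import secrets

# Assumed: the stored fields that the N.J. definition of "personal information" reaches.
PROTECTED_FIELDS = ("ssn", "diagnosis")
NONCE_LEN, TAG_LEN = 16, 32


def derive_key(master_key: bytes, record_id: str, label: str) -> bytes:
    """Per-record, per-purpose subkey: knowing one record's key says nothing about another's."""
    return hmac.new(master_key, f"{record_id}|{label}".encode(), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: HMAC(key, nonce || counter) blocks, truncated to the needed length."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_field(master_key: bytes, record_id: str, field: str, plaintext: str) -> str:
    enc_key = derive_key(master_key, record_id, "enc:" + field)
    mac_key = derive_key(master_key, record_id, "mac:" + field)
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))
    # The tag is keyed to this record and field: a blob moved onto another row fails to verify.
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_field(master_key: bytes, record_id: str, field: str, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    mac_key = derive_key(master_key, record_id, "mac:" + field)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before touching the plaintext
        raise ValueError("authentication failed: wrong key, wrong record, or tampered data")
    enc_key = derive_key(master_key, record_id, "enc:" + field)
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct)))).decode()


def protect_record(master_key: bytes, record: dict) -> dict:
    """What reaches the database: protected fields are ciphertext, the rest is stored as-is."""
    stored = dict(record)
    for field in PROTECTED_FIELDS:
        if field in stored:
            stored[field] = encrypt_field(master_key, record["id"], field, stored[field])
    return stored


def read_record(master_key: bytes, stored: dict, permitted_patients: set) -> dict:
    """Authorization gate in front of decryption: one patient, one record, per call."""
    if stored["id"] not in permitted_patients:
        raise PermissionError(f"user not entitled to patient {stored['id']}")
    record = dict(stored)
    for field in PROTECTED_FIELDS:
        if field in record:
            record[field] = decrypt_field(master_key, stored["id"], field, record[field])
    return record


def can_decrypt(master_key: bytes, record_id: str, field: str, blob: str) -> bool:
    try:
        decrypt_field(master_key, record_id, field, blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def demo() -> dict:
    """Runs the scenario from the text on constructed records and returns what was observed."""
    master_key = secrets.token_bytes(32)  # in production: fetched from a KMS, not generated here
    patients = [  # constructed sample records, not real data
        {"id": "P1001", "name": "A. Patient", "ssn": "123-45-6789", "diagnosis": "J45.20"},
        {"id": "P1002", "name": "B. Patient", "ssn": "987-65-4321", "diagnosis": "E11.9"},
    ]
    table = [protect_record(master_key, p) for p in patients]
    results = {
        "dump_hides_ssn": all(row["ssn"] != p["ssn"] for row, p in zip(table, patients)),
        "authorized_read": read_record(master_key, table[0], {"P1001"}) == patients[0],
        "blob_bound_to_record": not can_decrypt(master_key, "P1002", "ssn", table[0]["ssn"]),
        "stolen_copy_without_key": not can_decrypt(secrets.token_bytes(32), "P1001", "ssn", table[0]["ssn"]),
    }
    try:
        read_record(master_key, table[1], {"P1001"})
        results["other_patient_denied"] = False
    except PermissionError:
        results["other_patient_denied"] = True
    return results
```

The point Anthem's spokeswoman made still stands in this design: an attacker holding a legitimate user's credentials can read whatever that user can read. What changes is the blast radius. Decryption happens per record behind an authorization check, and a copy of the table without the master key, or a blob pasted onto a different patient's row, fails the tag check, so a dump of 80 million rows is not the same as 80 million readable records.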



Indiana Attorney General Enforces HIPAA For First Time – Another Lesson for Small Business | The National Law Review


As we reported, state attorneys general have authority to enforce the HIPAA privacy and security regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial information, Indiana Attorney General Greg Zoeller reached a settlement with a dentist in his state, Joseph Beck, for improperly dumping patient records in violation of state law and HIPAA. The dentist agreed to pay $12,000 in fines.

According to news reports, over 60 boxes containing years of dental records pertaining to over 5,600 patients, and including very sensitive personal information, were found in a dumpster. Apparently, the dentist hired a third party vendor to dispose of the records; that vendor likely was a business associate under HIPAA and, if so, also subject to the HIPAA privacy and security rules.

For small medical or dental practices, as for other professional service businesses such as lawyers, accountants, and insurance brokers, data security can be daunting, and a breach expensive. Like many businesses, small practices rely on third-party vendors to perform certain activities. When those activities involve customers' personal information, the business owner should be paying closer attention. Ask the vendor what steps it takes to protect information: does it have a written information security plan, is it licensed, does it carry insurance in the event of a breach, does it train its employees on data security and, yes, how does it dispose of the records and data it is being asked to handle. In many states, businesses are required to include data security language in service agreements with vendors that will handle personal information. HIPAA has a similar requirement for business associates.

It is troubling to see that sensitive records are still being found in dumpsters even after the many widely-publicized data breaches. But, as here, the owner of the records may not be able to avoid responsibility by shifting it to the vendor.



How to create a hospital cybersecurity framework


As cyberattacks on the healthcare industry increase in intensity, hospitals and healthcare providers must establish a cybersecurity framework.

For providers who don't have such a framework in place, Christopher Paidhrin, security administration and integrity manager in the compliance division of Pacific Northwest-based PeaceHealth, says two things are important: create a spreadsheet that can stimulate ideas, and don't forget business associates and vendors, including the flow of information into and out of the organization.

A good security risk template to consider is the National Institute of Standards and Technology's cybersecurity framework, he writes at HealthcareInfoSecurity.

Through his experience with cybersecurity, Paidhrin says he learned that being agile and proactive is very important, as is having early detection of threats and rapid response to attacks.

Providers, according to Paidhrin, should also start small: "Do something today that makes a difference tomorrow," he says.

In addition, he says organizations should communicate and pool their information to better help one another prepare for and prevent attacks.

NIST, in November, created draft guidelines to help organizations share information during and after a cyberattack.

"By sharing cyberthreat information, organizations can gain valuable insights about their adversaries," Christopher Johnson, lead author of the guidelines, says in an announcement. "They can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise."

In addition, the Health Information Trust Alliance says it will include privacy controls in version seven of its Common Security Framework.



HIPAA Security Evaluation – HIPAA Risk Analysis – Explained -


Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh?

Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation and a HIPAA Security Risk Analysis. No wonder: the terms are often used interchangeably.

Let’s end the confusion…


Technically, one might argue when it comes to regulatory compliance of any type, three types of assessments can be completed:

1. Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”

2. Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”

3. Readiness Assessments answer questions like: “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and “Are we ready for an audit?”

We focus on the first two in this post because these are the ones you must complete. Both are required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law, including all 18 Standards and 42 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) in the HIPAA Security Final Rule. Additionally, this evaluation must cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures, and Documentation.

As indicated above, completing this HIPAA Security Compliance Evaluation is required by every Covered Entity and Business Associate. The language of the law is in 45 C.F.R. § 164.308(a)(8):

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program or maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:

A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is also required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives. Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by the HITECH Act, the Office for Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. This guidance was published on July 8, 2010. No specific methodology was indicated. However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. We have designed a Risk Analysis methodology and ToolKit around these elements while using industry best practices.

As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of risk, along with mitigation actions involving new safeguards or controls:

Upon completion of the Risk Analysis for all information assets, an overall Risk Analysis Project Tracking tool would be used to ensure ongoing project management of the implementation of safeguards:

So, when it comes to HIPAA Security Compliance Evaluation, think:

  • Forest-level view
  • Overall compliance with the HIPAA Security Final Rule
  • Establishing baseline evaluation score for measuring progress
  • Asking: Have we documented appropriate policies and procedures, etc?
  • Asking: Are we performing against our policies and procedures?

When it comes to HIPAA Security Risk Analysis, think:

  • Trees/Weeds-level view of each information asset with PHI
  • Meeting a specific step in the overall compliance process
  • Understanding current safeguards and controls in place
  • Asking: What are our specific risks and exposures to information assets?
  • Asking: What do we need to do to mitigate these risks?

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are required by law, and both are important and necessary steps on your HIPAA HITECH Security compliance journey.



BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say


The $150,000 fine that U.S. Department of Health and Human Services' Office for Civil Rights levied against an Alaska mental health organization last month could be a sign that OCR is settling in after a wave of leadership changes in 2014 and gearing up to aggressively investigate HIPAA compliance complaints, according to a former federal attorney.

Ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation in an article at HealthcareInfoSecurity. He predicts more high-profile enforcement actions in 2015.

Holtzman echoes a warning from Jerome B. Meites, OCR chief regional counsel for the Chicago area, who told an American Bar Association conference last summer that the whopping fines levied over the past year will "pale in comparison" to those expected to come.

Meanwhile, privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson, in an interview with HealthcareInfoSecurity, urge healthcare organizations to conduct their own mock audits to determine any exposures and to do their best to fix those problems.

They also recommend keeping all such documentation in one place--including all records of HIPAA education programs conducted with staff, and evidence that they've reviewed all business associate agreements--and ensuring that it's up to date. Chestler and Fraiche foresee BA agreements being a bigger target of OCR enforcement actions in 2015.

In particular, Chestler and Fraiche say, organizations need to re-examine all bring-your-own-device policies and make sure they address any issues that have arisen since those policies were last reviewed.

In September, OCR announced it was delaying the start of the second round of audits in order to get a web portal up and running through which entities could submit information. A specific start date has not been announced, only that the new audits will begin in early 2015.

Brett Short, chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, spoke with FierceHealthIT about receiving a call from an auditor when the organization had never received a letter saying it had 10 days to submit required documents.



Stolen Patient Information Prompts Data Breach Warning from Shoreview Company


An alert about a data breach involving an orthopedic medical device company in Shoreview affects not only Minnesotans, but others across the country as well.

A contractor for the company DJO Global went inside a coffee shop in Roseville on Nov. 7 and left a laptop containing private patient information in a backpack on the backseat of his car. A thief saw the backpack, smashed the window and stole it.

DJO Global notified patients in a letter that their private information stored on the computer had been stolen. The data included patients' names, phone numbers, diagnosis codes, surgery dates, health insurers, and clinic and doctor names. A handful of Social Security numbers were swiped, too.

Worried individuals have contacted police.

"We received hundreds upon hundreds of phone calls from all over the country," Lt. Lorne Rosand with the Roseville Police Department said.

A spokesman for DJO told 5 EYEWITNESS News via email that no credit card information was taken. The information was in limbo from Nov. 7-21.

"If someone is able to glean information, name, dates, birth, social security information — that's a gold mine," Rosand said.

DJO says the laptop had password protection in place but wasn't encrypted. There were firewalls, tracking and remote software intact that allowed the data to eventually be erased remotely. DJO says it's doing an internal investigation and security assessment.  

Roseville police call this situation a reminder for everyone.

"When people leave valuables in vehicles such as laptops, there's only a piece of glass between the bad guy and your property; that glass can be shattered," Rosand said.

If you received a letter from DJO or believe your information might be at risk, you can set up a fraud alert with the three credit reporting agencies as a precaution. 

The thief has not been caught.



What Happens in HIPAA Audits: Breaking Down HIPAA Rules


HIPAA audits are something that covered entities of all sizes must be prepared to potentially go through. As technology continues to evolve, facilities need to ensure that they are maintaining PHI security and understand how best to keep sensitive information secure.


The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) had originally scheduled its second round of HIPAA audits for the fall of 2014, yet as of this publication, round two is still waiting to be scheduled. Regardless, HIPAA audits are an essential aspect to the HIPAA Privacy and Security Rules.


We’ll break down the finer points of the audit process and why it is important, while also highlighting tips for facilities in case they are selected for an OCR HIPAA audit.


What are the HIPAA audits?


The OCR HIPAA audit program was designed to analyze the processes, controls, and policies that selected covered entities have in place in relation to the HITECH Act audit mandate, according to the HHS website.

OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

The HIPAA audits also are designed to cover HIPAA Privacy Rule requirements in seven areas:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures.


Why are the HIPAA audits important?


HIPAA audits are not just a way for OCR to ensure that covered entities are keeping themselves HIPAA compliant. Having periodic reviews of audit logs can help healthcare facilities not only detect unauthorized access to patient information, but also provide forensic evidence during security investigations. Auditing also helps organizations track PHI disclosures, learn about new threats and intrusion attempts, and even help to determine the organization’s overall effectiveness of policies and user education.
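The paragraph above recommends periodic review of audit logs to detect unauthorized access to patient information. The script below is an added example written for this page, not code from the article or from OCR, showing what such a review can look like when run over an ePHI access log. It flags three patterns a reviewer would want surfaced: one user opening an unusual number of distinct charts in a day, access to a chart by a user with no documented reason to open it, and a non-clinical role active outside business hours. The log lines, user names, roles, the AUTHORIZED access list, the business-hours window and the distinct-patient threshold are all constructed assumptions for the example.

```python
"""Periodic ePHI access-log review (constructed example, not an OCR tool).

Three review rules, each a pattern a HIPAA audit-log review would surface:
  high_volume               one user opens many distinct charts in a day
  no_treatment_relationship access to a chart by a user with no documented reason
  after_hours               non-clinical role active outside business hours
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp,user,role,action,patient_id
SAMPLE_LOG = """\
2015-01-12T09:14:02,dr.lee,physician,VIEW,P1001
2015-01-12T09:20:45,dr.lee,physician,VIEW,P1002
2015-01-12T10:02:11,nurse.kim,nurse,VIEW,P1001
2015-01-12T11:05:30,reg.pat,registration,VIEW,P1003
2015-01-12T13:30:00,nurse.ray,nurse,VIEW,P1001
2015-01-12T13:31:10,nurse.ray,nurse,VIEW,P1002
2015-01-12T13:31:55,nurse.ray,nurse,VIEW,P1003
2015-01-12T13:32:40,nurse.ray,nurse,VIEW,P1004
2015-01-12T13:33:12,nurse.ray,nurse,VIEW,P1005
2015-01-12T13:34:05,nurse.ray,nurse,VIEW,P1006
2015-01-12T22:41:09,billing.jo,billing,VIEW,P1003
"""

# Constructed access list: users with a documented reason (care-team assignment,
# scheduled visit, billing work queue) to open each chart. In practice this
# would be derived from the EHR's scheduling and assignment tables.
AUTHORIZED = {
    "P1001": {"dr.lee", "nurse.kim", "nurse.ray", "reg.pat"},
    "P1002": {"dr.lee", "reg.pat"},
    "P1003": {"dr.lee", "reg.pat", "billing.jo"},
    "P1004": {"dr.lee"},
    "P1005": {"dr.lee"},
    "P1006": {"dr.lee"},
}

CLINICAL_ROLES = {"physician", "nurse"}   # roles expected on shift at any hour
BUSINESS_HOURS = (7, 19)                  # assumed 07:00 to 18:59 local time


def parse_log(text):
    """Turn CSV log lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "patient": patient})
    return events


def review(events, authorized, distinct_threshold=5):
    """Return a list of findings; each is {"rule", "user", "detail"}."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for e in events:
        charts_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
        if e["user"] not in authorized.get(e["patient"], set()):
            findings.append({"rule": "no_treatment_relationship", "user": e["user"],
                             "detail": f"{e['action']} {e['patient']} at {e['ts'].isoformat()}"})
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if e["role"] not in CLINICAL_ROLES and not in_hours:
            findings.append({"rule": "after_hours", "user": e["user"],
                             "detail": f"{e['role']} {e['action']} {e['patient']} at {e['ts'].isoformat()}"})
    for (user, day), charts in sorted(charts_per_user_day.items()):
        if len(charts) >= distinct_threshold:
            findings.append({"rule": "high_volume", "user": user,
                             "detail": f"{len(charts)} distinct patients on {day}"})
    return findings


def run_review():
    """Review the constructed sample log against the constructed access list."""
    return review(parse_log(SAMPLE_LOG), AUTHORIZED)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['rule']:26} {f['user']:11} {f['detail']}")
```

On the sample log the review produces seven findings: five no_treatment_relationship hits and one high_volume hit for nurse.ray, and one after_hours hit for billing.jo. Each finding is the starting point for the sanctions review the audit article mentions, not a conclusion; the reviewer still confirms whether a documented reason existed that the access list did not capture.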


In FY 2014 alone, the OCR resolved more than 15,000 complaints of alleged HIPAA violations, according to the national FY 2016 budget request proposal report.


“OCR conducted a pilot program to ensure that its audit functions could be performed in the most efficient and effective way, and in FY 2015 will continue designing, testing, and implementing its audit function to measure compliance with privacy, security, and breach notification requirements,” the report authors explained. “Audits are a proactive approach to evaluating and ensuring HIPAA privacy and security compliance.”


The HIPAA audits are important because they help incentivize covered entities to remain HIPAA compliant, but they are also an opportunity for organizations to strengthen their security measures and find any weak spots in their approach to security.


What if I am selected for the HIPAA audit program?


As previously mentioned, there is not yet an exact date for when the next round of HIPAA audits will take place, but there have been several reports that preliminary surveys have been sent to covered entities that may be selected for audits.


According to a report in The National Law Review, OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards. Furthermore, OCR will audit 100 covered entities for compliance with the Privacy Standards and 100 covered entities for Breach Notification Standards compliance.


Whether your organization received one of those surveys or not, it’s important for entities to have at least a basic plan in place for potential audits. Healthcare organizations should not rely on a false sense of security; when their data systems and safeguards are being reviewed, facilities should keep in mind what the OCR would be looking for so that no areas are missed.


Current physical safeguards, administrative safeguards, and technical safeguards are not only required by the Security Rule, but they work together to protect health information. In addition to those areas, here are a few key things for covered entities to maintain, as they may play a role in the HIPAA audit process:


  • Perform comprehensive and periodic risk analyses.
  • Keep thorough inventories of business associates and their contracts or BAAs.
  • Maintain thorough accounts of where ePHI is stored; this includes, but is not necessarily limited to, internal databases, mobile devices and paper documents.
  • Keep thorough records of all security training that has taken place.
  • Keep documented evidence of the facility’s encryption capabilities.


If covered entities have performed a proper risk assessment, preparing for the HIPAA audits will not be as daunting. For further discussion on the legal implications of risk assessments and analyses.


Maintain compliance and stay prepared


Perhaps one of the best ways to prepare for a potential OCR HIPAA audit is to keep all three safeguards current, ensuring to adjust them as necessary as technology evolves.


It is also essential for covered entities to know their BAs, and have all appropriate contracts and business associate agreements in place and up to date.


Conducting periodic risk analysis will also be beneficial, and covered entities should be sure to be able to provide evidence of compliance. This can include documentation of policies and procedures being in place. For example, instances where a facility has sanctioned people and whether it was consistent with its sanctions policy will be beneficial if an audit takes place that looks at the sanction process.


Without a risk analysis, it is much more difficult for healthcare organizations to know where they are in terms of security. This can be detrimental not only for HIPAA audits, but also in maintaining comprehensive data security. Periodic reviews will help facilities continue to work toward maintaining HIPAA compliance and keeping sensitive data as secure as possible.


HIPAA Regulations Create Communication Obstacle, Says Survey


HIPAA regulations are a necessity for covered entities, but if a recent survey is any indication, they could also be creating issues for providers.


The majority of surveyed providers – 61 percent – stated that HIPAA regulations pose an obstacle to communication and collaboration within the care team, according to a PerfectServe survey. However, respondents also indicated that working to improve secure communications was a goal for their organization. Specifically, 83 percent said that secure communication was a top priority, while 69 percent stated that they already have several applications and technologies in place.


The survey was conducted online by the Harris Poll, on behalf of PerfectServe. A total of 955 doctors, nurses, case managers and healthcare administrators were interviewed, the majority of whom – 65 percent – were in hospital-based practices. Thirty-five percent of respondents worked in an office-based organization or a private practice.

The survey also showed the provider-patient communication breakdown, finding that the majority of respondents use follow-up phone calls with patient and online patient portals to communicate with patients. The most common methods of communication are below:


  • 83 percent of respondents use follow-up patient calls
  • 74 percent of those surveyed utilize online patient portals
  • 46 percent use a unified communication platform
  • 41 percent of respondents use patient text reminders/updates
  • 39 percent engage in telemedicine


In terms of patient care, respondents stated that communication breakdowns often hinder their ability to properly care for patients. Seventy-one percent of physicians, specialists, and hospitalists said they either strongly agree or agree that they have wasted valuable time when trying to communicate with the broader care team. Moreover, 71 percent of nurses and case managers said that time is often wasted when they try to communicate with the right physician for a particular situation.


The majority of respondents – 69 percent – also stated that patient care is often delayed while waiting for important information about the patient, while 67 percent of those surveyed admitted that they often receive pages or calls that are low priority and disrupt patient care.

A unified communication system could potentially be the answer to some of those issues, according to the survey. Of the 29 percent who stated that they are not satisfied with the secure technology utilized by their organization, 68 percent explained that the dissatisfaction largely arises because different members of the community use different technologies. Moreover, 55 percent of those who were dissatisfied said that not all team members have access to secure communication technology.


Similar results were found in a recent Peak10 survey, where C-level executives and information technology professionals were interviewed. In that report, 60 percent of respondents said that government mandates are having a negative effect on their industry, while 94 percent said complying with regulations influences IT strategy and decision-making.


Additionally, 70 percent of respondents said that in terms of healthcare security, they need partners to assist with those concerns, along with data privacy issues.



HIPAA breach puts blame on business associate


A New York healthcare provider is notifying its patients that their medical data has been compromised after one of its business associates reported the theft of an employee-owned laptop and an unencrypted smartphone.

The New York-based Senior Health Partners, part of the Healthfirst health plan, has mailed out breach notification letters to 2,700 of its members after discovering that a laptop and mobile phone belonging to a registered nurse employed by one of its business associates were reported stolen.

Officials say the nurse's laptop, which was stolen on Nov. 26, was encrypted, but the encryption key was in the laptop bag that was taken. The mobile phone was neither encrypted nor password-protected. The nurse was employed by Senior Health Partners' business associate Premier Home Health, which notified the long-term care provider on Dec. 10. Affected patients were mailed notification letters Jan. 30.

An investigation into the theft found that the privately owned laptop included a "potentially accessible" email containing patient names, demographics, Social Security numbers, Medicaid IDs, dates of birth, clinical diagnoses and treatment information, and health insurance claim numbers. "Senior Health Partners sincerely regrets that this incident occurred," read a Jan. 30 press statement. "It takes the privacy and security of members' health information very seriously and expects its vendors to do the same. SHP values the trust its members have placed in it as their health plan, and it is SHP's priority to reassure its members that it is taking steps to ensure its members' information is protected."

Healthcare IT News asked what Senior Health Partners' policy was around encryption and using privately owned devices for work purposes, but did not receive a response before publication time.

To date, nearly 42 million individuals have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.



Why Healthcare Providers Need to Take HIPAA Risk Assessments Seriously


Whether your organization falls under HIPAA, FISMA or PCI DSS, you need to do a risk assessment. Yes, it’s a good thing to do a self-assessment, but in order to prepare for a full compliance audit it’s important to get an independent outside consultant to perform this critical assessment.

I have worked in and audited many organizations that all too often wanted to do the minimum and were completely unaware of their full responsibility to meet their compliance obligations. In many cases they also did not have the internal staff or expertise to do a high-quality assessment.


To begin, let’s look at HIPAA. From hhs.gov, The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Security Rule also concerns individuals’ health records but focuses specifically on ePHI, electronic protected health information. Under the Security Rule, covered entities are required to evaluate risks and vulnerabilities in their environments and to implement security controls to address those risks and vulnerabilities.

Let’s define compliance vs. security. As I recently stated in a quote in the Nov. 17 issue of Fortune, “How Frank Blake kept his legacy from being hacked”: “Compliance is backward-looking and static; security is forward-looking, dynamic, and intelligent.” Compliance is the foundation for security; it’s the minimum.

You can’t be secure if you are not compliant! A risk assessment will achieve compliance and actually make your organization more secure. The HIPAA Risk Assessment is required by law for HIPAA compliance; it’s not optional.
NIST 800-66 Appendix E Risk Assessment Guidelines

  • Scope the assessment. Where is the ePHI? Servers, workstations, smartphones, laptops, backups, cloud backup?
  • Gather information. The conditions under which ePHI is created, received, maintained, processed or transmitted.
  • Identify realistic threats.
  • Identify potential vulnerabilities.
  • Assess current security controls.
  • Determine the likelihood and the impact of a threat exercising a given vulnerability.
  • Determine the level of risk.
  • Recommend security controls.
  • Document the risk assessment results.
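The nine steps above, and the asset-by-asset risk evaluation with a mitigation tracking tool described in the earlier HIPAA Security Evaluation post, can be worked through with a small risk register. The Python below is an added example written for this page, not code from the article's author, from NIST or from HHS; it applies the likelihood-times-impact scale from NIST SP 800-30 (2002), which SP 800-66 Appendix E builds on, to a constructed set of ePHI assets. Every asset, threat, vulnerability, control, rating and owner in build_register() is illustrative and assumed.

```python
"""Asset-by-asset ePHI risk analysis register (constructed example).

Sequence mirrors SP 800-66 Appendix E: scope the assets holding ePHI, pair
each with a realistic threat and the vulnerability it could exercise, note
current controls, rate likelihood and impact, derive a risk level, recommend
a control and assign an owner so remediation can be tracked to closure.
"""
from dataclasses import dataclass

# Qualitative scale from NIST SP 800-30 (2002), Tables 3-6 and 3-7:
# likelihood weight times impact magnitude; >50 High, >10 Medium, else Low.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood, impact):
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood, impact):
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    asset: str                # where ePHI is created, received, maintained or transmitted
    threat: str               # realistic threat (step 3)
    vulnerability: str        # weakness that threat could exercise (step 4)
    current_controls: str     # safeguards already in place (step 5)
    likelihood: str           # Low / Medium / High (step 6)
    impact: str               # Low / Medium / High (step 6)
    recommended_control: str  # mitigation action (step 8)
    owner: str                # who tracks it to closure
    status: str = "Open"

    @property
    def score(self):
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self):
        return risk_level(self.likelihood, self.impact)


def build_register():
    """Constructed register for a hypothetical practice; every entry is illustrative."""
    return [
        RiskItem("Clinic laptop fleet", "Theft from vehicle or coffee shop",
                 "No full-disk encryption; login password only",
                 "Login password, remote-wipe agent", "High", "High",
                 "Full-disk encryption with escrowed keys; mobile device policy", "IT lead"),
        RiskItem("EHR database server", "Insider browsing charts without need",
                 "Audit logs enabled but never reviewed",
                 "Role-based access, audit logging", "Medium", "High",
                 "Monthly audit-log review tied to sanctions policy", "Privacy officer"),
        RiskItem("Nightly backup tapes", "Loss in courier transit",
                 "Backup media unencrypted",
                 "Courier chain-of-custody form", "Low", "High",
                 "Encrypt backup media; test restore quarterly", "IT lead"),
        RiskItem("Billing vendor file exchange", "Credential misuse by third party",
                 "Vendor account uses a shared password",
                 "SFTP encrypts data in transit; BAA signed", "Medium", "Medium",
                 "Per-user vendor accounts with key-based authentication", "Billing manager"),
        RiskItem("Paper records storage room", "Improper disposal in regular trash",
                 "No shredding contract or disposal procedure",
                 "Locked room", "Medium", "Medium",
                 "Locked shred bins and a documented disposal procedure", "Office manager"),
    ]


def prioritized(register):
    """Highest-scoring items first: the order the tracking tool works them."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def open_by_level(register):
    """Summary counts of items still open at each risk level."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for item in register:
        if item.status != "Closed":
            counts[item.level] += 1
    return counts


def close(register, asset, evidence):
    """Record that the recommended control is in place, with the evidence reviewed."""
    for item in register:
        if item.asset == asset:
            item.status = "Closed"
            item.current_controls += f"; {item.recommended_control} ({evidence})"
            return item
    raise KeyError(asset)


if __name__ == "__main__":
    reg = build_register()
    for r in prioritized(reg):
        print(f"[{r.level:6}] {r.asset}: {r.threat} via {r.vulnerability}"
              f" -> {r.recommended_control} ({r.owner}, {r.status})")
    print(open_by_level(reg))
```

The register is the documentation output of step 9: the printed rows are the asset-by-asset evaluation, and open_by_level() is the summary a project tracking tool would show the compliance officer. Closing an item appends the new control and its evidence to current_controls, so the next periodic analysis starts from the updated safeguard inventory rather than from scratch.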

I have worked in many technical roles as well as performed many compliance audits as a consultant; we keep seeing many of the same things: no physical access controls, no vulnerability management, no pen testing, no data loss prevention on mobile devices, no backups or backups not tested or not encrypted, account management issues, weak passwords, or no separation of duties, just to name a few. Just take a look at the Verizon Data Breach Investigations Report; it states most attacks are not highly difficult. Why? Because they involve the things required by compliance, and too many organizations are weak on compliance. Besides the HIPAA law, why do we need to do risk assessments?
The HIPAA Risk Assessment

From hhs.gov: “RISK ANALYSIS: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?


Notice they leave some room for reality by stating the sample questions are not prescriptive but rather issues an organization might consider in implementing the Security Rule.

NIST 800-66 states it this way:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.

A risk assessment methodology, based on NIST SP 800-30, is included in Appendix E of this document.
  • Are there any prior risk assessments, audit comments, security requirements, and/or security test results?
  • Is there intelligence available from agencies, the Office of the Inspector General (OIG), the US-CERT, virus alerts, and/or vendors?
  • What are the current and planned controls?
  • Is the facility located in a region prone to any natural disasters, such as earthquakes, floods, or fires?
  • Has responsibility been assigned to check all hardware and software, including hardware and software used for remote access, to determine whether selected security settings are enabled?
  • Is there an analysis of current safeguards and their effectiveness relative to the identified risks?
  • Have all processes involving EPHI been considered, including creating, receiving, maintaining, and transmitting it?

There are too many documents and rules and regulations, so sorting it all out can be confusing, but to do the actual Risk Assessment you must look to NIST 800-66 Appendix E.

Summary

With the federal mandate to put more healthcare records online, data breach after data breach spanning healthcare, military, retailers, and universities have become common. One must ask the question, what’s the root cause?

According to Leon Rodriguez, Director of the Office for Civil Rights, U.S. Department of Health and Human Services, HIPAA complaint traffic has increased geometrically since the HITECH Act. In the last three years, there have been over 70,000 HIPAA violation complaints. Pre-HITECH, the maximum penalty per year per provision violated was $25,000. Now it’s $1.5 million.

Before the new rules, willful neglect had to be proven to pursue any type of penalty. Any lesser measure of culpability was not actionable through penalties. But consumers need confidence that there is an effective enforcement entity if they are going to feel comfortable being forthright in sharing sensitive health information. The HIPAA penalties applied were due to:

  • Failure to have adequate HIPAA compliance policies and procedures as administrative safeguards.
  • Failure to complete HIPAA security training for their staff.
  • Failure to implement access controls as physical safeguards.
  • Failure to encrypt the information on the device or apply an equivalent protection.

Since the breach notification rule for unsecured protected health information was enacted in 2009, the U.S. Department of Health and Human Services' database of major breach reports (affecting 500 or more people) has tracked 944 incidents affecting personal information from about 30.1 million people. There are also many more incidents of smaller-scale breaches (fewer than 500 people per incident). In 2012, HHS received 21,194 reports of smaller breaches affecting 165,135 people, according to the department's most recent report to Congress. Similar numbers were reported in 2011. In all, data breaches cost the industry $5.6 billion each year, according to the Ponemon Institute.

It’s obvious that we are pushing more healthcare data out than we can possibly safely secure. We see basic compliance failures across all industries. CEOs need to take the lead and put policies and processes in place that assure that 100% of the compliance objectives are met; this includes the mandated HIPAA risk assessment (no matter how small the healthcare practice). At the same time, they must start focusing on proactive, intelligence-driven security monitoring and response. We can no longer do some compliance or some security, or work in silos; our adversaries are well organized and funded and will stop at nothing to take, for their personal gain, what we are unable to properly secure.

We must always remember that “we must think of every way our data can be compromised, while a cyber-criminal only needs to think of one!"


HIPAA Audits Are Still on Hold


The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.

The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.


Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.

Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.

In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.

"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."

In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.

Rules In the Works

In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:

  • A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health;
  • An advance notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
  • A possible request for additional public input on OCR's proposed accounting of disclosures rulemaking. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.

In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also give patients the right to an accounting of disclosures of electronic PHI made up to three years prior to the request.
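Whether an organization could produce the access report described above depends entirely on what its EHR audit log already captures, which is why the audit-controls deficiencies OCR flags elsewhere on this page matter. The following is an added example, not code from the article or from any EHR vendor: it takes a constructed, hypothetical JSON-lines audit log, keeps only entries for one patient inside the three-year lookback, and emits rows with the four fields the proposal names (date/time, accessor, information touched, action). The log format, field names and sample data are all assumptions for this example.

```python
"""Build an access report for one patient from an EHR audit log.

Added example; the log format below is constructed for illustration and is
not any real EHR's audit format. Real logs differ, but the mapping of
timestamp / actor / record / action onto the report is the same.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit-log lines (one JSON object per line). Not real data.
SAMPLE_LOG = """\
{"ts": "2014-11-03T09:12:44Z", "actor": "jdoe", "patient_id": "P-1001", "record": "problem_list", "action": "read"}
{"ts": "2014-11-03T09:14:02Z", "actor": "jdoe", "patient_id": "P-1001", "record": "medications", "action": "update"}
{"ts": "2011-01-15T08:00:00Z", "actor": "oldsys", "patient_id": "P-1001", "record": "demographics", "action": "create"}
{"ts": "2014-12-20T17:45:10Z", "actor": "billing-svc", "patient_id": "P-2002", "record": "claims", "action": "read"}
this line is corrupt and must not abort the report
{"ts": "2015-01-02T11:30:00Z", "actor": "nurse7", "patient_id": "P-1001", "record": "lab_results", "action": "delete"}
"""

# Actions the proposal cares about (created / modified / deleted) plus plain reads.
ACTIONS = {"create", "read", "update", "delete"}


def _parse_ts(value):
    """Parse a UTC timestamp like 2015-01-10T00:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Return (entries, malformed_count). Bad lines are counted, never silently dropped,
    because a gap in the audit trail is itself a finding."""
    entries, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            entry["ts"] = _parse_ts(entry["ts"])
            if entry["action"] not in ACTIONS:
                raise ValueError("unknown action")
            entries.append(entry)
        except (ValueError, KeyError, TypeError):
            bad += 1
    return entries, bad


def access_report(log_text, patient_id, requested_at_iso, lookback_days=3 * 365):
    """Rows for one patient within the lookback window ending at the request time,
    oldest first, with the four fields the proposed access report requires."""
    requested_at = _parse_ts(requested_at_iso)
    window_start = requested_at - timedelta(days=lookback_days)
    entries, bad = parse_log(log_text)
    rows = [
        {
            "when": entry["ts"].isoformat(),
            "who": entry["actor"],
            "what": entry["record"],
            "action": entry["action"],
        }
        for entry in entries
        if entry["patient_id"] == patient_id
        and window_start <= entry["ts"] <= requested_at
    ]
    rows.sort(key=lambda row: row["when"])
    return {"patient_id": patient_id, "rows": rows, "malformed_lines": bad}


if __name__ == "__main__":
    # The 2011 entry falls outside the three-year window and is excluded.
    print(json.dumps(access_report(SAMPLE_LOG, "P-1001", "2015-01-10T00:00:00Z"), indent=2))
```

The report surfaces the malformed line count alongside the rows on purpose: an auditor reviewing audit controls will want to know whether the trail is complete, and a system that cannot answer "who touched this record" for every entry cannot honestly produce the accounting the proposal describes.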

Other Enforcement Activities

OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."

OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.

"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.



Employees could leave health systems vulnerable to hacks

Healthcare organizations are vulnerable to cyberattacks in many ways, with a big threat being a company or hospital's own employees, according to Ari Baranoff, assistant special agent in charge for the U.S. Secret Service's Criminal Investigative Division.

"Your workforce is a potential vulnerability to your network," Baranoff tells Healthcare IT Security. "Constantly educating your workforce and testing your workforce on their cyberhygiene is very important."

Even if employees mean no harm, just by browsing the Internet or checking their email they can put networks at risk, Baranoff says. It's especially dangerous if these activities are done using the same system that houses electronic health records or other hospital information.

In addition, employee information is often at risk as well and can raise problems for hospitals. The Secret Service has seen growing interest in extortion and ransomware campaigns in the healthcare industry, according to Baranoff.

However, a great deal of the threats to health systems come from the outside world, he adds.

For instance, in the recent breach at Sony Pictures, employees' health information was exposed, including a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs.

Data breaches are expected to increase in 2015, with healthcare "a vulnerable and attractive target for cybercriminals," according to Experian's 2015 Data Breach Industry Forecast.

Electronic medical records and consumer-generated data from wearables and other devices will continue to add to the vulnerability and complexity in securing personal health information, according to the report.


Former Kokomo dentist agrees to fine for violating HIPAA

Former Kokomo dentist Joseph Beck agreed to pay the state $12,000 for disposing of patient files in an Indianapolis Dumpster, the Attorney General’s Office reported Friday.

The Attorney General’s Office sued Beck for failing to protect personal information and for improperly disposing of records containing personal information of Indiana residents, which violates state privacy laws as well as the federal Health Insurance Portability and Accountability Act (HIPAA). This is the first time Indiana has sued for a violation of HIPAA.

More than 60 boxes of patient records from Beck’s former Comfort Dental clinic in Kokomo were found discarded in an Indianapolis Dumpster in March of 2013. The files contained records from 2002-2007.

“In an era when online data breaches are top of mind, we may forget that hard-copy paper files, especially in a medical context, can contain highly sensitive information that is ripe for identity theft or other crimes,” Attorney General Greg Zoeller said in a news release.

“This file dump was an egregious violation of patient privacy and safety.”

Beck agreed to a consent judgment with the state, in which he will pay a $12,000 penalty for these violations. The order was signed this week in Marion County court.

In December of 2011, the Indiana Board of Dentistry permanently revoked Beck’s license to practice dentistry, following an investigation by the Attorney General’s Office that cited fraudulent billing and negligence, the news release stated.

In March of 2013, Beck hired private company Just the Connection, Inc. to retrieve and dispose of his patient records, which included names, medical records, phone numbers, birth dates, Social Security numbers, insurance cards, insurance information and state ID numbers.

The Attorney General said less than a week later, 63 boxes of patient records were found in a Dumpster at Olive Branch Christian Church on the south side of Indianapolis. The Attorney General’s Office recovered the files and fielded inquiries from individuals who were concerned that their records might be at risk. No identity theft was identified or reported.

Zoeller recently proposed new legislation that aims to prevent data breaches and identity theft, and reduce harm to potential victims. His proposed legislation would expand Indiana’s Disclosure of Security Breach Act to facilitate faster and more informative notification to consumers impacted by a breach. It also would add breaches of paper and handwritten records to the Act, as current law covers electronic records only.

Had the new legislation been in effect during this case, Beck could have faced increased penalties for improper data handling and disposal practices. It also would have enabled the state to hold Just the Connection, Inc. liable for the breach as well because Zoeller’s proposed legislation would cover “data collectors” in addition to “data owners.”

“The alarming rise in data breaches we’re experiencing on a global scale is putting countless Hoosiers at risk of identity theft, which can have absolutely devastating consequences,” Zoeller said. “Indiana’s laws must be updated to meet these crimes head on. The legislation I’ve proposed would close some loopholes in existing laws, and give the state more legal tools to combat irresponsible storage of personal or financial information, whether online or on paper."


Tips For Reducing HIPAA Violation Risks

The need to attend to data security is increasing exponentially as enforcement tightens and the risk of significant financial penalties for HIPAA violations looms. To that end, a new white paper by Core Security provides some guidance for keeping data safe and avoiding the risk of compromised patient information.

As Health IT Outcomes earlier noted, a PwC report investigating the state of healthcare compliance found there is still much progress to be made in healthcare compliance across the board, and HIPAA privacy and security remain the top compliance concerns. Penalties for violations are increasing and reputations can be damaged, not to mention the imminent start of privacy audits by the HHS Office for Civil Rights. Compliance officers are challenged to fill gaps in their policies and procedures and to be ready to demonstrate compliance with HIPAA requirements.

The cost of breaches can be crippling for healthcare organizations. For example, the OCR fined two health organizations almost $2 million in the wake of the theft of laptops, while Parkview Health paid out $800,000 in HIPAA fines and agreed to institute a corrective plan of action after it was alleged that the institution was dumping sensitive records.

These types of violations aren’t going away, either. A Redspin Breach Report found there was a 138 percent rise in the number of healthcare records breached in 2013, affecting some eight million records.

The Core Security whitepaper, Attack Intelligence: The Key To Reducing Risk in Healthcare, is designed to help healthcare institutions avoid these costly incidents. As the study asserts, “HIPAA-covered entities need to both identify their risks and take steps to mitigate that risk once they become aware of it.”

And yet, recent research demonstrates few healthcare industry professionals have a solid understanding of their own risks. A survey conducted by Healthcare Information Security found OCR audits have resulted in an increase in risk assessments, but that those assessments are often not complete. The data revealed 63 percent of respondents reported a data breach in 2014, and almost 50 percent acknowledged a data breach affecting a business partner. One contributing factor to these figures was that fewer than half of the 200 healthcare organizations surveyed had a documented risk assessment and risk management strategy in place and only 40 percent said they had one in the works.

While most healthcare organizations are cognizant of the need for basic security tools in assessing risk, the whitepaper asserts they do not provide the critical type of information necessary to manage risk – “actionable attack intelligence about sensitive IT assets like the medical record application servers or the backend databases that hold ePHI.”

“Healthcare organizations are familiar with risk management,” said Eric Cowperthwaite of Core Security, “But they aren’t necessarily thinking about how they’re going to be attacked. You may have a vulnerability management program. But the question is ‘How do you know which vulnerabilities matter? How do you know which possible attacks are likely – or not?’”



HIPAA Privacy During Emergency Situations

A patient arrives at your facility with Ebola-like symptoms. After taking the necessary precautions, you run the requisite tests, conduct a patient interview, and determine that in fact the patient has contracted the Ebola virus. You also learn that the symptoms have been present for a couple of days, but like many people, the patient delayed seeking treatment until the symptoms got worse. After questioning the patient, you discover that since returning from West Africa one week earlier, the patient has returned to work, visited with family, attended church, and been shopping at the local mall, all while exhibiting symptoms. Thus, hundreds of people living in the community have potentially been exposed. What do you do? What information can you release to the public? Do you need the patient's consent to warn the public about the potential exposure?


The U.S. Department of Health and Human Services, Office for Civil Rights ("OCR"), the entity responsible for overseeing compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), recently issued guidance on how to address HIPAA privacy in emergency situations, such as the one described above. Importantly, while there are a number of ways in which protected health information can be shared in an emergency situation, you should keep in mind that the protections of HIPAA are not set aside during an emergency. Thus, while it is important to alert the public to the potential exposure, it must be done in a manner that is compliant with HIPAA. HIPAA, however, does provide several mechanisms through which information may be released...



FTC's Edith Ramirez: Connected health devices create bevy of privacy risks

For much of 2014, the Federal Trade Commission made it a point to be a prominent voice regarding the protection of consumer health information. Last May, for instance, it published a report recommending that Congress force data brokers to be more transparent about how they use the personal information of consumers, including health information.

And in July, FTC Commissioner Julie Brill spoke about how consumers should be given more choices from developers when it comes to data sharing by smartphone apps gathering health information.

That trend continued Tuesday at the International Consumer Electronics Show in Las Vegas, where FTC Chairwoman Edith Ramirez spoke about privacy protection, including for health data. Ramirez noted, for instance, that while the Internet of Things has the potential to improve global health, the risks are massive.

"Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks," Ramirez said. "These risks to privacy and security undermine consumer trust."

Ramirez outlined three challenges to consumer privacy presented by the Internet of Things:

  • Ubiquitous data collection
  • Unexpected data use resulting in adverse consequences
  • Increased security risks

Additionally, she said that technology developers must take three steps to ensure consumer privacy:

  • Adopt "security by design"
  • Engage in data minimization
  • Boost transparency and offer consumers choices for data usage

"[T]he risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes," Ramirez said.

Members of the House Committee on Oversight and Government Reform questioned the FTC's health data and cybersecurity authority at a hearing last summer. Committee Chairman Darrell Issa (R-Calif.) said that safeguards are needed to guide the FTC's processes in determining entities subject to security enforcement.

Last January, the agency ruled that entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the FTC.



Fearing The Dreaded HIPAA Audit?

The HHS Office for Civil Rights plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. David Holtzman, a former senior advisor at OCR and now vp of compliance services at security firm CynergisTek, offers the following outline of what providers selected for an audit can expect and how to prepare.

Red Flags

In the 2012 pilot audit program, security rule problems were seen twice as often as anticipated, so expect security issues to be given more weight under a permanent audit program. OCR found through the pilot audits that many organizations had not conducted a security risk analysis, or had never updated an initial analysis, which signals that an organization is not taking HIPAA seriously. Other areas with significant deficiencies included access management, security incident procedures, contingency planning, audit controls, and movement and destruction of protected health information.

Getting Notified

OCR plans to send notification letters to 1,200 healthcare organizations to confirm their address, HIPAA officers, size and functions. This is not an audit notice, but the information will be used to build the list of those that will be audited. Organizations selected for audit by OCR will not receive email notification; they will receive a formal audit notification letter. So beware of scammers.

Desk Audits

About 200 covered entities and 300-400 business associates will receive notification of a "desk audit," which will include a request for submission of specific content and other documentation that demonstrates the scope and timeliness of an organization's efforts to comply with the HIPAA rules. Focus areas for covered entities likely will include risk analysis and risk management, content and timeliness of breach notifications, and a notice of privacy practices updated to reflect the changes in the HIPAA Omnibus Rule implemented in 2013. The likely focus for business associate audits will be risk analysis and risk management, and appropriate breach reporting to covered entities.

Follow Instructions

Under a desk audit, only documentation delivered on time will be reviewed. Send only the information requested. Auditors likely will be looking for updated notices of privacy practices, the ability of patients to get a copy of their health record and to access it electronically if desired, and how organizations handle requests to restrict disclosure of treatment paid for out-of-pocket. Desk audits, Holtzman says, are not an opportunity for a conversation or give-and-take. Auditors will not contact an organization again for clarification or additional information; they will work only with what they get. Failure to respond to a desk audit notification likely will lead to a more formal compliance review. (Audit findings will not become a matter of public record.)

On-Site Audits

OCR this year and likely into 2016 will conduct on-site audits of an unspecified number of covered entities and business associates. This is more comprehensive than a desk audit, with a greater focus on privacy. Expect OCR in these on-site audits to look at security rule compliance in such areas as device and media controls, secure transmissions, encryption of data (including documented justification if you're not using encryption), facility access controls, administrative and physical safeguards, and workforce training. And expect an emphasis on training, as many organizations haven't trained since first required in 2003. "That really rubs [auditors] the wrong way," Holtzman says.

Plan Now

If your risk analysis and risk management plans are more than two years old, update them now, Holtzman suggests. Select 10 focus areas covering both the privacy and security rules, and if vulnerabilities have not been addressed, address them. "The best process to prepare for an audit is to be prepared the day the letter arrives," Holtzman says. "Be honest with yourself. Don't paint a happy picture because you think you know what management wants to hear."



Old fashioned data breach: Independence Blue Cross paper records tossed in trash

Independence Blue Cross on Friday disclosed a data breach affecting 12,500 of its more than 2.5 million members.

Unlike most high-profile cases of personal data loss, such as the one at Target stores last year affecting 70 million people, the IBC case did not involve computers.

The incident happened in October, when maintenance workers threw out four boxes of member records that were supposed to be moved from one floor to another at IBC's offices, the company said Friday in a legal notice.

The improperly discarded reports contained the names, addresses, member identification numbers, health care plans, and group numbers for members in Southeastern Pennsylvania and in New Jersey, where IBC operates AmeriHealth New Jersey.

IBC, which is based in Center City, said it had received no reports that the information was misused. As a precaution, however, IBC is offering one year of free credit monitoring to 8,800 members whose Social Security numbers were included in the reports, spokeswoman Liz Williams said in a statement. "To reduce the risk of another such incident, we no longer allow our maintenance team to dispose of full boxes in the trash," Williams said.

IBC's data loss followed July's theft of an unencrypted computer containing personal information on 3,780 patients from Temple University Health System during a break-in.

