HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

A Doctor's Guide to HIPAA Compliance in 2017


HIPAA compliance in 2017 is a key issue that many doctors are focused on.

The Health Insurance Portability and Accountability Act (HIPAA) has been in place since 1996, giving physicians and their teams good reason to guard patient privacy closely.

Depending on the type of breach, physicians can be liable for between $100 and $50,000 for each violation, with a maximum penalty of $1.5 million for violations of an identical provision during a calendar year. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or a change of address in private. Also, create a quiet place for phone calls to take place. Even if you’re just calling a patient to set up or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely. Doctors who have moved to an EHR for all patient records may still have old patient files that need to be transferred. Once the conversion from paper documents to electronic format is complete, be sure to shred the paper patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. This includes making sure that charts, paperwork and forms that patients bring in from other practices are filed and stored securely.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocuous files. Using consumer email services such as Gmail, Outlook or Yahoo without encryption leaves your information at risk of being read by attackers. For this reason, you should consider an encrypted email or file-sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address each message is being sent to. You can put patients at risk and lose their trust simply because you didn’t double-check a recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it requires a secure login. Personal patient information should not be accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or FaceTime to communicate with patients. While they are great free platforms for video chat, the reality is they weren’t designed to be HIPAA compliant.

The challenge is that even though a doctor can ensure their own Internet connection is secure, there is very little they can do to make sure everything is secure on the patient’s receiving end.

Another option is to ensure there is a Business Associate Agreement in place. The same security issues arise with text messaging, so be sure to use HIPAA compliant texting tools there as well. Ideally, the solution is to use a HIPAA compliant application designed for telemedicine.

Doctors may have several HIPAA violations without being fined, but that doesn’t mean the violations aren’t a negative for your practice. HIPAA compliance in 2017 is as important as it has been for the past 20 years.

When doctors treat patient information with caution, they can enjoy the peace of mind that comes with being HIPAA compliant.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004


Why Does HIPAA Compliance Need a Security Risk Analysis?


There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your electronic protected health information.

Completing a security risk analysis is a required element. This means that most specifications must be evaluated and, if applicable, implemented in order to achieve compliance with the Security Rule. It is important to remember that certain specifications in the risk analysis are considered addressable, meaning it is up to the covered entity to determine (in writing) whether the specification is a “reasonable and appropriate” safeguard for its environment, taking into consideration how it will protect ePHI.

According to the Security Rule, your security risk analysis should be broken down into the implementation of 3 categories of electronic protected health information safeguards: Administrative, Physical and Technical. The following is an overview of each category; in the lists below, (R) marks a required specification and (A) an addressable one.


Administrative safeguards are the actions, policies and procedures used to manage the security measures that protect electronic protected health information. They must state how the covered entity will conduct oversight and management of staff members who have access to, and handle, ePHI. Administrative safeguards include:

  • Risk Assessment (R)
  • Sanctions Policy (R)
  • Information System Activity Review (R)
  • Security Officer Assignment (R)
  • Security Awareness and Training (A)
  • Security Incident Procedures (R)
  • Disaster Recovery and Data Backup Plan (R)
  • Periodic Security Evaluations (R)
  • Business Associate Contracts (R)



Physical safeguards are the mechanisms required to protect electronic systems, equipment and the data they hold from environmental hazards and unauthorized intrusion. They include restricting physical access to ePHI and retaining off-site computer backups. Applying physical safeguards means establishing:

  • Facility Access Controls (A)
  • Workstation Use and Controls (R)
  • Device and Media Controls (R)




Technical safeguards are the automated processes used to protect and control access to data. They include authentication controls that verify the person signing onto a computer is authorized to access that ePHI, and encrypting and decrypting data as it is stored and/or transmitted. Technical safeguards include:

  • Unique User Login (R)
  • Emergency Access Procedures (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
  • Audit Controls (R)
  • Authentication of Integrity of ePHI (A)
  • Authentication of Person or Entity (R)
  • Transmission Security (A)
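
To make the technical safeguards above concrete, here is an added example (written for this page, not code from the original article or from Technical Dr. Inc.) that implements four of them in a small in-memory store: unique user login and authentication of a person (one named account per user with salted PBKDF2 password hashes), automatic logoff (sessions that sit idle past a threshold are discarded), audit controls (every access attempt, successful or not, is appended to an audit trail) and authentication of ePHI integrity (each record carries an HMAC tag that is verified on read). Encryption and decryption are deliberately left out so the example needs only the Python standard library. All names (`EphiStore`, `demo`, `IntegrityError`), the 15-minute idle timeout, the integrity key and the sample records are assumptions.

```python
"""Added example, not from the original article: four of the technical safeguards listed
above as concrete controls. Unique login and person authentication (salted PBKDF2 hashes),
automatic logoff (idle sessions expire), audit controls (append-only trail) and integrity
authentication of ePHI (per-record HMAC tag checked on read). Names and data are assumed."""
import hashlib
import hmac
import secrets
import time
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed automatic-logoff threshold


class IntegrityError(Exception):
    pass


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class EphiStore:
    def __init__(self, integrity_key, clock=time.time):
        self._key = integrity_key  # secret for the per-record HMAC tags (assumed)
        self._clock = clock        # injectable so the timeout is testable
        self._users = {}           # username -> (salt, password hash)
        self._sessions = {}        # token -> [username, last_activity]
        self._records = {}         # record_id -> (data, tag)
        self.audit_log = []        # append-only: (time, user, action, record_id, outcome)

    def _audit(self, user, action, record_id, outcome):
        self.audit_log.append((self._clock(), user, action, record_id, outcome))

    # Unique user login: one named account per person, never shared credentials.
    def add_user(self, username, password):
        if username in self._users:
            raise ValueError("usernames must be unique")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    # Authentication of person or entity: verify the password; log success and failure.
    def login(self, username, password):
        entry = self._users.get(username)
        ok = entry is not None and hmac.compare_digest(_hash_password(password, entry[0]), entry[1])
        self._audit(username, "login", None, "success" if ok else "failure")
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [username, self._clock()]
        return token

    # Automatic logoff: a session idle longer than the threshold is discarded.
    def _authorize(self, token):
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session[1] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            self._audit(session[0], "auto_logoff", None, "expired")
            return None
        session[1] = now
        return session[0]

    # Integrity tag binds the data to its record id, so records cannot be silently swapped.
    def _tag(self, record_id, data):
        return hmac.new(self._key, record_id.encode() + b"\0" + data, "sha256").digest()

    def write(self, token, record_id, data):
        user = self._authorize(token)
        if user is None:
            self._audit(None, "write", record_id, "denied")
            return False
        self._records[record_id] = (data, self._tag(record_id, data))
        self._audit(user, "write", record_id, "success")
        return True

    def read(self, token, record_id):
        user = self._authorize(token)
        if user is None:
            self._audit(None, "read", record_id, "denied")
            return None
        data, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, data)):
            self._audit(user, "read", record_id, "integrity_failure")
            raise IntegrityError(record_id)
        self._audit(user, "read", record_id, "success")
        return data


def demo():
    now = [1_700_000_000.0]  # fake clock so the timeout is deterministic
    store = EphiStore(integrity_key=b"constructed-demo-key", clock=lambda: now[0])
    store.add_user("dr_example", "constructed-passphrase")
    store.login("dr_example", "not-the-passphrase")  # rejected and audited as a failure
    token = store.login("dr_example", "constructed-passphrase")
    store.write(token, "patient-0001", b"constructed sample ePHI record")
    data, tag = store._records["patient-0001"]  # simulate an out-of-band change on disk
    store._records["patient-0001"] = (data + b" [altered]", tag)  # bytes changed, tag not
    try:
        store.read(token, "patient-0001")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    now[0] += IDLE_TIMEOUT_SECONDS + 1  # the session has sat idle past the threshold
    write_after_timeout = store.write(token, "patient-0002", b"more sample data")
    return {"tamper_detected": tamper_detected, "write_after_timeout": write_after_timeout,
            "audit_outcomes": [entry[4] for entry in store.audit_log]}
```

Running `demo()` shows the tampered record being refused, the idle session being logged off before the late write is denied, and an audit trail that records the failed login as well as the successes, which is what an Information System Activity Review (the administrative safeguard listed earlier) would later inspect. The integrity tag is keyed with a secret rather than a plain hash so that whoever altered the stored bytes cannot simply recompute the tag.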

Completing your security risk analysis is not only an essential component of your HIPAA program; it will also enable you to identify and rectify risks and vulnerabilities to the access and confidentiality of your electronic protected health information. The results of your risk analysis are used to determine the appropriate security measures to take. Be sure to re-evaluate your risk analysis periodically, especially if there have been any known or suspected threats to your security program.



Bill Altering HIPAA Privacy Rule Advances


An amended version of the bipartisan 21st Century Cure bill, which aims to advance medical innovation, has passed its first Congressional hurdle without any revisions to controversial provisions that propose to make significant changes to the HIPAA Privacy Rule.

In addition to the privacy provisions, the bill calls for penalizing vendors of electronic health records and other health IT systems that fail to meet standards for interoperable and secure information exchange. Plus, the bill also contains provisions for potential civil monetary penalties against healthcare entities that inappropriately block information sharing.

The House Energy and Commerce's health subcommittee on May 14 approved a 302-page "markup," or amended, version of the 21st Century Cure bill that was first unveiled on April 29 and forwarded it to the full committee for the next round of work on the legislation. The full committee is expected to prepare its markup of the bill next week.

The version of the bill approved by the subcommittee proposes that the Secretary of Health and Human Services would "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.

Under the current HIPAA Privacy Rule, PHI may be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed provision in the draft legislation is signed into law, patient authorization would also not be required for PHI use or disclosure for research purposes when covered entities or business associates, as defined under HIPAA, are involved.

That provision - as well as many others in the bill - aims to speed up research and the availability to patients of promising medical treatments and devices, in part by removing barriers. But some privacy advocates oppose the HIPAA-related provisions because they could water down patient control over how sensitive health information is used or disclosed.

"This legislation will bring into the public forum the question of whether the road to developing the 21st century advances in healthcare requires removing individual choice and control in how health information is disclosed and whether [individuals] have a say when their treatment information is sold by healthcare providers, insurers or the business associates who have access to this information," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.

If the legislation is signed into law with the existing proposals related to the use and disclosure of PHI for research purposes, healthcare entities and business associates would need to change their policies related to how they handle PHI.

"If the bill is enacted, it will not place additional responsibilities on covered entities and business associates. Rather, it will provide them with greater flexibility to use and disclose protected health information for research," says privacy attorney Adam Greene, partner at law firm Davis Wright Tremaine. "Covered entities and business associates who seek to take advantage of these changes would need to revise their policies and procedures accordingly." For instance, some covered entities also may need to revise their notices of privacy practices if their notices get into great detail on research, Greene notes.

New Burdens?

Legislation that requires significant changes to the HIPAA privacy regulations could result in "significant administrative hurdles and burdens," Holtzman says.

"For example, if there would be significant changes to when healthcare providers and health plans can use or disclose PHI, they would be required under existing regulations to update their notices of privacy practices," he says. "As we saw with the implementation of the Omnibus Rule in 2013, there are significant costs in developing and distributing the notices."

If the legislation is approved, it could take some time for the privacy changes to affect healthcare providers and business associates.

"If the bill is passed into law - always a big if - it provides HHS with a year to implement the law through regulations," Greene notes. "Realistically, though, it may take far longer before HHS is able to publish a final rule."

Info Exchange Blocking Provisions

In addition to proposing less restrictive rules for healthcare entities to use or disclose PHI for research purposes, as part of the aim to remove various barriers to medical innovation, the 21st Century Cures legislation also promotes electronic health record interoperability and secure data transfer and discourages so-called "information blocking" that prevents patient data from being shared.

The bill calls for the Department of Health and Human Services to develop methods to measure whether EHRs and other health information technology are interoperable, and authorizes HHS to penalize EHR vendors with decertification of their products if their software fails to meet interoperability requirements.

Under the HITECH Act financial incentive program for "meaningful use" of EHRs, participating healthcare providers must attest to using software that has been certified as meeting ONC's criteria. Under the proposed bill, HHS would be able to "decertify" software that fails to meet interoperability requirements.

"Health information interoperability is fundamental to advancing healthcare," said Rep. Gene Green, D-Texas, during the May 14 House subcommittee markup hearing for the bill. The legislation provides HHS' Office of the National Coordinator for Health IT "the tools to hold EHR vendors accountable for interoperability," noted Rep. Doris Matsui, D-Calif.

But it's not just vendors that can be penalized under enforcement provisions of the bill. The measure also would allow HHS to impose civil monetary penalties on healthcare providers that engage in inappropriate blocking of information sharing.

ONC last month issued a report to Congress about information blocking by technology vendors and healthcare providers, noting that organizations sometimes intentionally and unreasonably block patient data from being shared. In some cases, the players are inappropriately invoking HIPAA privacy and security concerns, the report said.

A Congressional source tells Information Security Media Group that the bill doesn't specify dollar figures for the potential civil monetary penalties. Rather, the amounts would follow "current parameters" for other enforcement activities at HHS' Centers for Medicare and Medicaid Services and Office of Inspector General.


How Rush Medical Stays HIPAA Compliant, Uses Cybersecurity


Staying HIPAA compliant is not always an easy task, especially as new technological options develop, such as cloud computing, mobile devices, and EMRs.

Rush University Medical Center has altered its cybersecurity measures over the last few years in order to keep pace with changing technologies. However, Rush VP of IT Operations and Associate CIO Jaime Parent told HealthITSecurity.com that even with new systems, the facility works hard to stay HIPAA compliant and keep all employees educated.

HealthITSecurity.com: Tell me a little about Rush Medical’s approach to cybersecurity. What steps have been taken over the last few years to ensure patient data security?

Jaime Parent: Over the last several years our threat protection has moved from reactive to proactive. Gone are the days where a standard firewall, anti-viral software, and anti-spam software, offer adequate protection. Today’s threats are much more sophisticated and now include ransomware and network exploits. Organizations must be agile, dynamic, flexible and adaptable. With the onset of zero day viruses and latency threats such as Heartbleed, new threats require new ways of thinking in cybersecurity.

I would say the only thing that’s consistent with protection strategies used five years ago would be the continuing need for end user education. Social engineering is still the largest vulnerability for any organization.

HITS.com: That ties into employee education as well, right?

JP: Employee education and awareness are a vital part of any comprehensive cybersecurity plan. At Rush, we have patients, staff, faculty, students and visitors – a very difficult environment to manage and protect. We have to be cognizant of the security parameters that need to be in place to protect the network, even though we may have non-Rush assets on our public network. Our awareness campaign is called “ICARE/IProtect,” and it is both comprehensive and easy to understand. Making everyone vigilant goes a long way.

HITS.com: Have mobile devices been one of the greater challenges in staying HIPAA compliant?

JP: In addressing mobile device security, we take into account the user experience. Rush’s systems are configured in a way that promotes centralized storage and discourages local data storage. We also moved to encrypted USB drives and laptops.

Nobody wants to be the victim of a breach, but with the proper tools and awareness, users know how to protect their data and they learn to avoid phishing schemes. Preventing that click is extremely important.

HITS.com: How do large-scale data breaches, like Anthem and Premera, affect your privacy and security measures, if at all?

JP: We try to learn from these experiences. After these events, the question I get asked most often is – could this thing happen to us? And the short answer is that there really is no 100 percent ironclad way to keep all threats out. But, if you remember to address the basics, the latest anti-viral updates, patch management, user education, etc., you have the best combination in place to avoid being a victim.

HITS.com: What are some of the key privacy and security focal points for providers in 2015?

JP: Be proactive rather than reactive. Invest in smart technologies that work best for your organization. Patch aggressively. Deploy the latest updates. Finally, educate your users who continue to be vulnerable in this dynamic environment.

HITS.com: In terms of privacy and security, what do you think the current outlook is for the healthcare industry?

JP: In my personal opinion, the bad guys are winning right now. The digital age is here and not everyone thinks about security. Breaches are on the rise. It wasn’t too long ago that medical records were locked in the basement somewhere relatively inaccessible. Now, this information is at your fingertips on devices where some users may not even use a password. The genie is out of the bottle and it’s going to stay out of the bottle for a long time. Healthcare will continue to be a target.

HITS.com: After the Anthem data breach in particular, many people were upset over the notification process. In your opinion, how important is the aftermath of a data breach?

JP: Our first thoughts are always with the patient. That’s just our approach. Organizations should always take the appropriate steps to notify patients as soon as possible. At Rush, we cherish our patients and the relationships we have throughout the city of Chicago. Patient care and safety are at the core of what we do – our patients deserve nothing less.

Quensetta Adams's curator insight, April 28, 2015 9:55 PM

HIPAA needs cloud computing, mobile devices, and EMRs; let's add IoT!


Stage 3 Meaningful Use: Breaking Down HIPAA Rules


CMS released its Stage 3 Meaningful Use proposal last month, with numerous aspects that covered entities (CEs) need to be aware of and pay attention to. While the proposal has a large focus on EHR interoperability, it continues to build on the previously established frameworks in Stage 1 and Stage 2 – including keeping patient information secure.

HIPAA rules and regulations cannot be thrown out the window as CEs work toward meeting meaningful use requirements. We’ll break down the finer points of Stage 3 Meaningful Use as it relates to data security, and how organizations can remain HIPAA compliant while also making progress in the Meaningful Use program.

Stage 3 further protects patient information

One of the top objectives for Stage 3 Meaningful Use is to protect patient information. New technical, physical, and administrative safeguards are recommended that provide more strict and narrow requirements for keeping patient data secure.

The new proposal addresses how the encryption of patient electronic health information continues to be essential for the EHR Incentive Programs. Moreover, it explains that relevant entities will need to conduct risk analysis and risk management processes, as well as develop contingency plans and training programs.

In order to receive EHR incentive payments, covered entities must perform a security risk analysis. However, these analyses must go beyond just reviewing the data that is stored in an organization’s EHR. CEs need to address all electronic protected health information they maintain.

It is also important to remember that installing a certified EHR does not fulfill the Meaningful Use security analysis requirement. This security aspect ensures that all ePHI maintained by an organization is reviewed. For example, any electronic device – tablets, laptops, mobile phones – that stores, captures or modifies ePHI needs to be examined for security.

“Review all electronic devices that store, capture, or modify electronic protected health information,” states the ONC website. “Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”

It is also important to regularly review the existing security infrastructure, identify potential threats, and then prioritize the discovered risks. For example, a risk analysis could reveal that an organization needs to update its system software, change its workflow processes or storage methods, review and modify policies and procedures, schedule additional training for staff, or take other corrective action to eliminate the identified security deficiencies.

A security risk analysis does not necessarily need to be done every year. CEs only need to conduct one when they adopt an EHR. When a facility changes its setup or makes alterations to its electronic systems, for example, then it is time to review and make updates for any subsequent changes in risk.

Stage 3 works with HIPAA regulations

In terms of patient data security, it is important to understand that the Stage 3 Meaningful Use rule works with HIPAA – the two complement one another.

“Consistent with HIPAA and its implementing regulations, and as we stated under both the Stage 1 and Stage 2 final rules (75 FR 44368 through 44369 and 77 FR 54002 through 54003), protecting ePHI remains essential to all aspects of meaningful use under the EHR Incentive Programs,” CMS wrote in its proposal. “We remain cognizant that unintended or unlawful disclosures of ePHI could diminish consumer confidence in EHRs and the overall exchange of ePHI.”

As EHRs become more common, CMS explained that protecting ePHI becomes more instrumental in the EHR Incentive Program succeeding. However, CMS acknowledged that there had been some confusion in the previous rules when it came to HIPAA requirements and requirements for the meaningful use core objective:

For the proposed Stage 3 objective, we have added language to the security requirements for the implementation of appropriate technical, administrative, and physical safeguards. We propose to include administrative and physical safeguards because an entity would require technical, administrative, and physical safeguards to enable it to implement risk management security measures to reduce the risks and vulnerabilities identified.

CMS added that even as it worked to clarify security requirements under Stage 3, their proposal was not designed “to supersede or satisfy the broader, separate requirements under the HIPAA Security Rule and other rulemaking.”

For example, the CMS proposal narrows the requirements for a security risk analysis in terms of meaningful use requirements. Stage 3 states that the analysis must be done when CEHRT is installed or when a facility upgrades to a new certified EHR technology edition. From there, providers need to review the CEHRT security risk analysis, as well as the implemented safeguards, “as necessary, but at least once per EHR reporting period.”

However, CMS points out that HIPAA requirements “must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits” in all electronic forms.

Working toward secure exchange

The Stage 3 Meaningful Use proposal encourages CEs to work toward health information exchange and to focus on better health outcomes for patients. As healthcare facilities work toward both of these goals, it is essential that health data security still remains a priority and that PHI stays safe.

While HIPAA compliance ensures that CEs avoid any federal fines, it also ensures that those facilities are keeping patient information out of the wrong hands. The right balance needs to be found between health information security and health information exchange.


ONC Updates its Privacy and Security Guide


Last week during the annual Healthcare Information and Management Systems Society (HIMSS) conference, the Office of the National Coordinator for Health IT (ONC) published a revised version of its “Guide to Privacy and Security of Electronic Health Information.”

In the foreword of the guide, ONC says that its intent is to help healthcare providers, especially Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) and Medicare eligible professionals (EPs) from smaller organizations, better understand how to integrate federal health information privacy and security requirements into their practices. The new version of the guide provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules, says ONC.

In a blog post, Lucia Savage, chief privacy officer at ONC, says that this is the first step towards fulfilling the commitment the federal agency made in its Interoperability Roadmap: helping individuals, providers, and the health and health IT community better understand how existing federal law, HIPAA, supports interoperable exchange of information for health.

According to Savage’s post, “the guide includes practical information on issues like cybersecurity, patient access through certified electronic health record technology (CEHRT), and other EHR technology features available under the 2014 Edition Certification rule. The guide also includes new, practical examples of the HIPAA privacy and security rules in action, to help everyone understand how those rules may impact their businesses and the people they serve.”

The guide additionally offers many scenarios for anyone who has struggled to understand when someone is or is not a business associate; provides information about when a provider (or any HIPAA-covered entity) is permitted to exchange information about an individual for treatment, payment, or healthcare operations without being required to have the individual sign a piece of paper before the exchange occurs; and provides practical tips and information about security, Savage said.


Is the HIPAA Security Rule Doing Enough for Healthcare?

The HIPAA Security Rule created a national set of security standards designed to protect certain health information, either held or transferred in electronic form. However, technology has continued to evolve, and one healthcare security expert claims that a complete reboot of the Security Rule might be necessary to ensure the protection of sensitive healthcare data.

CynergisTek, Inc. co-founder and CEO Mac McMillan spoke with HealthITSecurity.com at HIMSS last week about the Security Rule, recent data breaches, and what healthcare organizations need to be prepared for in 2015.

McMillan, who is also the Chair of the HIMSS Privacy & Security Policy Task Force, said that one of the big issues currently is vendor security management: firms need a strong grip on their vendors. It is also important for facilities to have a handle on mobile devices, as well as the proliferation of devices across mobile, wearables, and other new technologies.

“If you’re a CIO today, you’ve got stuff coming to you from every direction,” McMillan said. “Everybody’s got a gadget, everybody has something they want to put on the network, and literally everything they have goes on the network or communicates with the network. And security and privacy are not always first and foremost in the developer’s mind when they’re developing the next greatest thing for some clinical purpose.”

Because of that, CIOs need to ensure that they implement things in a smart way and stay ahead of the latest trends, or they will be playing catch-up instead.

Healthcare security, data breach prevention measures

Encrypting mobile media and mobile devices is also becoming more common, which McMillan says is definitely progress.

“More people are figuring out that if they’re going to let data go out there, they need to do a better job protecting that information,” he said.

More covered entities are also conducting risk assessments and taking the time to understand where their risk actually lies, McMillan added, which is a positive thing because “knowledge goes a long way.”

“We’re seeing more and more people begin to test their environments, which is also good,” McMillan said. “That means actually performing technical testing of their controls in the environment.”

Moreover, outsourcing security is also becoming more common. Facilities are becoming more aware of what privacy and security measures they’re capable of doing well, and also which measures they’re not capable of doing well, he said. Healthcare organization leaders realize that potentially solving certain security problems is not something they can always do on their own.

The push toward interoperability

There has been a large push recently toward interoperability, and the Office of the National Coordinator (ONC) also released an updated privacy and security guide on how covered entities can properly integrate the right privacy and security measures.

In general, McMillan said that he does not believe that security is an impediment for covered entities when it comes to information sharing. However, he added that it could be an issue in certain cases. For example, if a facility does not feel that another organization has security at a level that is equal to its own, then it might be reticent about sharing the data.

“In most cases, they have no clue what the other guy has with respect to security,” McMillan said. “Part of the reason for that is that we don’t have a common standard for what security means.”

Calling back to when he worked in various defense agencies, McMillan explained that the Department of Defense found itself in a similar situation in terms of sharing information. Different agencies were starting to connect together, and it was difficult to pinpoint what the security was like at another agency.

One of the things that had to happen was to create “the definition of a trusted environment,” he said, meaning there was a certain level of security that everyone had to be able to demonstrate. That way, organizations knew that there were certain things other agencies had to do because they were the same things they themselves had to undertake.

“In healthcare today, we don’t have that,” McMillan said. “There’s nothing in healthcare that says you have to maintain your environment at the same level of security controls respect that another facility uses to maintain theirs.”

Part of the interoperability program that the ONC should be promoting is addressing the fundamental baseline for security. That baseline then says that in order for an organization to have a truly interoperable system and connect to others in a trusted relationship, certain security features must be part of its architecture. However, McMillan said that trust is key before a facility feels good about sharing its information.

Key takeaways from large scale health data breaches

After the Anthem data breach and Premera data breach, healthcare privacy measures and the data breach notification process have been pushed into the public’s eye. McMillan was quick to say that neither organization is a “poster child for what somebody did wrong,” and that the issue wasn’t that they didn’t necessarily have adequate security. Rather, what happened to Anthem and Premera could have happened to anybody, especially in the healthcare industry.

“We need to do a better job of being able to detect and react to incidents,” McMillan said. “People should take away that even with all the money in the world, even large organizations that probably have large security budgets or spend a lot of money on security and are trying to do it right [can have problems].”

Moreover, the right cyber attacker who has the necessary knowledge, motivation, and right amount of time will succeed nine out of 10 times, he said, adding that that’s what happened to Anthem and Premera. Healthcare needs to do a better job of detecting what’s going on in the environment, and do a better job of monitoring what’s going on, he said.

“The bottom line that those incidents taught us is that we need to step our game up with respect to how we address security,” McMillan said. “Just approaching security from a HIPAA compliance perspective is no longer effective. It never was to begin with, but it’s even less today.”

McMillan added that the HIPAA Security Rule has not changed since its final version was produced in 2003. However, security frameworks, such as the one at the National Institute of Standards and Technology (NIST), continue to go through revisions.

“We’re behind,” McMillan said. “Basically what we really need to do is scrap the HIPAA Security Rule and just let organizations select the framework that they want to work with, whether it’s NIST, whether it’s ISO, but a legitimate framework. From there, they build their program and we hold them accountable for protecting the data.”

McMillan added that NIST has come out with guidelines for mobile devices and cloud security, among others. Neither of those topics were addressed in the HIPAA Security Rule, he said.

“The problem is HIPAA is antiquated,” McMillan said. “It’s behind the times and we need to take a new approach.”

HIPAA Privacy and Security and Workplace Wellness Programs


The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules (the HIPAA Rules) protect individuals’ identifiable health information held by covered entities and their business associates (called “protected health information” or “PHI”).  Covered entities under HIPAA are health care clearinghouses, health plans, and most health care providers.  Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve access to PHI.

The Privacy Rule, among other things, regulates the uses and disclosures that a covered entity or business associate may make of PHI.  The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to secure electronic PHI.  The Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media (and business associates to notify covered entities), of breaches of unsecured PHI.

Q1: Do the HIPAA Rules apply to workplace wellness programs?

A1: Since the HIPAA Rules apply only to covered entities and business associates – and not to employers in their capacity as employers – the application of the HIPAA Rules to workplace wellness programs depends on the way in which those programs are structured.  Some employers may offer a workplace wellness program as part of a group health plan for employees.  For example, some employers may offer certain incentives or rewards related to group health plan benefits, such as reductions in premiums or cost-sharing amounts, in exchange for participation in a wellness program.  Other employers may offer workplace wellness programs directly and not in connection with a group health plan.

Where a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is PHI and protected by the HIPAA Rules.  While the HIPAA Rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA,[1] and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates).  HIPAA also protects PHI that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan.[2]

Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by the HIPAA Rules.  However, other Federal or state laws may apply and regulate the collection and/or use of the information.

Q2: Where a workplace wellness program is offered through a group health plan, what protections are in place under HIPAA with respect to access by the employer as plan sponsor to individually identifiable health information about participants in the program?

A2. The HIPAA Privacy and Security Rules place restrictions on the circumstances under which a group health plan may allow an employer as plan sponsor access to PHI, including PHI about participants in a wellness program offered through the plan, without the written authorization of the individual.  Often, the employer as plan sponsor will be involved in administering certain aspects of the group health plan, which may include administering wellness program benefits offered through the plan.  Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents and certifies to the group health plan that it agrees to, among other things:

    • Establish adequate separation between employees who perform plan administration functions and those who do not;
    • Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
    • Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and
    • Report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.

Further, where a group health plan has knowledge of a breach of unsecured PHI at the plan sponsor (i.e., an unauthorized use or disclosure that compromises the privacy or security of the PHI), the group health plan, as a covered entity under the HIPAA Rules, must notify the affected individuals, HHS, and if applicable, the media, of the breach, in accordance with the requirements of the Breach Notification Rule.

Where the employer as plan sponsor does not perform plan administration functions on behalf of the group health plan, access to PHI by the plan sponsor without the written authorization of the individual is much more circumscribed.  In these cases, the Privacy Rule generally would permit the group health plan to disclose to the plan sponsor only: (1) information on which individuals are participating in the group health plan or enrolled in the health insurance issuer or HMO offered by the plan; and/or (2) summary health information if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan.


HIPAA Crackdown on Security Hacks


Health care security breaches are on the rise with headline-making hacks at insurer Anthem Inc. and NewYork-Presbyterian Hospital, giving employers reason to be concerned.

This year, the Department of Health & Human Services’ Office for Civil Rights is conducting Health Insurance Portability and Accountability Act, or HIPAA, compliance audits, and HR departments need to prepare, according to Gordon Rapkin, CEO of Archive Systems Inc., an HR document manager based in Fairfield, New Jersey. The office hasn’t announced when audits will commence. 

“Employers need to know that they are obligated to protect this information, they must show that they are capable of protecting this information and prove that their employees have been trained to do so,” Rapkin said. “You must be able to prove all that in a very short window of time if you’re unfortunate enough to be selected for an audit.”

In 2011 and 2012, the HHS conducted a pilot phase of the audits selecting 150 “covered entities,” which include providers and health plans, including employers that sponsor them, according to the HHS. Those chosen have 10 business days to provide supporting documents, Rapkin said.

“You don’t want to be in a situation where you are tagged for an audit and can’t respond in a timely fashion,” he said. “That triggers fines, and the fines have been hefty. It’s like a disaster plan. It’s incumbent on organizations to have one in place.”

In 2014, Columbia University and NewYork-Presbyterian Hospital were fined a combined $4.8 million for failing to secure the health records of more than 6,000 patients. In 2013, Anthem Inc. (then known as WellPoint Inc.) was fined $1.7 million when the health records of more than 600,000 patients were made available to unauthorized users.

Rapkin urged employers that have not yet conducted a HIPAA risk assessment to do so as soon as possible.

He said employers should focus on training employees to understand HIPAA policies and procedures and take an inventory of safeguards to protect physical and electronic information. If a breach occurs, employers must be vigilant about notifying individuals whose information was compromised.

“In the past it was easier to sweep things under the rug,” he said. “You can’t hide by saying, ‘Well someone left a laptop at Dunkin’ Donuts, but we don’t know if it’s been breached.’ You must notify any individual affected even if you only have reason to believe that you’ve been breached.”

Initially HIPAA was about health information portability — the ability to take records from one vendor or provider to another, he said. “It advanced to be much more about security as requirements like the HITECH Act came into play.”

The HITECH, or Health Information Technology for Economic and Clinical Health Act of 2009, required that organizations publicly report breaches that involve more than 500 patients, increased fines for violations, mandated that the HHS conduct audits, and extended the rules to third parties that work with health care organizations.


HIPAA Data Breaches on the Rise


CHICAGO -- The number of health data breaches has been increasing in recent years, and the most frequent type was theft, Marion Jenkins, PhD, said here at the annual meeting of the Healthcare Information and Management Systems Society.

Since 2009, there have been 1,185 data breaches as defined by the Health Insurance Portability and Accountability Act (HIPAA), said Jenkins, who is chief strategy officer at 3t Systems, a healthcare consulting firm in Denver. And the pace is accelerating, with an increase of more than 50% in the last 12 months. Breaches have so far affected 133 million patient records.

The smallest reported breach was of 441 records at the Hospice of Northern Idaho. "You don't have to be a really large organization to end up on the list," Jenkins said. The largest breach involved 80 million records at the health insurer Anthem; the latter case, which involved hacking, was "particularly disturbing" because it involved both employee and patient data, he added.

Paper, Electronic Data Covered

HIPAA requires providers to "secure all electronic protected health information against accidental or intentional causes of: unauthorized access, theft, loss or destruction, from either internal or external sources," Jenkins explained. HIPAA security regulations govern electronic records, while HIPAA's privacy rules apply to paper records.

Healthcare providers should also be aware that in addition to regulating the privacy of paper records, HIPAA also covers data from all types of electronic media -- not just EHRs and data stored on laptops and computers, but also any data that winds up on memory sticks and cards, smartphones, and even fax machines and copiers. Most of those devices are no longer just fax machines and copiers: they also function as scanners and printers, which means they hold electronic data, Jenkins said.

The amounts of money involved can be astronomical, according to Jenkins, who noted that two companies with large breaches -- Sutter Health and SAIC -- are both facing multibillion-dollar class action lawsuits.

In terms of the cause of the breaches, thefts were the most common, at 55%, followed by unauthorized access (19%) and "loss" (12%). The rest of the breaches -- 14% -- were listed as "other," according to Jenkins, citing data from the Department of Health and Human Services.

The largest single source of data breaches has been laptops, accounting for 25% of breaches. That fact "begs the question: why is healthcare data on a laptop?" Jenkins said. Laptop theft is a particular problem: Stanford Children's Hospital in California is a five-time data breach offender, and at least three of the breaches involved laptops being stolen from physicians' cars.

Laptops were followed by paper records (23%), other portable electronic devices (12%), computers (11%), and servers (10%). Another 19% were listed as "other."

Making It Easier to Do the Right Thing

One reason people end up having protected health information on a laptop is that, in many cases, it takes so long to get into the EHR system that people think, "'By golly, when I get into the system, I'm going to download the data and put it on my local workstation so I can get some dang work done," Jenkins said. "As IT professionals, we have to design and implement systems that make the right way the easiest way.

"It won't work to try to make longer usernames and passwords, because they'll just put in the longer usernames and passwords and download the data so they can work on it locally; that drives them even more toward the behavior we don't want them to do. We need to have the cloud services [be] the fastest way rather than downloading the data so they can get their work done."

Some organizations say they don't have anything to worry about because they use an electronic health record (EHR) that is "HIPAA-certified." However, said Jenkins, there are two problems with that assertion; first, there is no such thing as a HIPAA-certified EHR. Second, "the EHR isn't the problem ... it's the user behavior when they're pulling reports, pulling data out of the EHR and then having a breach with that," he said.

Moving healthcare data to the cloud does not necessarily solve a problem with data breaches. Although some cloud services are HIPAA-compliant, "most public cloud services [such as Gmail and Hotmail] are not," Jenkins said. "And if you have poorly designed and poorly run IT, and you simply move it to the cloud, you just shifted your local problems to the cloud; you didn't solve them."

If, on the other hand, moving records to the cloud is done properly, "it's a heckuva lot better than having [the data] on a laptop," he added.

What's Missing From HIPAA

There are some things the HIPAA regulations don't address, Jenkins said, such as how long passwords have to be or how often they should be changed. Regulations also don't address timeout or logoff intervals or the type of encryption required for use with Wi-Fi -- technically, that means WEP encryption is HIPAA compliant, even though it's easily breached, he noted.

He said he was "shocked" that the words "laptop" and "smartphone" don't appear in the HIPAA regulations.

What are the biggest data breach threats to a healthcare organization? That depends on the number of records being held. Those with 500,000 to 1 million records are attractive targets to hackers; but "in little organizations, the biggest threat is from an internal user," he said.

"Now that credit card companies can shut down cards quickly once they are stolen, credit card numbers aren't worth very much to hackers, maybe a dollar each on the open market," Jenkins said. "Health records are five to ten times more valuable [because] they can use them to do unauthorized or fraudulent Medicare or Medicaid billing; they set up a sweatshop where they can bill over and over again."


Don't confuse EHR HIPAA compliance with total HIPAA compliance


Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.

Unfortunately, what many organizations today don’t realize is, just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.

Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for the purpose of protecting PHI.

In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.

Unfortunately, addressing risks to electronic patient data is not always a top priority.

We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.

While some EHR systems and their related equipment have security features built into or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often web-enabled (can connect remotely to send information to a server), but that equipment may not be checked for proper security.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.

There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.

Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.

Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct an annual HIPAA security risk analysis (specifically required under the HIPAA rules). This can involve regularly engaging with a trusted provider that can remotely monitor and maintain your network and devices to ensure ongoing security.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PINs, so that access to patient information is limited to authorized individuals only.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.

Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.


5 Breach Lawsuits Filed Against Premera


Five class action lawsuits have been filed in federal court against Premera Blue Cross in the wake of a data breach that affected 11 million individuals across the country. Meanwhile, its CEO has provided answers to questions from a U.S. senator regarding the hacker attack.

The five lawsuits filed last week in the U.S. District Court in Seattle make similar allegations - that the company failed to protect customers' confidential information, putting those affected at risk for identity theft. Among the complaints' allegations is that the data breach resulted from Premera's alleged "failures to follow HIPAA."

Two of the suits also note that Premera was warned in an April 2014 draft audit report by the U.S. Office of Personnel Management that its IT systems "were vulnerable to attack because of inadequate security precautions".

"That audit identified ... vulnerabilities related to Premera's failure to implement critical security patches and software updates, and warned that 'failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached,'" notes one lawsuit, Tennielle Cossey, et al vs. Premera.

That suit also states, "If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems." The complaint notes that Community Health Systems in August 2014 also revealed a hacker breach that affected 4.5 million patients. "This prompted a 'flash warning' by the FBI to entities in the healthcare industry that it had observed 'malicious actors targeting health care related systems,'" the suit says.

The suits are seeking unspecified damages, both "actual and statutory." Among the allegations in some of the suits are violations of the Washington Consumer Protection Act.

A Premera spokeswoman declined to comment about the suits. She noted, however, that Premera "expected there would be class action lawsuits filed" against the company in the wake of the breach "because that's typically what happens."

Attorney John Yanchunis of the Tampa-based law firm Morgan & Morgan, which is representing plaintiffs in one of the Premera class action suits, says he expects that the cases eventually will be consolidated into one case in the federal court. The Premera breach "is more egregious than the Home Depot or Target breaches because those [credit] cards can be cancelled," he says. "Unlike those other breaches, the information involved in the Premera breach can be used to file fraudulent tax returns and fraudulently secure healthcare in someone else's name."

Congressional Scrutiny

In addition to the lawsuits, Premera is also dealing with Congressional scrutiny in the wake of the breach.

In a March 20 letter to Premera CEO Jeffrey Roe, Sen. Patty Murray, D-Wash., on behalf of the Senate Committee on Health, Education, Labor and Pensions, asked the company to answer 15 questions related to the breach and the company's information security practices. Those questions range from why Premera waited six weeks to publicly announce the breach after its discovery, to whether the hacking incident is related to the Anthem Inc. hacking breach, to steps Premera is taking to bolster its information security in the wake of the incident.

In the March 27 response letter to Murray, which Premera provided to Information Security Media Group, Roe says the public announcement of the breach was delayed based on advice from Mandiant, a consulting firm it had hired to assist in the forensic investigation of the incident.

"Mandiant warned Premera about the dangers of making any public announcement about the attack until the following steps could be taken: 1) Mandiant completed scanning all servers and workstations for areas of infection to identify all attack vectors; 2) systems were remediated in a concentrated time to lock the attackers out of system; and, 3) remediation was followed by scanning to verify that the all backdoors were eliminated," the letter states.

Roe also describes in the letter some details about the breach: "Upon penetration of Premera's network, the attackers gained access to log-in credentials and then deployed other tools and tactics to gain broad access to Premera's network." He adds: "Mandiant's investigation to date has identified only intrusion but no exfiltration of information from Premera's systems. Mandiant has not conclusively determined the initial vector of compromise. That is, the [company doesn't] know if the malware came from a phishing email, a contaminated website, or another source of intrusion."

The letter also notes that Mandiant "found no evidence that the cyberattack on Premera was the result of, or was related to, any of the items identified in the [2014] OPM [audit] report." Plus, Roe notes: "Premera is not in a position to opine about whether the Premera and Anthem attacks were connected or which attack occurred first. Because these attacks are the subject of active FBI investigations, Premera encourages your office to contact the FBI for additional information."

Premera is implementing several Mandiant recommendations to bolster security moving forward, Roe says in the letter. In addition to removing all malware and backdoors from its IT systems in response to this cyberattack, Roe says Premera has implemented a number of system enhancements, including, among others:

  • Deploying multiple-factor authentication for remote access to Premera's network;
  • Scanning servers, desktops and laptops as a requirement for continued use of devices on the network;
  • Installing enhanced monitoring tools to provide reports of any new attacks on our computer networks;
  • Enhancing and expanding security and system event logging capabilities; and
  • Engaging a service provider for advanced monitoring services.

State Scrutiny

Besides the lawsuits and the Congressional scrutiny, Premera is also facing a probe from insurance officials in three states - Washington, Oregon and Alaska.

Washington Insurance Commissioner Michael Kreidler said that the states will conduct a "market conduct examination" of Premera related to the breach. The examination will include on-site reviews of the insurer's financial books, records, transactions and how they relate to its activities in the marketplace, Kreidler explained in a statement.


HIPAA breach puts blame on business associate


A New York healthcare provider is notifying its patients that their medical data has been compromised after one of its business associates reported the theft of an employee-owned laptop and unencrypted smartphone.

The New York-based Senior Health Partners, part of the Healthfirst health plan, has mailed breach notification letters to 2,700 of its members after discovering that a laptop and mobile phone belonging to a registered nurse employed by one of its business associates were reported stolen.

Officials say the nurse's laptop, which was stolen on Nov. 26, was encrypted, but the encryption key was in the laptop bag that was taken. The stolen mobile phone was neither encrypted nor password-protected. The nurse was employed by Senior Health Partners' business associate, Premier Home Health, which notified the long-term care provider on Dec. 10. Affected patients were mailed notification letters Jan. 30.

An investigation into the theft found that the privately owned laptop included a "potentially accessible" email containing patient names, demographics, Social Security numbers, Medicaid IDs, dates of birth, clinical diagnoses and treatment information, and health insurance claim numbers.

"Senior Health Partners sincerely regrets that this incident occurred," read a Jan. 30 press statement. "It takes the privacy and security of members' health information very seriously and expects its vendors to do the same. SHP values the trust its members have placed in it as their health plan, and it is SHP's priority to reassure its members that it is taking steps to ensure its members' information is protected."

Healthcare IT News asked Senior Health Partners what its policy was on encryption and on using privately owned devices for work purposes, but did not receive a response before publication time.
To date, nearly 42 million individuals have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.


Where Is HIPAA Taking Physician Practices?



Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information. In the context of this act, security is the means by which confidentiality and privacy are ensured. Confidentiality defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.


HIPAA Security vs Innovation:

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practising medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerised, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognised procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans.) However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay.[3] She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.


HIPAA, Privacy, and the Physician:

Whereas compliance with HIPAA's upcoming security requirements is largely in the purview of vendors and the information services department in most larger medical centres, privacy concerns are usually addressed at the physician level. Consider the major privacy provisions of the act, most of which took effect in April 2003, listed in the Table.

Major Privacy Components of HIPAA, Based on Data From the DHHS.

Implementing each of these privacy components falls squarely on you and your office staff. You, your office manager, or someone else in your practice must be designated the Privacy Officer and given the responsibility of ensuring compliance with the act. If you haven't already had at least 1 practice walk-through with the major privacy provisions, make sure you do so.




Website Error Leads to Data Breach


An error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals. The incident is a reminder to all organizations about the importance of sound systems development life cycle practices.

In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan administrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.

Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.

"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.

Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."

The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."

Similar Incidents

The coding error at Blue Shield of California that led to the users being able to view other individuals' information isn't a first in terms of programming mistakes on a healthcare-sector website leading to privacy concerns.

For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site.

Software design and coding mistakes that leave PHI viewable on websites led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.

An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.

The corrective action plan required the physician practice, among other measures, to conduct a risk assessment and implement appropriate policies and procedures.

Measures to Take

Security and privacy expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, says that to avoid website-related mistakes that can lead to privacy breaches, it's important that entities implement appropriate controls as well as follow the right systems development steps.

"Organizations should have a sound systems development life cycle - SDLC - in place to assess all systems in a production environment, especially those that are externally facing," he says. "Components of a mature SDLC would include code reviews, user acceptance testing, change management, systems analysis, penetration testing, and application validation testing."

Healthcare entities and business associates need to strive for more than just HIPAA compliance to avoid similar mishaps, he notes.

"Organizations that are solely seeking HIPAA compliance - rather than a comprehensive information security program - will never have the assurance that website vulnerabilities have been mitigated through the implementation of appropriate controls," he says. "In other words, HIPAA does not explicitly require penetration testing, secure code reviews, change management, and patch management, to name a few. These concepts are fundamental to IT security, but absent from any OCR regulation, including HIPAA."

Earlier Blue Shield Breach

About a year ago, Blue Shield of California reported a data breach involving several spreadsheet reports that inadvertently contained the Social Security numbers of 18,000 physicians and other healthcare providers.

The spreadsheets submitted by the plan were released 10 times by the state's Department of Managed Health Care. In California, health plans electronically submit monthly to the state agency a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas - but not Social Security numbers. DMHC makes those rosters available to the public, upon request.


HIPAA audits to resume soon


Long-term care providers should get ready for the second round of HIPAA compliance audits this year, but the agency in charge of them is keeping mum about the exact date.

And while Health & Human Services' Office for Civil Rights (OCR) expects to single out only around 110 providers, long-term care facilities are being urged to begin preparations as soon as possible, Kelly McLendon, managing director of CompliancePro Solutions, said during a recent Health Care Compliance Association webinar. That includes performing security and risk analyses, updating privacy and security incident response plans and automating privacy and security investigation, tracking and management protocols, according to published reports.

The agency has not announced specifics yet, but the coming round of audits could focus heavily on HIPAA security and privacy risk management, breach notification and Notice of Privacy practices.

OCR was scheduled to do the audits last year but went idle because of funding problems. Providers are advised not to rely on audit protocols issued in 2012, the last time OCR performed audits, and watch for phase two protocols to be posted on the OCR website. Audits will likely begin about 90 days after posting, McLendon said.

The news will do little to help a Denver-area pharmacy that specializes in compounded medications for area hospice agencies, according to published reports. The business will have to pay $125,000 and take corrective measures after local media notified the OCR it allegedly disposed of unsecured documents in an unlocked, open container. The documents reportedly contained private health data on more than 1,600 patients.


4 keys to HIPAA audit prep


With the delay of the Office for Civil Rights (OCR) HIPAA audits, organizations would be wise to not push compliance further down the priority list. Yet many are woefully unprepared for both data breaches and the audits, writes Mark Fulford, partner at LBMC Security & Risk Services in an article at Health IT and Security Review.

"If organizations let down their guard, they will become vulnerable to both data breaches and the OCR audits themselves when they inevitably arrive," he says. "And all indications are that the audits will bring an unprecedented level of scrutiny and enforcement to healthcare security."

Being chosen for an audit means submitting documentation of your organization's compliance. Yet HIPAA guidance isn't specific, he says, allowing you to explain your reasoning behind your security approach.

Among his recommendations:

  1. Conduct a risk assessment. Evaluate your organization before OCR does, making sure you have everything covered, including servers, personal computers, mobile devices and more.
  2. Document everything. Keep detailed records of your security measures and procedures, as well as your incident response plans.
  3. Identify your business associates. Verify that these entities also maintain appropriate security.
  4. Train your team and stay up to date. Security is a team effort; ensure that your employees are trained to respond to phishing, social engineering, malware and other attacks.

Despite a proliferation of healthcare breaches and warnings from the Office of Civil Rights that it plans to crack down on organizations that don't effectively protect patient data, research from ProPublica found that few organizations actually have been fined for it.

However, that's expected to change. Privacy attorney Adam Greene said he's heard that OCR has a pipeline of "unprecedented" settlements in the works.

An OCR attorney made a similar statement nearly a year ago. Jerome B. Meites, OCR chief regional counsel for the Chicago area, said the HIPAA enforcement actions over the past year would pale in comparison to the following 12 months.


Health system sees 7th HIPAA data breach


How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinical data were compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in less than five years.

It wasn't until March 12, 2015, that officials said they discovered which patients were impacted by the breach, which involved the compromise of an employee's network username and password.

"St. Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter.

According to data from the Office for Civil Rights, which keeps track of HIPAA breaches involving 500 people or more, St. Vincent health system has been a repeat HIPAA offender. Its most recent breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patient letters to the wrong patients.

The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients.


HIPAA Privacy and Security Guidance Updated


The Office of the National Coordinator for Health IT this week released an updated version of its privacy and security guidance to help healthcare providers better understand how to integrate federal health information privacy and security requirements into their practices. The guidance was last published in 2011.

The new version of the guidance provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules.

Some of the areas covered in the new guidance include real-world application of how the HIPAA Privacy and Security Rules apply to a practice and the rules surrounding use and disclosure of private health information. The guidance also addresses “Meaningful Use” programs in more detail. Meaningful Use programs encourage health care organizations to adopt EHRs through a staged approach. Each stage contains core requirements that providers must meet.

Unlike the first guidance, which focused on Stage 1 privacy and security objectives, the updated version adds in core objectives for Stage 2 of the Meaningful Use program. Under Stage 2, providers must respond to patient requests regarding how their electronic health information is being handled.

The guidance also provides examples designed to assist providers in understanding whether someone is a business associate. These examples reflect changes made under the Health and Human Services Department’s Omnibus Rule, which makes contractors, subcontractors, and other business associates of healthcare entities that process health insurance claims liable for the protection of private patient information.

Additionally, the guidance outlines a seven-step approach for providers looking to create a security management process. Steps include selecting a team, documenting the process, developing an action plan, and managing and mitigating risk.


Why Understanding HIPAA Rules Will Help With ONC Certification


Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.

Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.

ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.

The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”

One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.

“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”

Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations options, he added.

“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”

That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.

However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.

“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”


ONC issues new privacy, security handbook


During the HIMSS15 annual conference in Chicago last week, the Office of the National Coordinator for Health IT announced the release of a new and improved guide for securing electronic health information that hospitals, providers and business associates can integrate into their practice.

How to comply with MU security requirements, questions you should ask your health IT vendors and everything from cybersecurity and HIPAA to action plans and checklists are among the big highlights.
Many useful tips, permitted use cases, compliance requirements and HIPAA explanations have been added since the last update, four years ago.
The guide, as ONC Chief Privacy Officer Lucia Savage explained in a blog post, has been revised to include new "practical information" on topics such as cybersecurity, encryption, patient access and HIPAA privacy and security rules in action. The revised version also includes information on compliance with the EHR Incentive Programs' security requirements.
And for those looking for more guidance on what questions to ask your health IT vendors, look no further.
The handbook "also offers suggested questions providers may want to ask their health IT developers or EHR companies so they can be confident that the systems they buy and use will meet their privacy and security needs," Savage explained.
Top of this list are questions such as: "How does my backup and recovery system work? How often do I test this recovery system? How much remote access will the health IT developer have to my system?" and "How much of the health IT developer's training covers privacy and security awareness, requirements and functions?"
According to a new Verizon data breach report that analyzed the healthcare vertical, physical theft or loss accounted for the lion's share, some 26 percent, of security incidents by pattern. Another 20 percent of security incidents were due to insider privilege and insider misuse; "miscellaneous errors" accounted for 19 percent. Other patterns noted in the report for the healthcare vertical were upticks in DoS and Web app attacks, at 9 percent and 7 percent respectively. 


Could Big HIPAA Settlements Be Coming?


Federal regulators will likely announce a number of eye-popping financial settlements for HIPAA violations later this year as a result of breach investigations, predicts privacy attorney Adam Greene.

So far this year, the Department of Health and Human Services' Office for Civil Rights hasn't revealed any HIPAA settlement agreements with covered entities or business associates. But in an interview with Information Security Media Group during the HIMSS 2015 conference in Chicago, Greene predicts a big change in the second half of the year.

"We've heard anecdotally that [OCR] has a significant pipeline of unprecedented settlement agreements, meaning particularly high amounts [of financial penalties] and a particularly large number," says Greene, who formerly worked at OCR. "So it wouldn't be surprising for us to start seeing in the latter part of this year some really surprising settlement agreements with respect to potential record-breaking [financial penalties]. I think the delay, this gap in settlement agreements, relates to the change in leadership at OCR and for that new leadership to get settled in."

Last July, Jocelyn Samuels was named the new director of OCR. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

In 2014, OCR announced six resolution agreements involving monetary penalties for cases involving violations of HIPAA. The biggest enforcement action was in May 2014, when OCR announced a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients.

As for potential OCR settlements with business associates, who became directly liable for HIPAA compliance under the HIPAA Omnibus Rule, Greene doesn't expect OCR action until next year.

"We see that [the time between] an actual [HIPAA] incident happening and an actual settlement agreement tends to be two to three years. And business associates were not being held liable by HHS for [HIPAA] compliance until September 2013," he notes. "So it seems that if you had a breach by a business associate at the end of 2013, that could lead to an investigation of the business associate ... and we could see the fruition of that investigation by the end of this year, but more likely next year."

In the interview, Greene also discusses:

  • What's likely to come next in OCR's plans for a permanent HIPAA compliance audit program, which has been on hold since 2012;
  • The OCR enforcement activities that organizations should be most worried about;
  • Why the Centers for Medicare and Medicaid Services is proposing to lower the requirements for patients electronically accessing their health records in Stages 1 and 2 of the HITECH Act "meaningful use" financial incentive program for electronic health records.

As a partner at the law firm Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.


Health Providers Beware: HIPAA Breaches May Give Rise To Negligence Actions


Electronic medical records provide a multitude of benefits for providers and patients by promoting efficient record access, cost savings and better patient care.  So what's the down side?

Well, for starters, these records are ripe for hacking and inadvertent disclosures. As mentioned in a previous post, health care fraud has reached new heights by and through the theft of personal and medical information.  Left in the wrong hands, the sensitive information contained in these computerized records could unleash a fraud firestorm.

Historically, medical providers have successfully defended against claims brought by plaintiffs whose information was hacked or otherwise improperly accessed by relying upon the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), which expressly provides that there is no private right of action under HIPAA. This success may be short-lived as the number of hackers has increased and some courts, like Connecticut's Supreme Court, have indicated a willingness to allow plaintiffs to bring claims for negligence and privacy violations against providers under state law.

HIPAA Standard of Care

In Byrne v. Avery Ctr. For Obstetrics & Gynecology, 314 Conn. 433 (2013), a health center produced a patient's protected health information (PHI) in response to a subpoena without notifying the patient and without taking any steps to protect it from disclosure in violation of HIPAA's guidelines.  The aggrieved patient filed an action against the provider for breach of contract, negligence, and negligent infliction of emotional distress.

While noting HIPAA's language with regard to private rights of action, the Court did not find that limitation dispositive of the negligence claim brought by the patient. The Court hinted that a violation of the standards promulgated under HIPAA may support a finding of deviation from the standard of care required for a negligence claim.

Will New Jersey Follow Connecticut?

Given the proliferation of electronic medical records and the overwhelming amount of paperwork that healthcare providers deal with on a daily basis, the odds of falling victim to a HIPAA breach have markedly increased.  New Jersey health care providers should be mindful of the Connecticut case because New Jersey may follow this trend of reviewing HIPAA guidelines as a standard of care that may be considered to support a negligence action.

Problem Prevention
  1. Review and update HIPAA policies.
  2. Educate staff on the significance of the policies and demand 100% compliance.
  3. Develop a process to deal with subpoenas to ensure that the practice is in compliance with all applicable standards under federal and state law.

Current HIPAA Requirements Sufficient, AHA Tells ONC

The current HIPAA requirements are sufficient to support the improvements to the healthcare infrastructure needed for secure data sharing in support of clinical care, according to the American Hospital Association (AHA).

In a letter to the Office of the National Coordinator (ONC) Secretary Karen DeSalvo, AHA Senior Vice President of Public Policy Analysis and Development Linda Fishman wrote that overall, the AHA agrees with the ONC Interoperability Roadmap. However, the AHA worries “that the roadmap is not sufficiently grounded in an assessment of present realities or focused enough on the steps that will enable public and private stakeholders to travel from the present regulatory, clinical and technology environment to the future state envisioned.”

Fishman explained that the roadmap needs to be more specific about the immediate steps and resources necessary to improve nationwide interoperability. Moreover, a clearer outline is needed of the short-term, intermediate-term, and long-term timeframes for interoperability.

“Given the significant investments already made, the AHA urges ONC to adopt the current requirements of the meaningful use program and the capabilities of the 2014 Edition certified EHRs as the starting point for the nationwide interoperability roadmap,” Fishman wrote.

In terms of privacy and security, the AHA does not agree with the roadmap in its suggestions for change. For example, the roadmap states that “current government and private sector programs provide insufficient incentives for interoperability across the care continuum.” The AHA disagrees, and Fishman wrote that the current HIPAA requirements are sufficient for improving the infrastructure for better data sharing.

“The proper focus should be on making these requirements the prevailing standard nationwide if it is essential to address access to health information within the interoperability context,” the AHA explained. “The roadmap proposals could exacerbate the existing conflict among federal, state and local laws, rather than working to limit them.”

It is also necessary for the ONC to work with the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) to see where additional guidance might be required in terms of HIPAA requirements. Specifically, stakeholders might need assistance in understanding how privacy and security rules apply in ACOs and other multi-stakeholder alternative delivery system organizations.

“Under the current HIPAA privacy rule, the use and/or disclosure of protected health information between covered entities for health care operations that expressly qualify as quality assessment and improvement activities is permissible only when both the disclosing and receiving covered entity have or had a relationship with the patient about whom the information pertains. Achieving the meaningful quality and efficiency improvements that a clinically integrated setting promises requires that all participating providers be able to share and conduct population-based data analyses.”

The AHA also recommended that ONC continue to work within the broader framework of the existing cybersecurity policy. Cybersecurity activities need to “align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations.” The NIST Cybersecurity Framework must also be kept in mind because it is the “overarching federal approach to cybersecurity.”

It is important to find the right balance when it comes to information sharing, as the data must also be kept secure. However, the current policy frameworks already address this issue, according to the AHA, and it is necessary for the ONC to work within those policies to improve interoperability.

Cyber Risk Q&A: Is Your Medical Practice Protected?

The threat of data breaches and cyber attacks is not news to any of us. However, Anthem’s recent 80 million-record data breach was an attention-getter, or it should have been for all of us in the healthcare industry.

But it all became very personal for me the morning after the Anthem news when I opened my local newspaper to a Page 2 story with the headline, “Is your doctor’s office the most dangerous place for your data?” This AP story outlined what all of us should be concerned about. That is, a healthcare practice will face a PR nightmare if a data breach occurs involving patient records.

It is no coincidence that healthcare leads all other industries in the number of data breaches, the total number of compromised records, and the costs associated with such breaches. Healthcare databases are the pot of gold at the end of the rainbow for cyber criminals. There are three categories of data that cyber criminals target: personally identifiable information (PII), such as name, birthdate, and social security number; personal credit information (PCI), including credit card numbers; and protected health information (PHI), including medical records. Healthcare providers and insurers collect all three types of information and store them electronically.

Data breach statistics and costs related to the healthcare industry are eye-opening. Crittenden Research suggests that the annual number of healthcare breaches increased from 160 to 333 between 2010 and 2014. The number of records exposed increased from 1,874,360 to 8,277,991 in the same timeframe. The Ponemon Institute reports that the per-record data breach cost is now $201 averaged across all industries. But the eye-popping number for healthcare is $359! These costs include notification, credit monitoring, forensic accounting, public relations, legal fees, and losses related to customer/patient loss and re-acquisition.

So, what is a healthcare practice supposed to do? I have two suggestions.
1. Have a cyber-risk review done of your practice and implement the recommendations. Many of the common threats are easily addressed.
2. Purchase cyber-liability insurance.  Please know this is objective advice. I do not sell cyber-liability insurance. But I certainly buy it!

Our healthcare clients routinely ask us about cyber liability insurance, even though we don’t offer this coverage on a standalone basis. Here are our responses to a few of the more common questions:

How does cyber-liability insurance work?
The real value of cyber liability insurance is the bundling of breach response services. When a data breach occurs, the policyholder works with a data-breach coach who coordinates a rapid response. Forensic accounting, public relations, client notifications, credit monitoring, and legal advice are all included. Some policies also cover fines and penalties and protection from third-party lawsuits. But these are rare if a rapid response is well coordinated. The policyholder can purchase varying coverage limits.

Doesn’t my medical-malpractice coverage already cover this?
Most medical-malpractice policies include modest levels of cyber liability coverage. My concern is that the coverage limit is typically in the $50,000 to $100,000 range. This is much too low. Do your own math. How many records does your practice store? Multiply this by the $359 per-record data breach cost figure. Yep, not enough coverage there. Standalone policies with sufficient limits are plentiful and relatively affordable.

Is cyber insurance worth the cost?
I mentioned above that I purchase this for our business. We invest heavily in our data security. I’ve never been one to try to beat the odds. The same Ponemon study cited earlier estimates that the probability of a healthcare entity experiencing a breach involving 10,000 or fewer records is 19.2 percent. That’s a one-in-five chance you will be a victim. I don’t know about you, but I don’t like those odds without plenty of protection.

If our business experiences a data breach, I want a rapid response with proper client notification, credit monitoring, and whatever protection our clients need. Our clients’ trust and confidence in us is our biggest asset.

For a physician, the patient-doctor trust relationship is paramount — not something to chance damaging through the malicious actions of an anonymous cyber thief.

So, yes, I think it’s an obvious choice financially. You need to evaluate your own needs regarding your business.

Cyber liability is a growing threat to all of us involved with the healthcare industry. But proper risk management and insurance protection are solid steps any of us can take to fight back.

Happy computing!
