HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA breach puts blame on business associate

A New York healthcare provider is notifying its patients that their medical data has been compromised after one of its business associates reported the theft of an employee-owned laptop and an unencrypted smartphone.

The New York-based Senior Health Partners, part of the Healthfirst health plan, has mailed breach notification letters to 2,700 of its members after discovering that a laptop and a mobile phone belonging to a registered nurse employed by one of its business associates were reported stolen.

Officials say the nurse's laptop, which was stolen on Nov. 26, was encrypted, but the encryption key was in the laptop bag that was taken with it. The stolen mobile phone was neither encrypted nor password-protected. The nurse was employed by Senior Health Partners' business associate, Premier Home Health, which notified the long-term care provider on Dec. 10. Affected patients were mailed notification letters on Jan. 30.

An investigation into the theft found that the privately owned laptop included a "potentially accessible" email containing patient names, demographics, Social Security numbers, Medicaid IDs, dates of birth, clinical diagnoses and treatment information, and health insurance claim numbers. "Senior Health Partners sincerely regrets that this incident occurred," read a Jan. 30 press statement. "It takes the privacy and security of members' health information very seriously and expects its vendors to do the same. SHP values the trust its members have placed in it as their health plan, and it is SHP's priority to reassure its members that it is taking steps to ensure its members' information is protected."

Healthcare IT News asked what Senior Health Partners' policy is on encryption and on the use of privately owned devices for work purposes, but did not receive a response before publication time.
To date, nearly 42 million individuals have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.



VoIP Phones and HIPAA Compliance

So, what about your VoIP phone system? Many organizations have migrated to VoIP service.  VoIP (or “Voice over Internet Protocol”) is a method for taking analog audio signals and turning them into digital data that can be transmitted over the Internet instead of traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?

By definition, electronic PHI is data which is transmitted or maintained on electronic media. Electronic media is defined as either:

  1. Electronic storage material, which includes, for example, computer hard drives, or
  2. Transmission media, which includes, for example, the internet. Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.

The quoted sentence above represents the changes made to the rule in 2013. For VoIP systems that do not include voicemail (which eliminates just about all VoIP systems), there might be room for debate about whether the information held in the system meets the definition of ePHI. However, voicemails are clearly stored on computer hard drives or other electronic storage material.

What features does HIPAA look for in VoIP software that processes ePHI? The implementation specifications in the HIPAA rule that apply to software include:

  1. Unique User ID & authentication. Phones identify themselves with the phone number or serial number on the phone. A certificate installed on the phone is used for authentication using PKI.
  2. Access Controls. Certain users may have additional privileges beyond making phone calls so the system should support different classes of users.
  3. Audit logs. The system should record call meta data, as well as any details regarding any administrative activities performed by an authenticated user.
  4. Encryption. TLS and/or VPNs can be employed between IP phones and the Communications Manager software. For data at rest, for example voicemails, other encryption technologies can be used.
  5. Business Associate Agreement (for cloud providers). When cloud-based VoIP solutions are used, an essential ingredient is the HIPAA Business Associate agreement. The cloud provider has an additional set of compliance obligations including their own physical, technical and administrative controls.

It is not surprising that some cloud VoIP vendors offer interpretations of HIPAA which claim that their services and VoIP phone technology fall under the so-called “conduit exception”. The “conduit exception” excludes organizations that provide mere courier services, such as the U.S. Postal Service or internet service providers. For an excellent post regarding this narrow exception.

The takeaway: include your VoIP phone system in your application inventory, assess its risks during your risk assessment, conduct the appropriate security evaluation and document compliance.



$10 Million Fine in Improper Disposal Case

The grocery store chain Safeway has been ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.

The settlement resolves allegations that Safeway unlawfully disposed of customer pharmacy records containing private medical information in violation of California's Confidentiality of Medical Information Act.

Prosecutors in California also alleged Safeway unlawfully disposed of various hazardous materials over a period of longer than seven years. Those materials included over-the-counter medications, pharmaceuticals, aerosol products, ignitable liquids, batteries, electronic devices and other toxic, ignitable and corrosive materials, according to a statement from the Alameda County District Attorney's Office. That office took the lead on the civil enforcement lawsuit filed on Dec. 31 by a coalition of 43 California district attorneys and two city attorneys.

Safeway operates about 500 stores and distribution centers in California under a number of brand names, including Von's, Pavilions and Pak 'n Save, and is in the process of merging with another large grocery chain, Albertsons, which operates stores in several states under brands that include ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver.

The case against Safeway by the California district attorneys was based on a series of waste inspections of dumpsters belonging to Safeway facilities conducted by state environmental regulators and other inspectors during 2012 and 2013.

Kenneth Mifsud, Alameda County assistant district attorney, tells Information Security Media Group that the inspections were conducted at dozens of Safeway stores about once a month during an 18-month period. Investigators - who examined retail store waste taken to landfills - found violations in about 40 percent of the stores inspected. In some cases, pharmacy documents, such as store summaries listing medical and personal information on dozens of patients, were found among the waste, he says.

"The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers' confidential medical information," says the Alameda County district attorney's statement. "Upon being notified by prosecutors of the widespread issues, Safeway worked cooperatively to remedy the issue, enhance its environmental compliance program and train its employees to properly handle such waste."

The case against Safeway spotlights the importance of retail pharmacy chains, hospitals and other healthcare entities properly shredding or "making indecipherable" patient and other consumer personal information before disposing of it, Mifsud says.

"There's a risk of identity theft committed by dumpster divers, and unfortunately by some employees," he says.

Settlement Terms

According to settlement documents filed in the Superior Court in Alameda County on Dec. 31 - the same day the suit was filed by the district attorneys against Safeway - the $9.87 million in civil penalties and costs Safeway agreed to pay are mainly related to the environmental and unfair business claims against the company. The unfair business claims encompass the violations of California's medical confidentiality laws, Mifsud says.

Also as part of the settlement, the retailer must "maintain and enhance, as necessary" its customer record destruction program to ensure that confidential medical information is disposed of in a manner that protects individuals' privacy. Plus, it must take several steps related to environmental compliance, including ensuring that its workforce is trained in properly disposing of waste.

Court documents do not indicate how many customers' improperly dumped pharmacy records were found by inspectors. Mifsud says it's difficult to estimate the number of patients or pharmacy records affected by the improper disposal because the inspections only provided "a snapshot" of some stores' activities.

Approximately 500 Safeway retail stores and distribution centers in the state must abide by the corrective action terms of the settlement, Mifsud says.

State attorneys started negotiations with Safeway in 2012, when the violations were first discovered, he says. The suit and settlement documents were both filed in court on the same day, Dec. 31, as a formality concluding those discussions, he explains.

In a statement to ISMG, Safeway says, "We have enhanced [our] programs and added new and supplementary training to ensure strict adherence to the law and to our policies. Safeway will continue to dedicate significant resources to these important programs."

Privacy and security attorney Kathryn Coburn, a partner at law firm Cooke Kobrick LLP, says that the Safeway case is a reminder to all organizations that having policies about protecting sensitive information of patients is not enough; they also need to have procedures for the workforce to follow and training to ensure those procedures are understood.

"Everyone I deal with has policies. But if there are no procedures, and no training, those policies aren't any good," she says.

Other Disposal Cases

The Safeway settlement is not the first time enforcement actions have been taken by regulators against a retailer charged with improper disposal of sensitive medical information.

In a 2010 settlement with the U.S. Department of Health and Human Services, Rite Aid Corp. agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters. Also, a $2.25 million HHS settlement was reached in a similar case against CVS Caremark in February 2009.

And retail pharmacies aren't the only organizations that have been cited by regulators for improper disposal of medical information. For example, HHS' Office for Civil Rights last June announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for 5,000 to 8,000 patients were dumped in the driveway of a physician's home.

Security and privacy attorney Stephen Wu of the law firm Silicon Valley Law Group says OCR could decide to open a HIPAA non-compliance case against Safeway based on the findings by state regulators in their suit against the retailer.

"If I were Safeway's counsel, I'd be advising the company to look for another shoe to drop," Wu says.

Mifsud says he's unaware if OCR is investigating the Safeway matter. OCR did not respond to ISMG's request for comment.



IT Maintenance Crucial for HIPAA Compliance

The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) recently announced an agreement with a medical center to settle charges stemming from the center’s failure to prevent malware from infecting its computers. The malicious programming breached the electronic protected health information (ePHI) of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The medical center was fined $150,000 and agreed to implement a corrective action plan for violating the mandates of HIPAA’s Security Rule. Under the Security Rule, covered entities and business associates must implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and security of ePHI.

According to OCR, the medical center adopted policies to comply with the HIPAA Security Rule, but failed to follow them after putting them to paper. The medical center did not perform an accurate or thorough risk assessment for ePHI, nor did it implement the necessary policies, procedures or technical security measures to prevent unauthorized access to ePHI. Specifically, OCR maintains that the medical center’s failure to identify and address basic risks — e.g., not regularly updating firewalls and running outdated, unsupported software — was the direct cause of the introduction of malicious software into its systems.

In addition to the monetary fine, the medical center agreed to implement a two-year corrective action plan requiring it to —

  • Revise, adopt and distribute updated Security Rule policies and procedures approved by OCR;
  • Develop and provide updated security awareness training — based on training materials approved by OCR — to employees, and update and repeat such training annually;
  • Conduct annual assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in its possession and document the security measures implemented to address those risks and vulnerabilities;
  • Investigate and report to OCR any violations of its Security Rule policies and procedures by employees; and
  • Submit annual reports to OCR describing its compliance with the corrective action plan.

OCR used its announcement to highlight the fact that HIPAA compliance is a continuous process and requires more than establishing initial policies, procedures and systems. Rather, covered entities and business associates will only be able to avoid expensive HIPAA fines and penalties by conducting regular ePHI risk assessments, addressing identified security vulnerabilities and regularly updating HIPAA policies and procedures.

Although technological safeguards are vital to keeping ePHI secure, human error is also a significant threat to patient data security and privacy, making a knowledgeable workforce crucial to HIPAA compliance. Covered entities and business associates can ensure HIPAA compliance with Thomson Reuters’ online training courses on HIPAA Privacy and Security and U.S. Data Privacy and Security. Our online compliance training courses explain the essential principles of HIPAA requirements and of safeguarding individuals’ personal information.



Employees could leave health systems vulnerable to hacks

Healthcare organizations are vulnerable to cyberattacks in many ways, with a big threat being a company or hospital's own employees, according to Ari Baranoff, assistant special agent in charge for the U.S. Secret Service's Criminal Investigative Division.

"Your workforce is a potential vulnerability to your network," Baranoff tells Healthcare IT Security. "Constantly educating your workforce and testing your workforce on their cyberhygiene is very important."

Even if employees mean no harm, just by browsing the Internet or checking their email they can put networks at risk, Baranoff says. It's especially dangerous if these activities are done using the same system that houses electronic health records or other hospital information.

In addition, employee information is also something that often is at risk and can raise problems for hospitals. The Secret Service has seen growing interest in extortion and ransomware campaigns in the healthcare industry, according to Baranoff.

However, a great deal of the threats to health systems come from the outside world, he adds.

For instance, in the recent breach at Sony Pictures, the health information of employees was exposed, including a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs.

Data breaches are expected to increase in 2015, with healthcare "a vulnerable and attractive target for cybercriminals," according to Experian's 2015 Data Breach Industry Forecast.

Electronic medical records and consumer-generated data from wearables and other devices will continue to add to the vulnerability and complexity in securing personal health information, according to the report.


CHIME chairman calls for mixed approach to security

Healthcare organizations need a variety of strategies to address security threats, according to Charles Christian, CIO at Columbus, Georgia-based St. Francis Hospital and new chairman of the College of Healthcare Information Management Executives (CHIME).

That includes technology, education, policy and best practices, he says, in an interview with HealthcareInfoSecurity.

"We have to be diligent and constantly learn about what might occur so we can prepare for that," Christian says. "It's not just one or two things, it's a variety of things that we must do."

Beyond policy, it involves ensuring that employees are educated about security, and auditing "to make sure the education is sticking," he says. On the technology side, it includes network access controls, firewalls and encryption.

CHIME is working with the Office of the National Coordinator for Health IT on interoperability, security and other issues.

"I'm really glad the ONC is looking at this," Christian says. "With their office's attention on this, it really raises the level of importance of cybersecurity up where it needs to be."

In an attempt to close a gap its members found in organizations focused on cybersecurity, CHIME created its own such organization last summer, the Association for Executives in Healthcare Information Security, he explains.

The new organization will be focused on "supporting the professional development and peer-to-peer needs of CSOs," according to CHIME.

Small organizations, in particular, often can't afford to have a dedicated security person. To that end, the new organization is trying to provide needed security education so that such organizations don't have to rely on system or application vendors for this knowledge, Christian says.

Security experts foresee even more cyberattacks on healthcare organizations in 2015, especially increases in phishing and ransomware attacks.

Jeff Bell, HIMSS privacy and security committee chair, urges organizations to heed the cyberthreat intelligence provided by the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and others.



N.J. Law Requires Insurers to Encrypt

A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers - a stronger requirement than what's included in HIPAA.

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: "Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person."

The law applies to "end user computer systems" and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes an individual's first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver's license number or State identification card number; address; and identifiable health information.

Different than HIPAA

"The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption," privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

"If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."

Greene points out that because the new state law is tougher than HIPAA, "A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law."



Tips For Reducing HIPAA Violation Risks

The need to attend to data security is increasing exponentially as enforcement tightens and the risk of significant financial penalties for HIPAA violations looms. To that end, a new white paper by Core Security provides some guidance for keeping data safe and avoiding the risk of compromised patient information.

As Health IT Outcomes earlier noted, a PwC report investigating the state of healthcare compliance found there is still much progress to be made in healthcare compliance across the board, and HIPAA privacy and security remain the top compliance concerns. Penalties for violations are increasing and reputations can be damaged, not to mention the imminent start of privacy audits from the HHS Office for Civil Rights. Compliance officers are challenged to fill gaps in their policies and procedures and be ready to demonstrate compliance with HIPAA requirements.

The cost of breaches can be crippling for healthcare organizations. For example, the OCR fined two health organizations almost $2 million in the wake of the theft of laptops, while Parkview Health paid out $800,000 in HIPAA fines and agreed to institute a corrective plan of action after it was alleged that the institution was dumping sensitive records.

These types of violations aren’t going away, either. A Redspin Breach Report found there was a 138 percent rise in the number of healthcare records breached in 2013, affecting some eight million records.

The Core Security whitepaper, Attack Intelligence: The Key To Reducing Risk in Healthcare, is designed to help healthcare institutions avoid these costly incidents. As the study asserts, “HIPAA-covered entities need to both identify their risks and take steps to mitigate that risk once they become aware of it.”

And yet, recent research demonstrates few healthcare industry professionals have a solid understanding of their own risks. A survey conducted by Healthcare Information Security found OCR audits have resulted in an increase in risk assessments, but that those assessments are often not complete. The data revealed 63 percent of respondents reported a data breach in 2014, and almost 50 percent acknowledged a data breach affecting a business partner. One contributing factor to these figures was that fewer than half of the 200 healthcare organizations surveyed had a documented risk assessment and risk management strategy in place and only 40 percent said they had one in the works.

While most healthcare organizations are cognizant of the need for basic security tools in assessing risk, the whitepaper asserts they do not provide the critical type of information necessary to manage risk – “actionable attack intelligence about sensitive IT assets like the medical record application servers or the backend databases that hold ePHI.”

“Healthcare organizations are familiar with risk management,” said Eric Cowperthwaite of Core Security, “But they aren’t necessarily thinking about how they’re going to be attacked. You may have a vulnerability management program. But the question is ‘How do you know which vulnerabilities matter? How do you know which possible attacks are likely – or not?’”



Electronic data breach planning: 4 tips for reducing liability risk | Lexology

There is no doubt that electronic data breaches are a hot topic. The recent breach of Morgan Stanley’s customer data is a prime example and chilling reminder that businesses, no matter the amount of security measures, are at risk of an electronic data breach. Indeed, as nearly every state has passed its own set of unique electronic data breach laws, electronic data breaches are becoming a much larger liability concern for companies, in terms of both financial and reputational harm.

In 2014, Kentucky passed KRS 365.732 and joined 46 other states in quantifying and qualifying what constitutes a data breach and the obligations that arise from a breach. Like most states, Kentucky’s law does not include breaches of financial or health information which are covered under federal law in the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

Because of this increased liability, businesses should be proactive in trying to manage risk in the event a data breach occurs.

Is My Company at Risk for an Electronic Data Breach?

While the news has focused on large electronic data breaches of major retailers, electronic data breaches of a smaller scale are much more common. Even more problematic may be the reputational loss of consumer trust and confidence resulting from an electronic data breach. Any business or organization that electronically collects and/or stores personal information is susceptible to a breach. Consider the following five questions:

  1. Do you have customers’ or potential customers’ information stored electronically?
  2. Do you store or transmit electronic files with customers’ information?
  3. Do you have client information stored on a cloud or with a third party vendor?
  4. Do you process credit card transactions?
  5. Do you have wireless networks in your office?

If you answered yes to the first question, you are at risk of an electronic data breach. Answering yes to any of the questions that follow greatly increases your risk of a data breach.

What is a Data Breach?

In general, a data breach occurs when there is an unauthorized disclosure of personal information. There is no model rule for what constitutes a breach of someone’s personal information and each state can define what constitutes personal information.

In Kentucky, personal information is defined as a person’s name coupled with a social security number, driver’s license number, or credit/debit card or account number and passcode. However, some states define personal information much more broadly. For example, Texas defines personal information as any “sensitive” information.

A data breach is commonly thought of in the context of computer hacking; however, data breaches can occur in a number of more innocuous ways. In fact, most statutes are written so broadly that a data breach occurs if an employee loses his or her cellphone containing personal information of a customer. As such, most companies today, no matter their size, are at risk.

Decreasing Your Company’s Electronic Data Breach Liability

Planning for and proactively adopting preventative measures in the event of an electronic data breach is the most important thing you can do to protect against potential liability. Being prepared can save you time, likely a significant amount of money, and any reputational harm associated with the data breach.

Most state laws require actual damages to bring a claim for a breach of data. Not surprisingly, in reviewing cases in which customers brought a claim for a breach of data, damages were lower or non-existent when companies reacted and notified their customers quickly of the breach. (See generally Giordano v. Wachovia Sec., 2006 U.S. Dist. LEXIS 52266, Civ. No. 06-476JBS, 2006 WL 2177036 (D.N.J. July 31, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).)

4 Tips for Reducing Liability Risk

While the type and amount of data a company collects or has access to will lead to varying plans, the following are some general tips that all businesses should know:

#1: Know what type of information is electronically stored. If a breach occurs, the information compromised may not be considered “personal information” under certain state laws. In addition, many state laws do not require action or impose liability if data is compromised that is encrypted. Further, take a hard look at the personal information you are collecting and determine whether such information is necessary to serve and know your customer. If the answer is no, not collecting that data would reduce your liability, as well as save valuable server or cloud space.

#2: Know where that information is stored. Most businesses use “clouds” to store their data on a remote server. Clouds offer different types of data storage, services and security levels. Many cloud vendors actually rely on subcontractors to hold their customers’ information. In many cases, these subcontractors are located overseas making any attempt to seek indemnification for a breach very difficult and expensive.

#3: Be ready to react. Have your notification template in place to communicate and know who is making that communication if a data breach occurs. Figuring out what should be done and communicated and who should lead this charge should occur before a breach occurs. Not having a plan of action will delay a reaction and likely lead to increased liability and reputational harm.

#4: Test your systems and your plan. A data breach does not have to mean that you breached the duty of care to your customers. Showing that you are using best-in-class systems to prevent a breach and that you test your systems for a breach in a consistent manner will assist in showing that you are meeting the duty of care owed to your customers.

Not only will the steps above help in limiting any liability your company may face if a data breach occurs, but they will also likely allow you to identify potential gaps in your data security, thereby preventing a breach from occurring. Data breaches are inevitable these days, which is why having a well-defined incident response plan and team in place is important.

If you do believe customer data has been compromised, you should contact an attorney immediately to help you understand what duties you may have to notify and further protect your customers’ information. As stated above, reacting quickly can help reduce any liability that may be caused by the breach.


Actual Compliance with HIPAA is a Must

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule. The settlement highlights that health care entities cannot merely adopt HIPAA policies; they must actually implement and follow those policies in practice on an ongoing basis. In early December 2014, HHS-OCR confirmed that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay a $150,000 fine, adopt a corrective action plan to correct deficiencies in its HIPAA compliance program, and report to HHS-OCR on the state of its compliance for two years. The settlement was based on an HHS-OCR investigation regarding ACMHS’s breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised the security of ACMHS’s information technology (IT) resources and affected 2,743 individuals.

During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed or updated. Thus, ACMHS could have avoided the breach (and would not have been subject to the settlement agreement) if it had followed its own policies and procedures and regularly assessed and updated its IT resources with available patches. The settlement with ACMHS is just one of several recent settlements arising from an HHS-OCR investigation, either because an organization self-reported a breach of ePHI or because HHS-OCR investigated an organization’s HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and updated its HIPAA compliance program and its policies and procedures. Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, e.g., a patient portal, is implemented. Organizations cannot simply adopt HIPAA policies and procedures, conduct training and then ignore HIPAA. All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protect personal health information from security threats.



HIPAA Security Evaluation – HIPAA Risk Analysis – Explained


Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh?

Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation and a HIPAA Security Risk Analysis. No wonder: the terms are often used interchangeably.

Let’s end the confusion…


Technically, one might argue when it comes to regulatory compliance of any type, three types of assessments can be completed:

1. Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”

2. Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”

3. Readiness Assessments answer questions like: “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and “Are we ready for an audit?”

We focus on the first two in this post because these are the ones you must complete. Both are required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law, including all 18 Standards and 42 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (45 CFR 164.308, 164.310, 164.312) in the HIPAA Security Final Rule. Additionally, this evaluation must cover 45 CFR 164.314 and 164.316, related to Organizational Requirements, Policies and Procedures, and Documentation.

As indicated above, completing this HIPAA Security Compliance Evaluation is required of every Covered Entity and Business Associate. The language of the law is in 45 C.F.R. § 164.308(a)(8):

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program or maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:

A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is also required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives. Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by the HITECH Act, the Office for Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. This guidance was published on July 8, 2010. No specific methodology was indicated. However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. We have designed a Risk Analysis methodology and ToolKit around these elements while using industry best practices.

As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of risk, along with mitigation actions involving new safeguards or controls:

Upon completion of the Risk Analysis for all information assets, an overall Risk Analysis Project Tracking tool would be used to ensure ongoing project management of the implementation of safeguards:

So, when it comes to HIPAA Security Compliance Evaluation, think:

  • Forest-level view
  • Overall compliance with the HIPAA Security Final Rule
  • Establishing baseline evaluation score for measuring progress
  • Asking: Have we documented appropriate policies and procedures, etc?
  • Asking: Are we performing against our policies and procedures?

When it comes to HIPAA Security Risk Analysis, think:

  • Trees/Weeds-level view of each information asset with PHI
  • Meeting a specific step in the overall compliance process
  • Understanding current safeguards and controls in place
  • Asking: What are our specific risks and exposures to information assets?
  • Asking: What do we need to do to mitigate these risks?

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are required by law, and both are important and necessary steps on your HIPAA HITECH Security compliance journey.



Think you're not subject to HIPAA? You might want to think again


Do you think of HIPAA as a law that applies only to health care providers? If so, the good news is that you’re not alone. The bad news is that you may have some work to do.

While it is true that HIPAA applies to most health care providers, HIPAA’s applicability is far more widespread. In fact, HIPAA applies to a broad range of companies that may not even be in the traditional health care space. This article focuses on HIPAA’s applicability to two lesser known categories of entities that are subject to HIPAA: group health plans and companies that provide services to covered entities involving the creation, receipt, maintenance or transmission of protected health information. This article also provides guidance on steps to take if your company does in fact have HIPAA obligations. Don't panic, you can do this!

HIPAA's reach is wider than it appears

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations apply to covered entities and business associates. The term “covered entity” is defined to include only the following: health care clearinghouses, most health care providers, and… health plans.

Yes, you read that correctly. As described further below, if you are a company that offers a health plan, your company's health plan is likely subject to HIPAA. This is surprising to many employers, particularly if the company has no connection to the health care industry.

Another little surprise is that “business associates” are also directly subject to HIPAA. “Business associates” are companies that perform certain services for covered entities that involve the creation, receipt, maintenance and/or transmission of protected health information (PHI). This includes companies that provide data storage services (e.g., cloud providers), as well as accountants, lawyers, consultants and others who provide services to covered entities involving PHI. The term “protected health information” or “PHI” is broadly defined by HIPAA to mean information created or received by a covered entity that relates to the health of an individual or the payment for the provision of health care to an individual, transmitted or maintained in any form or medium.

Your company’s group health plan is (probably) a HIPAA covered entity

Was your New Year’s resolution to discover that your company’s group health plan is a HIPAA covered entity? If so, you’re in luck! Employee welfare benefit plans (in addition to other health plans) are HIPAA covered entities and are subject to HIPAA, unless the plan is self-administered and has fewer than 50 participants. However, if a company's plan is fully-insured and the only PHI the sponsor receives is enrollment and summary information, the plan may have fewer HIPAA compliance obligations.

Under HIPAA, the group health plan is treated as a separate legal entity from the plan sponsor (e.g., the employer). This is an important distinction to keep in mind and one that is easily confused — the group health plan, not the sponsor, is the HIPAA covered entity. This distinction is important because HIPAA prohibits group health plans from disclosing PHI back to the sponsor, with limited exceptions. One of the exceptions permits group health plans to disclose limited PHI to the sponsor to allow the sponsor to perform plan administrative functions; however, HIPAA’s specific requirements must be followed.


Be on alert if your company provides services to covered entities requiring access to PHI

Many companies function as a business associate under HIPAA without realizing it. Does your company provide services — directly or indirectly — to a covered entity that involves the creation, receipt, maintenance or transmission of PHI? If the answer to this question is yes, your company is likely a business associate and directly subject to HIPAA.

Even if a company is not providing services directly to a covered entity, it may still be providing services to a covered entity indirectly as a subcontractor to a business associate of a covered entity. For example, a covered entity may hire a business associate to provide data storage for its PHI. That business associate may in turn hire a subcontractor to maintain some of the covered entity's data. If that data includes PHI, the subcontractor is also considered a business associate under HIPAA. This is true even though the company has not directly contracted with the covered entity to provide the services. 

I think we are subject to HIPAA. Now what do we do?

If your company’s group health plan is subject to HIPAA and/or your company functions as a business associate, there are certain steps you will need to take to comply with HIPAA. For example, health plans and business associates must:

  • Develop HIPAA privacy and security policies and procedures, and provide proper training on those policies and procedures
  • Perform a security risk assessment to determine risks and vulnerabilities to the electronic PHI held by the entity
  • Appoint a privacy and security officer to oversee HIPAA compliance
  • Enter into HIPAA-compliant business associate agreements in relation to any applicable business associate services

In addition, group health plans must amend their plan documents to address HIPAA's requirements and must provide a Notice of Privacy Practices to individuals at the time of enrollment in the plan and notify individuals of the availability of the Notice and how to obtain it every three years.

If the Office for Civil Rights (OCR) determines that the group health plan or business associate is not in compliance with HIPAA, it may impose an appropriate civil monetary penalty or pursue criminal penalties. The civil monetary penalties are tiered based on intent and generally range from $100 to $1,500,000. The OCR also works in conjunction with the Department of Justice to refer possible criminal violations of HIPAA. Given the high stakes of noncompliance, it is critical to understand the scope of your HIPAA obligations and take steps toward ensuring compliance.



BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say


The $150,000 fine that U.S. Department of Health and Human Services' Office for Civil Rights levied against an Alaska mental health organization last month could be a sign that OCR is settling in after a wave of leadership changes in 2014 and gearing up to aggressively investigate HIPAA compliance complaints, according to a former federal attorney.

Ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation in an article at HealthcareInfoSecurity. He predicts more high-profile enforcement actions in 2015.

Holtzman echoes a warning from Jerome B. Meites, OCR chief regional counsel for the Chicago area, who told an American Bar Association conference last summer that the whopping fines levied over the past year will "pale in comparison" to those expected to come.

Meanwhile, privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson, in an interview with HealthcareInfoSecurity, urge healthcare organizations to conduct their own mock audits to determine any exposures and to do their best to fix those problems.

They also recommend keeping all such documentation in one place--including all records of HIPAA education programs conducted with staff, and evidence that they've reviewed all business associate agreements--and ensuring that it's up to date. Chestler and Fraiche foresee BA agreements being a bigger target of OCR enforcement actions in 2015.

In particular, Chestler and Fraiche say, organizations need to re-examine all bring-your-own-device policies and make sure they address any issues that have arisen since those policies were last reviewed.

In September, OCR announced it was delaying the start of the second round of audits in order to get a web portal up and running through which entities could submit information. A specific start date has not been announced, only that the new audits will begin in early 2015.

Brett Short, chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, spoke with FierceHealthIT about receiving a call from an auditor when the organization had never received a letter saying it had 10 days to submit required documents.



Five common mistakes and how to avoid them for 2015 HIPAA audits


2014 saw a rise in data breaches and HIPAA compliance failures within the healthcare industry. The Office for Civil Rights (OCR) takes privacy and security seriously, and more organizations have been fined for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA). This year, the OCR will use the HIPAA audit program to randomly assess healthcare entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. Here are five mistakes to avoid:  

  1. Failure to keep up with regulatory requirements

Gain a better understanding of specifications for standards as “required” versus “addressable.” Some covered entities must comply with every Security Rule standard. Covered entities must determine if the addressable section is reasonable after a risk assessment, and, if not, the Security Rule allows them to adopt an alternative measure. Be sure to document everything, particularly since the OCR may look at encryption with audits this year.  

  2. No documented security program

The OCR wants to know how you implement a security risk assessment program, so be sure your organization has a documented security awareness program. Once you know the requirements, assess your environment and your users. Does your organization have a security and compliance program in place? How well is it implemented? Who is involved? How often do you communicate? Everyone in your organization should be held responsible for ensuring the safety of data and following proper procedures. Have a plan and a point person in place, and ensure your compliance and security teams talk to each other. Create a committee with stakeholders and clear responsibility, and make sure the plan is documented, communicated and enforced across the organization.

  3. A reactive approach to audits

Once you establish a security program, proactively monitor security and performance indicators, as OCR audits will focus heavily on breach plans and the controls you have in place to protect ePHI. Auditors will look for access to critical group memberships, so make sure you’re auditing and reporting on user activity – including your privileged users. Auditors are increasingly interested in this area, due to the recent increase in insider incidents.

  4. Assumptions regarding business associate agreements

Contractors and subcontractors who process health insurance claims are liable for the protection of private patient information. Make sure you have an updated business associate agreement in place, and ensure the chain of responsibility is documented, agreed upon, and reviewed frequently by both parties. You can find sample contracts offered by the OCR to help you through this process. 

  5. A checkbox approach to compliance

Regulators want to discontinue the checkbox approach to compliance in favor of a risk-based security approach. Compliance and security must go hand-in-hand, and organizations will benefit from incorporating this mindset across both teams. Strong security measures make it easier to meet compliance regulations. By adopting an organizational self-discovery approach, you will have a higher level of visibility and awareness of internal issues, and achieve a more resilient business process and the next level of organizational maturity.



HIPAA Enforcement: Waiting for Ramp Up


Some privacy and security experts are concerned that the Department of Health and Human Services' Office for Civil Rights isn't taking bold enough action in its promised efforts to step up HIPAA enforcement. They cite ongoing delays in the startup of OCR's next phase of federal HIPAA compliance audits, as well as the relatively small number of OCR HIPAA enforcement settlements in 2014 involving financial penalties.


During a Jan. 13 media briefing, OCR Director Jocelyn Samuels said her office is planning to launch its next phase of HIPAA compliance audits "expeditiously," but offered no timeline as to when (see HIPAA Audits Are Still On Hold). She said a new protocol for the next round of audits, taking into account new requirements in the HIPAA Omnibus Rule, had yet to be developed.

Last year, OCR had said that the next phase of HIPAA audits would begin in the fall of 2014 with the audits of about 350 covered entities, followed by audits of approximately 50 business associates to be conducted in early 2015. In recently acknowledging ongoing delays in the resumption of audits, OCR officials haven't said if those target numbers are still part of the agency's audit plans.

"The delay [in audits] could be like the 'boy who cried wolf,'" says Tom Walsh, president of security consulting firm Tom Walsh Consulting. "After a while, organizations begin to think, 'It will never happen.' Or 'It will never happen to us.'"

Security expert Brian Evans, senior managing consultant of IBM Security Services, notes: "Any delay in random audits allows covered entities and business associates to justify reallocating their focus and efforts in areas other than protecting information and addressing HIPAA requirements. Conversely, an active audit program serves as an additional motivator for CEs and BAs to protect information more effectively."

Reasons for Delay

A number of factors may be contributing to the delay in OCR resuming its audit program. For example, OCR has had a number of senior leadership changes in recent months, including Samuels joining in July to replace former director Leon Rodriguez. At the same time, OCR resources are likely being squeezed as more HIPAA breaches and complaints are filed and investigated by regional offices. On top of that, a delay in a technology roll-out to help automate the collection of audit-related documentation from covered entities and business associates is also likely a culprit in the stalled audit effort.

But the delay, whatever the reason behind it, could hamper efforts to boost compliance, some observers say.

"I definitely think the continuing delay is a bad thing," says privacy expert Kate Borten, president of consulting firm The Marblehead Group. "I'm disappointed, but not surprised, at the ongoing delay in OCR HIPAA audits. Unfortunately, it will be seen as taking the pressure off compliance efforts at some CEs and BAs - and they may be the most likely to need it.

"While many organizations are committed to continually improving their programs, plenty of others are oblivious to their obligations, such as to perform risk assessments and have a breach response plan. Until a robust audit program is fully implemented, I predict industry compliance will remain spotty."

Privacy attorney Adam Greene, of the law firm Davis Wright Tremaine, says that even though the audits appear to be in limbo, covered entities and business associates are taking a big risk if they use that delay as an excuse to slack off.

"Covered entities and business associates should not take too much of a sigh of relief based on the audit program delays," he says. "While the audits are important, the far larger enforcement risks continue to come from information security breaches and patient complaints."

Greene says the biggest question he has about the delayed audit program "is how many of the next round of audits will be narrowly focused desk audits and how many, if any, will be comprehensive onsite audits. OCR has referenced that they intend to do onsite audits as resources permit, but they have provided mixed signals regarding whether they currently have the resources allocated to perform such on-sites," he says.

Evans says OCR should widen its pool of covered entities and business associates that are audited.

"I would like to see a larger number of organizations audited or, minimally, surveyed. Increasing the candidate pool heightens organizational readiness to pursue and maintain compliance," he says. "Offsite 'desk audits' can be a cost-effective way of gathering compliance data and cover a wider population in the process. It also provides a more representative sampling of data for future OCR audits."

Three Monetary Penalties in 2014

When the HIPAA Omnibus Rule went into effect in September 2013, OCR had pledged to ramp up its HIPAA enforcement activities. Anticipated action included a resumption of the audit program as well as more investigations that could result in financial sanctions for HIPAA violations.

But OCR announced only three resolution agreements in 2014 involving monetary penalties for cases involving violations of HIPAA. The biggest enforcement action was in May 2014, when OCR announced a record $4.8 million settlement with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients.

Walsh says he believes it's unlikely that OCR will ramp up the number of penalties it issues this year.

"I heard ... Samuels state that the OCR is interested in voluntary compliance. Enforcement penalties and corrective action plans are the tools the OCR will use - when necessary to obtain compliance when it is obvious that nothing else will work," he says.

"Provider healthcare organizations are facing some tough budget issues starting in 2015. Imposing stiff fines for noncompliance is like the bank charging for overdrafts on insufficient funds in a checking account."

Greene, the attorney, says it's still too soon to tell how OCR's enforcement priorities may change under Samuels's leadership. "Once we have 2015 behind us ... we will have a better sense of whether OCR is increasing the number of financial settlements and how, exactly, the audit program fits into OCR's enforcement efforts."

Enforcement Arsenal

Samuels told reporters Jan. 13 that OCR expects to receive about 17,000 HIPAA complaints this year, and it will continue to use its "arsenal" of enforcement tools, including resolution agreements, corrective action plans, and financial settlements, to shine a spotlight on "high impact cases," including breaches and other HIPAA investigations that show "egregious" and "systemic" compliance concerns.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," Samuels said.


HIPAA Audits Are Still on Hold


The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.

The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.


Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.

Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.

In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.

"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."

In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.

Rules In the Works

In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:

  • A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health;
  • An advanced notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
  • A possible request for additional public input on OCR's proposed accounting of disclosures rule making. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.

In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.

Other Enforcement Activities

OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."

OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.

"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.


HIPAA privacy and public health emergency situations

In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has issued a bulletin on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule reminding health care providers that “the protections of the Privacy Rule are not set aside during an emergency.”  OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures.  Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, and should provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization.  OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient.  HIPAA also allows covered entities to release patient information without authorization for certain public health activities.  A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability.  Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority.   In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law.  Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information.  A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons who the patient identifies as being involved in the patient’s care and disaster relief organizations.  Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies.  For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies.  Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient.  If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, provided the patient has not objected to or restricted the release of this information.  Information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences.  General information about a patient’s condition includes critical or stable, deceased, or treated and released.  OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin applies.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act.  The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency.  The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol.  Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.


Former Ind. dentist to pay $12K after allegedly violating HIPAA...

Indiana Attorney General Greg Zoeller reached a $12,000 settlement with Joseph Beck over allegations that the former Kokomo dentist violated the Health Insurance Portability and Accountability Act (HIPAA) by improperly disposing of patient records.

After the Indiana Board of Dentistry permanently revoked Beck's license to practice, more than 60 boxes from his Comfort Dental clinic were found in an Indianapolis trash dumpster in 2013. The boxes contained files that allegedly held private information on more than 5,600 patients dating from 2002 to 2007, which violated state privacy laws as well as HIPAA regulations, Zoeller said.


The information ranged from full names and phone numbers to addresses and Social Security numbers. No cases of identity theft were reported.

Beck had allegedly hired Just the Connection, Inc., a third-party company, to retrieve and dispose of the records.

“In an era when online data breaches are top of mind, we may forget that hard-copy paper files, especially in a medical context, can contain highly sensitive information that is ripe for identity theft or other crimes,” Zoeller said. “This file dump was an egregious violation of patient privacy and safety.”

Beck's license to practice in Indiana was revoked over allegations of negligence and fraudulent billing practices.


Patient discharged with paperwork of 20 other patients

The Medical Center of Aurora in Colorado is under scrutiny for discharging a patient with the paperwork of 20 other patients, according to Fox 31 Denver.

On November 22, 2014, the medical center discharged Karen Billings and included the medical information of 20 other patients in the documentation provided. Billings returned to the medical center where a nurse retrieved other patients’ paperwork. However, upon reviewing her file the following day, Billings found that she was still in possession of seven pages of operating room notes belonging to other patients, Fox 31 Denver reported.

Billings said the paperwork given to her listed patients’ dates of birth, physician names, procedures, and medications. The medical center is offering free identity theft protection for affected patients, according to Fox 31 Denver.

Indiana Attorney General Enforces HIPAA For First Time – Another Lesson for Small Business | The National Law Review

As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial information, Indiana Attorney General Greg Zoeller reached a settlement with a dentist in his state, Joseph Beck, for improperly dumping patient records in violation of state law and HIPAA. The dentist agreed to pay $12,000 in fines.

According to news reports, over 60 boxes containing years of dental records pertaining to over 5,600 patients, and including very sensitive personal information, were found in a dumpster. Apparently, the dentist hired a third party vendor to dispose of the records; that vendor likely was a business associate under HIPAA and, if so, also subject to the HIPAA privacy and security rules.

For small medical or dental practices, as for other professional service businesses such as lawyers, accountants, and insurance brokers, data security can be both daunting and expensive if there is a breach. Like many businesses, small businesses rely on third party vendors to perform certain activities. When those activities involve personal information of the business’ customers, the business owner should be paying more attention. Ask the vendor what steps it has in place to protect information: does it have a written information security plan, is it licensed, does it have insurance in the event of a breach, does it train employees about data security, and, yes, how does it dispose of the records and data it is being asked to handle? In many states, businesses are required to have language in the service agreements with vendors about data security when the vendors are going to handle personal information. There is a similar provision under HIPAA for business associates.

It is troubling to see that sensitive records are still being found in dumpsters even after the many widely-publicized data breaches. But, as here, the owner of the records may not be able to avoid responsibility by shifting it to the vendor.


Survey: Charging patients for EHR access may violate HIPAA

Dive Brief:
  • A survey of healthcare providers has revealed that as much as 25% of those who charge patients for EHRs may be violating HIPAA rules by doing so, according to a report released by the American Health Information Management Association.
  • While it is permitted to charge patients a "reasonable, cost-based fee" to access their electronic medical records, the survey revealed that many providers simply mimic their individual state's photocopy policy for public records requests, charging around $1 per page. Because the fee being charged to the patient is not related to the cost of providing the record, it constitutes a violation of HIPAA policy, the report stated.
  • "Regarding charges for electronic and paper copies of records, more than half (52.6%) of respondents indicated that they charge patients for electronic copies of their medical records, and nearly two-thirds (64.7%) reported that they charge patients for paper copies of their medical records," the report stated. "Charges for electronic copies varied from a flat fee for a device to per-page fees or some combination of the two, and charges for paper copies were generally by page, with 65% reporting that they charged less than $1.00 per page. Nearly one in four respondents (23.6%) commented that they follow their state's rates for copies. Following the state rates would suggest that the fees are not uniquely based on the cost to the facility. This finding would appear to be inconsistent with HIPAA and HITECH requirements that patients may only be charged a 'reasonable cost-based fee' for copies of their medical records."
Dive Insight:

There is no doubt that the implementation of EHRs is one of the most expensive projects to hit the healthcare industry since its inception, and it's obvious that the cost of implementation is going to eventually be picked up by the consumer. Taxpayers are already footing the bill for the $28 billion already appropriated by Congress to facilitate EHR implementation through its meaningful use program, but that still doesn't cover all of their EHR expenses.

All that being said, what's at issue here is a patient's right to obtain his or her medical records. The whole point of the paperless revolution is to streamline health information and reduce costs associated with paper-only records. By that logic, HIPAA requirements are reasonable. They simply state that providers don't have the right to charge patients unreasonably to get electronic copies of their records.

Now, $1 a page (or even less) may not sound unreasonable on the surface, but with medical advances transforming many fatal conditions into chronic conditions, patients are living longer with proper treatment. It's not uncommon for a cancer patient in remission to have hundreds of pages in their medical records. And in the age of the ACA, many patients are changing doctors and plans, necessitating transfer of the EHRs. Is it fair to charge several hundred dollars for a process that is equivalent in many cases to pointing, clicking and sending an email?


Is healthcare prepared for data-sharing's security risks?

The data-sharing requirements for the Meaningful Use program and the Affordable Care Act pose significant security challenges to healthcare organizations, and Erik Devine, chief security officer at Riverside Medical Center, predicts organizations will learn this year just how prepared they are.

In an interview with HealthcareInfoSecurity, Devine says his 370-bed hospital in Kankakee, Illinois, will focus on employee training, making sure systems are patched and third-party review--"making sure we're doing what our policies say we're doing."

He foresees more persistent threats in 2015, such as the Sony hack and other breaches seen last year.

"I think healthcare is going to see a lot of attacks in ransomware," Devine says. "Employees leaking data unknowingly is a big threat to healthcare systems. Hackers are going to take advantage of that and look for the monetary value in return."

Health information exchanges will pose particular challenges, he adds.

"Are we prepared to manage all the information that's flowing in and out of the system? ... Trying to get information for the patient out there in the real world so they have better experiences at any hospital they visit will obviously carry significant risks. Is healthcare ready for that change? That's what we're going to determine in 2015 and further."

In its 2015 Data Breach Industry Forecast, Experian called healthcare "a vulnerable and attractive target for cybercriminals." However, it noted that employees remain the leading cause of compromises, but receive the least attention from their employers.

Security experts foresee phishing and ransomware attacks posing particular challenges to healthcare organizations in the coming year.

To help protect against threats like those, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Entities such as the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and the National Cyber-Forensics & Training Alliance provide information on threats, malware and vulnerabilities that organizations can use to strengthen their security, Bell says. Vendors of security products also often have their own intelligence feeds.

Scope of HIPAA Compliance Remains Uneven

A recent survey of HIPAA compliance conducted by NueMD revealed a startling range of knowledge and compliance with HIPAA. Even though HIPAA has been around since 1996 and was updated to include the HITECH Act modifications in 2009, many medical practices revealed they were unaware of the full scope of HIPAA requirements, did not necessarily understand what they did know, or have not implemented full compliance programs.

From the compliance perspective, only 58% of respondents indicated that they had a compliance plan. Even worse at this point in time, especially given the number of high profile violations and settlements, 23% responded that no plan was in place. Further, the percentage of practices that have a breach notification policy falls even further, with only 45% having a formal policy in place in the event that a breach occurs.

Diving deeper into questions related to electronic devices and use of social media, the survey is no more reassuring. For example, less than half of all staff or management associated with practices are confident that electronic devices or mobile devices are HIPAA compliant. There is a somewhat surprising confidence that electronic communications and social media are used in compliance with HIPAA though. Clearly, social media is a growing and new tool in healthcare, but 30% of office staff and non-owner providers and 34% of management and owners were confident that social media is being used in a compliant manner.

The results of the survey should not be overly surprising. When the Office for Civil Rights (“OCR”) of the Department of Health and Human Services conducted its pilot round of HIPAA audits in 2012, the results were consistent with findings of the survey. HIPAA compliance was all over the place and did not present a rosy picture. Instead, the OCR found non-compliance with any number of issues, including basic misunderstandings of just what HIPAA actually does.

Given the constantly evolving nature of threats, the relatively low numbers of practices with robust compliance programs in place or even strong confidence that HIPAA is being properly followed raises a significant level of concern. The OCR has been very clear over the past couple of years that lack of preparedness is not well tolerated. When the settlements are examined, it becomes apparent that OCR is trying to teach lessons to all of those entities that are or may be subject to the requirements of HIPAA.

What can be done to address the widespread non-compliance with HIPAA and even general lack of knowledge or awareness of HIPAA? First, education on multiple fronts and a better understanding of its multiple goals is a necessary step. For one thing, education must include a basic introduction to HIPAA and how HIPAA is designed to protect and secure information. Once a general awareness is established, then it may be possible to demonstrate why compliance is so important. Further, once the first level of education is complete, then it will be possible to move to the next level, which would be grasping how HIPAA applies to a particular entity (i.e. a healthcare provider, health plan, employer, business associate and others) and what policies and procedures are needed to fully comply with all of HIPAA’s requirements. While this level of education may appear and sound very basic and fundamental, the survey and audit results support the view that education at this level is a necessity. It is also important to note that education is not a once and done proposition. Instead, education must be a constant because the healthcare world is always changing. Everyone should always be reminded of their HIPAA obligations and how HIPAA is impacted by new technology and practices.

Once the initial education process is complete, then it should be easier to adopt and follow a comprehensive compliance program. A compliance program, which means policies and procedures, is the means by which a covered entity or business associate will satisfy its HIPAA obligations. A compliance program should not be feared, though. To the contrary, it may be viewed as an opportunity for an organization to put some best practices into place or otherwise help ensure that operations may flow more smoothly. While HIPAA can be seen as a barrier, it may be more appropriate to view it as a means of guiding a practice and offering a common set of expectations both to organizations within the healthcare field, but also to individuals or patients who interact with those entities.

While it seems there is a lot to do, the present state of affairs offers an opportunity to change how the future will play out. Now that HIPAA is becoming the center of attention, there is the chance for organizations that have not taken all of the necessary steps to now chart a course that takes HIPAA into account and positions the organization for compliance going forward. Organizations have received an inadvertent grace period by the delay of the newest audits to be conducted by the OCR. The opportunity should not be lost. Surveys, such as the one conducted by NueMD, present yet another learning opportunity and can start the dialogue in crafting and implementing a sound HIPAA compliance program.

FTC's Edith Ramirez: Connected health devices create bevy of privacy risks

For much of 2014, the Federal Trade Commission made it a point to be a prominent voice regarding the protection of consumer health information. Last May, for instance, it published a report recommending that Congress force data brokers to be more transparent about how they use the personal information of consumers, including health information.

And in July, FTC Commissioner Julie Brill spoke about how consumers should be given more choices from developers when it comes to data sharing by smartphone apps gathering health information.

That trend continued Tuesday at the International Consumer Electronics Show in Las Vegas, where FTC Chairwoman Edith Ramirez spoke about privacy protection, including for health data. Ramirez noted, for instance, that while the Internet of Things has the potential to improve global health, the risks are massive.

"Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks," Ramirez said. "These risks to privacy and security undermine consumer trust."

Ramirez outlined three challenges to consumer privacy presented by the Internet of Things:

  • Ubiquitous data collection
  • Unexpected data use resulting in adverse consequences
  • Increased security risks

Additionally, she said that technology developers must take three steps to ensure consumer privacy:

  • Adopt "security by design"
  • Engage in data minimization
  • Boost transparency and offer consumers choices for data usage

"[T]he risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes," Ramirez said.

Members of the House Committee on Oversight and Government Reform questioned the FTC's health data and cybersecurity authority at a hearing last summer. Committee Chairman Darrell Issa (R-Calif.) said that safeguards are needed to guide the FTC's processes in determining entities subject to security enforcement.

Last January, the agency ruled that entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the FTC.


What Constitutes a HIPAA Violation? | HealthITSecurity.com

No individual wants his or her protected health information (PHI) to be unnecessarily made public. Not only is the information personal, but if it fell into the wrong hands, it could lead to many issues – personal and even medical – for the patient in question.

As technology continues to evolve, it also seems that the number of healthcare data breaches is on the rise. Rightfully so, more people are becoming aware of how their information is shared electronically. But are all concerns over electronic data sharing warranted? Is everything considered a HIPAA violation?

That concern is one reason why some hospitals are reportedly abandoning a long-held tradition: announcing the first birth of the new year. Community Health Systems recently ordered its facilities nationwide to stop publicizing the first baby born in the year, according to the Associated Press.

“We know the birth of the new year baby is a joyous and exciting event, but protecting patient safety and privacy is our most important responsibility,” Community Health spokeswoman Tomi Galin told the news source.

Galin added that the move was a preventative measure, and not because of specific threats or abduction attempts. Moreover, the National Center for Missing & Exploited Children cautions healthcare providers about how much information they give to the media, Galin said. For example, home addresses or other personally identifiable information does not need to be released.

Community Health made headlines last year when it reported that Chinese cyber criminals hacked into its database, compromising the information of 4.5 million patients. The data included names, addresses, birth dates, telephone numbers and Social Security numbers. However, no credit card or medical data were involved.

Another surprising area where a HIPAA violation concern arose was in Major League Baseball. Matt Kemp played for the Los Angeles Dodgers, and was involved in a trade deal that would send him to the San Diego Padres. However, there were concerns over Kemp’s physical condition, according to a Yahoo Sports story. Specifically, a USA Today article reported that Kemp’s physical showed severe arthritis in his hips.

Yahoo Sports quoted a tweet from Ken Rosenthal, which said it would not be good if the Padres had leaked the medical information.

“Information damages Kemp in public realm. Gives appearance of #Padres trying to leverage medical information. And is a violation of HIPAA,” read the tweet.

But what exactly constitutes a HIPAA violation? According to the Department of Health and Human Services (HHS), organizations defined as a HIPAA covered entity need to comply with the rule’s requirements to protect patients’ privacy and security.

“If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information,” according to HHS.

Something that is seemingly innocent, such as announcing the first baby born in a new year, will not always lead to things such as identity theft. However, too much personal information, or information that is given without written parental consent, might be enough for a criminal to take advantage of the situation.

In terms of professional athletes, their information is often in the public eye. But covered entities must remain diligent in keeping PHI safe, regardless of who the data belongs to. Neither of these situations is necessarily a HIPAA violation, but it is important for healthcare organizations – and their patients – to remain current on all regulations to best protect sensitive information.

