HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

5 Types of HIPAA Violation for Doctors to Avoid

HIPAA violations are a constant threat to doctors running a medical practice. Since 1996, the Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patients' privacy closely.
 
Depending upon the type of the breach, physicians can be liable for $100 up to $50,000 for each violation, with a maximum of $1.5 million for identical provisions during a calendar year.

Worse than this, some violations can lead to imprisonment in extreme circumstances. (For a full guide to the levels of HIPAA violation, you can review this guide.)

For these reasons, as well as to safeguard your patients' information, it is very important to know which HIPAA violations to avoid. Essentially, if you violate HIPAA, you're risking the information of your patients, as well as potentially your credibility and reputation as a professional.

Here is a group of HIPAA violations doctors may wish to avoid:

1) Discussing patient information publicly

If your staff discuss patients' names, addresses and/or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or a change of address in private. Also, create a quiet place for phone calls to occur. Even if you're just calling a patient to set up or confirm an appointment, it is better to do this in a private area if possible.
 

2) Paper files in Non-Secure Locations

The days of having paper charts are fading away, as more and more doctors move to using an EHR for all patient records. If you still use any form of paper documents, be sure not to leave them in unsecured or unattended areas. Also make sure that charts, paperwork and forms that patients bring in from other practices are filed and stored securely.
 
Also, if you are converting from paper documents to an electronic office, be sure to shred any patient records before you dispose of them.

3) Non-Encrypted Email or Sending Incorrect emails

Never underestimate the importance of encryption, even for seemingly innocent files. Using non-encrypted email services such as Gmail, Outlook, Yahoo and other well-known providers leaves your messages at risk of being accessed by hackers. For this reason, you should consider an encrypted email or file-sharing service for pertinent patient information.

Along with this, make sure that you are sending patient information to the correct recipient. When sending bulk emails to patients, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn't double-check your recipient or an email attachment. This is one of those areas where slow, steady, careful checking pays off.

4) Unsecured Patient Portals

If you use or are considering creating a patient portal, make sure it requires a secure login, so that personal patient information is not accessible without a username and password.

When it comes to families who can share information, be sure to get authorisation from the patient first. A good practice is to require identity verification for password reminders, and you might also remind your patients to access their patient portal only when they have a secure internet connection.

5) Non-HIPAA video chat

Some doctors have considered using Skype or FaceTime to communicate with patients. While they are great free platforms for video chat, the reality is they weren't designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their own Internet connection is secure, there is very little they can do to make sure everything is secure on the patient's receiving end. One alternative is to ensure there is a Business Associate Agreement in place with the vendor. The same issues arise with security for text messaging, so be sure to use HIPAA-compliant texting tools here as well. Ideally, the solution is to use a HIPAA-compliant application designed for telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn't mean they aren't a negative for your practice. A data breach of any kind can damage your practice's reputation, even without your knowledge. By treating all patient information with the same caution, you can enjoy the peace of mind that comes with being HIPAA compliant.

Data Breach Reporting Requirements for Medical Practices

Are we ready to replace passwords with biometrics for access to our facilities' networks and EHRs? I know that I'm ready for something easier and more secure than my ever-changing facility login, a byproduct of being forced by the system to change my password every couple of months.

In its current iteration, the EHR at my facility takes three separate login steps to get into the record to document a patient encounter or retrieve information. This doesn't seem like much, but multiply it by 20 or 30 patients and it becomes burdensome and a significant time waster.

If a terminal is locked, I have to enter my credentials to access the system and from there, I have to enter my credentials to open the EHR. Then if I want to dictate any notes, I have to again enter my credentials to open the dictation software. It gets old in a hurry, and is a major complaint among members of the medical staff at my community hospital.

The IT team in our organization is experimenting with using the embedded "near field" chip in our ID cards as a way to log in to the EHR. It would be a big step forward and would eliminate most of the authentication steps needed to access our EHR. It would also have the added advantage of encouraging all members of the medical staff to carry their hospital IDs, but not all software needed for charting supports this mode of authentication.

Fast Identity Online (FIDO) is the current buzz phrase that refers to all of the biometric authentication technology currently available or planned. We are already using our fingerprints in a variety of ways to unlock our phones and doors, and there are readily available technologies that rely on retinas, irises, face recognition, or voice recognition that are being developed to solve authentication and security problems. We have seen the future in a variety of science fiction films, and much of it is working and available technology.

While there is a tremendous upside to FIDO technology, there are also significant downsides in the form of privacy risk. We constantly see that passwords are not 100 percent secure, and companies tasked with protecting our personal data stored on their servers also fail. It is not too much of a stretch to raise concerns about personal biometric data being stored on vulnerable servers, and the privacy vulnerability that this represents to us all as individuals.

There should be similar concerns with biometric security data. My fingerprints are stored on my phone as a security measure, but could an enterprising criminal find a way to use that data to reconstruct my fingerprints?

As always, computer technology and software are well ahead of privacy protections and personal security, and will remain so for some time, possibly forever.

To make it work on an EHR, we need enterprise-level solutions, as the thought of customizing my FIDO login separately at each terminal in the hospital defeats the purpose and intent of making this simultaneously easier and more secure.

It seems that an enterprising technology company would see the opportunity in allowing medical providers to quickly and securely sign into an EHR. I know that there are a lot of smart people working on this problem in an attempt to make this both easier and more secure for those of us in the trenches.

As the pace of technology development and implementation becomes more rapid, so does the need for increased security and privacy, as well as for reducing the technological burden on the healthcare providers who have to use this technology daily in the performance of their jobs. These competing trends become more important every day as the EHR becomes more ubiquitous.

Protect Your Practice Data Against a Breach

Technology has changed the face of patient care. But it has also opened a Pandora's Box of lurid and potentially expensive data breaches. Don't be lulled into a false sense of security because you may think your practice is too small to be a target for hackers. The lessons for large health systems are as relevant as those for small, independent practices. Data security can't be left to chance.

Ike Devji, an Arizona-based asset protection and risk-management attorney, works with physicians to help them develop policies to protect their practice data and minimize liability risk. He says most doctors suffer from what he calls "risk myopia," meaning that they are focused too intently on mitigating malpractice risk. But what about identity theft or HIPAA violations or securing patient financial data? "If [data breaches] could happen to the most sophisticated companies in the world, who have entire dedicated teams of IT security professionals, believe me, it can happen to your medical practice," cautions Devji.

So what should you do? There are many ways that your practice can protect itself against data breaches, even if your technology budget is slim. Here's how our experts say you should start.


TAKE DATA SECURITY SERIOUSLY


Even before you invest in software and support services to protect your patient data, you need to be clear about how your practice will approach data security. Too often, practice policies are absent or left up to individuals to haphazardly carry out. According to Devji, that is asking for trouble.

Devji's experience has taught him that practices often don't take cybersecurity seriously enough. He says that crimes happen most often when there is opportunity — it is easier for hackers to target a small practice and steal patient credit card numbers, than it is to, say, break into American Express.

Another concern for practices is making sure they are compliant with HIPAA regulations. In 2013, HHS released the HIPAA Omnibus Rule that strengthened the original provisions in HIPAA, bringing the total number of regulations up to 49, says Marion Jenkins, chief strategy officer at 3t Systems, a healthcare consulting company. He says the regulatory landscape is complex, and even a small practice could be looking at hundreds of thousands of dollars in fines for an unintentional HIPAA violation.

Devji says his firm makes sure that clients have an appropriate data security plan in place that includes HIPAA protections, limits staff access to protected health information (PHI), and also identifies the individual(s) who will be responsible for implementing and monitoring the plan. Here are five other key provisions that should be part of any data security plan.


FIND QUALIFIED IT SUPPORT


Because smaller practices don't generally have an IT support budget, they tend to gravitate to free tools and solutions, which can be problematic, says Boatner Blankenstein, senior director of solutions engineering for Bomgar, an enterprise technology solutions company. "Without having IT resources, there's just a lot of opportunity for misuse of technology. Scams and things — people calling and saying they're here to help you and they are really not," he says.

Jenkins says that the strongest leg of your risk-prevention strategy should be finding professional IT support that you can trust. "I have a three-question quiz that [practices] can give to an IT provider … The quiz has to be given orally, because the first question is 'How do you spell HIPAA?' The second question is 'What does it stand for?' and the third question is 'What is the difference between HIPAA security and HIPAA privacy?' If they can't answer those three questions, then you probably have a HIPAA problem waiting to happen," he says.

PROVIDE STAFF TRAINING AND EDUCATION

Your staff members are not able to learn your data security policies through osmosis. So, you must make data security a priority and teach them how to approach it. Devji says many times HIPAA violations occur through simple mistakes, like failing to lock computers and mobile devices with passwords, and copying sensitive data to an unencrypted USB drive.

Your staff training should cover at a minimum:

• The use of practice computers for personal e-mails and Internet surfing;

• Transporting data offsite using mobile devices;

• Protocols for departing staff members, e.g. changing passwords and network access;

• Educating staff on HIPAA requirements;

• The use of mobile devices at home and work; and

• Encrypting all patient data, regardless of the device.

INSTALL AND UPDATE ANTI-VIRUS SOFTWARE

In the course of a normal business day, practices are communicating electronically with multiple websites and healthcare networks, like CMS, third-party payers, and the CDC, for example. It is vital to have adequate virus and malware protection programs installed on all desktop computers and mobile devices, especially if they are used to access the practice's EHR system.

"[Anti-malware, anti-virus protection, anti-spam] are absolutely required by HIPAA. One of the 49 requirements is you have to protect your systems from malicious software," says Jenkins.

But don't stop there. Your software must be updated on a continuous basis. How many times have you skipped over software updates for your computer because you are too busy to stop what you are doing? Unfortunately, when you do that, you are missing out on critical security patches. Devji says "many of those updates are security specific and are continually patching vulnerabilities that are found in those programs." Skipping updates just makes it that much easier for hackers to access your computer system.


ADOPT DATA ENCRYPTION


Protecting your patient data doesn't always require a sophisticated security solution. The safest thing a practice can do is guard against the loss or theft of mobile devices and make sure that all data is encrypted — both at rest and in motion. The Verizon 2014 Data Breach Investigations Report found that together, insider misuse, miscellaneous errors, and physical theft and loss accounted for 73 percent of security breaches in the healthcare industry.

The report recommends:

• Encrypting mobile devices, like laptops and USB drives;

• Backing up sensitive data; and

• Securing mobile devices with locks to immovable fixtures, like cabinets, when not in use.


CONDUCT SECURITY AUDITS


Many practices are not aware that conducting an internal risk assessment is required by HIPAA, says Jenkins. He says he has conducted over 100 HIPAA security assessments, and the number of practices that have passed is "less than 5 percent." He says that while there are templates available through the HHS Office of the National Coordinator for Health Information Technology's website, practices should consider soliciting professional help, as "some of [the assessment] is pretty technical."

Some key action points here are:

• Engage an IT security expert or EHR vendor to audit your networks, equipment, and processes.

• Make sure that software upgrades are current on all equipment and devices.

• Review your anti-virus software to make sure it provides adequate protection.

IN SUMMARY

Medical practice data security can't be left to chance; the stakes are just too high. Fortunately, after securing professional advice, there are simple things you can do to secure your information.

Take these steps to ward off loss of data and equipment:

• Create a practice data security plan

• Provide staff training on data security

• Install anti-virus and anti-malware software

• Adopt data encryption

• Conduct security audits

Hospital email hack compromises PHI of 4,400 patients

Hackers gained access to the email accounts of employees at St. Mary’s Health in Evansville, Indiana, by uncovering their usernames and passwords. The hack exposed the PHI of nearly 4,400 St. Mary’s patients, according to a breach notice.

What’s more, some have speculated that St. Mary’s may have violated the HIPAA Breach Notification Rule as it appears it did not notify individuals of the breach within 60 days of initial discovery. On December 3, 2014, St. Mary’s learned that its employees’ usernames and passwords were compromised. After launching an investigation, the healthcare facility discovered January 8 that the compromised email accounts contained patient PHI. St. Mary’s posted a breach notification letter on its website March 5 stating that it would also notify affected individuals by mail and alert media outlets.

PHI linked to the compromised email accounts included:

    Names
    Dates of birth
    Gender
    Dates of service
    Insurance information
    Limited health information
    Some Social Security numbers

Breaking Down HIPAA Rules: Data Breach Notification

Recent headlines are bringing certain HIPAA rules and regulations to the forefront of healthcare, legal, and public discussion. In the wake of the Anthem data breach that potentially exposed the personally identifiable information of up to 78 million individuals, the data breach notification rule is becoming more prevalent.

Questions are arising over how Anthem business associates are affected. Are those organizations obligated in the same way when it comes to notifying customers? What about notifying the authorities? Perhaps some healthcare entities see the Anthem situation and wonder what they would be obligated to do in a similar situation. We’ll discuss the larger aspects of the HIPAA breach notification rule, and explain exactly how covered entities are required to notify individuals and the necessary authorities.

What is the HIPAA breach notification rule?

The HIPAA breach notification rule requires that covered entities and their business associates notify necessary parties after unsecured protected health information (PHI) is compromised. For example, let’s say that a healthcare organization leaves an unencrypted laptop in a room that is not properly secured. The device is stolen and suddenly several hundred patients’ PHI is potentially in criminals’ hands. The healthcare organization in question is required under HIPAA to notify the patients, the Department of Health & Human Services (HHS) and potentially the media.

Under the rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can show that there is a low probability that the PHI was compromised, based on a risk assessment of at least the following factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed;
  • The extent to which the risk to the protected health information has been mitigated.

Covered entities and business associates may also be able to give the necessary breach notifications without performing a risk assessment to determine the probability that the PHI was compromised, according to HHS.

It is also important to note that the HIPAA breach notification rule only applies to unsecured PHI. This is PHI “that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”

Essentially, if a covered entity or business associate does not make the effort to protect sensitive information, such as by using passwords or multi-factor authentication, that information may be deemed unsecured PHI. This calls back to the need for healthcare organizations to implement and adhere to administrative, technical, and physical safeguards. All of these will help facilities better protect PHI.

What are the notification requirements?

The HIPAA breach notification requirements will vary depending on how many individuals are possibly affected by the exposure of unprotected PHI. If more than 500 people are potentially at risk, then the organization must notify prominent media outlets serving the State or jurisdiction. As far as timeline, this notice must be given “without unreasonable delay” and in no case later than 60 days following the discovery of a breach. The same information that was on individual notifications must be included in the media notice.

The Secretary must also be notified in the same time frame for breaches affecting over 500 people. In instances where fewer than 500 people are affected, covered entities need to make an annual report. However, these notices are due to the Secretary “no later than 60 days after the end of the calendar year in which the breaches are discovered.”

Regardless of the size of the data breach, individual notification must also take place without unreasonable delay or no later than 60 days following the breach discovery. If there is outdated contact information for 10 or more individuals, then the covered entity must post the notice on its web site’s home page for at least 90 days or give the notice to major print or broadcast media where the affected individuals likely live.

The following information must be included in the individual notifications:

  • A brief description of the breach
  • A description of the types of information that were involved in the breach
  • The steps affected individuals should take to protect themselves from potential harm
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
  • Contact information for the covered entity (or business associate, as applicable).

With the HIPAA Omnibus Rule, business associates are also now responsible for protecting patients' PHI. Should a data breach occur at a business associate's facility, that organization needs to notify its covered entity without unreasonable delay and no later than 60 days following the breach's discovery.
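The tiers and deadlines above, carried through as an added Python example (not the article's code): given the discovery date and the number of affected individuals, it returns each required notification with its deadline and flags which ones a late notice missed. It assumes the large-breach tier is 500 or more individuals, the regulation's wording, which the article paraphrases as "more than 500"; the sample dates are taken from the St. Mary's Health item earlier on this page.

```python
"""HIPAA Breach Notification Rule deadline calculator (added example, not the
article's code). Encodes the tiers described above: individuals and, for large
breaches, media and HHS within 60 days of discovery; small breaches go to HHS
within 60 days after the end of the calendar year; 10 or more stale addresses
trigger substitute notice; a business associate reports to its covered entity."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # "no later than 60 days" after discovery
SUBSTITUTE_WEB_DAYS = 90             # home-page posting must stay up at least 90 days
LARGE_BREACH = 500                   # assumption: 500 or more individuals (45 CFR 164.408);
                                     # the article paraphrases this as "more than 500"
STALE_CONTACT_THRESHOLD = 10         # 10 or more outdated addresses -> substitute notice


@dataclass(frozen=True)
class Obligation:
    recipient: str   # who must be notified
    deadline: date   # last permissible day for the notice
    how: str         # form of the notice


def breach_obligations(discovered: date, affected: int, stale_contacts: int = 0,
                       business_associate: bool = False) -> list[Obligation]:
    """Return every notification the rule requires, each with its deadline.

    discovered         date the breach was discovered
    affected           number of individuals whose unsecured PHI was exposed
    stale_contacts     affected individuals whose contact information is outdated
    business_associate True when the reporting party is a business associate,
                       whose duty is to notify the covered entity it serves
    """
    if affected < 1:
        return []   # nobody affected: no notification duty under this rule
    by_discovery = discovered + NOTIFY_WINDOW

    if business_associate:
        return [Obligation("covered entity", by_discovery,
                           "notice to the covered entity, without unreasonable delay")]

    obligations = [Obligation("affected individuals", by_discovery,
                              "written notice by mail")]
    if stale_contacts >= STALE_CONTACT_THRESHOLD:
        obligations.append(Obligation(
            "affected individuals (substitute notice)", by_discovery,
            f"home-page posting for {SUBSTITUTE_WEB_DAYS} days or major print/broadcast media"))

    if affected >= LARGE_BREACH:
        obligations.append(Obligation("prominent media outlets", by_discovery,
                                      "media notice with the same content as the individual notice"))
        obligations.append(Obligation("HHS Secretary", by_discovery,
                                      "report to the Secretary in the same time frame"))
    else:
        # Breaches below the large tier are reported in an annual log, due 60 days
        # after the end of the calendar year in which they were discovered.
        year_end = date(discovered.year, 12, 31)
        obligations.append(Obligation("HHS Secretary", year_end + NOTIFY_WINDOW,
                                      "annual log of breaches affecting fewer than 500 individuals"))
    return obligations


def overdue(obligations: list[Obligation], notified_on: date) -> list[str]:
    """Recipients whose deadline had already passed on the date notice was given."""
    return [o.recipient for o in obligations if notified_on > o.deadline]


if __name__ == "__main__":
    # Sample input constructed from the St. Mary's Health item on this page:
    # credentials found compromised on 2014-12-03, about 4,400 patients affected,
    # public notice posted 2015-03-05.
    found = date(2014, 12, 3)
    plan = breach_obligations(found, affected=4400)
    for o in plan:
        print(f"{o.deadline}  {o.recipient}: {o.how}")
    print("past deadline on 2015-03-05:", overdue(plan, date(2015, 3, 5)))
```

The run shows every 60-day deadline for the 4,400-patient case falling on 2015-02-01, so a notice posted on 2015-03-05 is flagged for all three recipients, which is exactly the timing question the St. Mary's item raises.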

Proper documentation is required

HIPAA administrative requirements are quite important in the breach notification process. For example, HHS requires covered entities to show that all required notifications were provided following a data breach, or to prove that a use or disclosure of unsecured PHI did not constitute a breach. This requires covered entities to document that all required notifications were made, or to document that notification was not necessary.

This could be done in one of two ways. First, a covered entity shows that its risk assessment found a low probability that the PHI was compromised by the impermissible use or disclosure. The second way could be through “the application of any other exceptions to the definition of ‘breach.’”

Moreover, healthcare organizations need to have written policies and procedures in place that cover the breach notification process. Employees need to then be trained on those policies and procedures. It is also essential for covered entities to develop and apply sanctions where necessary should employees not comply with the documented policies and procedures.

Essentially, it is important for covered entities to create a contingency plan in case a data breach happens. No healthcare organization wants to fall victim to a data breach, but it is unrealistic to assume that nothing will ever happen. That is why it is important to develop, implement and document the appropriate administrative safeguards. That way, when a healthcare data breach does occur, a covered entity will hopefully avoid federal fines in terms of its data breach notification process.

Digital copiers — a source of data breach

Could the office copy machine pose a threat to the security of staff or clients?

Yes, says a local expert.


A 2010 CBS investigative report revealed that a hard drive from a digital office copier from Affinity Health Plan Inc. was repurchased and found to contain nearly 344,579 confidential medical records. The copier's hard drive was never scrubbed or erased.


Due to the data breach, Affinity Health was found to be in violation of HIPAA Privacy and Security Rules and fined $1,215,780 in 2013.


Stories like this concern Carmen Pitarra, owner of 4 The Office, a business-to-business office supply service in Pittston. He said digital copiers and multi-functional devices contain internal hard drives that give the devices the ability to multi-task. Although most devices have disk encryption, breaches such as what happened to Affinity Health can still occur.


To prevent a repeat, Pitarra is trying to educate his clients on industry security measures and how to use them.


“We are not like ‘the sky is falling’ because it is not,” Pitarra said. “The industry has done its job in creating security measures and kits. We want to raise awareness.”


Data breaches


Data breaches can happen easily, he said.


• Step one: a business leases a digital, multi-function copier.


• Step two: overwriting or hard drive clearing options are not utilized, which allow for every document scanned, copied, printed or faxed to be saved to the hard drive.


• Step three: When the lease expires or the machine reaches its end of life, the hard drive is not scrubbed or replaced. All information, from payroll to client records, travels off with the copier to a new owner, which could be overseas.


“Sixty to 70 percent of leased digital copiers are remarketed,” Pitarra said. “In today’s data-driven world, information can be easily obtained if the safe guards are not used.”


The copier’s hard drive is similar to that of a laptop, he said, and can be removed. The information could then be accessed through a hard-drive reader, available online starting at $16.95.


Large corporations have become aware of potential data security breaches and implemented a variety of precautions, including having incoming jobs held until the recipient enters a pass code or swipes a card to release the information, Pitarra said.


“It is the small businesses I am worried about,” Pitarra said.


The local dentist office, small car dealership or independent financial advisors who may not have access to an IT department are the ones more frequently at risk, he said.


Many manufacturers have a standard security feature called “Hard Disk Image Overwrite,” which if turned on can erase images on the hard drive after every print-job. A report will print confirming a successful overwrite.


Don Nelson, chief technology officer with Luzerne County Community College in Nanticoke, said their security policy requires hard drives to be removed from the machine before it can be taken from the campus. Hard drives are then disposed of.


“One way to destroy a hard drive is to take a drill and put holes through the middle of it,” Nelson said.


Pitarra said his staff is trained to remove the hard drive and give it to the business owner before removing the machine from the property. A new hard drive is installed with the proper firmware, which is the programming to make the copier operational.


Pitarra said he has been considering placing a sticker on his machines with hard drives to make business owners aware and take data security precautions.


Not every copier has a hard drive


It is important for business owners to know what kind of copier they have and whether or not it has a hard drive. Pitarra and Nelson advise owners who are not sure to contact the manufacturer or a licensed technician.


Melissa Werner, executive director at the Hoyt Public Library, said the library’s printer — used for a variety of purposes by the general public — does not have a hard drive.


“When we purchased our copier, we chose one that did not have that feature,” Werner said.


A store representative from the UPS Store in the Gateway Shopping Center in Edwardsville stated that the copiers and fax machines within the store are designed for public use and “do not have a memory and do not store any information.” The heavily used copier and fax machines are leased through an independent company through the United Postal Service.

Prison Term in HIPAA Violation Case

A former Texas hospital worker has been sentenced to 18 months in federal prison for criminal HIPAA violations, one of the toughest penalties yet for that crime. And some legal experts predict more criminal prosecutions for HIPAA violations are likely.

"We have seen between a dozen and two dozen HIPAA criminal prosecutions over the years, so they are pretty rare," says privacy attorney Adam Greene of law firm Davis Wright Tremaine. "But the threat of criminal use of health information and demographic information - such as Social Security numbers - continues to grow, so it wouldn't be surprising to see an increase in these prosecutions."

Joshua Hippler, 30, formerly of Longview, Texas, was sentenced by a U.S. District Court judge after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information, according to the U.S. Department of Justice.

In addition to his incarceration, court documents also indicate that Hippler's sentence includes a three-year supervised release and an order to pay $12,152 restitution. The criminal complaint against Hippler, and other documents related to the case, however, are sealed by the court.

HIPAA Violation Details

Federal prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital. During this time, he obtained protected health information with the intent to use it for personal gain, prosecutors say.

A DOJ spokeswoman in July told Information Security Media Group that the HIPAA violation came to light when Hippler was arrested in Georgia and found to be in possession of patient records.

The case was investigated by the Department of Health and Human Services' Office of Inspector General and the U.S. Postal Inspection Service.

Other Cases

While the sentence Hippler received was a tougher penalty than seen in most other HIPAA-related criminal cases, some others have received stiffer penalties in cases that involved HIPAA violations as well as other crimes.

In October 2013, Florida U.S. district court documents show, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.

In April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud as well as criminal HIPAA violations.

Aside from those cases, most other defendants sentenced for criminal HIPAA violations have generally gotten lighter sentences.

For example, last November, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.

And in 2010, former UCLA Healthcare System surgeon Huping Zhou was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California.

Growing Problem

"I do expect us to see more prosecutions as the interest in healthcare information increases for a variety of purposes, including identity theft, cyberstalking, public shaming and celebrity watching," says privacy and security attorney Scot Ganow of law firm Faruki Ireland and Cox PLL.

"As long as the healthcare industry continues to actively use Social Security numbers, we will see increased criminal activity and related prosecutions," he says. "The data is simply too tempting for criminal activity. When you think of what information is kept in medical records, the identity theft 'Big 3' are always there: Name, date of birth, and Social Security number."

As to the punishment that defendants get for HIPAA-related violations, "sentencing guidelines are designed to punish and hopefully deter the illegal behavior," Ganow says. "On the civil side, whether a privacy claim advances most often depends on whether the plaintiff can show she experienced harm, or her risk of harm substantially increased, as a direct result of the breach or wrongful disclosure. I would speculate the criminal sentences would indeed become more exacting when harm is shown or the activity had a significant impact on the victims, be they individuals, businesses or even the government."


Anthem Suffers the Largest Healthcare Data Breach to Date

Hackers have stolen millions of customer and employee records from Anthem, the country’s second-largest health insurer. Anthem states the hackers were able to gain access to Anthem’s IT database, obtaining personal information on around 80 million current and former Anthem members, such as their names, birthdays, medical IDs/Social Security numbers, street addresses, email addresses and employment information, including income data. However, there is no evidence the hackers stole credit card or medical information, such as claims, test results or diagnostic codes.

“Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack.

Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data,” said Anthem President and CEO Joseph R. Swedish, in a statement.

Anthem has notified the FBI and has fully cooperated with its investigation, and has also brought on cybersecurity firm Mandiant to evaluate its systems and identify solutions. The recent attack would make it the largest healthcare data breach to date, according to Vitor De Souza, a spokesman for Mandiant. For now it is unclear how the hackers were able to access Anthem’s database.

Anthem has set up a website, www.AnthemFacts.com, and a toll-free number, 1-877-263-7995, to help respond to any questions. The company also noted it would provide free identity repair services and credit monitoring.

“Health records are the new gold for hackers. When your credit card number is stolen you can cancel the card and get a new one, but your health record includes your social security number which cannot be replaced. Hackers have gotten very sophisticated so early discovery of breaches is the best way for organizations to limit the damage,” said Nat Kausik, CEO of Bitglass to HIT Consultant.

According to the 2014 Healthcare Breach Report from Bitglass, the total number of healthcare data breaches per year has remained fairly constant for the past three years—averaging about 200 breaches per year. About 6x as many credit card numbers as medical records are stolen each year. The cost of healthcare data breaches is steep: Up to $50,000 per HIPAA violation, or up to $1,500,000 per calendar year per identical violation.


Protect Your Practice Data Against a Breach

Technology has changed the face of patient care. But it has also opened a Pandora's Box of lurid and potentially expensive data breaches. Don't be lulled into a false sense of security because you may think your practice is too small to be a target for hackers. The lessons for large health systems are as relevant as those for small, independent practices. Data security can't be left to chance.

Ike Devji, an Arizona-based asset protection and risk-management attorney, works with physicians to help them develop policies to protect their practice data and minimize liability risk. He says most doctors suffer from what he calls "risk myopia," meaning that they are focused too intently on mitigating malpractice risk. But what about identity theft, HIPAA violations, or securing patient financial data? "If [data breaches] could happen to the most sophisticated companies in the world, who have entire dedicated teams of IT security professionals, believe me, it can happen to your medical practice," cautions Devji.

So what should you do? There are many ways that your practice can protect itself against data breaches, even if your technology budget is slim. Here's how our experts say you should start.

TAKE DATA SECURITY SERIOUSLY

Even before you invest in software and support services to protect your patient data, you need to be clear about how your practice will approach data security. Too often, practice policies are absent or left up to individuals to haphazardly carry out. According to Devji, that is asking for trouble.

Devji's experience has taught him that practices often don't take cybersecurity seriously enough. He says that crimes happen most often when there is opportunity — it is easier for hackers to target a small practice and steal patient credit card numbers, than it is to, say, break into American Express.

Another concern for practices is making sure they are compliant with HIPAA regulations. In 2013, HHS released the HIPAA Omnibus Rule that strengthened the original provisions in HIPAA, bringing the total number of regulations up to 49, says Marion Jenkins, chief strategy officer at 3t Systems, a healthcare consulting company. He says the regulatory landscape is complex, and even a small practice could be looking at hundreds of thousands of dollars in fines for an unintentional HIPAA violation.

Devji says his firm makes sure that clients have an appropriate data security plan in place that includes HIPAA protections, limits staff access to protected health information (PHI), and also identifies the individual(s) who will be responsible for implementing and monitoring the plan. Here are five other key provisions that should be part of any data security plan.


FIND QUALIFIED IT SUPPORT

Because smaller practices don't generally have an IT support budget, they tend to gravitate to free tools and solutions, which can be problematic, says Boatner Blankenstein, senior director of solutions engineering for Bomgar, an enterprise technology solutions company. "Without having IT resources, there's just a lot of opportunity for misuse of technology. Scams and things — people calling and saying they're here to help you and they are really not," he says.

Jenkins says that the strongest leg of your risk-prevention strategy should be finding professional IT support that you can trust. "I have a three-question quiz that [practices] can give to an IT provider … The quiz has to be given orally, because the first question is 'How do you spell HIPAA?' The second question is 'What does it stand for?' and the third question is 'What is the difference between HIPAA security and HIPAA privacy?' If they can't answer those three questions, then you probably have a HIPAA problem waiting to happen," he says.

PROVIDE STAFF TRAINING AND EDUCATION

Your staff members are not able to learn your data security policies through osmosis. So, you must make data security a priority and teach them how to approach it. Devji says many times HIPAA violations occur through simple mistakes, like failing to lock computers and mobile devices with passwords, and copying sensitive data to an unencrypted USB drive.

Your staff training should cover at a minimum:

• The use of practice computers for personal e-mails and Internet surfing;

• Transporting data offsite using mobile devices;

• Protocols for departing staff members, e.g. changing passwords and network access;

• Educating staff on HIPAA requirements;

• The use of mobile devices at home and work; and

• Encrypting all patient data, regardless of the device.

INSTALL AND UPDATE ANTI-VIRUS SOFTWARE

In the course of a normal business day, practices are communicating electronically with multiple websites and healthcare networks, like CMS, third-party payers, and the CDC, for example. It is vital to have adequate virus and malware protection programs installed on all desktop computers and mobile devices, especially if they are used to access the practice's EHR system.

"[Anti-malware, anti-virus protection, anti-spam] are absolutely required by HIPAA. One of the 49 requirements is you have to protect your systems from malicious software," says Jenkins.

But don't stop there. Your software must be updated on a continuous basis. How many times have you skipped over software updates for your computer because you are too busy to stop what you are doing? Unfortunately, when you do that, you are missing out on critical security patches. Devji says "many of those updates are security specific and are continually patching vulnerabilities that are found in those programs." Skipping updates just makes it that much easier for hackers to access your computer system.


ADOPT DATA ENCRYPTION

Protecting your patient data doesn't always require a sophisticated security solution. The safest thing a practice can do is guard against the loss or theft of mobile devices and make sure that all data is encrypted — both at rest and in motion. The Verizon 2014 Data Breach Investigations Report found that together, insider misuse, miscellaneous errors, and physical theft and loss accounted for 73 percent of security breaches in the healthcare industry.

The report recommends:

• Encrypting mobile devices, like laptops and USB drives;

• Backing up sensitive data; and

• Securing mobile devices with locks to immovable fixtures, like cabinets, when not in use.


CONDUCT SECURITY AUDITS

Many practices are not aware that conducting an internal risk assessment is required by HIPAA, says Jenkins. He says he has conducted over 100 HIPAA security assessments, and the number of practices that have passed is "less than 5 percent." He says that while there are templates available through the HHS Office of the National Coordinator for Health Information Technology's website, practices should consider soliciting professional help, as "some of [the assessment] is pretty technical."

Some key action points here are:

• Engage an IT security expert or EHR vendor to audit your networks, equipment, and processes.

• Make sure that software upgrades are current on all equipment and devices.

• Review your anti-virus software to make sure it provides adequate protection.


IN SUMMARY

Medical practice data security can't be left to chance; the stakes are just too high. Fortunately, after securing professional advice, there are simple things you can do to secure your information.

Take these steps to ward off loss of data and equipment:

• Create a practice data security plan

• Provide staff training on data security

• Install anti-virus and anti-malware software

• Adopt data encryption

• Conduct security audits



Securely Disposing Medical Practice Equipment

It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members, or donate it to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data will not permanently eliminate it from the hard drive of the device. And if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synced to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.

Premera data breach affected Oregon's LifeWise members

The cyberattack at Premera Blue Cross in Washington state also affected 60,000 current and former members of LifeWise Health Plan of Oregon.

The two companies are affiliated and share a common IT system for claims, said Eric Earling, vice president of corporate communications at Premera.


The attack began last May and affected data going back to 2002.

"It was a sophisticated cyber attack," Earling said. "They got access, but there's no evidence they removed information from the system."

Altogether, the cyberattack may have exposed medical data and financial information of 11 million customers. It is the largest breach reported to date involving patient medical information, Dave Kennedy, an expert in health care security, told the New York Times.

Medical records can be sold on underground criminal exchanges and can be used to engage in insurance fraud, the Times reported.

It's not the first large breach uncovered this year. On Jan. 29, insurer Anthem disclosed a cyberattack involving records of 79 million customers in Blue Cross Blue Shield plans across the U.S. That attack was unrelated to the one at Premera, Earling said.


He referred Oregon customers to Lifewiseupdate.com for information on the attack and for enrollment in the two years of free credit monitoring and identity protection services offered to anyone affected by the incident.

A message on the site reads in part: "Our investigation determined that the attackers may have gained unauthorized access to applicants and members' information, which could include member name, date of birth, address, telephone number, email address, Social Security number, member identification number, bank account information, and claims information, including clinical information.

"Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected."


The FBI is investigating the attack.


Stolen hard drives bring more data breach pain for US health services

The Indiana State Medical Association (ISMA) has warned 39,090 of its clients that their private data may be at risk of leakage, after the "random" theft of a pair of backup hard drives.

The drives were being transported to an offsite storage location when the theft occurred, on 13 February. ISMA went public with the breach on Monday, having apparently sent out letters to those affected a few days earlier, three weeks after the incident.

Data on the drives includes at least the standard set of personal details, such as names, dates of birth, health plan ID numbers, and physical and email addresses. In some cases it also includes Social Security Numbers and/or details of medical history.

Those affected should already have been told what level of information about them may have been leaked.

ISMA's statement claims the data on the drives "cannot be retrieved without special equipment and technical expertise", although it's not clear if that equipment and know-how means anything more than a computer to connect the drives to and the skills to plug them in and mount them.

There's certainly no mention of strong encryption being applied to the records, implying that they were stored relatively insecurely.

ISMA has posted a detailed FAQ for those affected, and will provide credit monitoring services for those who want them - the deadline to apply for this is 8 June 2015.

Many of them may already have availed themselves of ID protection, as there's likely to be a considerable overlap with the epic Anthem breach, which affected huge numbers of people across the US.

As Paul Ducklin recently pointed out, medical information is highly sensitive, opening up all sorts of opportunities for social engineering and identity theft.

All such data needs to be properly secured, to protect it not just from hackers as in the Anthem case, but also from inadequate anonymisation when referenced online, and of course from the many dangers of the physical world.

Backups are of course a vital part of any security and integrity regime, but it's worth remembering that they also bring some added security risks of their own. Backed-up data needs to be stored securely, ideally in a separate location from the master copies, and transporting data is always a fragile part of the chain.

We routinely hear of data being lost in the post, devices being mislaid in trains, planes and taxis, and even records simply falling off the back of trucks.

In this case, the incident is described as a "random criminal act". The proper tactic to mitigate this risk is not heavily-armed security guards escorting couriers to backup storage locations, but something much simpler and cheaper.

All data considered sensitive or important should be strongly encrypted as a matter of routine when immediate access is not required.

Off-site backups in particular should be locked down as strongly as possible, given that decryption time will not add significantly to the restore process.

Keeping data well encrypted adds another layer on top of the security of storage facilities, and minimises the danger from "random criminal acts", and even carelessness, when data is in transit.


Via Paulo Félix

When HIPAA Applies to Patient Assistance Programs (and When It Doesn’t)

Patient Assistance Programs (PAPs) have proliferated in recent years, despite the fact that many commonly prescribed medications have lost patent protection and the Affordable Care Act (ACA) has attempted to eliminate pre-existing condition discrimination by insurance companies. Still, drug costs remain unaffordable to many patients, particularly those with high-cost, chronic conditions, even when patients have insurance coverage. An article published recently in the New England Journal of Medicine suggests that while the ACA has increased insurance coverage for an estimated 10 million previously uninsured individuals in 2014, some insurers are structuring drug formularies in a manner that discriminates against (and discourages enrollment of) patients suffering from particular high-cost conditions.

Regardless of the cause, the need for and utilization of PAPs raises interesting questions related to privacy and security of protected health information (PHI).  I had the opportunity to co-present a workshop session on HIPAA at CBI’s 16th Annual Patient Assistance and Access Programs Conference in Baltimore, MD this week with Paula Stannard, Esq. of Alston & Bird.  The conference was well-attended, and Paula and I were asked a number of questions during and after our workshop that showed interest in HIPAA compliance by PAP entities, as well as confusion regarding it.

Paula and I crafted a scenario in which a PAP’s data system is hacked, and the hacker gains access to individually identifiable health information stored on the system. Both Patient A and Patient B have insurance, but suffer from a condition requiring a medication not on their carriers’ formularies. Patient A put his own information into the PAP system after learning about the PAP from a TV ad. Patient B let her physician put her information into the PAP system, after the physician explained that the hospital at which the physician works has an arrangement with the PAP whereby the PAP will help with getting insurance coverage.

We asked the audience whether the hacker’s access to Patient A’s and Patient B’s information in the PAP was a HIPAA breach. A follow-up to this blog will discuss the factors relevant to deciding when HIPAA applies to PAPs (and the individually identifiable information they maintain) and when it doesn’t.



HIPAA Compliant Technology and the Importance of Encryption

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. This means that any covered entity (CE) or business associate (BA) that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule addresses the storage, accessing and sharing of PHI, whereas the HIPAA Security Rule outlines the security standards that protect health data created, received, maintained or transmitted electronically, known as electronic protected health information (ePHI).

The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as a supplemental act in 2009, and was formed in response to the improvements and increase in health technology development, and the increased use of ePHI. Transmission Security is required of HIPAA compliant hosts to protect against unauthorized public access of ePHI; however, both authentication and encryption are stated to be addressable, rather than required. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.

Confusion around some of the items classified as addressable within these technical standards, especially around encryption, increases the risk of fines for organizations that choose not to address these standards. Fines are very likely to be handed to organizations should they experience a data breach as a result of not using encryption, even if a risk assessment is in place. Encryption is expected to be one of the key areas OCR focuses on when conducting phase 2 HIPAA audits later this year.

Using Technology to Comply with HIPAA

Mechanisms exist to meet the requirements of the HIPAA safeguards, starting with use of a HIPAA compliant network hosting provider. HIPAA compliant networks must have robust firewalls in place to protect an organization’s network from hackers or data thieves. Secure platforms are required for all organizations that transmit ePHI. These platforms should deploy encryption when transmitting ePHI, and have administrative controls to safeguard the integrity of ePHI. These platforms should also have the capacity to retract messages in the event of a breach risk and be able to remotely remove a mobile device from the system if it is lost by its owner, stolen or otherwise disposed of. In addition to this, all devices used to store or transmit ePHI, such as laptops and mobile devices, should be password protected and encrypted.

The Ramifications of Failing to Encrypt

Since 2012, the U.S. Department of Health and Human Services (HHS) has issued large monetary fines for violations of the HIPAA Privacy Rule following the introduction of HITECH. Some of its biggest fines have been due to lost or stolen laptops which were unencrypted. In April 2014, Concentra Health Services was fined $1,725,220 to settle HIPAA Privacy violations which occurred after an unencrypted laptop was stolen from one of its offices. Some organizations may wrongly conclude that encryption is technically not required in all cases under the HIPAA Security Rule, as it is an “addressable” standard under HIPAA, meaning that it is required only where reasonable and appropriate based on a risk assessment. However, these fines raise the question of how encryption of mobile devices containing ePHI is viewed. It is clear from the Concentra Health Services settlement that conducting risk assessments is not enough to avoid penalties under HIPAA. Rather, the risks identified in the assessment must be addressed completely and consistently. Encryption of ePHI during transmission is another important consideration organizations need to assess when completing risk assessments. When transmitting data between devices, it is crucial that organizations select a vendor that is HIPAA compliant – without doing so, organizations are potentially exposed to an enormous risk of data breaches.



Beyond HIPAA Risk Assessments: Added Measures for Avoiding PHI Breaches

Last year, several high profile security incidents occurred at healthcare organizations where a HIPAA Risk Assessment (HSRA) had previously been conducted. This should provoke some pointed questions: Was the HSRA comprehensive enough? Was the remediation plan implemented correctly and in a timely manner? Was an ongoing process of risk management adopted? In this webinar, attendees will learn why HSRAs are a necessary but not sufficient part of maintaining the security of protected health information (PHI).

  • What qualifies as a comprehensive HIPAA risk analysis?
  • Learn why HIPAA Risk Assessments are necessary but not sufficient
  • What are the elements of an ongoing security risk management program?
  • What else can be done to lower the risk of hacking incidents?

Background

HIPAA Risk Assessments are a valuable component of a healthcare organization's information security program. They fulfill a mandatory requirement of the HIPAA Security Rule, Omnibus Rule, and where applicable, the EHR Meaningful Use Incentive Program. Compliance, however, is not synonymous with security.

The purpose of an HSRA is to identify threats and vulnerabilities. But without a comprehensive remediation and ongoing risk management plan, the HSRA itself is of little value. Further, many HSRAs are too limited in scope, focusing only on policies or "low-hanging fruit" while ignoring more critical and complex risks.

From 2010-2013, the vast majority of breaches of PHI resulted from lost or stolen portable devices. In 2014, the landscape changed. Hackers went on the attack, attracted by the high value of data stores of PHI. Millions of health records were stolen. Hackers typically exploit vulnerabilities in the network infrastructure or in web applications. In addition, individual credentials are often compromised through "phishing" email attacks. Were these risks identified in your HSRA?

