HIPAA Compliance for Medical Practices
63.7K views | +7 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA and Ransomware: What You Need to Know

HIPAA and Ransomware: What You Need to Know | HIPAA Compliance for Medical Practices | Scoop.it

When it comes to HIPAA and ransomware, there are some key responsibilities that health care professionals have when handling an incident. Following the regulation is essential to keeping your behavioral health practice out of the headlines and mitigating the risk to patients’ sensitive health data.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release new regulation specifically in regards to HIPAA and ransomware. However, in 2016 after a string of ransomware attacks impacted hospitals and health services across North America, guidance was released about how to handle a ransomware incident should one impact your practice.

What is Ransomware?

Ransomware is a type of malware that infects your computer or network. The malicious software automatically encrypts your data, and then the hackers responsible demand a ransom in exchange for access.

Sometimes, the ransomware will even give health care providers a countdown: pay the ransom within the time allotted, or face permanently losing access to this electronic protected health information (ePHI). ePHI is any health care data that can be used to identify a patient that is stored in electronic format, such as electronic health records systems (EHRs).

How to Handle HIPAA and Ransomware

In the event of a ransomware incident, the first thing you should do is report the incident to local law authority. HHS guidance on the matter even goes so far as to include contacting the FBI, though this is only fully necessary for larger organizations such as hospital systems.

If you have reason to believe that ePHI has been accessed by the hackers, then you must also report the breach to OCR. If your organization already has an effective HIPAA compliance solution in place, then you should have full documentation in place that can prove to OCR investigators that you’ve done everything possible to prevent breaches.

Having a HIPAA compliance program in place can’t prevent a ransomware attack from occurring, but it’s your best defense against heavy federal fines in the event that a breach does occur. HIPAA fines have already reached $17.1 million in 2017 alone, which is set to outpace 2016’s record breaking $23.5 million.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Requirements – Time for a Major Regulatory Change

HIPAA Requirements – Time for a Major Regulatory Change | HIPAA Compliance for Medical Practices | Scoop.it

It is only fitting that legislation that was created in the mid 1990’s be considered, as most HIPAA experts would agree, outdated. Even with changes brought about by HITECH and the Omnibus Act, the implementation specifications remain relatively unchanged. It is still one-size-fits-all when it comes to meeting the requirements.

 

Sure, you could argue what is reasonable and appropriate for one healthcare provider is not for another. Therefore, it comes down to how each implementation specification is interpreted, how you decipher what the Code of Federal Regulation (CFR) is asking for.

 

After spending 27 years working for the Federal government and being involved in policy and regulatory oversight, even I sometimes struggle with how to make sense of a particular CFR.

For larger healthcare providers that have regulatory and compliance staff, HIPAA compliance might be a bit easier. But for the smaller providers who are required to follow all of the same requirements, albeit what is “reasonable and appropriate,” this is a colossal struggle. I can see why some small providers just throw their hands up and say, “This is way too complex for us to figure out.”

 

When the HIPAA legislation was created, the healthcare system in this country was really starting to transform. Today, with more and more specialty practices and other types of healthcare service providers tapping into this growing market, updating regulation requirements must be a priority. It cannot be a one-size-fits-all requirement anymore. The U.S. Congress needs to take into consideration how the healthcare industry has changed, in particular with the emergence of new health related mobile apps hitting the techno-sphere. HIPAA regulatory requirements must be adaptable to meet this changing environment.

 

When I conduct a HIPAA risk assessment for a smaller healthcare provider and I ask a question in an attempt to adhere to the implementation specification, often I get a non-applicable response. The hard work for me is how to get that provider covered in meeting a required implementation specification if it is non-applicable. If a provider is truly making the effort with due diligence to follow the HIPAA regulations, then that should be factored into the equation.  The process must allow for more discretion when it comes to some of the implementation specifications.

 

All of this will require legislative fixes. The U.S. Congress can rattle a few cages and give the impression there is real concern with making sure healthcare providers are doing everything they can to safeguard patient records, but until there is movement towards making necessary legislative changes, HIPAA requirements will remain as confusing to some as the U.S. tax code.

 

Back in the mid 1990’s, Senators Kasebaum and Kennedy, the sponsors of the insurance reform legislation that became known as HIPAA, clearly had a vision about the changing landscape of healthcare security in this country. Which current day senators will have that vision and want to undertake this monumental task in reforming HIPAA for the next decade remains to be seen.  The time is now to start down this road.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Top 10 Myths of HIPAA Risk Analysis

Top 10 Myths of HIPAA Risk Analysis | HIPAA Compliance for Medical Practices | Scoop.it

The following is a top 10 list distinguishing fact from fiction when it comes to conducting A HIPAA Security Risk Analysis.

  1. The security risk analysis is optional for small providers. False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
  2. Simply installing a certified EHR fulfills the security risk analysis Meaningful Use requirement. False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
  3. My EHR vendor took care of everything I need to do about privacy and security. False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
  4. I have to outsource the security risk analysis. False. It is possible for small practices to do risk analysis themselves but can be time consuming. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
  5. A checklist will suffice for the risk analysis requirement. False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
  6. There is a specific risk analysis method that I must follow. False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
  7. My security risk analysis only needs to look at my EHR. False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.
  8. I only need to do a risk analysis once. False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.
  9. Before I attest for an EHR incentive program, I must fully mitigate all risks. False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
  10. Each year, I’ll have to completely redo my security risk analysis. False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period.
Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format

Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format | HIPAA Compliance for Medical Practices | Scoop.it

This month, Atlantic Information Services reported that covered entities must provide patients with their ePHI when they request it, in a format that the patient can open on their computer. Does this mean Covered Entities may have to send unencrypted emails containing electronic Personal Health Information (ePHI) to their patients? It depends on what the patient requests.

The HHS statement that patients have the right to access their ePHI and that covered entities “must provide this access in the manner requested by the individual” has created confusion. Covered entities are now left trying to find ways to provide patients access to their ePHI without violating HIPAA requirements.

The Privacy Rule “allows the use of unencrypted email when communicating ePHI between the healthcare provider and the patient…provided they apply reasonable safeguards when doing so”. 1

Examples of safeguards include:

  1. Check the email address for accuracy.
  2. Send email to confirm the recipient before sending the ePHI.
  3. Limit the amount of information disclosed.
  4. Encrypt emails.

Many covered entities have policies in place requiring all email containing ePHI be encrypted, and we at Total HIPAA Compliance fully support these policies. Patients may complain about opening an encrypted email, but the alternative is that you are potentially exposing their unencrypted Protected Health Information to all kinds of unknown risks. An unencrypted email can go through multiple servers before it reaches its final destination, and every server it stops in on its way to its final destination is another potential failure point.

How do you protect your patients while giving them access to their information in the format requested?

  1. Don’t explicitly offer unencrypted communication– I know this sounds disingenuous, but if you have a communication request from a patient, it’s always best to default by sending those communications encrypted.
  2. Explain the risks of sending unencrypted communications– Most non-technical people don’t understand the risks they are taking by sending communications unencrypted. You can relate the privacy level to sending an electronic postcard listing all their requested information. It is estimated that medical identity theft costs an individual $13,500.2 This is a major reason to insist that all communications with patients be encrypted.
  3. Make the barrier for unencrypted communication high. HHS states, if the healthcare provider feels the patient is not aware of the risks of using unencrypted emails for ePHI, or has concerns about liability, they can inform the patients of those risks and allow the patient to make the decision. If the patient then decides to request the receipt of the ePHI using unencrypted email, the covered entity will be exempt of possible liability because the patient has given their explicit permission to receive the ePHI in an unencrypted form. Make sure the client signs off each time there is a requested unencrypted communication. This burden may push a client to receive information encrypted.
  4. Here is a form you can use if a client insists on having communications sent unencrypted.

Ways to Make Patient Communication Easier While Using Encryption:

Patient Portals
A patient portal is a secure website that patients can access with a username and password. Portals allow patients to access their ePHI through an internet connection. This is an elegant way to provide the patient with their PHI and not expose the information to hackers.

Use a different encrypted email provider
There are many HIPAA compliant email encryption services you can use. Some are easier for patients to use than others. If your patients are consistently complaining, maybe it’s time to look into a new provider. There are many great options out there that will integrate with your EHR.

Two of our favorite encrypted email platforms for ease of use and cost are:

  1. Virtru This application allows users to integrate with almost any email provider. Vitru Pro is HIPAA compliant and will sign a Business Associate Agreement. Virtru offers end-to-end encryption with the ability to revoke a message at any time. Vitru makes it easy for the sender to encrypt messages and the receiver to respond encrypted.
  2. Protected Trust is also another great product. The email recipient has to be registered with Protected Trust, but this is free for your patients. Protected Trust offers many different verification options for the recipient, including sending recipients a phone call or text message to verify their identity. This application is easy to use for the receiver since they do not have to install any software or create a new email address.

The HIPAA Omnibus update strives to make communication between providers and patients easier as well as protect the privacy of your patients. This can be tricky for the health care provider, but patients always have the right to access their own PHI, and it is up to healthcare providers to grant them that access. As patients begin to demand more communication, covered entities will have to figure out the best way to do this, while remaining HIPAA compliant.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Bring Your Own Device (BYOD) Guidance 

Bring Your Own Device (BYOD) Guidance  | HIPAA Compliance for Medical Practices | Scoop.it

Bring Your Own Device (BYOD) Guidance

 

                   Bring Your Own Device, or BYOD, is when employers allow their employees to use their own electronic devices (phones, computers, tablets, etc.) on the organisations network.

BYOD has progressed from infrequent implementation to the norm. In 2015, Tech Pro Research released a study which reported that about 74% of respondents were already using or planning to use BYOD in their organization.¹

Despite its growth, not many organisations are completely confident in BYOD. In 2016, NueMD conducted a HIPAA survey. In this survey, they asked participants how confident they are that the devices they use in their business are HIPAA compliant, and found that only 20% of respondents were at all confident.

                  BYOD can open organisations up to serious security issues if not handled correctly. Since employees are using their own devices, they will take these devices home (and everywhere else); thus, there is more of a chance for these devices to be lost or stolen. Electronics were a lot more secure when it was the norm to leave them in the office. It was up to the company to protect those devices. Now with BYOD, employees will have to use extra caution in order to keep their devices safe.

BYOD also opens up organisations to malware. With an employee using the device for personal use as well, it is easier for a phishing email to reach the employee if the proper security software is not loaded. In addition, malware may be part of a download when unapproved applications are added by the employee. That malware would then affect everything on the device, including work related information. This puts the PHI on your network at risk.

            Obviously, there must be some positives to BYOD, or it would not be as popular as it is. The main advantage is that it cuts costs for the organization. If employees can bring their own devices, organisations can save money because they do not have pay to provide devices for employees. BYOD also results in better productivity because employees are using a device they already understand. No time is wasted on training employees how to use the device.

The implementation of BYOD has grown every year. Eventually you will need to consider BYOD and establish guidelines for implementing it on your network that respect the privacy of the user’s device. Access should only be requested for security reasons outlined in your policy. If you do choose to implement BYOD, it’s important to clearly define this decision in your policies and procedures.

First, you should have policies and procedures in place outlining the use of devices on your network. The policies and procedures should include:

  1. Acceptable uses:
    1. What apps are employees allowed to run?
    2. What websites should and shouldn’t be accessed?
    3. Can they be used for personal use during work?
  2. Acceptable devices:
    1. Will you allow laptops, phones, and tablets?
    2. What type of devices will you allow (Apple, Android, Windows, Blackberry, PC, etc)?
    3. How are you encrypting devices?
  3. Policies:
    1. Is the device configuration set up by the organisation's IT department?
    2. Is connectivity supported by IT?
    3. How often will you require a password change?
    4. Do you have a remote wipe policy?

 

Second, decide whether or not to implement Mobile Device Management (MDM).  MDM creates a single unified console through which IT can administer different mobile devices and operating systems. MDM allows an organisation's IT department to do things like remotely wipe devices, encrypt devices, secure VPN, and locate devices.

MDM allows you to selectively wipe the information lost on stolen devices. Some devices such as iPhone's have a built-in application (i.e. Find My iPhone). Android phones can be tracked and wiped using Android Device Manager. Both applications are great for individuals, but not necessarily the best option for an enterprise situation where you will need to track more than one device. Wiping a device is a heavy handed approach that may make employees hesitant to use their device on your network, as all of their personal information could be wiped along with work related data. With BYOD in place, employees know what’s expected of them when they use their personal devices at work, including the possibility that the company will use MDM to remotely wipe information as needed.

Alternatives to consider are Mobile Application Management (MAM) and Agent-less BYOD. MAM is software that controls access to mobile apps on BYOD devices. A report by Bit-glass found that only 14% of participants have adopted MAM. Accordingly, MAM never really took off, and MDM has now stagnated due to privacy concerns.³ Their solution is Bit-glass Agent-less BYOD, which protects corporate data on any device without an application. It also has an automated deployment process that does not require IT intervention. Agent-less BYOD is meant to be more secure and less strict on the employee because of its selective wiping capabilities.⁴

Finally, a BYOD policy agreement should confirm that the BYOD user understands and agrees to the policies and procedures. The user should also understand that the organization owns the work-related information on their device. Therefore, the organization has the right to take away access to the company network at any time. The BYOD agreement should be signed by the user, a department manager, and IT.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

HIPAA and Social Media: Avoiding Costly Mistakes | Eyemaginations

HIPAA and Social Media: Avoiding Costly Mistakes | Eyemaginations | HIPAA Compliance for Medical Practices | Scoop.it

A nurse inspired by a young chemotherapy patient’s courage posts a photo on her personal Facebook page, being careful not to use the patient’s name. A practice manager posts a photo of an office party on Instagram; a stack of patient files is in the background. A nurse writes an angry blog post about an alleged cop-killer who is being treated at the hospital where she works, but does not name the patient, victim, or her employer. What do all of these scenarios have in common? They are all examples of HIPAA violations that led to a healthcare professional being reprimanded, fined, or fired.

You may think your practice is up to date on patient privacy, but changes in HIPAA policies, healthcare information technology, and the explosion of social media have changed the game. “Despite widespread awareness of the need to store and send sensitive patient data securely, physicians and practices run afoul of HIPAA rules on a regular basis, which opens the door to both civil and criminal penalties,” reports Medical Economics. The maximum HIPAA fines have increased to a whopping $50,000 per violation.

Here’s what you need to know about HIPAA and protecting your patients and your practice in this age of social media and oversharing.

Decoding ‘patient identifiers’

Because there are new social media platforms emerging all the time, it can be daunting to figure out what’s OK to post and what’s not. First, you and your employees need to understand what is considered a HIPAA violation on social networks. Most healthcare professionals know to avoid impermissible use or disclosure that compromises the security or privacy of a patient’s protected health information (PHI). The confusion arises in defining what PHI is and is not.

HIPAA specifies 18 identifiers beyond a patient’s name that must be kept private. One of those is “full face photographic images and any comparable images,” which is where the nurse mentioned in the Facebook example above ran afoul of HIPAA. This even includes recognizable patient photos or files in the background of photos, such as in the office party example above. You’re not even in the clear if you’re simply reposting or “regramming” photos of a patient sharing all the details of their medical issues on their own social media accounts. If the patient can be identified, don’t do it.

It’s also important to consider things that might be “patient identifiers” besides a person’s name or face. In one case, a nurse posted a comment on a small-town newspaper’s blog that mentioned a patient’s age and mobility aids, which were enough to figure out whom she was discussing.  “In small communities especially, people can quickly determine who is in the hospital and for what with just a few details. Innocent comments about a patient lead to identification,” notes Kyna Veatch on the legal website Law360.com.  

This also goes for celebrities and high-profile people. In the case of the nurse mentioned above who angrily shared her views about a patient online, news coverage about the murder case made it clear whom she was talking about. Another common example of HIPAA violations is when staffers cannot contain their excitement about treating a pro athlete or well-known TV personality and “overshare” on social media. “Posting verbal ‘gossip’ about a patient to unauthorized individuals, even if the name is not disclosed” can get medical practices into hot water with HIPAA, warns the company Healthcare Compliance Pros (HCP).

HIPAA do’s and don’ts

Let’s look at some best practices related to HIPAA and social media:

Do keep your and your employees’ personal social media accounts separate from the practice accounts. “Some ophthalmologists choose to create personal pages with pseudonyms that only their friends and family know,” notes Veatch. “This keeps patients from searching for them and sending friend requests.” Avoid “friending” patients on personal or practice accounts, and advise your employees to do the same.

Don’t make the mistake of thinking that posts are private or disappear once they have been deleted.Search engines and screenshots can make even deleted posts permanent. As a general rule, don’t post anything you wouldn’t be comfortable sharing in public. “If there is any doubt at all about a certain post, picture, or comment then check with your compliance officer or even a colleague before publishing,” advises HCP.

Do speak up when patients are asking for medical advice online. Crowdsourcing your medical care on social media is never a good idea, but people do it all the time. Doctors can offer advice as long as it’s general and not specific to one patient. Sharing a patient education video on a particular health topic or condition can be one way to do it. “Speaking to patients as a collective on social media should steer providers away from any privacy risks,” per physician and social media expert Kevin Pho of KevinMD.com. If an unknown patient reaches out and asks a personal health question on social media, “take that conversation offline with a standard response that asks the patient to call the office and make an appointment, or if an emergency, to call 911 or go to the emergency department,” he advises.

Don’t overlook staff training. Educating your staff and having a solid social media policy in place is imperative to HIPAA compliance, according to Healthcare IT News. Your policy should define social media, mention specific sites, and describe what information employees are allowed to post online and what is off-limits, on both the practice pages and their personal pages. As Healthcare IT News states, “When employees post on social media, not only do they represent themselves, they represent the employer, the office, and all healthcare professionals.”

 

 

 

 

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Why 'Adaptive Defense' Is Critical

Why 'Adaptive Defense' Is Critical | HIPAA Compliance for Medical Practices | Scoop.it

As hacker attacks, such as the breach of Anthem Inc., become more common, it's more critical than ever for organizations to carry out a comprehensive "adaptive defense model" to protect sensitive information, says Dave Merkel, chief technology officer at FireEye.

Although the model should incorporate several technologies, including multi-factor authentication, encryption and intrusion detection systems, it must go beyond that, Merkel says in an interview with Information Security Media Group.


"You also have to have intelligence," he notes. "The bad guy has [intelligence] about you, why don't you have it about the bad guy?"

Organizations also have to ensure they have expertise to protect data, detect breaches and respond appropriately, he stresses. "The bad guys are always innovating, so you have to also."

Going beyond a focus on breach prevention is essential, Merkel says, because breaches are inevitable. "You need to be analyzing, hunting in your environment, looking for attackers constantly with your human expertise, and then when you identify something that might be an incident, you have to respond, and you have to do it quickly ... so if you do have an event, you go from identifying the event to resolving it in minutes, as opposed to what we unfortunately frequently see, which is resolving it in weeks or months or potentially years."

Mandiant, a FireEye company, is working with health insurer Anthem in the digital forensic investigation of a hacking attack that may have exposed up to 80 million individuals' unencrypted information, but Merkel says he cannot yet reveal any details. The breach is believed by Anthem to have begun with phishing e-mails sent to a handful of its employees.

In the interview, Merkel also discusses:

  • How spear phishing and social engineering schemes are becoming more sophisticated, and why organizations need to put effort into learning more about potential bad actors and their motivation for attacks;
  • Why neither encryption nor multifactor authentication are silver bullets to protect data;
  • Why the healthcare sector is a growing target for hacker attacks.

Merkel has more than 15 years of experience in the information security and incident response fields. Before joining FireEye, he was CTO and vice president of products at cybersecurity firm Mandiant, which was acquired by FireEye, where he focused on shaping the strategy and direction of the company's technology and engineering solutions. Earlier, Merkel spent more than seven years leading a team of technologists at America Online to protect corporate systems and network infrastructure. And he was a special agent with the United States Air Force office of special investigations


more...
No comment yet.
Scoop.it!

Make sure your HIT security system meets these 6 criteria to avoid medical identify theft

Make sure your HIT security system meets these 6 criteria to avoid medical identify theft | HIPAA Compliance for Medical Practices | Scoop.it

With the mandate from government across the healthcare industry to start putting all medical records online, more attention is being given to the protection of Personal Health Information (PHI). You can draw obvious conclusions about how personal and sensitive information could be misused if improperly disclosed. Some fear that it might be used to deny insurance coverage, impact employment, or lead to discrimination. The Health Insurance Portability and Accountability Act (HIPAA) establishes a baseline of protection that applies to health care providers and insurers throughout the United States. Its privacy requirements mandate the protection of sensitive personal information. However, there is another “health related” twist on the protection of sensitive information – medical identity theft.

According to the 2013 Survey on Medical Identify Theft, medical fraud has increased nearly 20 percent in the past year, affecting an estimated 1.84 million American adults and costing victims $12.3 billion in out-of-pocket medical expenditures.

Medical fraud can occur in a number of ways—including medical personnel billing a health plan for fake or inflated treatment claims, falsifying information to obtain prescription drugs, and using another individual’s information to obtain free medical care. Often, these crimes are committed through illegal purchase of Personal Identifiable Information (PII) or by unethical actions of healthcare providers. Whether accidental or purposely done, health care fraud leads to loss of trust in providers, hefty fines, and loss of license. For example, Columbia/HCA was required to pay $1.7 billion in fines, penalties, and damages for Medicare fraud.

This is perhaps the most frightening of all forms of identity theft, although not the most widely discussed. Medical identity theft occurs when someone uses a person’s name or other parts of their identity — such as insurance information — without the person’s knowledge to obtain medical services or goods. While the intention is to obtain medications, prescriptions, or to falsely bill insurance providers, the risk to the victim may be quite serious – leading to inappropriate and improper medical treatment. While this is a critically important issue, little data and research about it has been done.

In addition to the cost to each individual victim, medical identify theft creates a huge financial burden on public health systems. In May of 2009, the US Department of Justice (DOJ) and the Department of Health and Human Services (HHS) announced the creation of the Health Care Fraud Prevention and Enforcement Action Team (HEAT). Focusing primarily upon Medicaid and Medicare fraud, this program has sought to recover billions of dollars of tax payer money improperly billed against these systems – affecting not only the long term solvency of the system, but also the vulnerable population it serves. In 2011, HEAT coordinated the largest-ever federal health care fraud takedown, involving an aggregation of $530 million in fraudulent billing.

Health insurance and medical services organizations can help prevent medical identity fraud by implementing technology to counteract attacks and monitor their customer databases for possible data breaches. When selecting the correct technology for your organization, be sure to select a solution that can do the following:

  • Discover data across multiple information gateways in your enterprise in order to shed light on dark data and other potential sources of risk. Sensitive information may not be obvious at first glance but can open up an organization to an array of issues if leaked.
  • Scan content in motion or at rest against out-of-the-box or customized checks for a wide range of privacy, information assurance, operational security, sensitive security information, and accessibility requirements. Organizations require different levels of security based on regulations, subject matter, and size. Be sure to select a technology with a solid framework that can be customized based on your needs.
  • Drive enterprise classification and taxonomy with user-assisted and automated classification for all content.
  • Take corrective action automatically to secure, delete, move, quarantine, encrypt, or redact risk defined content. These automated actions can reduce costs by eliminating the need for increased hiring to continuously monitor information security initiatives.
  • Enhance incident tracking and management with an integrated incident management system in addition to trend reports and historical analysis to measure your organization’s improvements over time.
  • Monitor data and systems on an ongoing basis to demonstrate and report on conformance across your enterprise wide information gateways and systems.

There is much research still to be done on this subject. It’s easy to extrapolate that if there are billions of dollars in Medicare fraud, those false claims may in fact be entered into the medical records of unsuspecting individuals. We don’t yet fully understand those consequences. So while it may seem like one of those cautionary tales that are simply outrageous and could never happen to you, the best advice is to “Never say never” and do what you can to protect your information. Always remember that an ounce of prevention is worth a pound of cure.


more...
No comment yet.
Scoop.it!

HIPAA compliance patient engagement strategy

HIPAA compliance patient engagement strategy | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance as a patient engagement strategy is becoming more and more appealing for health care professionals of all kind. Behavioral health professionals in particular can capitalize on an effective HIPAA compliance program as another means of developing a patient engagement strategy–attracting new patients who care about the integrity of their health care data.

Developing a patient engagement strategy is an essential way to attract new patients to your practice. Common methods that you can capitalize on include developing a social media presence or creating a newsletter to highlight industry updates or services you offer.

But HIPAA compliance gives you a unique way to address patients’ needs for data privacy, all while satisfying the regulatory requirements put forth by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

HIPAA Compliance as a Differentiator

By implementing an effective HIPAA compliance program in your practice, you can be directly involved in ongoing national conversations about data privacy and security. With ransomware incidents in the news week after week, and new concerns about data breaches reaching unprecedented levels, HIPAA compliance is the perfect way to address these concerns for your prospective patients.

Think of it this way: in the same way that concerned buyers will shop around for the perfect laptop to meet their needs, a discerning patient will shop around for a behavioral health practice that works for them. Data security-minded individuals are a growing demographic of health care consumers, especially among millennials in today’s market.

Adopting a HIPAA compliance program can allow you to address these concerns, and give you a new way to market your business. You can make your practice stand out from others in your area, all while protecting the sensitive health data that you come into contact with daily.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Medical Identity Thefts Account for 43% of all Reported Identity Theft Cases in U.S.   

Medical Identity Thefts Account for 43% of all Reported Identity Theft Cases in U.S.    | HIPAA Compliance for Medical Practices | Scoop.it

You may want to ask your medical or dental provider what measures they are taking to protect your electronic health records. In some cases, the answer may surprise you. Here is a recent article from USA Today that will get your attention.

Nearly half of identity thefts in U.S. are medical info.

Story Highlights

  • Medical records of between 27.8 million and 67.7 million have been breached since 2009
  • Thieves have used stolen medical information for all sorts of nefarious reasons
  • Perpetrators use different methods to obtain information, from stealing laptops to hacking into computer networks

If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft.

Last month, the Identity Theft Resource Center produced a survey showing that medical-related identity theft accounted for 43% of all identity thefts reported in the United States in 2013. That is a far greater chunk than identity thefts involving banking and finance, the government and the military, or education. The U.S. Department of Health and Human Services says that since it started keeping records in 2009, the medical records of between 27.8 million and 67.7 million people have been breached.

The definition of medical identity theft is the fraudulent acquisition of someone's personal information – name, Social Security number, health insurance number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.

"Medical identity theft is a growing and dangerous crime that leaves its victims with little to no recourse for recovery," said Pam Dixon, the founder and executive director of World Privacy Forum. "Victims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief's activities." The Affordable Care Act has raised the stakes. One of the main concerns swirling around the disastrous rollout of federal and state health insurance exchanges last fall was whether the malfunctioning online marketplaces were compromising the confidentiality of Americans' medical information. Meanwhile, the law's emphasis on digitizing medical records, touted as a way to boost efficiency and cut costs, comes amid intensifying concerns over the security of computer networks.

Edward Snowden, the former National Security Agency contractor who has disclosed the agency's activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.

 

MULTIPLE MOTIVES

Thieves have used stolen medical information for all sorts of nefarious reasons, according to information collected by World Privacy Forum, a research group that seeks to educate consumers about privacy risks. For example:

  • A Massachusetts psychiatrist created false diagnoses of drug addiction and severe depression for people who were not his patients in order to submit medical insurance claims for psychiatric sessions that never occurred. One man discovered the false diagnoses when he applied for a job. He hadn't even been a patient.
  • An identity thief in Missouri used the information of actual people to create false driver's licenses in their names. Using one of them, she was able to enter a regional health center, obtain the health records of a woman she was impersonating, and leave with a prescription in the woman's name.
  • An Ohio woman working in a dental office gained access to protected information of Medicaid patients in order to illegally obtain prescription drugs.
  • A Pennsylvania man found that an imposter had used his identity at five different hospitals in order to receive more than $100,000 in treatment. At each spot, the imposter left behind a medical history in his victim's name.
  • A Colorado man whose Social Security number, name and address had been stolen received a bill for $44,000 for a surgery he not undergone.

Perpetrators use different methods to obtain the information, ranging from stealing laptops to hacking into computer networks, according to Sam Imandoust of the Identity Theft Resource Center. "With a click of a few buttons, you might have access to the records of 10,000 patients. Each bit of information can be sold for $10 to $20," he said.

According to HHS, the theft of a computer or other electronic device is involved in more than half of medical-related security breaches. Twenty percent of medical identity thefts result from someone gaining unauthorized access to information or passing it on without permission. Fourteen percent of breaches can be attributed to hacking.

"We say encrypt, encrypt, encrypt," said Rachel Seeger, a spokesman for HHS's Office For Civil Rights, which is charged with investigating breaches of medical records in health plans, medical practices, hospitals and related institutions.

 

RELYING ON THE HONOR SYSTEM

The records in a laptop that a fired employee lifted from the North County Hospital in Newport, Vt., last year had not been encrypted. The laptop contained the records of as many as 550 patients. Around the time that breach was uncovered, HHS cited the hospital for a second breach involving two employees gaining access to records without authorization. Those cases are ongoing.

Wendy Franklin, director of development and community relations at North County, said the hospital generally does encrypt its records. Franklin also noted that North County requires all of its employees to sign agreements not to disclose medical records and to undergo training in confidentiality laws and procedures. She also said the hospital has instituted an audit to track access to private health records. But, in the end, Franklin said, the hospital largely has to rely on the honor system.

Two federal laws govern the confidentiality of medical records: the Health Insurance Portability and Accountability Act (HIPAA), originally passed in 1996, and the Health Information Technology (HITECH) Act of 2009. Together they lay out what health care providers and affiliated businesses are required to do to protect confidentiality of patients.

According to James Pyles, a Washington, D.C., lawyer who has dealt with health issues for more than 40 years, all 50 states have their own privacy laws and 46 of them require consumer notification when there is a security breach of private records.

HHS can impose a civil fine of between $100 and $50,000 for each failure of a business, institution or provider to meet privacy standards, up to a maximum of $1.5 million per year. A person who knowingly violates HIPAA faces a criminal fine of $50,000 and up to a year in prison. If the perpetrator tried to sell the information for "commercial advantage, personal gain or malicious harm," he or she could face a $250,000 fine and up to 10 years in prison.

The HIPAA law includes exceptions that allow a provider to share medical information without a patient's permission. A common example is when hospital business offices share information for the purpose of seeking payment. But there are also exceptions for "public health activities," "health oversight activities," "law enforcement purposes," and other purposes. No wonder, Pyles said, some patients are reluctant to disclose to a medical provider that they have a sexually transmitted disease or a mental illness unless they have to.

Under the HITECH law, a medical provider, health plan or medical institution must notify patients when a breach of their medical records is discovered. HHS must also be contacted. HHS discloses breaches involving 500 or more patients.

Discovery of the breach is useful but doesn't correct the mischief that may have happened. Although patients can have corrected information put in their files, it's difficult to get fraudulent information removed because of the fear of medical liability.

"It's almost impossible to clear up a medical record once medical identity theft has occurred," said Pyles. "If someone is getting false information into your file, theirs gets laced with yours and it's impossible to segregate what information is about you and what is about them."

Pyles describes the status quo as "the worst of two worlds," he said. The U.S. has "a regulated industry that is saddled with laws with so many loopholes that they don't know what they are responsible for, and a public that doesn't believe their health information is being protected."

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Medical Identity Theft: A Troubling Trend

Medical Identity Theft: A Troubling Trend | HIPAA Compliance for Medical Practices | Scoop.it

The Ponemon Institute, a nationally recognized privacy research firm, recently released its Fourth Annual Patient Privacy and Data Security Study. For healthcare providers, it is probably not much of a new revelation that the study found more criminals are stealing patient records to commit medical identity theft. This type of crime is a less-risk and highly profitable industry.

What is attention grabbing is that these criminal attacks on healthcare providers increased dramatically and are up 100% since 2010. According to the study, these breaches cost the industry about $5.6 billion a year.

If your medical or dental practice has electronic medical records (EMR) and is following all the proper HIPAA Security Rule safeguards, this can help to identity possible unauthorized access or fraud. If your practice has paper charts, the unauthorized access to patient records could be virtually untraceable until an identity theft cases occurs. For EMR, training staff to be alert to fraud trends can help, along with a systematic way to continuously review audit logs to see who is accessing patient records.

Here are three tips to help your practice be more proactive in fighting medical identity theft:

  1. Conduct background checks on ALL staff, regardless if access to patient records is required for their particular positions or not.
  2. Set up a robust education campaign to make patients aware of medical identity theft and teach them how to report any errors discovered on their Explanation of Benefits.
  3. Implement a response program for possible medical identity theft cases. The program needs to have comprehensive but understandable written policies and procedures for immediate action for a flagged record.

As the risk will only continue to grow, the reputation and credibility of your practice in addressing patient record breaches is at stake here. Having a proactive plan in place will help your practice quickly recognize possible medical identity theft cases and initiate an immediate and required action.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Top Ten Total HIPAA Blogs

Top Ten Total HIPAA Blogs | HIPAA Compliance for Medical Practices | Scoop.it

The countdown of Total HIPAA’s most popular blogs of 2016 continues this week with #5 through #1. Not surprisingly–the top three are technical topics. If you have any topics you would like us to consider in 2017, please fill out the suggestion form at the end of this summary.

Top Ten Count Down Continued

    1. Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends?

Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. A statement from HHS Assistant Secretary for Public Affairs, Kevin Griffis, explained the reason why the waiver was not needed in Orlando: “HIPAA allows health care professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition. Disclosures are permissible to same sex, as well as opposite sex, partners.” In order to understand under what circumstances Mayor Dyer and healthcare providers should be concerned about HIPAA restrictions, we look at the Law in this blog.

    1. Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format

HHS stated that patients have the right to access their ePHI and that Covered Entities must provide this access in the manner requested by the individual. While the Privacy Rule does allow the use of unencrypted email when communicating ePHI between the healthcare provider and the patient, we suggest you take the steps outlined in this blog to protect your patients’ ePHI while still giving them access to their information.

    1. HIPAA Compliant Email Encryption Review 2016

Covered Entities, Business Associates and Business Associate Subcontractors are required to protect the PHI they hold at rest, in storage and in transit. In this blog, we reviewed six HIPAA-compliant and affordable email encryption solutions with a focus on solutions for small businesses.

    1. It’s Time to Upgrade Your Internet Explorer NOW and Forever

When it comes to your software, we know how you feel – if it’s not broken, why fix it? Upgrading is a pain! Upgrade one thing and your computer programs can collapse like a house of cards. In this instance, it is VERY important for your business security that you upgrade to the latest version of Internet Explorer—NOW! As of January 12, 2016, Microsoft announced it was only supporting technical and security updates for Internet Explorer 11. What did this change mean to you?

    1. HIPAA Compliant Text Messaging Application Review

Today everyone uses text messaging (“texting”) for easy and quick communication. It is a great tool for convenience and efficiency, but most users don’t realize that texting is an unencrypted form of communication that can be intercepted at any point in transmission. In this blog we reviewed four companies that offer secure messaging solutions for small to medium organizations using encryption to allow organizations to send PHI through text.

Thank you for your support on Social Media this year! As HHS continues to crack down with additional audits on both covered entities and business associates, our goal is to provide you with all the materials you need. Many of our blog topics come directly from questions sent by our clients and followers.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Status Of HIPAA Compliance

The Status Of HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services tasked with HIPAA compliance enforcement, is about to start formally notifying various healthcare providers and plans that they have been selected for an audit. Those covered entities selected will be required to submit specific documentation to OCR that demonstrates how their respective organizations are complying with HIPAA compliance requirements. 

 

The goal with the Phase 2 Audit program is to determine how well covered entities are implementing the correct policies and procedures for HIPAA compliance. If the results of the Phase 2 audits are anything like the first audit, OCR is probably going to see disappointing data indicating most organizations are not fully complying with all the requirements. 

 

There is an easier way to find out the status of current compliance with covered entities, not to mention a less costly way, in saving the taxpayers money in paying a contractor to gather the needed results.  Published reports showed that OCR paid about 9 million dollars to the global audit firm KPMG in 2012 to conduct the Phase 1 audits.

 

NueMD released the results of their follow-up survey to the original survey conducted in 2014, which looked at the status of HIPAA compliance. In the updated survey, 927 respondents, which included practices and billing companies, answered a number of revealing questions about the current status of HIPAA knowledge and compliance. For comparison purposes, OCR is looking to identify about 200 covered entities for the Phase 2 audit.

 

So what did NueMD find out in their updated survey? Overall HIPAA compliance is still not close to where it needs to be with most organizations. With so many HIPAA data breaches occurring on what seems like a daily basis, the survey clearly shows why this is occurring.

 

Here are some significant findings of the survey:

 

  • Regarding the annual requirement for HIPAA Security Awareness Training, the 2014 survey indicated 62% of owners, managers and administrators claimed they provided training for their staff annually — now that number has dropped to 58%.

 

  • Appointing HIPAA Security and Privacy Officers is another requirement for compliance. The survey found an actual decrease in these appointments. Although appointments were only a few percentages down, the study said, “These may not be extraordinary changes, but the numbers are moving in the wrong direction!”  Agreed.

 

  • On the positive side, the survey showed, “A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements,” (BAA).  In 2014, 60% of the respondents were aware of the use of BAAs, where in 2016, 68% now claim to know more about these rules.  

 

  • Another positive finding was in the awareness of the HIPAA Omnibus updates. In 2014, respondents indicated 64% were aware of the updates in law. That percent increased to 69% this time around. There are many additional patient rights afforded by the Omnibus Rule that healthcare providers must be aware of. Although there was an increase, providers must do a better job in understanding their responsibilities under Omnibus. 

 

The NueMD updated survey is a great barometer to gauge overall HIPAA compliance efforts, but as the survey shows, covered entities still have a long way to go to make sure they fully understand all the requirements and just not some.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

How HIPAA applies to the burgeoning world of mobile health

How HIPAA applies to the burgeoning world of mobile health | HIPAA Compliance for Medical Practices | Scoop.it

The federal regulatory environment has not kept pace with the progress of mobile health. Mobile health is driven by consumers who expect to have all sorts of information, including health data, on their phones, said Jeffrey Dunifon, an associate attorney at Baker & McKenzie who previously was an investigator at the Department of Health and Human Services Office for Civil Rights.

 

 

To help healthcare provider organizations and mobile developers navigate the HIPAA waters, Dunifon points to the HIPAA Questions Portal at hipaaqsportal.hhs.gov, which was launched by HHS. Providers and developers ask questions, HHS provides answers, said Dunifon, who spoke today at the HIMSS and Healthcare IT News Privacy & Security Forum in Los Angeles during a session entitled "HIPAA and mHealth: Key Challenges and Solutions."

 

 

"Key issues covered on the site include businesses regulated by HIPAA, information covered by HIPAA, and HIPAA compliance measures," Dunifon said.

When it comes to mobile health, or mHealth, it's important to fully understand the entities covered by HIPAA. These include healthcare providers, health plans and clearinghouses.

"Less clear, though, is when a company becomes a business associate under HIPAA," Dunifon explained. "A business associate is any entity that accesses or discloses protected health information for or on behalf of a covered entity or another business associate. This is very relevant in the developer environment."

 

 

Examples of businesses and tools that could require a business associate agreement, according to Dunifon, include:

 

  • A cloud services vendor that hosts PHI. "OCR has said in no uncertain terms that if an organization is using a cloud services vendor to host PHI, it needs a business associate agreement," Dunifon said.

 

  • An electronic health record developer that accesses PHI to help troubleshoot technical issues. "This is more on the routine side of the business associate definition, a company that has routine, ongoing access," he said.

 

  • A live translation mobile app used between healthcare providers and patients. "If an organization is using an iPhone or iPad on a live basis to have conversations between patients and providers discussing PHI, that needs to be covered by a business associate agreement," Dunifon said.

 

  • A patient appointment scheduling and payment mobile app. "If a provider offers to let patients schedule an appointment or pay for an appointment, that app developer needs to be covered by a business associate agreement," he said. "That can be a little confusing sometimes because there's not a clear health element to it."

 

  • Remote medical devices or apps sharing health indicators. "If you have a medical device someone is wearing that's sending information to an app, which is sharing that with the healthcare provider, and the app company is playing a role in transmitting or maintaining that information, that may be PHI covered by HIPAA," Dunifon said.

 

 

"In mobile health, if a consumer is paying for a product, it might not be PHI," he added. "But if it is being tracked by a covered entity, then it may be PHI."

 

 

Dunifon pointed conference attendees to a variety of resources to help with HIPAA compliance and mHealth, including the National Institute of Standards and Technology's Special Publications, the HHS Office for Civil Rights, HIMSS and Baker & McKenzie.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Prison Term for ID Theft at Hospital

Prison Term for ID Theft at Hospital | HIPAA Compliance for Medical Practices | Scoop.it

A former Alabama hospital worker has been sentenced to serve two years in prison for his role in an identity theft case that led to federal tax refund fraud. The case also has resulted in a class action lawsuit.

The breach at 235-bed Flowers Hospital in Dothan, Ala., spotlights that "insider threats are a large challenge," says privacy attorney Adam Greene, of law firm Davis Wright Tremaine, who is not involved in the case. "Policies, procedures and training can influence good employees, but may have little impact on employees who are considering using information for criminal purposes," he says.


"Some good ways to reduce the risk include thorough background checks of employees, reducing the use of Social Security numbers and other risky information within the organization where possible, minimizing the types of employees who have access to such information, reviewing system activity to identify patterns that may demonstrate abuse of access, and considering technologies such as data loss prevention to reduce the risk of information leaving the network," the attorney adds.

But Greene notes that even with all the right controls in place, "it is virtually impossible to completely eliminate the threat of insiders abusing their access to information systems."

Restitution Required

The U.S. Department of Justice, in a Dec. 12 statement, said that in addition to his prison sentence, former hospital lab technician, Kamarian D. Millender was also ordered to pay about $19,000 in restitution after pleading guilty in July to one count of aggravated identity theft.

Flowers Hospital, where Millender formerly worked, is part of the Community Health Systems chain. But the breach involving Millender was unrelated to a larger hacker attack on Community Health Systems earlier this year that affected 4.5 million patients.

The Alabama hospital incident is listed on the Department of Health and Human Services' "wall of shame" list of major breaches as a theft of paper records occurring from June 2013 to February 2014 and affecting 629 individuals.

Fraud Scheme

In the criminal case against Millender, federal prosecutors say he and others stole patient medical records that contained personal identification information, which was then used to file more than 100 false tax returns, victimizing approximately 73 individuals. Prosecutors say the false tax returns attempted to defraud an estimated $536,000 from the IRS. However, "the IRS was able to stop the vast majority of the falsely claimed refunds, but approximately $18,915 in refunds were issued," according to the prosecutors' statement.

Meanwhile, the class action lawsuit filed against Flowers Hospital in May alleges that the breach affected "thousands" of plaintiffs.

"Flowers [Hospital] flagrantly disregarded plaintiffs' ... privacy rights by intentionally, willfully, recklessly and/or negligently failing to take the necessary precautions required to safeguard and protect their PII/PHI from unauthorized disclosure," the suit alleges. The suit claims the plaintiffs' personal information "was improperly handled and stored, and was otherwise not kept in accordance with applicable and appropriate security protocols, policies and procedures," which led to the theft.


The class action suit alleges that patient information affected by the breach includes names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, medical diagnoses, medical record numbers, medical service codes, and health insurance information.

"There is a high likelihood that significant identity theft and/or identity fraud has not yet been discovered or reported and a high probability that criminals who may now possess plaintiffs' PII and PHI, but will do so later, or re-sell it," the lawsuit states. It alleges the hospital violated the Fair Credit Reporting Act and contains allegations of negligence and invasion of privacy by public disclosure of private facts. It seeks unspecified damages as well as reimbursement for legal expenses.

A Flowers Hospital spokeswoman declined to comment on the criminal case involving the former lab worker or the class action lawsuit.

An attorney representing the plaintiffs in the class action suit against Flowers did not reply to Information Security Media Group's request for comment. Federal prosecutors involved with the Millender criminal case also did not respond to ISMG's request for comment.

Preventing ID Theft

Privacy and information security expert Rebecca Herold points out that a big hurdle with preventing insider breaches is that, "many organizations don't want to accept that their employees would ever take information from patients or insureds and commit a crime with them, especially within healthcare provider settings, where the focus is on patient health and well-being."

Because of that trust, "organizations often do not have the policies, processes, training, awareness reminders, oversight and auditing in place to verify that employees truly are doing the right things and have not wandered off the path of compliance onto the criminal highway," says Herold, a co-owner of the consulting firm HIPAA Compliance Tools and CEO of The Privacy Professor.

While potential insider breaches will always pose a challenge for many healthcare related organizations, there is one key piece of advice that can go a long way in preventing these incidents, Herold says.

"It always starts from the top: there must be strong support for information security and privacy initiatives from the organization's top leader," she says. "Make sure all employees know that top management expects them to work in a legal and ethical manner, and that those violating the corporate policies, and applicable laws, will face appropriate sanctions, including the potential for termination and for legal actions and jail time."

more...
No comment yet.
Scoop.it!

Optical Care Chain Loses a Server, Again

Optical Care Chain Loses a Server, Again | HIPAA Compliance for Medical Practices | Scoop.it
For the second time in recent weeks, Visionworks Inc., has revealed that one of its stores misplaced a database server, apparently due to improper disposal.

See Also: Security Alerts: Identifying Signals, Avoiding Noise

In a Nov. 21 statement, Visionworks, a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., revealed that a database server at a store in Jacksonville, Fla., containing "partially unencrypted protected health information" belonging to approximately 48,000 customers had been mistakenly discarded after it was replaced on June 2 during scheduled computer upgrades.
Related Content

Top Data Breaches: Week of July 28
Target Names New CEO Following Breach
White House Hack: A Lesson Learned
Why PCI Will Issue Log Monitoring Guidance
Why a Nation-State Would Hack JPMorgan

Related Whitepapers

How JPMorgan Chase Adopted DMARC to Stop Cyberattacks and Protect their Brand
Fight Phishing and Fradulent Email with Big Data
Breach Prevention Tactics: How to Eliminate Stored Passwords
How to Secure Enterprise Email Without Disrupting Employee Workflows
Blocking Foreign Espionage and Threats to Intellectual Property

Last month, the chain announced that a store in Annapolis, Md., lost a database server containing patient information in June while it was being replaced during a store renovation (see Lost Server: What Went Wrong?). The lost Maryland computer, which contained data on 75,000 customers of that store location, is believed by Visionworks to have been discarded by mistake in a landfill.

The Jacksonville server also went missing following a computer replacement upgrade, which was recently completed, says the company.

A Highmark spokesman tells Information Security Media Group: "These were two different incidents; no other servers have been lost" from any other locations.

Any individuals who received services at the Jacksonville store prior to Sept. 26, 2014, may have been affected, the company says. Data contained on the lost server includes credit card information, which was encrypted. Visionworks did not specify what kind of PHI was unencrypted on the server, but did say eye exam information was not stored on the lost computer.

"While the location of the server is still undetermined, it was likely discarded by an employee," Visionworks says in the statement. "At this time, there is no reason to believe that any of the information residing on the server has been accessed or used inappropriately."

Visionworks says it will provide affected customers at its Jacksonville store with free credit monitoring for one year, just as it did in the Annapolis incident.
Preventive Steps

The Highmark spokesman declined to comment on steps the company is taking to prevent the loss of more servers from its stores. "Visionworks is in the process of fully encrypting all servers. The process should be complete within the next six months," he says.

While encrypting all data on the lost computer could have potentially prevented the breach at both store locations, "Server hard-drive encryption in an optometrist store is very rare," notes Kerry McConnell, a senior consultant at security services firm, Tom Walsh Consulting.

Security experts say the back-to-back incidents spotlight the need for organizations to have solid inventory management and data disposal practices, and to ensure that staff are aware of those policies.

"In our experience doing HIPAA risk assessments, we often see storerooms or locked 'cages' of older used equipment," says Dan Berger, CEO of security services firm Redspin. "We often point this out as a vulnerability for precisely the reason that occurred at Visionworks. Once taken out of service, it is very easy to forget what is on each server or workstation," he says. "That sets the stage for an inadvertent discarding of a device that contains lots of confidential data."

Berger stresses that having policies safeguarding PHI even when it's no longer needed is mandated under HIPAA.

"We cite the HIPAA Security Rule, which requires that covered entities and business associates implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored," he says.
Another Highmark Breach

Visionworks' parent company, Highmark, had another recent breach, according to the Department of Health and Human Services' "wall of shame" tally of breaches affecting 500 or more individual. That April incident, which affected about 2,600 individuals, involved "health profile and care summaries and corresponding cover letters that were incorrectly mailed."

The incident exposed the names, addresses, telephone numbers, dates of birth, unique medical identifiers, gender, medications, and health information of the affected individuals.

The HHS site notes that following the breach, Highmark "issued a new unique medical identifier to each member impacted by the incident." Additionally, the breach list entry for the incident notes that Highmark "determined that a process failure by an employee was the root cause for the incorrect mailing and subsequently terminated the employee."

Furthermore, as a result of the HHS' Office for Civil Rights' investigation into that incident, Highmark "instituted new quality review procedures for mailings and retrained employees on its privacy practices and departmental policies, processes and procedures," notes the tally entry. "OCR obtained details of the covered entity's revised policies on its health profiles to assure they include only the minimum necessary information."
more...
No comment yet.