HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
CFO Gets Prison Time for HITECH Fraud


A former Texas hospital CFO has been sentenced to 23 months in federal prison for submitting false documents so a medical center could receive payments under the HITECH Act electronic health records financial incentive program.


In addition to his prison sentence, Joe White, former CFO of the now-shuttered Shelby Regional Medical Center in East Texas, was ordered to pay restitution of nearly $4.5 million to the HITECH incentive payment program.


Court documents indicate that to help pay the restitution, White has been ordered to liquidate an IRA account and an annuity, which as of November 2014, had respective balances of about $115,000 and $2,500.


White, 68, of Cameron, Texas, pleaded guilty on Nov. 12, 2014, to making false statements in November 2012 to the Centers for Medicare and Medicaid Services that Shelby Regional Medical Center was a meaningful user of EHRs, when the hospital actually was primarily using paper records, according to the Department of Justice.


To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAA security risk assessment.

Case Details

In a statement issued by the FBI on June 18, U.S. attorney John Bales said, "The EHR incentive program was designed to enhance the delivery of excellent medical care to all Americans and especially for those citizens who live in underserved, rural areas like Shelby County. There is no doubt that Mr. White understood that purpose and yet, he intentionally decided to steal taxpayer monies and in the process, undermine and abuse this important program."


According to information presented in court, White was CFO for Shelby Regional as well as other hospitals owned and operated by Tariq Mahmood, M.D., of Cedar Hill, Texas.


The 54-bed Shelby Regional closed last year amidst legal issues involving Mahmood, who was indicted by a federal grand jury on April 11, 2013. He was charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.


Court documents indicate that Mahmood was sentenced on April 14 to 135 months in federal prison, and also ordered to pay restitution totaling nearly $100,000 to CMS, the Texas Department of Health and Human Services and Blue Cross Blue Shield.


White oversaw the implementation of EHRs for Shelby Regional and was responsible for attesting to the meaningful use of the EHRs to qualify to receive HITECH incentive payments from Medicare, according to the FBI.


As a result of White's false attestation, Shelby Regional Medical Center received nearly $786,000 from Medicare, the FBI statement says. In total, hospitals owned by Mahmood were paid more than $16 million under the Medicare and Medicaid EHR incentive program, the FBI says.


A Justice Department spokeswoman tells Information Security Media Group that the $4.5 million restitution that White was ordered to pay represents the EHR incentive money Shelby Regional received from CMS under false attestation, as well as EHR incentive money that other hospitals owned by Mahmood, for which White was also CFO, received from CMS. While White did not personally receive the incentive money from CMS, "restitution is mandatory pursuant to the Mandatory Victim Restitution Act of 1996," she explains, citing 18 USC 3663A(a)(1), which says, "Notwithstanding any other provision of law, when sentencing a defendant convicted of an offense described in subsection (c), the court shall order, in addition to...any other penalty authorized by law, that the defendant make restitution to the victim of the offense. ..."

More Cases to Come?

Healthcare attorney Brad Rostolsky of the law firm Reed Smith says that although most healthcare professionals and organizations participating in the HITECH meaningful use incentive program are trying to play by the rules, federal regulators must be on the look-out for potential fraudsters, considering the billions of dollars in incentives being paid.


"My sense is that the large majority of institutional and small/solo practice providers appreciate the context in which these meaningful use attestations are being made, and they focus on ensuring that the attestations are true and accurate," he says. "That said, in situations where the facts are as they are [in the Joe White case], it would not surprise me if the government continues to be aggressive in its enforcement."


Attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he expects federal authorities will file more HITECH criminal cases. "The sense we have gotten from public statements by OIG and others involved in prosecuting healthcare fraud violations is that there are a number of investigations ongoing to determine if there has been fraud in obtaining funds through the EHR incentive payment program," he says.


Holtzman suggests that those organizations that have received HITECH incentives must keep thorough documentation to prove they met all the requirements.


"The key is to keep detailed documentation of the information that was used to support the representations in the attestation for seven years," he says. "An individual or organization can avoid criminal culpability through showing that a reasonable effort was made to support a belief that the provider or hospital had met the meaningful use requirements and was therefore eligible for receiving EHR incentive payments."

HITECH Audits

While criminal cases related to the HITECH Act EHR incentive program have been rare, federal regulators have been ratcheting up their audits of healthcare entities attesting to "meaningful use" of EHRs.


Among those selected was Temple University Health System in Philadelphia, which recently passed an audit for meaningful use compliance at one of its hospitals, says CISO Mitch Parker. The area of attestation most closely scrutinized by CMS auditors was Temple's HIPAA security risk assessment, he says.


"You can't skimp on the risk assessment. That's the first and foremost item that they look for," he says. "And it can't be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours."

Five Common HIPAA Compliance Issues to Avoid


In the news recently was a story about surgeons in China who were punished after taking group photos next to apparently unconscious patients. In the photo, doctors and nurses in scrubs pose with a supposedly unconscious patient on the operating table in the operating room. Of course, you cannot see the patient, and but for the headline you could not tell from the photo whether it was even real or staged. The public apparently found the #surgeryselfie unacceptable, and the surgeons and nurses are now facing unknown consequences.

Violation of patient privacy rights is nothing new in the U.S.  If you look at some of the true stories that are listed on www.patientprivacyrights.org, you would be shocked at HIPAA violations that occur:

• In Florida, Walgreens Co. mailed free samples of Prozac Weekly to patients who were taking Prozac Daily.
• A Fort Lauderdale physician gave his fishing buddy, a drug company representative, a list of patients suffering from depression and the salesman arranged to send trial packages of Prozac Weekly to their homes without the patients’ knowledge or permission.
• A Pakistani woman threatened to post the entire medical files of over 300,000 patients of UC Medical Center (San Francisco) if she wasn’t paid for her medical transcribing services. The hospital was surprised to learn that the company awarded the job of transcribing the medical records had sub-contracted all those records to a company outside of the United States.
• A hospital employee easily viewed and stole Tammy Wynette’s medical records from the hospital’s databases and sold the information to the National Enquirer and Star.
• A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He then called due the mortgages of anyone suffering from cancer.

Although these examples may be shocking, they are but a few of the routine HIPAA violations that occur daily across the country. According to the Office for Civil Rights (OCR), since the compliance date of the Privacy Rule in April 2003, OCR has received over 105,960 HIPAA complaints and has initiated over 1,157 compliance reviews.

Most HIPAA cases (23,181) have been resolved by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. 

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Based on OCR’s report, the compliance issues investigated most (in order of frequency) were:
1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Lack of administrative safeguards of electronic protected health information; and
5. Use or disclosure of more than the minimum necessary protected health information.

Although most HIPAA cases appear to be resolved by the OCR, 540 referrals were made by the OCR to the Department of Justice for criminal investigation.  This would be for cases that involved the knowing disclosure or obtaining of protected health information in violation of the rules.

Finally, the most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
1. Private practices;
2. General hospitals;
3. Outpatient facilities;
4. Pharmacies; and
5. Health plans (group health plans and health insurance issuers).

As you will note, private practices are at the top of that list!

As we head into 2015, among the many items to consider is whether your practice’s operations are compliant with HIPAA.   Although many groups complete required training, too many have become disinterested in HIPAA over time.  It’s a good idea to remind your staff of the consequences of violating HIPAA and to emphasize that comments on Twitter about patients, posting #surgeryselfies, or otherwise allowing curiosity to lead to inappropriate records review, will not be tolerated. 

In smaller physician offices, staff can become quite lax about password access and too casual about the use of e-mail, messaging and other types of patient interactions that are not HIPAA compliant. 

All of these areas are ones that should be revisited in the New Year. Make a resolution to revisit your practice’s commitment to HIPAA in 2015!


No Pre-Existing Condition Exclusions Means HIPAA Certificates No Longer Required | JD Supra

Earlier this year, the Departments of Health and Human Services, Labor and the Treasury issued a final rule implementing the Affordable Care Act (ACA) and revising the requirements of other healthcare laws and regulations affected by the ACA. One of the most significant changes made was to prohibit group health plans and issuers from imposing pre-existing condition exclusions on any enrollees in plans beginning on or after January 1, 2014. Consequently, as of December 31, 2014, health plans and issuers will no longer be required to issue the Certificates of Creditable Coverage previously required under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA guarantees continuous healthcare coverage for employees who change policies or jobs, or who retire and take advantage of the Consolidated Omnibus Budget Reconciliation Act (COBRA). These portability provisions required health plan and COBRA administrators to ease the burden of transitioning between healthcare policies by providing a Certificate of Continuous Coverage 30 days before the expiration of the plan's coverage or before the insured leaves employment, to help offset a pre-existing condition exclusion period under a new health plan.

The ACA’s prohibition on pre-existing condition exclusions for plan years beginning on or after January 1, 2014 makes these HIPAA Certificates unnecessary — and are therefore no longer required — for plans beginning in 2015 and later. For plans beginning before January 1, 2014, plans and issuers may place limited exclusions on pre-existing conditions and must still automatically provide HIPAA Certificates to individuals when they lose coverage or upon request for a period of 24 months following termination of coverage.

This is only one of many obligations imposed on employers and health care organizations under a law aimed at protecting individual health information. HIPAA violations can have serious consequences, from employment discipline or termination for employees to criminal prosecution and civil penalties up to $250,000 for healthcare professionals. The most effective way to prevent such violations is to provide employees with HIPAA training to keep protected health information confidential and follow proper security practices when handling such information.


Recent HIPAA decisions suggest state courts may look to federal regulations to define negligence in the data-security context | Lexology


A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context. 

Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held that HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and, importantly, that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case, Byrne v. Avery Center for Obstetrics & Gynecology, P.C.,[1] should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information. Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action.

While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year. But most of the litigation to date has centered on a plaintiff's ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies. Invasion of privacy claims frequently fail for lack of "publication," and negligence claims fail for lack of actual injury (e.g., identity theft) under either the economic loss doctrine or Article III standing.

Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach.  In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.

The plaintiff in Byrne received treatment in connection with her pregnancy from the defendant obstetrics center, which agreed in its privacy policy not to disclose her health information without authorization. But after the child’s father filed paternity actions and served a subpoena, the obstetrics center mailed a copy of the plaintiff’s medical records to the family law court without informing Byrne. Before Byrne could seal the records, the father reviewed them and allegedly harassed and threatened her.  Byrne sued the obstetrics center, alleging, in pertinent part, statutory negligence, common-law negligence and negligent infliction of emotional distress. 

The trial court dismissed the statutory and common-law negligence claims and the negligent infliction of emotional distress count, reasoning that they were essentially HIPAA claims in disguise.[2] More specifically, addressing the state statutory negligence claim, the court wrote that "[t]o the extent that [the statute] permits disclosure of protected medical records pursuant to a subpoena without the safeguards provided by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA." Similarly, the trial court opined that if "common law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule" and "[b]ecause it is not more stringent [than HIPAA], the preemption exception does not apply." The court further ruled that insofar as the doctrine of negligent infliction of emotional distress "permits a private right of action for HIPAA claims" it is also preempted by HIPAA.

The Connecticut Supreme Court reversed the trial court's decision, holding that HIPAA does not preempt state-law negligence actions for breach of patient confidentiality, as such actions are not "contrary" to HIPAA, but either complementary or "more stringent."[3] Of interest in the broader data-security context, Connecticut joined courts in North Carolina, Kentucky, Delaware and Maine by ruling that "HIPAA and its implementing regulations may be utilized to inform the standard of care applicable" in state-law negligence actions.[4] In addition, district courts in Tennessee and Missouri have remanded negligence claims predicated on HIPAA regulations to the respective state courts, implying that such claims are proper under state law.

These rulings apply only in the HIPAA context and only in those specific states. Even so, the cases bear watching from a data-security perspective, as courts could employ similar reasoning in data-breach actions, looking to regulations or pronouncements by the Federal Trade Commission, Federal Communications Commission, or other federal regulatory entities that have entered or might yet enter the data-security fray. 

It is important to note that the Connecticut Supreme Court in Byrne assumed, without holding, that Connecticut's common law recognizes a negligence action for breach of patient confidentiality, so state courts could still hold that companies owe no data-security duties beyond those assumed in contract or imposed by statute. Moreover, the court noted that HIPAA regulations are relevant to the negligence standard of care to the extent they have become "common practice" for Connecticut health care providers. On this reasoning, only those standards that achieve frequent use within an industry or locale would inform a negligence duty.

Given the increase in data-breach lawsuits and the trend in HIPAA cases, companies should pay close attention to federal regulatory efforts, especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action.


Sony Pictures Admits HIPAA Data Might Have Been Compromised During Breach


In a breach notification letter sent to employees this week, Sony Pictures outlines the full scope of data that was compromised by attackers shortly before the Thanksgiving holiday.

The notice is similar to an email sent earlier this month, but with more detail, and encourages staff to take advantage of AllClearID, which will offer identity protection services for the next 12 months.

It also warns them against Phishing attacks, or other malicious communications that might use this incident as leverage.

The letter discusses the "brazen cyber attack" carried out by a group calling themselves GOP – or Guardians of Peace.

The group claims to have spent more than a year accessing Sony's network, and has been leaking batches of internal documents and communications since November 26. To date, the group has leaked more than 200GB of data, including pre-release movies, executive emails, sales and marketing data, and nearly everything from human resources.

"Although [Sony Pictures Entertainment] is in the process of investigating the scope of the cyber attack, SPE believes that the following types of personally identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security Number, driver's license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information.

"In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security Number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans."

Sony's attackers have leaked more than 30,000 HR records, which is why the list of compromised data in the breach notification letter is so vast.

While not mentioned in the letter directly, the leaked data also included criminal background checks, offer letters (salary and job details), and records related to personnel reviews and opinions within HR.

On Monday, Sony Pictures held a company-wide meeting at its headquarters west of Los Angeles. The details of the meeting are still emerging, but the gathering was supposed to inform employees as to the current state of the breach investigation, and hopefully offer a timeline of when things are expected to be back to normal.

Employees who have spoken to CSO have stated that network access is limited, and several systems used for day-to-day operations are still offline.

Staff are relying on weak Wi-Fi signals, Verizon Mobile Hot Spots, and a backup e-mail service that only allows communications with verified addresses. Other employees have also confirmed the grim conditions, adding that since the network shutdown shortly before Thanksgiving, productivity has slowed to a crawl in some cases.

Countering HITECH Privacy Risks from Internet of Things Products


Ready or not, the Internet of Things is poised to change the world – and the way we deliver and receive medical care. Sensors and transmitters are now cheap and small enough to be placed into virtually any product, making it possible for products as diverse as electronic toothbrushes, Fitbits and Apple Watches to connect to the Internet and allow users to control and monitor activities and gather data.

The Internet of Things has profound implications for the healthcare sector. Doctors can use connected devices for tasks like monitoring patient vital signs, analyzing data on exercise activity and much more. But along with the new possibilities comes an increased risk of data breaches and non-compliance with HITECH privacy rules and HIPAA patient protections. The challenges aren't necessarily inherent to the devices themselves; they arise from an increase in the vulnerability of the network as a whole.

Internet of Things devices that connect with healthcare provider networks introduce a new point of entry to the network, which means devices and connections can be compromised and used to access sensitive data. For healthcare providers, this makes the following questions important: Who is securing the device? Who is controlling communication protocols? It’s similar to the challenges businesses of all types are confronting in the “bring-your-own-device” era, in which workers use personal smartphones and tablets to handle business activities.

The important thing to remember is that a network is only as secure as its weakest link. This was true before Internet of Things devices became a growing trend: The business operations side of healthcare organizations have to contend with employee device security challenges and vulnerabilities associated with partner organizations just like any other business. The difference is that with Internet of Things devices coming online and being used by patients and healthcare providers, there are more opportunities for the security chain to break.

What are the potential weak links? The device itself could be compromised. The device user’s tablet or smartphone could be hacked. The home network that transmits the data to the healthcare provider could be breached. The point is, the nature of the threat hasn’t really changed – the number of entry points has expanded. And that means healthcare providers should be proactive about addressing the issue.

So how can healthcare providers mitigate the risk? One good place to start would be to educate patients who will be using remote devices on security basics. Commonsense tips would include not downloading apps or files from unknown sources and being careful about whom they trust with their data: A password management system, for example, should only be used if it comes from a trustworthy, well-established source.

For healthcare providers, precautions include making sure cloud-based data handlers are compliant with HITECH privacy regulations and that the staff fully understands their obligations, including the most recent HIPAA Omnibus privacy protections. Providers should conduct a thorough analysis of their security environment – including connection points – and have a system in place to perform ongoing assessments as the network evolves.

The Internet of Things has the potential to transform the healthcare industry, giving doctors and patients new tools to monitor health status and wellness activities. But there are significant risks involved. It’s important to remember that everything is based on trust, to some extent. Generally, there’s not much financial incentive for hackers to target individual patients’ data, but metadata from a population can be incredibly valuable, so healthcare providers should use caution and partner with an InfoSec specialist who understands their unique needs.

Survey: Charging patients for EHR access may violate HIPAA

Dive Brief:
  • A survey of healthcare providers has revealed that as much as 25% of those who charge patients for EHRs may be violating HIPAA rules by doing so, according to a report released by the American Health Information Management Association.
  • While it is permitted to charge patients a "reasonable, cost-based fee" to access their electronic medical records, the survey revealed that many providers simply mimic their individual state's photocopy policy for public records requests, charging around $1 per page. Because the fee being charged to the patient is not related to the cost of providing the record, it constitutes a violation of HIPAA policy, the report stated.
  • "Regarding charges for electronic and paper copies of records, more than half (52.6%) of respondents indicated that they charge patients for electronic copies of their medical records, and nearly two-thirds (64.7%) reported that they charge patients for paper copies of their medical records," the report stated. "Charges for electronic copies varied from a flat fee for a device to per-page fees or some combination of the two, and charges for paper copies were generally by page, with 65% reporting that they charged less than $1.00 per page. Nearly one in four respondents (23.6%) commented that they follow their state's rates for copies. Following the state rates would suggest that the fees are not uniquely based on the cost to the facility. This finding would appear to be inconsistent with HIPAA and HITECH requirements that patients may only be charged a 'reasonable cost-based fee' for copies of their medical records."
Dive Insight:

There is no doubt that the implementation of EHRs is one of the most expensive projects to hit the healthcare industry since its inception, and it's obvious that the cost of implementation is going to eventually be picked up by the consumer. Taxpayers are already footing the bill for the $28 billion already appropriated by Congress to facilitate EHR implementation through its meaningful use program, but that still doesn't cover all of their EHR expenses.

All that being said, what's at issue here is a patient's right to obtain his or her medical records. The whole point of the paperless revolution is to streamline health information and reduce costs associated with paper-only records. By that logic, HIPAA requirements are reasonable. They simply state that providers don't have the right to charge patients unreasonably to get electronic copies of their records.

Now, $1 a page (or even less) may not sound unreasonable on the surface, but with medical advances transforming many fatal conditions into chronic conditions, patients are living longer with proper treatment. It's not uncommon for a cancer patient in remission to have hundreds of pages in their medical records. And in the age of the ACA, many patients are changing doctors and plans, necessitating transfer of the EHRs. Is it fair to charge several hundred dollars for a process that is equivalent in many cases to pointing, clicking and sending an email?


NYC businesses need to focus on HIPAA training in 2015


As more people get health insurance in accordance with the current requirements, there will be an increased volume of medical records to process. Accuracy and timeliness are essential when dealing with patients' medical records. As a result of updated regulations, NYC businesses will need to focus on updated HIPAA training in 2015.

Facts About HIPAA

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). The act is meant to streamline procedures and ensure optimum protection for patient records. HIPAA makes it possible for American workers and their families to transfer and continue health insurance coverage when they lose or change their employment.

HIPAA also establishes standards for health care information in electronic billing and other processes, and works to minimize fraud and abuse. Finally, it requires confidential handling of protected health information to protect patients' privacy. Health care providers, medical billing agencies and other health-related industries must be in compliance with HIPAA.

ACA, HIPAA and HITECH

In 2010, President Obama signed the Affordable Care Act (ACA). In 2013, the U.S. Department of Health and Human Services' Office for Civil Rights released its final regulations pertaining to privacy rights for patients. As a result, there have been major changes required of health care providers under two federal laws, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted in 2009.

Changes include direct regulation of business associates' subcontractors, and a prohibition on health plans using genetic information for underwriting, among many others. Patients have new rights to their health information, and the government has a greater ability to enforce the law. As a result, NYC businesses need to ensure their staff is properly trained to fully understand the ramifications of these regulations.

Updated HIPAA Training

There are options when it comes to HIPAA training for employees. The U.S. Department of Health and Human Services Office for Civil Rights offers six educational programs for health care providers that cover various compliance aspects of the HIPAA rules. Private providers, such as Global Learning Systems, offer updated HIPAA training to satisfy the mandatory HIPAA and HITECH training components for a business' staff. Learners are updated on the security and privacy requirements mandated in Title II of HIPAA, the HITECH amendments and the Final Omnibus Rule, which provide enhanced privacy protection to patients.

Recently, Renal & Urology News stated that training is a cost-effective and easy HIPAA safeguard. As the workload increases in 2015, it creates a greater likelihood of errors being made. Organizations in NYC must consider staff training to ensure compliance, reduce the risk of costly mistakes and ensure the proper level of privacy for each patient.

HIPAA rules on privacy taken too far

Recently, I was told by a court official in Outagamie County that federal law prohibited the release of the name of a man I had just heard speak in open court.

He was a participant in the county's Drug and Alcohol Treatment Court. He had been charged with driving while intoxicated as a fourth offense, but was offered a chance to go through a treatment program instead of serving jail time.

I attended the proceeding as a reporter for The Post-Crescent, working on a story for Gannett Wisconsin Media's statewide probe into repeat drunken drivers. The man had made a point about the costs of the program and I wanted to verify his charge history.

But when I asked for his name, the court official said it could not be released, citing the federal Health Insurance Portability and Accountability Act of 1996. That law, commonly called HIPAA, protects private health information.

It also, as this episode attests, is often misapplied.

In this case, there was no valid reason for withholding the man's name, and after a discussion with the circuit judge, I was able to obtain it. I ended up using his comment but not naming him in my story.

This was a public program, run by publicly paid officials, involving criminal defendants serving court-ordered sentences. The decision of whether to use this person's name should be up to the media, not the court official.

As the Reporters Committee for Freedom of the Press has noted, HIPAA remains a "prickly" obstacle for journalists. To help reduce conflicts and confusion, the group has sorted out just who is and who isn't covered.

Health care organizations like hospitals, life insurers, ambulance services and public health authorities are all subject to HIPAA rules. Firefighters, police, court officials, reporters and patients themselves are not.

Neither are public officials who have nothing to do with the delivery of health care services. And yet, in one instance, a Louisiana State University representative told reporters he couldn't discuss a player's knee injury.

"Due to these new medical laws, our hands are tied," the official said.

Often, the most valuable information available to reporters is found on health facility directories, which are not protected by HIPAA. Hospitals may release an individual's name, location in the facility and general condition.

HIPAA also doesn't bar reporters from interviewing patients in a waiting room.

Statistical information related to hospitals, including their billing data, is not covered by HIPAA. Much of this information can be released electronically without names attached.

The Association of Health Care Journalists has produced another useful list of what HIPAA does not protect, including police and fire incident reports, court records, birth and autopsy records.

Felice Freyer, the association's treasurer and a member of its Right to Know Committee, said HIPAA overreach is widespread.

"Oftentimes, people are unsure about the law and can't be bothered to check, so it's easier to say 'no' and refer to HIPAA," said Freyer, a health care reporter for the Boston Globe.

"Frequently, hospitals say they can't let you talk to a patient, but that's not true."

No one disputes that people have a right to privacy when it comes to personal medical matters. But that right should not be taken to absurd lengths, beyond what the law prescribes.

Latest HIPAA settlement emphasizes need to regularly address software vulnerabilities | Lexology

On December 2, the Department of Health and Human Services, Office for Civil Rights (OCR) announced a $150,000 settlement with Anchorage Community Mental Health Services, Inc. (ACMHS) for alleged violations of the HIPAA Security Rule. The announcement followed an OCR investigation into a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals. OCR highlighted three Security Rule violations in its resolution agreement: (1) failure to conduct an accurate and thorough risk analysis; (2) failure to implement security policies and procedures; and (3) failure to have reasonable firewalls in place, as well as supported and patched IT resources. In a press release regarding the settlement, OCR Director Jocelyn Samuels noted that “successful HIPAA compliance . . . . includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

OCR began its investigation after ACMHS reported a malware-related breach of unsecured ePHI on March 12, 2012. OCR stated that the breach was the direct result of ACMHS’ failure to “identify and address basic risks” to the security and confidentiality of ePHI in its custody. ACMHS adopted sample Security Rule policies and procedures in 2005, but apparently did not implement them until OCR’s investigation began in 2012. OCR’s review of the ACMHS IT infrastructure revealed critical shortcomings including unpatched systems running outdated or unsupported software, and inadequate firewalls with insufficient threat identification monitoring of inbound and outbound traffic.

The ACMHS settlement emphasizes three key takeaways for HIPAA covered entities and business associates:

  • Tailor Security Rule compliance programs. Although the HIPAA Security Rule provides flexibility to entities in choosing the most appropriate compliance strategies, each organization must (1) conduct an accurate and thorough assessment of the particular risks facing ePHI held by the entity and (2) tailor its policies and procedures to adequately address those risks. This settlement demonstrates that a “one size fits all” approach based on template policies and procedures will not suffice for Security Rule compliance.
  • Conduct regular and thorough risk assessments. As OCR and NIST emphasized in a September conference on safeguarding health information, comprehensive risk analysis and risk management are two cornerstones of an effective IT security program. In its press release regarding the ACMHS settlement, OCR highlighted its Security Rule Risk Assessment Tool, released in March 2014, which was developed to assist small- to medium-size providers with conducting risk assessments.
  • Regularly patch and update software. The OCR investigation determined that the breach suffered by ACMHS may have been preventable had its employees regularly patched known vulnerabilities and kept software up to date. OCR also identified the need for entities to maintain threat identification monitoring, which is significant given the dynamic and evolving cybersecurity threat landscape.
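The two infrastructure shortcomings OCR cited against ACMHS, a default-allow firewall and no monitoring of inbound or outbound traffic, are the kind of finding an entity can catch itself with a small audit script before an investigator does. What follows is an added example, not code from the Lexology article, from OCR or from ACMHS: it parses an `iptables-save` dump and flags filter chains whose default policy is not DROP, and INPUT/OUTPUT chains that carry no LOG or NFLOG rule. The weak and hardened rule sets embedded in it are constructed for illustration, and the checks themselves (deny by default, a rate-limited LOG rule before the drop, in both directions) are this example's assumptions about what "reasonable" means; the page only quotes OCR's word "reasonable" and gives no technical standard.

```python
"""Audit an iptables-save dump for a default-allow packet filter and for
missing inbound/outbound logging (the two firewall shortcomings OCR cited).
Added example; the rule sets below are constructed, not ACMHS's config."""
import re

CHAINS = ("INPUT", "OUTPUT", "FORWARD")


def parse_filter_table(dump):
    """Return ({chain: policy}, [rule lines]) for the *filter table only."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = (line == "*filter")
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        m = re.match(r"^:(\S+)\s+(\S+)", line)   # ":INPUT ACCEPT [0:0]"
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        if line.startswith("-A "):
            rules.append(line)
    return policies, rules


def audit_firewall(dump):
    """Return a list of findings; an empty list means both checks pass."""
    policies, rules = parse_filter_table(dump)
    findings = []
    # Check 1: every built-in chain must deny by default.
    for chain in CHAINS:
        policy = policies.get(chain)
        if policy is None:
            findings.append(f"{chain}: chain missing from filter table")
        elif policy != "DROP":
            findings.append(f"{chain}: default policy is {policy}, expected DROP")
    # Check 2: inbound and outbound traffic must both be logged somewhere.
    for chain in ("INPUT", "OUTPUT"):
        logged = any(
            r.startswith(f"-A {chain} ") and re.search(r"-j (LOG|NFLOG)\b", r)
            for r in rules
        )
        if not logged:
            findings.append(f"{chain}: no LOG/NFLOG rule, traffic is not monitored")
    return findings


# Constructed: default-allow in every direction, nothing logged.
WEAK = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed: default-deny, explicit allows, rate-limited log before the drop.
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_firewall(dump) or ["OK"])
```

On a live host, feed it the output of `iptables-save` (nftables rulesets need a different parser). The OUTPUT check matters as much as the INPUT one: malware that has already landed, as in the ACMHS breach, is detected by egress it is not allowed to make, which is why the logging rule is placed in both chains.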

In addition to the monetary payment, the settlement agreement imposes a two-year corrective action plan. The ACMHS settlement follows a series of enforcement actions in which OCR has entered into resolution agreements and corrective action plans with HIPAA covered entities for alleged violations of the Privacy, Security, and Breach Notification Rules. In the past two years, OCR has entered into twelve HIPAA resolution agreements, with settlements totaling over $11.7 million. As OCR prepares to roll out the next phase of its audit program, which will be used as an enforcement tool and may lead to full-scale compliance reviews, HIPAA-regulated entities should examine their security practices to ensure they are appropriately managing risks to ePHI—which includes reviewing systems and applications for unpatched vulnerabilities or unsupported software.

Are You Ready for a HIPAA Audit?

CynergisTek, a health information technology security consultancy, is offering a full-scale mock audit for HIPAA privacy, security and breach notification compliance to prepare covered entities for real audits from the HHS Office for Civil Rights.

The mock audit will apply OCR timelines and follow the government's process, starting with receipt of an audit notification letter. Other areas covered include compiling the required documentation and reviewing it for deficiencies, onsite interviews with staff, draft and final audit reports, a workshop on findings and lessons learned, and a performance evaluation presentation to senior executives.

“CynergisTek will hold your staff to OCR standards when assessing your organization’s ability to demonstrate HIPAA compliance and will identify your organization’s readiness and ability to respond,” according to information from the company. The audit may be disruptive to normal operations, as would a real one, it warns.
