HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Data breach costs rise 23 percent since 2013

The cost of a data breach on a company is $3.8 million, a jump of 23 percent from 2013, according to a Ponemon Institute report sponsored by IBM.


The study looks at the cost of data breaches at 350 companies in 11 countries. The cost for each record stolen that contained sensitive information was about $145-$154; stolen healthcare records were the most costly, reaching as high as $363 per record, according to the report.


The reasons for the increase, Ponemon Institute founder Larry Ponemon says in an announcement, include the growing number of cyberattacks on all industries, the financial consequences of losing consumers after an attack and the cost of investigations into breaches.

Breaches and cyberattacks on the healthcare industry are far too common, with a new one reported almost every week. In the past six months, health insurers Anthem, Premera and CareFirst BlueCross BlueShield have had to notify patients that their information was compromised in an attack.


Anthem may face damage control costs of more than $100 million after a cybersecurity attack exposed the information of about 80 million of its current and former customers.


The Ponemon study also looked at the impact of involvement of industry leaders on data breaches. Researchers found more positive consequences and reduced costs when boards of directors take an active role in a breach's aftermath.


Medical Staff Resistance to HIPAA Compliance

Recently, while reading a 2013 article in Information Week, "Doctors Push Back Against Health IT's Workflow Demands," I thought about various scenarios individuals have brought to my attention. It is indisputable that both the healthcare industry and physicians have been dealing with a dramatic shift in the landscape and, in turn, having to adapt to and implement a variety of new processes. In the article, the authors say, "There's a powerful force working against the spread of health IT: physician anger, as doctors resist adopting workflows that can feel to them more like manufacturing than traditional treatment." There are several reasons for this: uncertainty in reimbursement, the transition to ICD-10, and compliance requirements related to HIPAA and the Affordable Care Act.

Some of the situations that have been brought to my attention include: entities refusing to sign a Business Associate Agreement (BAA), refusing to choose a vendor because its text messaging product requires a password that must be used and periodically changed, and giving a username/password to other members of the care team so they can change or augment the electronic health record. Needless to say, all of these scenarios are problematic for several reasons. First and foremost, they violate the legal standards set forth in HIPAA, the HITECH Act, and the 2013 Final Omnibus Rule. Second, engaging in these practices makes the person more vulnerable. Lastly, refusing to utilize a password in order to optimize both IT security and compliance is foolish.


At its core, a Business Associate Agreement is required between parties who create, receive, maintain, or transmit protected health information (PHI) on behalf of or for a covered entity. The phrase "on behalf of or for" is crucial because it extends beyond the relationship between the covered entity and a single business associate. This is the requirement of federal HIPAA. States may, and in fact do, have more stringent requirements.


One of the greatest areas of vulnerability is texting sensitive data using smartphones. Hence, it is crucial to make sure that the iPhone app is encrypted and requires a password (ideally, this would be a two-factor authentication method). Yet, I have heard stories where physicians belligerently refuse to adopt a technology because of the requirement.

Lastly, providing a nurse or PA with access to a medical record utilizing the physician's user name and password is absurd. Think of the Ebola case in Dallas, Texas, where the nurses left notes in one section that the physicians did not read. What if both individuals had used the same user ID and password? How easy would it be to look at the audit log and determine who made the entry? The level of legal liability associated with this practice is exponential.


Given that these scenarios really do happen, what steps can be taken by physicians and other entities? Here are a few suggestions:


• Adopt a "no tolerance" policy and sanctions for non-compliance from the medical staff in relation to HIPAA compliance. Many organizations have these in place.

• Get your Business Associate Agreements in order and keep a log of all the vendors, business associates, and other entities that need to have one — along with the date they were executed.

• Never give your user id/password to anyone; the system administrator has it.



Coast Guard called to task for insufficient health data privacy

The U.S. Coast Guard has made progress in developing a culture of privacy, but still faces challenges because it lacks a strong organizational approach to resolving health privacy issues, according to a report from the Department of Homeland Security's Office of Inspector General (OIG).


The report is based on an audit to determine whether the Coast Guard complies with privacy regulations, including the Health Insurance Portability and Accountability Act.


The report cites five areas of concern:

  1. Coast Guard privacy and HIPAA officials do not formally communicate to improve privacy oversight and incident reporting, which limits USCG's ability to assess and mitigate the risks of future privacy or HIPAA breaches. The OIG urges a formal mechanism be set up to ensure that communication takes place.
  2. USCG does not have consistent instructions for managing and securing health records. The report calls for consistent instructions for managing health record retention and disposal.
  3. The Coast Guard's clinics have not completed contingency planning to safeguard privacy data from loss in case of disaster. The report shows photos of rooms full of paper records in tubs and others of water damage to a ceiling. OIG says the Coast Guard should make a plan of action and milestones to ensure it is safeguarding privacy data in the event of emergency or disaster.
  4. Clinics lack processes to periodically review physical security, placing privacy data at unnecessary risk. The OIG calls for an action plan and periodic review of physical safeguards to mitigate risks to protected health information at clinics.
  5. USCG has not assessed the merchant mariner credentialing program and processes to identify and reduce risk to merchant mariners' privacy data managed throughout its geographically dispersed program operations. The report says there needs to be a plan to improve controls to better protect this data.


The Coast Guard agreed with all recommendations made by the OIG. It is the only branch of the Department of Homeland Security that has an EHR system for its work force, FierceEMR previously reported. It adopted an Epic system in 2012. 


DHS has a system for immigrant detainees, but not its own employees. The system fully implemented earlier this year at U.S. Immigration and Customs Enforcement is considered one of the largest and "most robust" EHR systems in the federal government, according to an ICE announcement. It's sure to be eclipsed in size, though, by the $11 billion contract to be let later this year to modernize the Department of Defense system.



Office for Civil Rights Launches Phase 2 HIPAA Audit Program with Pre-Audit Screening Surveys

Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities have reported that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently sent pre-audit screening surveys to a pool of covered entities that may be selected for a second phase of audits (Phase 2 Audits) of compliance with the HIPAA Privacy, Security and Breach Notification Standards, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). OCR had originally planned to issue these screening surveys in the summer of 2014.

Unlike the pilot audits conducted in 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR is conducting Phase 2 Audits of both covered entities and business associates. The Phase 2 Audit program will focus on areas of greater risk to the security of protected health information (PHI) and on pervasive non-compliance based on OCR’s Phase 1 Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards. OCR also intends for the Phase 2 Audits to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR has stated that it will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

The following sections describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for Phase 2 Audits.

Selection of Phase 2 Audit Recipients


Based on prior statements from OCR about the Phase 2 Audits, the surveys recently issued to covered entities appear to indicate that OCR has randomly selected a pool of 550 to 800 covered entities through the National Provider Identifier database and America’s Health Insurance Plans’ databases of health plans and health care clearinghouses. The survey requests organization and contact information.

OCR has said that based on the survey responses, it will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits. OCR will then notify and send data requests to the 350 selected covered entities. The data requests will ask the covered entities to identify and provide contact information for their business associates. OCR will select the business associates that will participate in the Phase 2 Audits from this pool. OCR had previously indicated that compliance audits of business associates would begin in 2015 and continue into 2016, but this timeframe will likely be pushed back based on the delay in the Phase 2 Audits of covered entities.

Audit Process


OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards, and 100 covered entities for compliance with the Breach Notification Standards.

Covered entities and business associates will have two weeks to respond to OCR’s audit request. The data requests will specify content and file organization, file names and any other document submission requirements. OCR will only consider current documentation that is submitted on time. OCR has indicated that auditors will not have an opportunity to contact the entity for clarifications or to request additional information, so it is critical that the documents accurately reflect the program. Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review. The Phase 2 Audits are expected to take place over three years.

OCR previously stated that the Phase 2 HIPAA Audits would be conducted as “desk audits” rather than onsite visits. In more recent statements, however, OCR has indicated that while most Phase 2 Audits will be desk audits, OCR will also conduct some onsite, comprehensive audits. OCR has said that it will make the Phase 2 Audit protocol available on its website so that organizations may use it for internal compliance assessments.

The Phase 2 Audits will target HIPAA Standards that were frequent sources of non-compliance in the Phase 1 Audits, including risk analysis and risk management, content and timeliness of breach notifications, notice of privacy practices, individual access, the Privacy Standards’ reasonable safeguards requirement, workforce member training, device and media controls, and transmission security. OCR projects that later Phase 2 Audits will focus on the Security Standards’ encryption and decryption requirements, facility access control, breach reports and complaints, and other areas identified by earlier Phase 2 Audits. Phase 2 Audits of business associates will focus on risk analysis, risk management and breach reporting to covered entities.

OCR will present the organization with a draft audit report to allow management to comment before the report is finalized. OCR will then take into account management’s response and issue a final report.

What Should You Do to Prepare for the Phase 2 Audits?


Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:

  • Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (Risk Assessment)

  • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion

  • Ensure that the organization has a complete inventory of business associates and their contact information for purposes of the Phase 2 Audit data requests

  • If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (1) why any such addressable implementation standard was not reasonable and appropriate, and (2) all alternative security measures that were implemented

  • Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards

  • For health care provider and health plan covered entities, ensure that the organization has a compliant Notice of Privacy Practices and not only a website privacy notice

  • Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI

  • Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for workforce members to perform their job duties

  • Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment)

  • Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has a documented risk analysis supporting the decision not to employ encryption

  • Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan

  • Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (physical security plan, disaster recovery plan, emergency access procedures, etc.)



Don’t Forget the Paper: Records and Policies

Another HIPAA breach settlement announcement and another lesson from the Department of Health and Human Services Office for Civil Rights (“OCR”). Cornell Prescription Pharmacy (“Cornell”) is a single location pharmacy located in Colorado that will pay OCR $125,000 to resolve allegations of a variety of HIPAA violations. When the facts of the circumstances are described, it will likely raise questions as to why the settlement was so low.


The issues at Cornell were revealed to OCR by a local news station. The news station found paper-based protected health information disposed of in an unsecured dumpster generally accessible to the public. After receiving the report, OCR investigated Cornell. OCR’s investigation revealed that Cornell had no written policies in place to implement the HIPAA Privacy Rule, no training regarding Privacy Rule requirements was conducted, and protected health information was not reasonably safeguarded.


Despite all of these findings, as indicated above, Cornell only faces a $125,000 settlement amount in addition to the usual requirement to enter into a corrective action plan. It is interesting to note that on April 27, 2015 when the settlement was announced, the first Resolution Agreement posted showed a resolution payment of $767,520. No information has been provided to explain the reduction. One possible answer is that Cornell is a very small entity and may not have been able to afford the higher resolution amount. It would be beneficial to monitor for more information on this account.


As set forth in the settlement announcement, OCR wants every entity to know that it may be subject to HIPAA enforcement, including fines and penalties. A quote from OCR Director Jocelyn Samuels says it all: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by ... unauthorized persons.” It is incumbent upon all organizations to implement appropriate policies and procedures to satisfy HIPAA requirements.


One of the more stunning aspects of the Cornell settlement was the revelation that Cornell had no written policies or procedures to comply with the Privacy Rule. This is slightly different from other settlements where OCR found inadequate or non-existent security policies. Arguably, privacy policies are easier to implement because the Privacy Rule provides a fairly comprehensive and clear-cut guide with regard to what policies and procedures need to be put into place. Additionally, there is no need to do the equivalent of a risk analysis to determine what privacy policies to put into place, as there is for security policies.


While the statement about no policies being in place should be shocking, multiple surveys recently have found that a lack of knowledge about HIPAA is still fairly widespread. HIPAA in its original form has been around for almost 20 years at this point. Why is it that organizations still do not know what they need to do to comply? Is it unintentional lack of awareness or something more deliberate? No matter the reason, the government is clearly monitoring and looking for organizations that are not in compliance. The resolution amounts remain wildly unpredictable, but many statements have suggested that recent fines will pale in comparison to fines that will be levied in the future. It is better for organizations to get their houses in order at this point rather than having an audit uncover deficiencies. It will be a safe bet that any problems found in an audit will result in higher fines being assessed.



Privacy experts worry 21st Century Cures Act could weaken HIPAA

Some patient privacy advocates worry the language in the revised 21st Century Cures Act could significantly weaken the HIPAA privacy protections for patient data, according to an article at HealthcareInfoSecurity.com.


Most notably, the draft legislation, designed to accelerate the discovery, development and delivery of new drugs and treatments, would allow protected health information to be used for research purposes without patient consent as long as it's being used by covered entities or their business associates.


"Because PHI used for research could involve genetic information, the [research exemption] could potentially provide [use and disclosure] of information on the genetic traits of family members," privacy attorney David Holtzman told HealthcareInfoSecurity. "Once that data is out, you can't get it back."


Deborah Peel, M.D., founder of the advocacy group Patient Privacy Rights, said it's an especially bad idea, pointing out that there is "no 'chain of custody' for our health data. It's impossible to know where in the world it is or how it's being used," she said.


Another provision in the draft bill would give researchers remote access to PHI maintained by a covered entity if "appropriate security and privacy safeguards are maintained by the covered entity and the researcher, and the protected health information is not copied or otherwise retained by the researcher."


In cases where the disclosure of PHI is to a researcher that is not a covered entity or business associate, the statute appears to allow covered entities to make the decision to grant remote access, rather than requiring it go through a review board, according to privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

The bill also appears to allow covered entities and business associates to receive payments in exchange for disclosing protected health information for research. As it stands now, payments are limited to the reasonable cost of preparing and transmitting PHI.


The bill's current language requires the changes to be made to HIPAA within 12 months of passage.


The American Medical Informatics Association (AMIA) has been lobbying for allowing the changes for certain types of "observational" research.


"The intent was never to open up all research and all data without patients' consent," AMIA president and CEO Douglas Fridsma told Healthcare Info Security.


Currently, patient PHI can be used without consent only for improving operations within a particular healthcare organization, but if an organization discovers a method--say a surgical checklist--that improves care for all patients, it cannot publish a paper on that without the consent of every patient studied, he explained.



Health Research Bill Would Alter HIPAA

Some privacy experts are concerned that a bipartisan 21st Century Cures bill, as drafted, would weaken HIPAA privacy protections for patient information. The measure, among other things, is designed to help the medical community speed up the development of new drugs and treatments.


A discussion draft unveiled on April 29 proposes that the Secretary of the Department of Health and Human Services would "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under the current HIPAA Privacy Rule, PHI may be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If a proposed provision in the draft legislation is signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved.

The draft was jointly issued by Fred Upton, R-Mich., chairman of the House Energy and Commerce Committee, Rep. Diana DeGette, D-Colo., ranking member of the Oversight and Investigations Subcommittee, and several other Republican and Democratic House members. Work on the legislation began a year ago, and a markup version of the bill, which covers a broad range of topics, is expected this week.

"Most significantly, the bill would require HHS to revise the HIPAA regulations so that uses and disclosures for research are treated the same as uses and disclosures for a covered entity's own healthcare operations, as long as any disclosures go to a HIPAA covered entity or business associate," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"This seems to mean that such research uses and disclosures could occur without an individual's authorization or an Institutional Review Board's or Privacy Board's waiver of authorization," he says. Essentially, research uses and disclosures would only be restricted by the 'minimum necessary' standard, he says. The HIPAA Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the "minimum necessary" to accomplish the intended purpose.

Easing Research

Backers of the bill say it's needed because it has the potential of helping to knock down barriers to advancing medical innovation and treatment, including tapping breakthroughs in molecular medicine, genomics and related health technologies.


"For the first time ever, we in Congress are going to take a comprehensive look at what steps we can take to accelerate the pace of cures in America," DeGette says in a statement. "We are looking at the full arc of this process - from the discovery of clues in basic science, to streamlining the drug and device development process, to unleashing the power of digital medicine and social media at the treatment delivery phase."


A source at the Energy and Commerce Committee says the markup of the bill is expected on May 14. "We are very careful to limit the potential to use PHI for research purposes only to covered entities and business associates working for covered entities - trusted organizations that have a relationship with the individual and that are already allowed to use PHI to improve care," the source says. "The committee wants those covered entities to not only improve care in their own institution, but be able to publish the findings of their research - without disclosing any identifiable PHI, of course. The bill ensures that PHI used for research is fully covered by the protections of the HIPAA privacy, security and breach reporting rules."


But some privacy experts say the bill goes too far in potentially removing patient privacy protections when it comes to the use of PHI for research.


The privacy provisions, as they appear in the draft bill, "roll back essential protections of the control that patients have over how their information is used and disclosed," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Because PHI used for research could involve genetic information, the [research exemption] could potentially provide [use and disclosure] of information on the genetic traits of family members. Once that data is out, you can't get it back."

Other Privacy Provisions

The bill also proposes providing individuals with one-time authorization that would allow the use and disclosure of their PHI for future research purposes.


"In cases where the covered entity or business associate needs an authorization, it would require HHS to put its interpretation into regulation that an authorization can encompass future research studies," Greene says. The bill's proposals appear to further expand the authority to use and disclose protected health information for research and codify in regulation a recent HHS interpretation allowing an advanced authorization for future research.


While HHS indicated in the HIPAA Omnibus Rule commentary that an authorization may authorize uses and disclosures of protected health information for future research studies, Greene says, "this bill would require HHS to put this into the HIPAA regulations themselves."

Deborah C. Peel, M.D., founder of Patient Privacy Rights, an advocacy group, tells Information Security Media Group the future-research proposal is "a very bad idea," adding "no data should ever be used except for a single purpose. It's especially bad because today we have no 'chain of custody' for our health data. It's impossible to know where in the world it is or how it's being used. The risks of today's ubiquitous data surveillance and collection systems are unknown. When has it ever been smart to agree to something you have no understanding of?"


Another provision in the draft bill would give researchers remote access to PHI maintained by a covered entity if ''appropriate security and privacy safeguards are maintained by the covered entity and the researcher, and the protected health information is not copied or otherwise retained by the researcher."


Greene says that in cases where the disclosure of PHI is to a researcher that is not a covered entity or business associate, "the statute would broaden the permission for disclosing protected health information preparatory to research, allowing a covered entity to grant remote access to the researcher, rather than requiring that the review occurs at the facility."


Additionally the bill would make changes regarding PHI used in paid research. "The proposed bill appears to also allow covered entities and business associates to receive remuneration, such as payments, in exchange for disclosing protected health information for research," Greene notes. "Currently, such payment would be limited to the reasonable cost for preparation and transmittal of the protected health information."


The remuneration proposal also diminishes patients' control over how their PHI is used for paid research, Holtzman says. "The proposals remove key reforms in the HITECH Act [HIPAA Omnibus final rule] that require specific [patient] authorization for disclosures of information when money is changing hands," Holtzman says. "That [HITECH provision] is to give an individual a choice when there is remuneration involved. The proposal would roll back important rights requiring patient permission when their health information is disclosed in exchange for payment."

More Scrutiny Needed

Holtzman says he hopes the provisions in the draft bill are thoroughly vetted before the legislation progresses further. "This document appears to be in the early stages. I trust that the privacy community would undergo exhaustive debate and review of this document as it develops."


Greene predicts that the proposal "may garner strong views from both the research community and privacy advocates, with researchers perhaps indicating that HIPAA is standing in the way of good research and that these changes are necessary, while some privacy advocates may claim that these changes go too far in allowing uses and disclosures without an individual's consent or authorization."

Peel, the consumer advocate, contends: "These new provisions are really out-of-date and clearly designed for paper consents - a total nightmare."


Under the current language in the bill, HHS would be required to make the changes to HIPAA "not later than 12 months after the date of the enactment of the Act."



OCR addresses application of HIPAA privacy rule to Workplace Wellness Programs

Healthcare providers are accustomed to the privacy and security rules contained within the Health Insurance Portability and Accountability Act (“HIPAA” or the “Act”) – particularly as they apply to the careful management of patient information. On April 24, 2015, the Health and Human Services Office for Civil Rights (OCR) issued important guidance regarding HIPAA’s application to employee health and wellness programs. OCR is responsible for enforcing the Act’s privacy and security rules.


The HIPAA privacy and security rules generally apply to “covered entities” – defined as (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form. The rules also apply to “business associates.” The Act is most often associated with medical records generated by a health care provider. An employer – solely by hiring and paying an employee – is not subject to the obligations of the Act. In general, the Act does not apply to an employee’s employment records.

OCR’s recent guidance addresses two important issues: 1) when does the Act extend to an employer’s health and wellness program; and 2) when may a health plan provide a sponsor employer with access to a participant’s protected health information (PHI).


The recent guidance makes clear that the application of the Act depends upon the structure of the employer’s health and wellness plan. Note that a health plan is a “covered entity” and is subject to the Act. OCR noted that a health and wellness program that is offered to employees as part of the employer’s health plan benefit is covered by the Act and its rules. A health and wellness program that is not part of a health plan is not covered by the Act and its rules – though other federal and state laws may apply to protect the confidential nature of such information.


In many instances, an employer (as the health plan’s sponsor) may administer the health and wellness program (among other elements of the plan). A health plan (a “covered entity” and subject to the Act) may provide an employer-sponsor access to an employee’s health information under limited circumstances where the employer-sponsor is involved in administering the program. In particular, the health plan may provide access to the employee’s PHI only to permit the employer-sponsor to perform its administrative functions, and only if the employer-sponsor agrees to modify its plan documents and certifies that it will:


  1. Establish adequate separation between employees who perform plan administration functions and those who do not;
  2. Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
  3. Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.


Health plans and employers (particularly those within the health care industry, where HIPAA awareness is already high) should be prepared to proactively address the protection of, and access afforded to, employee-participants’ PHI. In addition, since the health plan (as a “covered entity”) has specific obligations related to any PHI breach, the health plan and employer-sponsor should carefully and thoroughly review the privacy and security protection provided to all employee-participant PHI.


If an employer-sponsor does not perform administrative functions on behalf of the health plan, access to an employee-participant’s PHI is further limited. In particular, in such instances, the health plan may only disclose: 1) information on which individuals are participating in the plan or enrolled in the health insurance issuer or HMO offered by the plan; and 2) summary health information to the extent requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan.



Health system sees 7th HIPAA data breach


How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinical data were compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in less than five years.

It wasn't until March 12, 2015, that officials said they discovered which patients were impacted by the breach, which involved the compromise of an employee's network username and password.

"St. Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter.

According to data from the Office for Civil Rights, which keeps track of HIPAA breaches involving 500 people or more, St. Vincent health system has been a repeat HIPAA offender. Its most recent breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patient letters to the wrong patients.

The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients.



Data Breach Insurance: Does Your Policy Have You Covered?


Recent developments in two closely watched cases suggest that companies that experience data breaches may not be able to get insurance coverage under standard commercial general liability (CGL) policies. CGLs typically provide defense and indemnity coverage for the insured against third-party claims for personal injury, bodily injury or property damage. In the emerging area of insurance coverage for data breaches, court decisions about whether insureds can force their insurance companies to cover costs for data breaches under the broad language of CGLs have been mixed, and little appellate-level authority exists.


Shocks and surprises in new breach trend studies


Since 2010, HHS has documented more than 1,000 major data breaches (where each incident involved the compromise of more than 500 patient records). Now we’re starting to see some in-depth analyses of those breaches.


In the new issue of the Journal of the American Medical Association (JAMA), there’s a study that concludes that 29 million medical records were compromised between 2010 and 2013.

The JAMA study also found that six of the breaches involved at least one million records each – and more than one third of all breaches occurred in just five states: California, Texas, Florida, New York and Illinois.


The study was accompanied by an earnest editorial subtitled “The Importance of Good Data Hygiene.” The authors called for a total overhaul of HIPAA, which they described as “antiquated and inadequate.” They noted that HIPAA doesn’t adequately regulate the use of Protected Health Information (PHI) by “digital behemoths” like Apple, Google, Facebook and Twitter.


In addition to the JAMA report, our company did an extensive analysis of 2014 data breach trends summarized here. We thoroughly documented 89 of those breaches, and we excluded the huge Community Health Systems breach so it wouldn’t skew the other data. Here are the most important trends we spotted:

Non-digital breaches still a problem

In the 89 incidents, paper breaches accounted for 9 percent of compromised records in the first half of 2014 – and 31 percent in the second half. Nearly 200,000 paper records were compromised, plus about 60,000 pieces of individually identifiable health information ranging from lab specimens to x-rays. Obviously, it’s still vitally important to safeguard the confidentiality of non-digital health records. Organizations must clarify and enforce policies and procedures to achieve that goal.

Theft of portables still a concern

We confirmed the loss or theft of 12 portable computing devices last year – and the lack of appropriate physical safeguards was a major contributing factor. In addition to taking greater common-sense precautions, organizations should use whole-disk encryption and other technical safeguards to render PHI unusable, unreadable or indecipherable to unauthorized people. Policies and procedures for portable device security need to be clearly communicated to all employees – and workforce training needs to involve much more than a dry online tutorial.

Watch out for rogue employees and business associates

We uncovered 45 incidents involving company insiders that resulted in the compromise of nearly half a million records. In other words, about half of all the data breaches were the result of mistakes or malice by an organization’s own people. It’s impossible to prevent every workforce-related breach, but everyone in the organization needs to be on the lookout for unusual activities that could spell trouble. All employees and BAs need to know that the hammer will come down – swiftly and consistently – on insiders who intentionally compromise patient data.

No organization should shout “hooray” simply for avoiding an Anthem-scale breach. There are many other incidents – improper disposal of paper records, misplaced x-rays, employee snooping, and more – that can still do a lot of financial and reputational damage. Those are the types of breaches that even a HIPAA tech-fix can’t solve.

These breach trend summaries agree on one main point: healthcare organizations need to constantly assess the maturity of their information risk management programs – and not view them as a narrowly defined “HIPAA compliance” duty.



Kareo Announces Apple Watch App To Improve Medical Practice Efficiency


Kareo, the leading provider of cloud-based medical office software for independent medical practices, today announced the launch of its Apple Watch App. Kareo’s most recent innovation extends the functionality of the company’s EHR to Apple Watch, streamlining care delivery and enhancing the patient experience by improving communications, reducing patient wait times, and increasing practice efficiency.


Kareo is launching this new Apple Watch App in response to the growing demands on physicians to increase their focus on all aspects of patient engagement. “Physicians are on their feet attending to the needs of patients for the majority of the day, leaving little time to check their schedules and prepare for the next appointment,” said Dr. Tom Giannulli, CMIO of Kareo. “Recognizing this demanding care delivery environment, Kareo’s Apple Watch App will help doctors better manage their schedule while enabling enhanced communication throughout the day, improving their ability to deliver a great patient experience.”

Kareo’s Apple Watch App provides the most relevant, practice-oriented information necessary to improve care and increase practice efficiency. Key functionalities of the App include:


  • Secure messaging that allows the user to send, reply, and read messages via dictation. Messages can be sent to staff or patients using Kareo’s secure messaging system, improving overall patient engagement and practice communication.
  • An agenda that allows the provider to quickly reference their schedule and see the status of appointments (checked in, no show, late, checked out, etc.), helping reduce wait times and improve practice efficiency.
  • Appointment reminders that can be sent five minutes before the next scheduled appointment. The notification subtly vibrates the watch, indicating that the doctor has an impending appointment.
  • Appointment information that is accessible within a notification or through the agenda, allowing the provider to review details such as the patient’s name, time of appointment, visit type, and reason for the visit.
  • “I’m Running Late” pre-set messages that allow the doctor to inform other staff members when they are running behind and how much longer they expect to be. This improves practice communication and enables the front desk to give patients a more accurate wait time estimate.
  • Apple “Glances” that provide a quick overview of key practice metrics, including how many patients are scheduled throughout the day, how many patients are waiting to be seen, and which patients are currently waiting in an exam room.


All features of Kareo’s Apple Watch App are HIPAA compliant and secure, ensuring all data are private, yet easily accessible.

“Independent physicians need new tools to grow strong, patient-centered practices, and Kareo’s Apple Watch App is another example of Kareo’s focus on helping physicians leverage innovative technology to drive their success,” said Dan Rodrigues, founder and CEO of Kareo. “With key practice and patient information accessible on their wrists, physicians are able to discreetly and efficiently provide updates to staff while staying focused on what matters most – the patient.”



Data Breach Costs to Soar to $2.1 Trillion


The rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019.

That’s according to Juniper Research, which found in a recent study that breach costs will increase to almost four times the estimated cost of breaches in 2015. And, the average cost of a data breach will exceed $150 million by 2020, as more business infrastructure gets connected.


The research, entitled ‘The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation’, has found that the majority of these breaches will come from existing IT and network infrastructure. While new threats targeting mobile devices and the Internet of Things (IoT) are being reported at an increasing rate, the number of infected devices is minimal in comparison to more traditional computing devices.

The report also highlights the increasing professionalism of cybercrime, with the emergence of cybercrime products (i.e. sale of malware creation software) over the past year, as well as the decline in casual activist hacks. Hacktivism has become more successful and less prolific—in future, Juniper expects fewer attacks overall, but more successful ones.


“Currently, we aren’t seeing much dangerous mobile or IoT malware because it’s not profitable,” noted report author James Moar. “The kind of threats we will see on these devices will be either ransomware, with consumers’ devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack. With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools.”


In terms of geography, nearly 60% of anticipated data breaches worldwide in 2015 will occur in North America, the firm said, but this proportion will decrease over time as other countries become both richer and more digitized.




HIPAA rules apply to most workplace wellness programs


Wellness programs are great ways for employers to provide guidance on ways employees can improve their health through fitness, diet and various other means. But oftentimes, employers forget that wellness programs may be an extension of a company’s health care plan. As such, the Health Insurance Portability and Accountability Act (HIPAA) rules apply equally to these wellness programs as they do to health care plans.

The U.S. Department of Health and Human Services (HHS) recently released a list of questions and answers to remind employers of their HIPAA obligations with regard to wellness programs.


In the release, titled “HIPAA Privacy and Security and Workplace Wellness Programs,” HHS clarifies which wellness programs are subject to HIPAA rules. That is, any workplace wellness program a company offers as part of a group health plan for employees. “Where a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is [protected health information (PHI)] and protected by the HIPAA Rules,” HHS says.

The department also said that workplace wellness programs which do not provide any health benefits and are not connected to the health plan are not subject to HIPAA. However, it warns that “other Federal or state laws may apply and regulate the collection and/or use of the information” collected through that program.


The Q&A also addresses the HIPAA protections that are in place when a workplace wellness program is offered through the group health plan for plan sponsor employees regarding their access to individually identifiable health information about participants in that program. HHS clarifies when an employer should have access to PHI and what it may and may not do with that information.


Because this is the time of year that employers are beginning to develop their wellness programs for the following year, the Q&As serve as an excellent reminder that HIPAA rules apply for most wellness programs. As companies begin their new programs, it’s essential they keep this in mind.



Cybercrime price tag to reach $2 trillion


If you haven't gotten serious about data cyberattacks at your organization, now's the time to do so. Because they're about to hit companies worldwide with a $2.1 trillion price tag.


At least that's according to new research published by Juniper Research, which took a closer look at the costs associated with cybercrime and what they'll end up costing companies on a global scale. And the numbers are staggering.


Going digital will increase the cost of data breaches to almost four times the cost estimated for this year, reaching $2.1 trillion (yes, that's trillion with a "t") in 2019. Breaking that down to the average cost of one of the breaches? Corporations can count on paying more than $150 million per breach by 2020.


The report, which focuses on both corporate and financial threats, underscored that the lion's share of these breaches will not come from targeting mobile devices. Rather, cybercriminals are still going after traditional IT and network infrastructure.


"Currently, we aren't seeing much dangerous mobile or IoT malware because it's not profitable," said James Moar, research analyst at Juniper Research and author of the report, in a press statement. "The kind of threats we will see on these devices will be either ransomware, with consumers' devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack. With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools."


Juniper analysts also say some 60 percent of these global cyberattacks will target North American companies. 



2015 Phase Two HIPAA audits – delayed again


Recently, the Director of the Department of Health and Human Services Office for Civil Rights (“OCR”) confirmed that OCR is still working to finalize the procedures for “Phase Two” HIPAA audits. OCR had initially planned to launch the Phase Two audits in the Fall of 2014. Apparently, the delay is the result of behind-schedule implementation of the technology that OCR will use to collect audit-related documentation from covered entities and business associates via a web portal. An official date for the launch of Phase Two audits has not yet been announced.


The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act, and is designed to test entities’ compliance with the Privacy Rule, Security Rule, and Breach Notification Standards. If you are a covered entity or business associate, this delay in the launch of Phase Two audits provides a great opportunity to conduct a comprehensive assessment of your current HIPAA compliance program. This means doing much more than just checking boxes and having an old binder of policies and procedures on your shelf. Instead, covered entities and business associates need to take real action, such as reviewing the audit protocol from the pilot program and applying it to your organization, conducting a risk assessment, engaging in a dialogue with your compliance officer, and reviewing and updating training materials, among other steps.

Being proactive now will go a long way towards easing the burden of a Phase Two audit, should your organization be selected.



HIPAA audits to resume soon


Long-term care providers should get ready for the second round of HIPAA compliance audits this year, but the agency in charge of them is keeping mum about the exact date.

And while Health & Human Services' Office for Civil Rights (OCR) expects to single out only around 110 providers, long-term care facilities are being urged to begin preparations as soon as possible, Kelly McLendon, managing director of CompliancePro Solutions, said during a recent Health Care Compliance Association webinar. That includes performing security and risk analyses, updating privacy and security incident response plans and automating privacy and security investigation, tracking and management protocols, according to published reports.

The agency has not announced specifics yet, but the coming round of audits could focus heavily on HIPAA security and privacy risk management, breach notification and Notice of Privacy practices.

OCR was scheduled to do the audits last year but went idle because of funding problems. Providers are advised not to rely on audit protocols issued in 2012, the last time OCR performed audits, and watch for phase two protocols to be posted on the OCR website. Audits will likely begin about 90 days after posting, McLendon said.

The news will do little to help a Denver-area pharmacy that specializes in compounded medications for area hospice agencies, according to published reports. The business will have to pay $125,000 and take corrective measures after local media notified the OCR it allegedly disposed of unsecured documents in an unlocked, open container. The documents reportedly contained private health data on more than 1,600 patients.



Don't confuse EHR HIPAA compliance with total HIPAA compliance


Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.


Unfortunately, what many organizations today don’t realize is, just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.


Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for the purpose of protecting PHI.


In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.


Unfortunately, addressing risks to electronic patient data is not always a top priority.


We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.


While some EHR systems and their related equipment have security features built into or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often web-enabled (can connect remotely to send information to a server), but that equipment may not be checked for proper security.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.


There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.


Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.


Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct an annual HIPAA security risk analysis (specifically required under HIPAA rules). This can involve regularly engaging with a trusted provider that can remotely monitor and maintain your network and devices to ensure ongoing security.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PINs, that limits access to patient information to authorized individuals only.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.


Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.

