HIPAA Compliance for Medical Practices
63.7K views | +25 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Make Sure Business Associates Don’t Violate HIPAA

Make Sure Business Associates Don’t Violate HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

A violation of HIPAA by a practice’s business associate underscores the importance for conducting adequate due diligence, having business associate agreements (BAAs) in place, and ensuring that the level of encryption is adequate.


The U.S. Federal Trade Commission (FTC) recently released a statement indicating that a business associate, Henry Schein Practice Solutions, Inc. (“Schein”), a dental practice software company, will pay the government $250,000 for false advertising associated with what was relayed to the public and what was actually used in its products in relation to the level of encryption. While the fine is not considered large by any means, the implications for medical professionals, business associates, and subcontractors alike, are significant. 


The ramifications to the company, in relation to the issuance of the administrative complaint and the consent agreement are:


• Pay a $250,000 fine;

• Prohibition on “misleading customers about the extent to which its products use industry-standard encryption or how its products are used to ensure regulatory compliance”;

• Prohibition on claims that patient data was protected; and

• Schein needs notify all of its clients who purchased during the period when the material misstatements were made; and

• That the consent agreement will be published in the Federal Register.


Of equal or greater significance is the “NOTE” on the FTC’s press release, which states:


NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. Each violation of such an order may result in a civil penalty of up to $16,000.


The takeaways for providers and business associates alike are significant. All government agencies are taking a hard look at material misrepresentations related to HIPAA compliance. The potential implications are significant and underscore the importance of not cutting corners in relation to risk assessments and compliance.

more...
No comment yet.
Scoop.it!

HIPAA Compliance is a Business Risk

HIPAA Compliance is a Business Risk | HIPAA Compliance for Medical Practices | Scoop.it

Medicine is Risky


The practice of medicine is a risky business. There is always the risk that a certain treatment will fail to help a patient. There is a risk of being accused of malpractice. There is a risk of being accused of incorrectly billing a patient, insurance company or government agency. There is a risk of being sued by an employee or ex-employee for HR related issues. The list of risks goes on and on.


Healthcare is not unique when it comes to risk. Lawyers, accountants, architects and engineers all have associated business risk. In fact, it can be argued that every business has associated risk. The risk of a business failing is with every business no matter what vertical that business operates in. Just ask Enron and RadioShack and Joe’s pizza.


Manage Risk


The key to business risk is how an organization manages the risk. Healthcare organizations have malpractice insurance which usually comes with a malpractice risk management program. The program identifies areas of risk, provides steps to reduce risk and defines steps to minimize impact of losses when they occur 


Risk management refers to strategies that reduce and minimize the possibility of an adverse outcome, harm, or a loss. The systematic gathering and utilization of data are essential to loss prevention. Good risk management techniques improve the quality of patient care and reduce the probability of an adverse outcome or a medical malpractice claim. This core curriculum outlines the attitudes, knowledge, and skills currently recommended for residents in the area of risk management. The primary goal of a successful risk management is to reduce untoward events to patients. Risk management programs are designed to reduce the risk to patients and resulting liability to the health care provider. Standard of care is the foundation for risk management. The main factors in risk management include the following.


Nonmedical and medical risk management is a three-step process which involves: 1) identifying risk; 2) avoiding or minimizing the risk of loss; and 3) reducing the impact of losses when they occur. Medical risk management focuses on risk reduction through improvement of patient care.


Patient Data Risk


The practice of creating, storing and accessing electronic patient data brings with it new risks to healthcare organizations. Sure in the past there was a risk of someone breaking into an office and stealing patients’ paper charts but the risk exponentially increases now that a majority of new patient data is electronic. All this data is spread across electronic health records (EHRs), patient portals, digital x-ray machines, email, desktops, laptops, USB drives, smartphones and tablets. There are risks of an employee mistake like losing a laptop with patient information or falling for a fake email that tricks them into giving up information that thieves can use to access and steal patient data.


Like any other business risk, the risk to patient data needs to be properly managed. Just like with a malpractice risk management program, the risk to patient data needs to be addresses with 3 steps:


  1. Identifying Risk – it is critical that organizations understand what risks are associated with electronic patient data. Where is the data stored or accessed? As mentioned previously, the data could be stored on servers in an office, in a cloud-based EHR, on laptops or mobile devices. It is critical to get a thorough inventory of all patient data that is created, stored or accessed. The next step is understanding the risk to all of this patient data. The risk to data stored on a digital ultrasound machine is much different than data stored on laptops that leave an office.
  2. Minimize Risk – once the various risks are identified to patient data, it is critical to take steps to reduce the risk. Implementing the proper safeguards such as security policies and procedures and employee training can go a long way to lower the risk to patient data.
  3. Reduce the Impact – unfortunately it is very difficult to eliminate the risk to patient data. Steps can be taken to lower the risk but the amount of patient data is increasing every day and the risk of employee mistakes or criminals stealing the data increases as well. Organizations need to have a plan in place to respond to a patient data breach. That plan may include a breach response program that defines the steps the organization will take if there is a breach, or ensuring that an organization’s IT department or company is prepared to respond and/or stop a suspected data breach. Reducing the impact of a patient data breach might include cyber insurance that will provide financial resources to help the organization in the event of a data breach.


Don’t Hate HIPAA


Many people I talk to tell me they hate HIPAA regulations. I don’t blame them. Most people don’t like forced government regulations that have the threat of audits and fines. But HIPAA regulations are really just a risk management program for patient data. HIPAA calls for organizations to take inventory of where patient information is created, stored or accessed. It requires organizations to identify and manage associated risk to patient data. And it calls for organizations to be prepared to respond and lower the impact if patient data is lost, stolen or breached. When compared to a malpractice risk management program, the HIPAA risk management program is very similar.


When I talk to people about HIPAA I make it clear that the risk of a random HIPAA audit is very low. But the risk that patient data is lost, stolen or breached is increasing every day. Patient data needs to be thought of as a business risk that needs to be properly managed.

more...
No comment yet.
Scoop.it!

Closing the gaps in HIPAA compliance

Closing the gaps in HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

It's been more than ten years since Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations have worked ever since to consistently maintain the privacy and security of patient health information. HIPAA requirements are vast and deep, requiring considerable effort for organizations to keep up with. Many--especially physician practices and smaller hospitals--do not have the bandwidth to keep on top of all the different HIPAA nuances.


Compounding this lack of resources is a widespread belief that HIPAA violations or security breaches only occur in other organizations. As such, practice leaders may think there is low risk in noncompliance and not prioritize the work. In addition, staff may not realize whose responsibility compliance is, leaving an important task open-ended and potentially incomplete.  


All that said, organizations that make a commitment to HIPAA compliance can protect themselves and their patients. HIPAA compliance, or lack thereof, has both financial and cultural implications, so identifying common HIPAA compliance gaps is a great way to start down the path to compliance. This article will discuss two major gaps that many organization encounter: the prevailing "it won't happen to us" attitude and a lack of concentrated resources to maintain compliance.


The ever-mounting risk


There has never been a more important time to enhance a HIPAA compliance program. With the increasing prevalence of laptops and portable devices that house electronic health records and other patient information, the risk that a technology device will be stolen and its data compromised is growing. Hackers are also becoming more sophisticated--the news is full of organizations that have experienced attacks on their secure information.


Evolving technology is not the only risk factor. In fact, many compliance breaches stem from human error. For instance, staff might inadvertently leave a patient record open on a computer screen or a paper file in a public place. Perhaps a physician forgets his or her laptop in the car or shares his or her private security code with non-authorized personnel in an effort to make life easier. While seemingly minor, all of these examples showcase how HIPAA breaches can occur. Luckily, being proactive in identifying risk can help organizations better prepare.


Position for HIPAA Success


While getting a handle on HIPAA compliance may seem overwhelming, it is achievable for organizations that take a well-considered approach. A key first step is laying the cultural groundwork, which includes addressing attitudes toward HIPAA and making sure proper resources are allocated and effectively concentrated. Here are a few strategies for getting started.


Address the attitude toward compliance. For HIPAA compliance to gain attention, organization leaders must acknowledge and emphasize the importance of preserving data privacy and security. Moreover, they need to communicate that keeping information safe is every staff person's responsibility. This requires more than just lip service, but rather a concerted effort to uncover and resolve possible issues, effectively dispelling the "a breach won't happen to us" attitude.


One effective way to bring HIPAA compliance to the forefront is to conduct an informal analysis of the current state of compliance in the organization. Leaders should walk through the organization, using a critical eye to spot red flags. For example, does staff quickly respond to patient medical record requests and follow a consistent and well-defined process? How does the organization secure portable technology? What are the facility's rules about security passwords? Does staff know not to discuss a patient's care in common areas? An organization should consider documenting this assessment and sharing it with staff, so that everyone gains an appreciation of how compliance works and how organization can improve. Within this document, leaders may also want to outline the potential consequences of a breach, citing similar organizations that experienced a problem and the financial and cultural ramifications.

Another way to underscore the importance of an organization's commitment to HIPAA compliance is to be open about improvement. Leaders should encourage staff to report any gaps they notice, particularly workarounds that could place the organization at risk. For example, if a staff member sees that his peers are constantly rushing and leaving electronic medical records open, there should be a method for safely sharing that information with leadership. The response should be encouraging, not punitive, emphasizing the need for improvement not disciplinary action. Also, when making changes, leaders should gain staff feedback to make sure that new processes and technology fit within workflow and do not place an undue burden on staff.


Critically assess, and allocate, resources. To keep on top of HIPAA, organizations should have at least one staff person dedicated to compliance as part of his or her job. This individual should perform regular audits, review and update policies, provide training, conduct risk assessments and so on. Organizations must closely look at whether they can earmark the necessary resources. If they can't, they may have to consider seeking outside assistance in the form of technology, consultants or outsourcing. Leaving compliance to chance or placing it as an ad hoc responsibility will not be sufficient to protect patient data.


Making the Commitment


Ultimately, an organization will be successful in complying with HIPAA if it is honest with itself about the risks it faces, the resources it can allocate and what gaps exist. Facilities that take a hard look at these gaps and work to mitigate them will go a long way in keeping information safe, protecting patients and themselves.

more...
No comment yet.
Scoop.it!

Reminders for HIPAA Compliance with Business Associates

Reminders for HIPAA Compliance with Business Associates | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance is clearly a top priority for covered entities. With technology evolving, third-party partnerships are also becoming more common, which means that more healthcare organizations are likely working with business associates.


Whether a covered entity is working with a cloud services provider, or a company to assist in handling their financials, it is critical that HIPAA compliance stays a top priority. The HIPAA Omnibus Rule even changed how business associates can be held liable for potential HIPAA violations. All parties should have a thorough understanding of their relationship, and how they are expected to maintain patient data security.


This week, HealthITSecurity.com will discuss the intricacies of the relationship between a coverd entity and a business associate. Moreover, the importance of a comprehensive business associate agreement will be explained, and examples will be given of what the consequences could be should either entity violate HIPAA.

What is a business associate?


A business associate could be any organization that works on behalf of, or for, a covered entity. For example, if a hospital employs a company to assist with its claims processing, then that third-party becomes a business associate. Or, an attorney who is working for a healthcare provider and has access to patients’ PHI, would also be considered a business associate.


“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” according to the Department of Health and Human Services (HHS).


The business associate agreement must also include the following information, according to HHS:


  • Describe the permitted and required PHI uses by the business associate
  • Provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law;
  • Require the business associate to use appropriate safeguards to prevent inappropriate PHI use or disclosure


Essentially, business associates are also responsible for the protection of PHI. As previously mentioned, the HIPAA Omnibus Rule made this a federal requirement. Let’s go back to the example of a claims processing firm. The business associate agreement between that firm and a hospital should outline requirements for how the claims processing firm is expected to keep PHI secure while it is working with the hospital. Should a health data breach occur, the claims processing firm could face serious consequences if it is determined that it violated the business associate agreement.


Not only does the business associate agreement dictate how and when PHI could be disclosed, it also outlines the potential consequences should sensitive information be exposed:


“A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.”


The contract between a covered entity and business associate can also have a termination date. For example, perhaps a medical transcriptionist was hired for six months. At the end of that six month period, the business associate agreement can require that any PHI that had been received in that time to be destroyed.


Moreover, the covered entity can require that medical transcriptionist to make “internal practices, books, and records relating to the use and disclosure” of received PHI available to HHS to ensure that the covered entity is HIPAA compliant. It is also important to note that any contract can be terminated if the business associate is found to have violated “a material term.”


What happens if a business associate exposes PHI?


When a covered entity experiences a health data breach, it will likely have to deal with a federal and state investigation, as well as potential public backlash. There may even be potential fines due to possible HIPAA violations. Business associates will go through the same process should they suffer from their own data breach that potentially puts patients’ PHI at risk.


For example, in June 2015, Medical Informatics Engineering (MIE) announced that it had been the victim of a “sophisticated cyber attack,” and some of its clients may be affected. Affected clients included Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group.


Possibly exposed information included patient names, mailing addresses, email addresses, and dates of birth. Some patients may have also had Social Security numbers, lab results, dictated reports, and medical conditions exposed.


Not long after, a class action lawsuit was filed against MIE, alleging that MIE failed “to take adequate and reasonable measures to ensure its data systems were protected,” and also failed “to take available steps to prevent and stop the breach from ever happening.”


Similarly, third party facility Medical Management LLC reported that approximately 2,200 patients at one of its healthcare providers may have had their records exposed by a Medical Management employee. Medical Management handles the billing for numerous healthcare providers across the country, and organizations in several states notified patients of the incident.


The data breach occurred when a now former Medical Management employee copied individuals’ personal information from the billing system over the past two years. That former employee then illegally disclosed that information to a third party.


“MML takes this matter very seriously and terminated this employee after being informed of this criminal investigation,” Medical Management said in a statement. “MML is cooperating with federal law enforcement authorities in their criminal investigation.”


Covered entities and business associates must be able to work together when it comes to patient PHI security. Health data breaches can happen at any organization, regardless of size. By keeping health data security policies current, and regularly reviewing them, both types of facilities have a better chance of detecting potential weaknesses. Having comprehensive business associate agreements in place will also ensure that all parties understand how they are required to keep PHI secure.

more...
No comment yet.
Scoop.it!

Is the Collective Will Present for a Concerted Push on Cybersecurity?

Is the Collective Will Present for a Concerted Push on Cybersecurity? | HIPAA Compliance for Medical Practices | Scoop.it

It was a privilege and a pleasure to moderate the panel “Healthcare Cyber Security Solutions: Concepts and Trends,” at the Denver CHIME Lead Forum on Monday, July 20. The panel I moderated was part of a daylong event held at the Sheraton Downtown Denver, and sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2, a sister organization of Healthcare Informatics under the corporate umbrella of our parent company, the Vendome Group LLC).


I was joined on the panel by Mike Archuleta, director of IT at Mt. San Rafael (Colo.) Hospital; Guy Turner, chief data security officer at Sutter Healthcare (San Francisco); Francisco C. Dominicci, R.N., CIO and director of health IT for the Colorado Springs (Colo.) Military Health System; Ryan Witt, vice president, healthcare industry practice, at Fortinet (Sunnyvale, Calif.); and Steve Shihadeh, senior vice president at the Seattle-based Caradigm.


Our panel’s discussion covered a very wide range of topics under the cybersecurity umbrella, including why that term itself is becoming more used these days.


Numerous statements were made by panelists that I found to be particularly worth recounting. Among those was Turner’s strongly urging attendees to adopt behavioral pattern recognition solutions, as had been recommended earlier in the day by Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm. As McMillan had stressed, so did Turner, the fact that, as Turner put it, “You have to invest in tools for pattern recognition for anomalous behavior.” To not do so essentially leaves one’s entire clinical information system open to hackers once they’ve penetrated the outer defenses of the system.

Importantly, all the panelists agreed that investing in cybersecurity solutions and measures really is exactly that: a form of investment. It can’t be seen purely as a “cost” or set of costs, as can many

purchases, given the risks facing patient care organizations these days.


As for the term “cybersecurity,” there was general consensus around the idea that there is some logic to that term in some cases now eclipsing the terms “data security” and “IT security” in industry usage, since so many of the security issues facing patient care organizations really are online and electronic in nature.


Among the important statements made during the discussion were this one by Dominicci: “Providers need to hold vendors accountable, he stressed, noting that there is an intensifying need on the part of healthcare IT leaders to be able to hold vendors accountable for their ability to help ensure the security of information systems in a more thorough way than was ever needed until recently.


How will the accelerating consolidation of patient care organizations through mergers and acquisitions affect the broader dynamics around investing in cybersecurity? In fact, said Shihadeh, with consolidation proceeding apace, this is in fact a good time for investment in cybersecurity tools and processes. “There is a good opportunity now to invest,” he said, “because of the bigger patient care organizations involved. Large integrated delivery networks are being created, and those larger organizations will have the capital to be able to fund these initiatives” in beefing up cybersecurity/IT security, in his view.


Of course, there are people-based issues as well. What about a question from the audience around whether the leaders of patient care organizations should focus their efforts on grooming or recruiting individuals with healthcare industry-specific data security experience, versus bringing talented individuals in from other industries, and teaching them the ins and outs of healthcare IT security, versus IT security in other industries? Turner was very blunt in stating his perspective: “It’s easier to teach someone the healthcare business than it is to teach someone with a healthcare background all the technical aspects of IT security,” he said. “I would very willingly seek people outside healthcare,” he opined, as patient care organizations are finding themselves trying to fill such important positions as chief information security officer (CISO) in an environment in which the number of potential candidates is dwarfed by the need for qualified individuals these days.


And what of the next couple to few years in this whole arena? There was a broad consensus on the panel that things will get worse before they get better, across range of issues in the IT/cybersecurity arena. The panelists agreed that the ongoing series of announced data breaches will inevitably intensify, growing in number and frequency, before a very broad collective consensus emerges in the U.S. healthcare industry around what to do about all of this, and industry leaders will band together in very broad, concerted efforts.


It was very clear to me from this panel discussion with these industry leaders, that it will indeed require a huge, collective commitment, at a policy, industry, strategic, and business level, for the leaders of healthcare IT industry-wide, to move forward together to address the issues facing us. Several references were made to the recent disclosure on the part of the leaders of the UCLA Health System of a massive data breach there, which may have exposed 4.5 million people to being data-compromised; and the consensus on the panel was that such disclosures are being seen as “wake up calls”—in a patient care delivery setting, they might be referred to as “sentinel events”—that will eventually compel collective action, on the industry and policy levels.


It was also agreed that the headlong rush into accountable care organization development, population health management innovation, and health information exchange, all of which are extremely worthwhile, valuable areas of pursuit, will inevitably ratchet up the risks for patient care organizations around cybersecurity/IT security.


In short, the immediate future is one fraught  with danger and challenge, everyone agreed. And yet one did not leave that session with a sense of despair, but rather with a sense of “let’s-roll-up-our-sleeves” commitment to action, at a time when there is no time to waste, and there are many, many extremely tasks ahead—and that there is indeed both a collective intelligence, as well as a collective will, to move forward industry-wide in this incredibly crucial area for all the stakeholder groups in U.S. healthcare.

more...
No comment yet.
Scoop.it!

Why Hackers Love Healthcare Organizations

Why Hackers Love Healthcare Organizations | HIPAA Compliance for Medical Practices | Scoop.it

If you look at all the data breaches that took place in 2014, you might conclude that healthcare organizations have lax cybersecurity protocols. You’d be wrong, but it’s not hard to see how you might reach that conclusion. Last year, the healthcare sector reported more breaches—333 in all—than any other industry. Like any symptom viewed in isolation, diagnosing the real ailment in the healthcare industry requires a more thorough examination. Want to know why hackers are so intent on breaking into healthcare organizations’ systems—and so successful? Here are the top reasons:


Healthcare data is the most valuable data of all.


If a hacker goes through the trouble of infiltrating, say, an e-commerce vendor or a brick-and-mortar retailer, he’ll walk away with thousands or hundreds of thousands of credit card numbers. That’s no small haul, but credit card companies and consumers have learned to deal with breaches. Banks assign their customers new numbers, issue them new cards and promise to wipe any suspicious charges. By the time hackers can sell their stolen card data, much of it is useless.


Healthcare data, by contrast, gives criminals just about everything they need to steal identities, creating valuable goods to sell on the black market. A breach at a health insurance company, for example, could yield data ranging from bank account and Social Security numbers to medical history to family names and beyond. Think of all of the fraudulent accounts a criminal could open simply by getting ahold of a customer’s Social Security number, her address and her mother’s maiden name.


In an industry where everything is sensitive and regulated, workers resist additional controls.


Just like chief information security officers in other industries, CISOs working in healthcare evaluate their vulnerabilities and their priority technology upgrades on an ongoing basis. Because of healthcare information’s depth, deploying new technology can be complex, but selling users on that technology and its associated security protocols can be seriously challenging. A doctor who has to endure multiple controls just to  prescribe medication or complete another mundane task might understandably bristle when the security team introduces multi-factor authentication or some other process that he views as just another obstacle to doing his job.


Human beings—including medical providers—are fallible, and hackers know it.


When my wife was in the hospital for the birth of our daughter, I noticed something during every nursing shift. The staff left patient folders open on the front desk. There was ample security to protect newborns themselves, but not to protect their data. Harried working conditions also contribute to the potential exposure of digital data. If an over-tired doctor heads home after a 20-hour shift and forgets his laptop in the taxi, that could be just the opening a criminal needs to access an entire healthcare system. Humans aren’t error proof, which is why the technology, particularly in healthcare, has to be.


A hacker only needs to be right once; the healthcare organization needs to be right all the time.


For every high-profile data breach affecting a healthcare organization during the past 18 months, there are experts ready to say, “They should have known better.” “They should have known laptops have to be encrypted.” “They should have known they had to train their staff to avoid phishing scams.” “They should have known...” Whatever security protocol completes that should-have-known statement, the reality is that no one can predict every scenario. If you try to manage data security through prediction, you will fail. It’s always a race between the good guys and the bad guys, and the bad guys only have to get it right one time to do serious damage. Instead of trying to predict and prevent every possible attack method, security teams need to implement technology capable of understanding normal user behavior and sounding alerts when activity deviates from established patterns.


The healthcare industry is at a pivotal point in terms of its data security. After a record year of data leaks and losses, security leaders know the havoc breaches wreak, and they know it’s time to re-evaluate their defenses. Instead of deploying tools that can only withstand one type of attack or implementing processes that ignore the inherent fallibility of human end users, CISOs need to pay attention to the user data itself. By focusing on user behavior intelligence, healthcare organizations can spot and stop attacks before hackers fatally damage their reputations.

more...
Roger Steven's comment, July 10, 2015 6:33 AM
http://www.mentorhealth.com/control/hipaa-and-security-breaches
Ashley Anne Abeling's curator insight, July 15, 2015 6:54 PM

Technology has it advantages but this is one of the downsides of using it to store very personal and important information. Making sure that the offices I work for and educating my students on the importance of internet safety is a priority of mine as an educator. We take for granted technology and when something goes wrong we have to be prepared for the aftermath.

Scoop.it!

Shoring Up HealthCare.gov Security

Shoring Up HealthCare.gov Security | HIPAA Compliance for Medical Practices | Scoop.it

The future of Obamacare seems more certain now that the Supreme Court has upheld subsidies for consumers who purchase policies on the federal health insurance exchange. As a result, it's more critical than ever for the federal government to ensure that personally identifiable information is adequately safeguarded on the HealthCare.gov website for the program, as well as state insurance exchanges, as they gear up for open enrollment in the fall.


In recent months, hackers have increasingly focused their attacks on government and healthcare systems. Targets of attacks have included the U.S. Office of Personnel Management and the Internal Revenue Service, as well as health insurers Anthem Inc. and Premera Blue Cross


That's why many security experts are calling attention to the need to make certain that systems supporting the Affordable Care Act, or Obamacare, programs are secure.


"Affordable Care Act insurance exchanges are a hodgepodge of programs operated by states and the federal governments," notes privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "With the recent news of discovery of coordinated, highly sophisticated attacks on large government operated databases, as well as incidents involving large health insurers, it stands to reason that the information systems serving as the backbone to the health insurance marketplaces are an attractive target because of their size and the sensitivity of the information they hold."


Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a civil liberties group, notes: "All large collections of sensitive personal data are at risk." When it comes to potential fraud, "healthcare data is considered more valuable on the open market," he says. "Obviously it matters how well they're protected."

Under Scrutiny

Certainly, security of the federal HealthCare.gov health insurance exchange, which facilitates the electronic health insurance marketplaces for 34 states, has been under intense scrutiny since its rollout in the fall of 2013 during the first open enrollment season for Obamacare.


Congress, as well as government watchdog agencies, including the Government Accountability Office and the Department of Health and Human Services' Office of Inspector General, have examined whether the federal health insurance exchanges - and the 16 state-operated health insurance exchanges - have in place the processes and technology to prevent breaches involving consumers' personal information, including Social Security numbers.


For instance, in April, the OIG issued a report reviewing California's health insurance exchange - Covered California - and the security controls that were in place as of June 2014. The OIG found that California had implemented security controls for its website and databases for its health insurance exchange, but the watchdog agency said more improvements were needed.


OIG determined that California had not performed a vulnerability scan in accordance with federal requirements. Also, the GAO said that Covered California's security plan did not meet some of the Centers for Medicare and Medicaid Services' minimum requirements for protection of marketplace systems, and that Covered California did not have security settings for some user accounts. California officials, in their response to the report, said they planned to implement the OIG's recommendations related to vulnerability scans, security plans and user account settings.


A September 2014 GAO report examining HealthCare.gov security found that CMS - the Department of Health and Human Services unit responsible for the federal insurance exchange - had not always required or enforced strong password controls, adequately restricted systems supporting HealthCare.gov from accessing the Internet, consistently implemented software patches and properly configured an administrative network.


In addition to the HealthCare.gov exchange, another related potential target for hackers is HHS' Multidimensional Insurance Data Analytics System, or MIDAS, which a federal IT budget planning document describes as a "perpetual central repository for capturing, aggregating and analyzing information on health insurance coverage."

The GAO noted in its September 2014 report that MIDAS is intended to create summary reporting and performance metrics related to the federally facilitated marketplace and otherHealthCare.gov-related systems by aggregating data, including PII, collected during the plan enrollment process. GAO found, however, that at the time of its review, CMS hadn't yet approved an impact analysis of MIDAS privacy risks "to demonstrate that it has assessed the potential for PII to be displayed to users, among other risks, and taken steps to ensure that the privacy of that data is protected."


In a recent report, the Associated Press noted a variety of concerns about MIDAS, including current plans for data to be retained indefinitely. "Despite [a] poor track record on protecting the private information of Americans, [the Obama administration] continues to use systems without adequately assessing these critical components," said Sen. Orrin Hatch, R-Utah.


CMS did not immediately respond to an Information Security Media Group request for an update on the security of the MIDAS system.

Data Risks

Health insurers, as well as health insurance exchanges and their related databases, are a potential target for hackers because "any collection of data that includes Social Security numbers is particularly vulnerable," notes security expert Tom Walsh, founder of the consulting firm tw-Security.


"Healthcare was doing a good job of eliminating Social Security numbers from our systems. In the old days, the SSN was a person's member number for their insurance. It was finally getting to the point where SSNs were less frequently collected and used in healthcare," he says.


However, under Obamacare, sensitive consumer data, including Social Security numbers and income information, is used on the insurance exchanges to help individuals enroll in insurance plans and qualify for subsidies, Walsh notes. "So healthcare is back in the SSN game again - especially insurance companies."


Ray Biondo, chief information security officer at insurer Health Care Services Corp. says that the federal government has been taking action to address cyberthreats.


"We have been partnering with the Department of Homeland Security and the FBI and sharing threat information," Biondo says. "They've been collaborative and cooperative and helping us in that space."

Still, all players in the healthcare arena are anxious about potential attacks, he admits. "Everyone is worried about being next."

Playing Politics

Holtzman, the consultant, says it's important that politics don't get in the way of government agencies making the investments that are needed to shore up the security of health insurance exchange data.

"Everyone agrees that the federal and state governments should take decisive action to test existing information security safeguards on the systems that support the health insurance marketplace, and to take appropriate measures to ensure that the data, wherever it is held, is secured from the cybersecurity threat," he says.


"What concerns me is that in the long-running political debate over ACA, Congress has said that the HHS may not spend federal funds to support the development and implementation of the ACA. Perhaps it would be in the public interest to ensure that the fight over whether ACA is good policy does not prevent critical funds needed for investment in protecting the government information systems holding the personal information of millions of Americans from the cybersecurity threat."


Walsh says that protecting the health insurance exchanges also comes down to basics. "I was surprised when I read that the OPM did not encrypt data at rest. The government should lead by example and implement better security practices."


Tien of the Electronic Frontier Foundation, sums up his concerns: "The OPM example shows how pathetically lax information security can be. [The government] needs to make defense a priority and spend money on it."

more...
No comment yet.
Scoop.it!

Unencrypted Device Breaches Persist

Unencrypted Device Breaches Persist | HIPAA Compliance for Medical Practices | Scoop.it

Although hacker attacks have dominated headlines in recent months, a snapshot of the federal tally of major health databreaches shows that stolen unencrypted devices continue to be a common breach cause, although these incidents usually affect far fewer patients.


As of June 23, the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of health data breaches affecting 500 or more individuals showed 1,251 incidents affecting nearly 134.9 million individuals.


Those totals have grown from 1,213 breaches affecting 133.2 million individuals in an April 29 snapshot prepared by Information Security Media Group.


The federal tally lists all major breaches involving protected health information since September 2009, when the HIPAA Breach Notification rule went into effect. As of June 23, about 52 percent of breaches on the tally listed "theft" as the cause.


Among the breaches added to the tally in recent weeks are about a dozen involving stolen unencrypted computers. Lately, those type of incidents have been overshadowed by massive hacking attacks, such as those that hit Anthem Inc.and Premera Blue Cross.


"Although we've seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization," says privacy and security expert Kate Borten, founder of the consulting firm, The Marblehead Group. "Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is 'the' most common breach scenario affecting organizations of any size."


Borten predicts that many incidents involving unencrypted devices will continue to be added to the wall of shame. "Getting those devices encrypted is an ongoing challenge when we expand the requirement to tablets and smartphones, particularly when owned by the users, not the organization," she says. "We also shouldn't overlook encryption of media, including tapes, disks and USB storage drives."

Unencrypted Device Breaches

The largest breach involving unencrypted devices that was recently added to the tally was an incident reported to HHS on June 1 by Oregon Health Co-Op., an insurer.


That incident, which impacted 14,000 individuals, involved a laptop stolen on April 3. In a statement, the insurer says the device contained member and dependent names, addresses, health plan and identification numbers, dates of birth and Social Security numbers. "There is no indication this personal information has been accessed or inappropriately used by unauthorized individuals," the statement says.

Also recently added to the federal tally was a breach affecting 12,000 individuals reported on June 10 by Nevada healthcare provider Implants, Dentures & Dental, which is listed on the federal tally as "doing business as Half Dental." The incident is listed as a theft involving electronic medical records, a laptop, a network server and other portable electronic devices.


In addition to the recent incidents involving stolen or lost unencrypted devices, several breaches added to the wall of shame involve loss or stolen paper records or film.


"Breaches of non-electronic film and paper will never end, but at least these breaches are typically limited to one or a small number of affected individuals," Borten says. Because many of the breaches involving paper or film are often due to human error, "effective, repeated training is essential" to help prevention of such incidents, she says.

Hacking Incidents Added

The largest breach added to the tally in recent weeks, however, is the hacker attack on CareFirst BlueCross BlueShield, which was reported on May 20 to HHS and affected 1.1 million individuals. Baltimore-based CareFirst has said that an "unauthorized intrusion" into a database dating back to June 2014 was discovered in April by Mandiant, a cyberforensics unit of security vendor FireEye, discovered the attack on CareFirst in April. Mandiant was asked by CareFirst to conduct a proactive examination of CareFirst's environment, following the hacker attacks on Anthem and Premera.


Another hacker incident added to the tally affected South Bend, Ind.-based Beacon Health System. That incident, reported to HHS on May 20, is listed as affecting about 307,000 individuals. The organization has said patients' protected health information, including patient name, doctor's name, internal patient ID number, and in some cases, Social Security numbers and treatment information, was exposed as a result of phishing attacks on some employees that started in November 2013. The attacks led to hackers accessing "email boxes" that contained patient information.

Addressing Multiple Threats

Healthcare organizations need to continue their efforts to protect data from the threats posed by cyber-attackers, insiders or street thieves, says Borten, the consultant.


"There's no simple answer, but security is complex, and so the solutions, or mitigating controls, must be numerous and varied."

more...
No comment yet.
Scoop.it!

Hospital ID Theft Leads to Fraud

Hospital ID Theft Leads to Fraud | HIPAA Compliance for Medical Practices | Scoop.it

Eight alleged members of an identity theft ring, including a former assistant clerk at Montefiore Medical Center in New York, have been indicted on a variety of charges stemming from using stolen information on nearly 13,000 patients to make purchases at retailers.


Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance, says that the incident points to the need for ongoing vigilance by healthcare organizations to prevent and detect ID theft and other related crimes.


Manhattan District Attorney Cyrus Vance Jr. alleges in a statement that members of the ID theft ring made up to $50,000 in purchases at retailers in Manhattan by opening up store credit card accounts using patient information stolen by former hospital worker, Monique Walker, 32.


Walker was an assistant clerk at Montefiore Medical Center, where her position gave her access to patients' names, dates of birth, Social Security numbers, and other personal information, Vance says.

Between 2012 and 2013, Walker allegedly printed thousands of patients' records on a near daily basis and supplied them to a co-defendant, Fernando Salazar, 28, according to Vance's statement.

Salazar is accused of acting as the ringleader of the operation. He allegedly purchased at least 250 items personal identifying information from Walker for as little as $3 per record, Vance says.


The stolen information was then allegedly provided to other defendants to open credit card accounts that were used for purchasing gift cards and merchandize at retailers, including Barneys New York, Macy's, Victoria's Secret, Zales, Bergdorf Goodman and Lord & Taylor.

Walker is charged with one count of felony grand larceny and one count of felony unlawful possession of personal identification information. The other defendants are charged with varying counts of grand larceny, identity theft and criminal possession of a forged instrument, among other charges.


All of the defendants have been arrested and arraigned in criminal court, and have various dates pending for their next court appearances.


"Case after case, we've seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers," Vance says. "Motivated by greed, profit and a complete disregard for their victims, identity thieves often feed stolen information to larger criminal operations, which then go on to defraud additional businesses and victims. In this case, a hospital employee privy to confidential patient records allegedly sold financial information for as little $3 per record."

Hospital Fires Worker

A Montefiore spokeswoman tells Information Security Media Group that the medical center was informed by law enforcement on May 15 of Walker's alleged crimes dating back to 2012 and 2013. As a result, Walker, who worked for the hospital for about three years, was fired, the spokeswoman says. "Montefiore is fully cooperating with law enforcement, including the Manhattan's District Attorney's office," a hospital statement says.


Law enforcement discovered the connection to Montefiore patient information while investigators were working on the ID theft case, the Montefiore spokeswoman says.


Of the 12,000-plus patient records that were compromised, it's uncertain how many individuals are victims of ID theft crimes, she says. But as a precaution, Montefiore is offering all impacted patients free identity recovery services, 12 months of free credit monitoring and a $1 million insurance policy to protect against identity theft-related costs.


Montefiore has reported the breach to the Department of Health and Human Services Office for Civil Rights, the spokeswoman says. While that incident as of June 22 was not yet listed on HHS'"wall of shame" tally of health data breaches affecting 500 or more individuals, three other breaches at Montefiore Medical Center appear on the federal website.


Those incidents, all reported in 2010, involved the theft of unencrypted computers. That includes the theft of a laptop in March 2010 which resulted in a breach impacting 625; and two July 2010 thefts of desktop computers that impacted 16,820 and 23,753 individuals.

Breach Prevention Steps

In a statement, Montefiore says that following the alleged crimes committed by Walker that were discovered in May, the hospital has expanded both its technology monitoring capabilities and employee training on safeguarding an accessing patient records to further bolster its privacy safeguards.


"The employee involved in this case received significant privacy and security training and despite that training, chose to violate our policies," the statement notes. "In response to this incident, Montefiore is also adding additional technical safeguards to protect patient information from theft or similar criminal activity in the future."


A hospital spokeswoman says the hospital has rolled out "sophisticated technology" to monitor for improper access by employees to the hospital's electronic patient records


The hospital also says it performs criminal background checks on all employees and "has comprehensive policies and procedures, as well as a code of conduct, which prohibits employees from looking at patient records when there is not a work-related reason to do so."

Steps to Take

Dan Berger, CEO of security consulting firm RedSpin, says it's not surprising the breach went undetected for so long because insider attacks are difficult to uncover. It's unclear if the Montefiore hospital clerk had "good reason to access so many records" as part of her job, he notes.


Patterson of the Medical Identity Fraud Alliance notes: "In addition to proper vetting of employees, the continued evaluation of employee education and awareness training programs and of your internal fraud detection programs is necessary. It's not something you do once and are done. Employees who are properly vetted upon initial hire may have changing circumstances that change their work integrity later on in their employ."


Additionally, security measures often need tweaking as circumstances within an organization change, she says.


"Fraud detection processes that worked when a specific type of workflow procedure was in place may need to be adjusted as that workflow process changes. An emphasis on continued evaluation of all components - people, process, technologies - for fraud detection is good practice."


Workforce training is important not only for preventing breaches, including those involving ID crimes, but also to help detect those incidents, she says. "Each employee must understand their role in protecting PHI. Equally important is regular and continued evaluation of the training programs to make sure that employees are adhering to the policies put in place, and that the 'red flags' detection systems are keeping pace with changing technologies and workplace practices."

more...
No comment yet.
Scoop.it!

Consolidating Technology as Part of a Practice Merger

Consolidating Technology as Part of a Practice Merger | HIPAA Compliance for Medical Practices | Scoop.it

As the healthcare industry moves toward value-based care, smaller physician practices, larger group practices, health systems, and independent delivery networks  are continuing to consolidate. This process works to help organizations eliminate redundancies, reduce risk, and foster more collaborative care. In fact, according to a recent KPMG study, 84 percent of surveyed mergers and acquisitions (M&A) professionals identified healthcare as the most active M&A industry for 2015, showing this trend will only grow throughout this year.

The process of joining two distinct healthcare entities is typically complex, as organizations must try to combine and consolidate clinical, administrative, and financial operations. One task often at the top of the "to-do" list is reviewing the technology systems used across the enterprise in order to determine how to leverage technology going forward. Will they continue to use disparate systems? Will they seek to integrate their existing solutions? Will they pursue whole different systems?


Most organizations prioritize this kind of review for their EHR and practice management solutions; however, it is essential to look beyond these "usual technology players". As part of the first wave of technology analysis, merging entities should carefully consider how they plan to address compliance technology — including OSHA and HIPAA solutions or regulated medical waste disposal processes — to safeguard patients, staff, visitors, and the healthcare organization as a whole. Without this type of review, an organization may put itself at risk, ultimately impacting the success of a potential merger.


Why It's Important to Review Compliance Technology


At first glance, making a concerted effort to assess compliance technology may not seem like a top priority for organizations working through a merger. However, there are tangible benefits to establishing a cohesive compliance support system upfront in the partnership.                 

                                             

First and foremost, leveraging a single, or well-integrated set, of compliance tools can promote standardization, encouraging constant adherence to best practices throughout both the smaller practice and the rest of the associated enterprise. This, in turn, can limit potential risks. Consistent compliance technology across all settings of an enterprise, from the practices to the hospitals, ensures an organization reliably follows rules and regulations. This not only prevents fines and penalties, but also enhances patient safety and security. For example, if OSHA technology is the same throughout an entire health system, the organization can be confident that all staff members, regardless of setting, understand their role in keeping the environment safe, such as when to wear personal protective equipment or how to properly dispose of medical waste to prevent the spread of infection. When staff regularly abides by OSHA regulations, they create an environment conducive to safe patient care, enabling physicians to focus on providing top-notch care to patients.


In addition to reducing risk, standardizing compliance efforts can have patient satisfaction benefits as well, as the uniformity across settings communicates that the organization values a consistent and best practice-driven approach to safety and security. For example, if an organization has one solution that provides HIPAA education to all its staff members, the organization can be sure that everywhere a patient enters the system — hospital, physician practice, urgent care center, and so on — he or she will be treated the same way and his or her information will be preserved using the same methods. This can give patients more confidence in the organization and help the merged entity protect its reputation as it grows, which can have a positive impact on patient retention and revenue.


Things to Look for When Formulating a Technology Strategy


As previously mentioned, a key aspect in reviewing technology involves determining whether physician practices and hospitals will continue to use disparate systems or whether integration is possible and preferable.


Here are a few questions to ask when making this decision to ensure the ultimate choice best fits with the entire organization's requirements.


• Does a solution meet the compliance needs of all parties? 


For example, if a physician practice is merging with a hospital, does the solution meet both physician and hospital requirements? Similarly, if a smaller physician practice is joining with a larger one, are the nuances of both entities addressed? If the answer is no, then the organization should consider whether it should seek an alternative product that meets both need sets or whether it should keep separate technology in place. If the answer is yes, the organization should think about how best to implement the technology across various settings. This may involve pulling together an implementation team with representation from all parties to foster a more collaborative onboarding approach to ensure a smooth transition.


• Does the solution offer the necessary depth and breadth of experience?


All compliance tools are not created equally, so organizations must fully vet a solution's capabilities when considering whether to keep an existing product or pursue another one. In particular, organizations should check the level of expert support the technology offers, assessing how easy it is for staff to get questions answered. For example, navigating OSHA compliance is a complex endeavor. Not only should an OSHA tool provide clear guidance on how to meet federal regulations, but it should also have defined pathways for addressing unique issues. So, if a staff member has a question, he should be able to easily reach out to experts at the vendor to get the question answered, with a response arriving in a timely fashion.


• Is the compliance software easy to use? 


Organizations should be especially sensitive to a tool's usability because more people will be interacting with the technology once the merger is complete, and some of these individuals may have very little, if any, experience with automated solutions. A product's ease-of-use will directly correlate to adoption, and compliance technology is only as beneficial as your staff's willingness to reliably and correctly use it. If an organization has to choose between two products, and one has 24-hour customer service, easy-to-navigate pages, robust reporting, and streamlined compliance checklists, then the organization may want to select that tool over one that is not as user-friendly.


An Ounce of Prevention


As organizations continue to consolidate, they should commit time to reviewing compliance tools as part of a larger technology review, mapping out a forward strategy that includes quality compliance technology and support for all settings within the enterprise. By taking a concerted approach, organizations can ensure they remain compliant, promote standardization, and reliably support safety and security initiatives throughout all care settings — proactively mitigating risks while elevating quality.

more...
No comment yet.
Scoop.it!

EHR Vendor Target of Latest Hack

EHR Vendor Target of Latest Hack | HIPAA Compliance for Medical Practices | Scoop.it

Web-based electronic health record vendor Medical Informatics Engineering, and its personal health records subsidiary, NoMoreClipBoard, say a cyber-attack has resulted in a data breach affecting some healthcare clients and an undisclosed number of patients.


In a statement, Medical Informatics Engineering says that on May 26, it discovered suspicious activity on one of its servers.


A forensics investigation by the company's internal team and an independent forensics expert determined that a "sophisticated cyber-attack" involving unauthorized access to its network began on May 7. The breach resulted in the compromise of protected health information relating to certain patients affiliated with certain clients, the company says.


"We emphasize that the patients of only certain clients of Medical Informatics Engineering were affected by this compromise and those clients have all been notified," the company says. Clients include: Concentra, a nationwide chain of healthcare clinics; Fort Wayne (Ind.) Neurological Center; Franciscan St. Francis Health Indianapolis; Gynecology Center, Inc. Fort Wayne; and Rochester Medical Group, Rochester Hills, Mich.


Information exposed in the breach affecting the Web-basedEHR system includes patient's name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports and medical conditions. "No financial or credit card information has been compromised, as we do not collect or store this information," the company says.

PHR Also Breached

Medical Informatics Engineering says it also determined that the cyber-attack compromised PHI of its NoMoreClipboard subsidiary, which serves patients who assemble personal health records. A separate notice was issued for affected clients and patients. Information exposed for individuals who use a NoMoreClipboard portal/personal health record, includes name, home address, username, hashed password, security question and answer, email address, date of birth, health information and Social Security number.


"We strongly encourage all NoMoreClipboard users to change their passwords," the company says in its statement. "We also strongly encourage everyone to use different passwords for each of their various accounts. Do not use the same password twice. The next time a NoMoreClipboard user logs in, we will prompt a password change."

As part of the password change process, the company says it will send a five-digit PIN code to a cell phone, via an automated phone call, or to an email address already associated with the NoMoreClipboard account. "Users will have to enter this five-digit code to reset their password," the company says. "We are also emailing NoMoreClipboard users to encourage this password change."


Medical Informatics Engineering says the breach has been reported to law enforcement, including the FBI, and the company is cooperating with the investigation. Upon discovering the breach, the company says it "immediately began an investigation to identify and remediate any identified security vulnerability."


Medical Informatics Engineering and its NoMoreClipBoard subsidary are offering affected individuals free credit monitoring and identity protection services for the next 24 months.


The company did not immediately reply to a request for comment.

Going After Patient Data

This incident shows that any healthcare-related company or business associate is a target for attackers, says security and privacy expert Kate Borten, founder and CEO of The Marblehead Group consultancy.

"Assuming the attack was targeted, this is just another example of going after a big chunk of patient data," she says. "I don't think it matters to an attacker whether the company is a health plan/insurer or a health information exchange, or a provider. It's just an organization with a significant volume of PHI."

more...
No comment yet.
Scoop.it!

HIPAA Privacy and Security Guidance Updated

HIPAA Privacy and Security Guidance Updated | HIPAA Compliance for Medical Practices | Scoop.it

The Office of the National Coordinator for Health IT this week released an updated version of its privacy and security guidance to help healthcare providers better understand how to integrate federal health information privacy and security requirements into their practices. The guidance was last published in 2011.


The new version of the guidance provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules.


Some of the areas covered in the new guidance include real-world application of how the HIPAA Privacy and Security Rules apply to a practice and the rules surrounding use and disclosure of private health information. The guidance also addresses “Meaningful Use” programs in more detail. Meaningful Use programs encourage health care organizations to adopt EHRs through a staged approach. Each stage contains core requirements that providers must meet.


Unlike the first guidance, which focused on Stage 1 privacy and security objectives, the updated version adds in core objectives for Stage 2 of the Meaningful Use program. Under Stage 2, providers must respond to patient requests regarding how their electronic health information is being handled.


The guidance also provides examples designed to assist providers in understanding whether someone is a business associate. These examples reflect changes made under the Health and Human Services Department’s Omnibus Rule, which makes contractors, subcontractors, and other business associates of healthcare entities that process health insurance claims liable for the protection of private patient information.


Additionally, the guidance outlines a seven-step approach for providers looking to create a security management process. Steps include selecting a team, documenting the process, developing an action plan, and managing and mitigating risk.

more...
No comment yet.
Scoop.it!

Doximity launching app for the Apple Watch

Doximity launching app for the Apple Watch | HIPAA Compliance for Medical Practices | Scoop.it

Doximity announced today that they are launching an app for the Apple Watch, which hits the shelves later this month.


Many physicians will be familiar with Doximity, now that more than half of us have become registered users. Designed as a social network for physicians, Doximity includes a number of features that physicians will find useful for a lot more than just staying in touch with colleagues. In the recent rush of registrations on Doximity related to their partnership with US News and World Report, we wrote a quick guide on those key features. Included was secure HIPAA compliant messaging as well as an e-fax number and a journal feed.


Doximity’s Apple Watch app will bring some of these key features to your wrist. In particular, you’ll be able to read messages sent to you and dictate messages to other – without taking out your phone or pager, jumping on a computer, or spending endless minutes on hold trying to reach a colleague. You can also get notifications when you have a new fax come in – you can automatically view the fax on your iPhone using the Handoff functionality.

This hits on one the key functionalities we put on our wish list of apps for the Apple Watch – HIPAA compliant messaging. There are some limitations here worth noting. In particular, Doximity is limited to physicians so this won’t help with communication among a multi-disciplinary healthcare team, such as in a hospital or clinic. I wouldn’t be able to let a nurse know about a new medication or a social worker about an at-risk patient. Other platforms, like TigerText, will hopefully step in to bring that functionality to wearables like Apple Watch. That being said, the ability to send messages more easily to colleagues both inside and outside my own institution can be incredibly helpful.


We’re excited to see big players in the digital health space like Doximity embracing the Apple Watch. One natural question that frequently comes up is “what about Android devices?” Well, as Doximity points out, 85% of their mobile traffic is from iPhones & iPads. Its well recognized that physicians have largely embraced Apple devices and so medical app developers are going to go there first. So while many solid options have been available for Android, we expect the Apple Watch to be a catalyst in the development of new tools for clinicians.

Doximity’s app is just the start.


more...
No comment yet.
Scoop.it!

Did Doctor Violate HIPAA for Political Campaign?

Did Doctor Violate HIPAA for Political Campaign? | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators are reportedly investigating whether a physician in Richmond, Va., violatedHIPAA privacy regulations by using patient information to help her campaign for the state senate.


The Philadelphia office of the Department of Health and Human Services' Office for Civil Rights is investigating potential HIPAA violations by Siobhan Dunnavant, M.D., a Republican state senate candidate, after a complaint alleged the obstetrician-gynecologist used her patients' protected health information - including names and addresses - to solicit contributions, volunteers and votes, according to an NBC news report.


Conservative blogger Thomas White tells Information Security Media Group that he reported to HHS earlier this year that letters and emails about Dunnavant's candidacy were sent to her patients prior to the June primary race in the state's 12th district, which includes western Hanover County. White says he notified HHS after receiving a copy of a letter from a Dunnavant patient who was annoyed at receiving the campaign-related communications from her doctor.


"I would love for you to be involved," Dunnavant wrote to patients, also reassuring them that their care would not be impacted if she's elected, according to a copy of a campaign letter posted on the NBC website."You can connect and get information on my website. There you can sign up to get information, a bumper sticker or yard sign and volunteer," the posted letter states. Other campaign-related material included emails sent to patients that were signed by "Friends of Siobhan Dunnavant," NBC reports and White confirmed, citing reports from patients.


The physician is one of three candidates seeking the state senate seat in the Nov. 3 election.

Patient Confidentiality

A spokeswoman for Dunnavant's medical practice declined to confirm to Information Security Media Group whether OCR is investigating Dunnavant for alleged HIPAA privacyviolations. However, in a statement, the spokeswoman said, "We are aware of concerns regarding patient communication, and we are reviewing the issue with the highest rigor and diligence. Please be assured we hold confidentiality of patient information of paramount importance, and thank patients for entrusting us with their care."


A spokeswoman in OCR's Washington headquarters also declined to comment on the situation. "As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations, nor can we opine on this case," she says.


White, editor of varight.com, says he first received a copy of one of Dunnavant's campaign letters in May, and that he was the first to report on the issues raised by the letters. He tells ISMG he filed a complaint with the federal government after he confirmed that the use of patient information for campaign purposes was a potential violation of privacy laws.


Nearly four months later, an investigator in OCR's regional office in Philadelphia, which is responsible for Virginia, on Sept. 29 responded to White's complaint, indicating the doctor's actions would be examined. White says he also confirmed again in a call to OCR on Oct. 28 that the case is still under investigation.


"You allege that Dr. Dunnavant impermissibly used the protected health information of her patients. We have carefully reviewed your allegation and are initiating an investigation to determine if there has been a failure to comply with the requirements of the applicable regulation," OCR wrote to White, according to a copy of the OCR letter that appears on White's website.

HIPAA Regulations

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says Dunnavant's alleged use of patient information raises several HIPAA compliance concerns.


"HHS interprets HIPAA to cover demographic information held by a HIPAA-covered healthcare provider if it is in a context that indicates that the individuals are patients of the provider," he notes. "Healthcare providers must be careful when using patient contact information to mail anything to the patient - even if no specific diagnostic or payment information is used. If a patient's address is used to send marketing communications or other communications unrelated to treatment, payment, or healthcare operations without the patient's authorization, then this may be an impermissible use of protected health information under HIPAA."


If patient contact information is shared with someone else, such as a political campaign, that also could be a HIPAA violation, Greene adds. "The same information that can be found in a phone book - to the extent anyone uses phone books - may be restricted in the hands of healthcare providers."


Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes that the HIPAA Privacy Rule has "a blanket prohibition" on a HIPAA covered entity disclosing the protected health information of their patients without first seeking authorization of the individual - except where specifically permitted or required by the rule.


"There is no provision in the privacy rule where a healthcare provider who is a HIPAA covered entity can disclose patient information to a political campaign," he points out.


Because of those restrictions, federal regulators will carefully scrutinize the case, Holtzman predicts. "It is likely that OCR will look closely at the doctor's correspondence for its communication about her candidacy for political office, how to contact the campaign or obtain campaign products as well as the statement that the letter was paid for and authorized by the campaign organization."


An OCR investigation into the alleged violations of the HIPAA Privacy Rule could result in HHS imposing a civil monetary penalty, Holtzman notes. "There are criminal penalties under the HIPAA statute for 'knowingly obtaining or disclosing identifiable health information in violation of the HIPAA statute,'" he adds.

Potential Penalties

Offenses committed with the intent to view, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment for up to 10 years, Holtzman notes.


"The Department of Justice is responsible for investigating and prosecuting criminal violations of the HIPAA statute," he says. "And changes in the HITECH Act clarified that a covered entity can face both civil penalties for violations of the privacy rule and criminal prosecution for the same incident involving the prohibited disclosure of patient health information."


The U.S. Department of Justice did not respond to ISMG's request for comment on whether it's planning to investigate the Dunnavant case.

more...
No comment yet.
Scoop.it!

OCR launches new HIPAA resource on mobile app development

OCR launches new HIPAA resource on mobile app development | HIPAA Compliance for Medical Practices | Scoop.it

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently launched a new resource: a platform for mobile health developers and “others interested in the intersection of health information technology and HIPAA privacy protection.”


In the announcement of this platform, OCR noted that there has been an “explosion” of technology using data regarding the health of individuals in innovative ways to improve health outcomes. However, OCR said that “many mHealth developers are not familiar with the HIPAA Rules and how the rules would apply to their products,” and that “[b]uilding privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected.”


The OCR platform for mobile app developers has its own website. Anyone – not just mobile app developers – may browse and use the website. Users may submit questions, offer comments on other submissions and vote on a topic's relevance. OCR noted that to do so users will need to sign in using their email address, “but their identities and addresses will be anonymous to OCR.” 


OCR asked stakeholders to provide input on the following issues related to mobile app development: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable and more accessible?


Users can also submit questions about HIPAA or use cases through this website. OCR explained that, “we cannot respond individually to questions, we will try to post links to existing relevant resources when we can.” Finally, in the announcement OCR stated that posting or commenting on a question on this website, “will not subject anyone to enforcement action.” 

more...
No comment yet.
Scoop.it!

Moving in Front of Healthcare’s Connectivity Curve

Moving in Front of Healthcare’s Connectivity Curve | HIPAA Compliance for Medical Practices | Scoop.it

As a clinician, technology is a significant interest in my life. I have always felt that one way in which to stay young is to embrace technology, and to understand how technology integrates into our professional and personal lives.


This past April, I was intrigued by the announcement of ResearchKit by Apple.. The first research apps developed covered five areas of study: Asthma, breast cancer, cardiovascular disease, diabetes, and Parkinson’s disease. However, the number of commercial and institutional research organizations using the open-source platform of ResearchKit is expanding daily.


More than 75,000 people have enrolled in ongoing health studies using ResearchKit apps to gather health data. Smartphones and wearable technology, with their microphones, cameras, motion sensors, and GPS devices, have unique advantages for gathering health data, and, in some cases, can serve as a valuable addition to regular care from a provider.


The possibilities for benefiting the body of health knowledge are endless. However, it is important for patients to be mindful and use these tools wisely in this modern world of connectivity.

More than a few people are commenting on the possible risks of gathering data in this way. As always in our modern society, available technology is way ahead of regulations. For example, we have strong laws and regulations regarding patient confidentiality enshrined in medical tradition and HIPAA.


Recognizing this vulnerability, Apple added the following to their app store submission guidelines: “All studies conducted via ResearchKit must obtain prior approval from an independent ethics review board.” Meaning, all studies must obtain Institutional Review Baords (IRB) approval. This is a good step in the right direction, but much more care is needed to gather data with the expanding number of ResearchKit apps, to ensure that personal health data is protected and that this technology is used in an ethical, and lawful, way.


Regardless of the all the caveats, I remain intrigued and hopeful that leveraging technology via tools such as smartphones and software like ResearchKit will be a great boon to the understanding of disease and treatments around the world.


I would recommend the following to put us ahead of the curve with these new tools:


  1. Ethical guidelines and procedures need to be developed by the research community in the U.S. to ensure that use of technology in research data gathering is done with the greatest protection of the patients’ individual health data.
  2. Laws and regulations need to be considered to ensure the integrity of the data as well as the protection of personal health information.
  3. Companies like Apple, who are leading the roll out of this technology, should not wait for state and federal governmental entities to regulate the use of technology in research and should be leaders in the ethical, responsible use of apps to gather and use health research data.


Technology in medicine is constantly evolving. We have to try to evolve with it, however, and recognize that the law of unintended consequences is always present, and will always present challenges as the vast universe of technology expands with every increasing speed in medicine and every other area of life.

more...
No comment yet.
Scoop.it!

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy | HIPAA Compliance for Medical Practices | Scoop.it

By now, most people have felt the effects of the HIPAA Privacy Rule (from the Health Insurance Portability and Accountability Act). HIPAA has set the primary standard for the privacy of healthcare information in the United States since the rule went into effect in 2003. It’s an important rule that creates significant baseline privacy protections for healthcare information across the country.


Yet, from the beginning, important gaps have existed in HIPAA – the most significant involving its “scope.” The rule was driven by congressional decisions having little to do with privacy, but focused more on the portability of health insurance coverage and the transmission of standardized electronic transactions.


Because of the way the HIPAA law was crafted, the U.S. Department of Health and Human Services (HHS) could only write a privacy rule focused on HIPAA “covered entities” like healthcare providers and health insurers. This left certain segments of related industries that regularly use or create healthcare information—such as life insurers or workers compensation carriers— beyond the reach of the HIPAA rules. Therefore, the HIPAA has always had a limited scope that did not provide full protection for all medical privacy.


So why do we care about this now?


While the initial gaps in HIPAA were modest, in the past decade, we’ve seen a dramatic increase in the range of entities that create, use, and disclose healthcare information and an explosion in the creation of healthcare data that falls outside HIPAA.


For example, commercial websites like Web MD and patient support groups regularly gather and distribute healthcare information. We’ve also seen a significant expansion in mobile applications directed to healthcare data or offered in connection with health information. There’s a new range of “wearable” products that gather your health data. Virtually none of this information is covered by HIPAA.


At the same time, the growing popularity of Big Data is also spreading the potential impact from this unprotected healthcare data. A recent White House report found that Big Data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in many areas including healthcare. The report also stated that the privacy frameworks that currently cover healthcare information may not be well suited to address these developments. There is no indication that this explosion is slowing down.


We’ve reached (and passed) a tipping point on this issue, creating enormous concern over how the privacy interests of individuals are being protected (if at all) for this “non-HIPAA” healthcare data. So, what can be done to address this problem?


Debating the solutions


Healthcare leaders have called for broader controls to afford some level of privacy to all health information, regardless of its source. For example, FTC commissioner Julie Brill asks whether we should be “breaking down the legal silos to better protect that same health information when it is generated elsewhere.”


These risks also intersect with the goal of “patient engagement,” which has become an important theme of healthcare reform. There’s increased concern about how patients view this use of data, and whether there are meaningful ways for patients to understand how their data is being used. The complexity of the regulatory structure (where protections depend on sources of data rather than “kinds” of data), and the determining data sources (which is often difficult, if not impossible), has led to an increased call for broader but simplified regulation of healthcare data overall. This likely will call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.


Three options are being discussed on how to address non-HIPAA healthcare data:


  • Establishing a specific set of principles applicable only to “non-HIPAA healthcare data” (with an obvious ambiguity about what “healthcare data” would mean)
  • Developing a set of principles (through an amendment to the scope of HIPAA or otherwise) that would apply to all healthcare data
  • Creating a broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA rules).


Conclusions


It’s clear that the debate and policymaking “noise” on this issue will be ongoing and extensive. Affected groups will make proposals, regulators will opine, and legislative hearings will be held. Industry groups may develop guidelines or standards to forestall federal legislation. We’re a long way from any agreement on defining new rules, despite the growing consensus that something must be done.

Therefore, companies that create, gather, use, or disclose any kind of healthcare data should evaluate how this debate might affect them and how their behavior might need to change in the future. The challenge for your company is to understand these issues, think carefully and strategically about your role in the debate, and anticipate how they could affect your business going forward.

more...
No comment yet.
Scoop.it!

HIPAA Criminal Violations on the Rise

HIPAA Criminal Violations on the Rise | HIPAA Compliance for Medical Practices | Scoop.it

Stories appear almost everyday about medical records being improperly accessed, hacked or otherwise being stolen. The number of stories about such thefts is almost matched by the number of stories about the high value placed upon medical records by identity thieves and others. This confluence of events highlights the pressure being faced by the healthcare industry to protect the privacy and security of medical records in all forms.


While stories about hacking and other outside attacks garner the most attention, the biggest threat to a healthcare organization’s records is most likely an insider. The threat from an insider can take the form of snooping (accessing and viewing records out of curiosity) to more criminal motives such as wanting to sell medical information. Examples of criminally motivated insiders, unfortunately, are increasing.


One recent example occurred at Montefiore Medical Center in New York where an assistant clerk allegedly stole patient names, Social Security numbers, and birth dates from thousands of patients. The hospital employee then sold the information for as little as $3 per record. The individuals who acquired the information used it to allegedly go on a shopping spree across New York for over $50,000.

Another recent example comes out of Providence Alaska Medical Center in Anchorage, AK. In Anchorage, a financial worker at a hospital provided information about a patient to a friend. Unfortunately, that friend he had injured for which he was under criminal investigation. The friend wanted to know if either of the patients had reported him to the police. Clearly, the access by the financial worker was improper.


While it could previously be said that instances of criminal convictions or indictments were rare, the examples do appear to be coming with increasing frequency. What should organizations do? Is this conduct actually preventable? As is true with HIPAA compliance generally, the key is to educate and train members of an organization’s workforce. If someone is unaware of HIPAA requirements, it is hard to comply.

However, it can also be extremely difficult to prevent criminal conduct altogether. If an individual has an improper motive, that individual will likely find a way to do what they want to do. From this perspective, organizations cannot prevent the conduct, but should consider what measures can be taken to mitigate the impact of improper access or taking of information. It would be a good idea to monitor and audit access or use of information to be able to catch when information could be going out or otherwise accessed when not appropriate. Overall, the issue becomes one of how well does an organization monitor its systems and take action when a suspected issue presents itself.

more...
No comment yet.
Scoop.it!

Six Potential HIPAA Threats for PHOs and Super Groups

Six Potential HIPAA Threats for PHOs and Super Groups | HIPAA Compliance for Medical Practices | Scoop.it

Physician Hospital Organizations (PHOs) and super groups are on the rise. About 40 percent of physicians either work for a hospital or a practice group owned by a hospital, or they ban together to form a super group. Individual practices share operations, billing, and other administrative functions, gain leverage with insurance companies, add specialist resources and increase referrals, improve patient outcomes with a cohesive care plan, and more. The benefits are plentiful.

But just like a negative restaurant review on Yelp can hurt customer patronage and the restaurant's reputation, one practice that commits a HIPAA violation can affect the entire group, and result in an expensive fine, cause distrust among patients, and in extreme cases, the data breach can lead to medical identity theft.


For PHOs and super groups, adherence to HIPAA rules becomes more complicated when compliance isn't consistent among the group's practices, and a compliance officer isn't on board to manage risks and respond to violations.


At a minimum, the group should identify the potential sources for exposure of electronic protected health information (ePHI) and take measures to avert them. For example:


Super groups include smaller practices that struggle with HIPAA compliance and associated time and costs. Although PHOs or super groups may be abundant in physicians, employees, and offices, these assets could come from a majority of smaller organizations. Historically smaller practices struggle with resources to comply with HIPAA and hiring expensive compliance consultants could be prohibitive at the individual practice level.


Each practice uses a different EHR, or the EHR is centralized but the ePHI is stored on different devices. It becomes difficult to assess HIPAA compliance as well as how patient data is being protected when there are various EHRs implemented across multiple practices. Some EHRs may be cloud based while other systems reside in an individual practice's office. Getting an accurate inventory of where ePHI is stored or accessed can be challenging.


Hospitals can't conduct thorough security risk assessments for each practice in the group. A PHO could have 20 or more individual practices and the time required to perform individual security risk assessments could be daunting. These risk assessments are labor intensive and could strain the resources of hospital compliance staff.


Meaningful use drives HIPAA compliance and grants from HHS could be significant, especially with a large number of providers. Along with these funds comes responsibility to comply with meaningful use objectives. One of the most frequent causes of failing a meaningful use audit is ignoring a HIPAA security risk assessment. If one practice fails an audit, it could open the door to other practices in the group being audited, which could result in a domino effect and a significant portion of EHR incentive funds having to be returned.


For physician groups that share patient information the security is only as strong as the weakest link — one practice or even one employee. A breach at one practice could expose patient information for many or all other practices. Security is then defined by the weakest link or the practice that has the weakest security implemented.


Untrained employees in the front office unwittingly violate HIPAA and a patient's right to privacy. An employee could fall for a phishing scam that gives criminals access to a practice's network, and compromises the security of many or all practices within the PHO or super group.


The best way to avoid a HIPAA violation and a patient data breach is to create a group policy that requires each practice to:


• Perform regular HIPAA security risk assessments;

 •Inventory location of patient information;

• Assess common threats;

• Identify additional security needs;

• Set up policies and procedures;

• Stay up to date on patient privacy rules and requisite patient forms; and

• Properly train employees in protecting both the privacy and security of ePHI.


Make sure every practice in the group treats HIPAA compliance with the same care as a patient's medical condition.

more...
Roger Steven's comment, July 10, 2015 6:34 AM
nice article www.mentorhealth.com
Scoop.it!

243 arrested in 10 states for healthcare fraud, false claims, kickbacks, medical ID theft

243 arrested in 10 states for healthcare fraud, false claims, kickbacks, medical ID theft | HIPAA Compliance for Medical Practices | Scoop.it
The Medicare Fraud Strike Force swept through 10 states and arrested 243 people—46 of them physicians, nurses, and other licensed medical professionals—for allegedly defrauding the government out of $712 million in false Medicare and Medicaid billings, federal officials announced June 18. In addition to targeting instances of false claims and kickbacks, the strike force also uncovered evidence of medical identity theft.
Among the defendants is Mariamma Viju of Garland, Texas, an RN and the co-owner and nursing director for Dallas Home Health, Inc. A federal indictment accuses Viju and a co-conspirator of stealing patient information from Dallas-area hospitals in order to then solicit those patients for her business, as well as submitting false Medicare and Medicaid claims, and paying out cash kickbacks to beneficiaries.
In total, the scheme netted Viju $2.5 million in fraudulently obtained payments between 2008 and 2013. She was arrested June 16 and charged with one count of conspiracy to commit healthcare fraud, five counts of healthcare fraud, and one count of wrongful disclosure of individually identifiable health information.
The indictment says Viju allegedly took patient information from Baylor University Medical Center at Dallas, where she worked as a nurse until she was fired in 2012. Dallas Home Health then billed Medicare and Texas Medicaid for home health services on behalf of beneficiaries who were not homebound or otherwise eligible for covered home health services.
Viju also allegedly falsified and exaggerated patients’ health conditions to increase the amounts billed to Medicare and Medicaid, and thereby boost payments to Dallas Home Health. The indictment says she paid kickbacks to Medicare beneficiaries as well to recruit and retain them as patients of Dallas Home Health.
Viju’s co-conspirator—a co-owner of Dallas Home Health—wasn’t named in the indictment, but in a news release from the U.S. Attorney’s Office for the Northern District of Texas, that person was identified as her husband Viju Mathew. He’s a former registration specialist at Parkland Hospital in Dallas and pleaded guilty in November 2014 to one count of fraud and related activity in connection with identity theft.
Prosecutors say he used his position to obtain PHI, including names, phone numbers, birthdates, Medicare information, and government-issued health insurance claim numbers, so he could use it to contact prospective patients for his home health care business. He is due to be sentenced in August 2015.
In another case in Maryland, Harry Crawford—owner of RX Resources and Solutions—and two of his employees—Elma Myles and Matthew Hightower—are all charged with aggravated identity theft in addition to healthcare fraud and conspiracy to commit healthcare fraud.
An indictment from a federal grand jury accuses Crawford, Myles, and Hightower of fraudulently using actual names, addresses, and unique insurance identification numbers of numerous Medicaid beneficiaries to submit fraudulent claims totaling approximately $900,000 between 2010 and 2014.
The alleged scheme used Crawford’s durable medical equipment and disposable medical supply company to bill insurers for equipment and supplies that were never provided to beneficiaries, bill for amounts far in excess of the services delivered, and bill for supplies that weren’t needed and were never prescribed by a physician.
These are just two examples of the criminal fraud uncovered by the strike force.
In other cases, defendants face similar fraud and conspiracy charges for fraudulent billing schemes as well as charges for cash kickbacks, and money laundering, according to the Department of Justice (DOJ). The DOJ says more than 40 defendants are accused of defrauding the Medicare prescription drug program.
This was the largest coordinated takedown, in terms of defendants and money, in the history of the Medicare Fraud Strike Force, according to the DOJ. CMS also suspended licenses for several healthcare providers with authority granted to the agency under the Affordable Care Act.
more...
No comment yet.
Scoop.it!

US data breach affected 18 million, four times larger than said

US data breach affected 18 million, four times larger than said | HIPAA Compliance for Medical Practices | Scoop.it

According to a CNN report released on Tuesday, Federal Bureau of Investigation (FBI) Director James Comey estimated that 18 million, over four times more than the publicly acknowledged four million, current, former and prospective federal employees were affected by a breach of the United States government Office of Personnel Management.

The data of the U.S. government Office of Personnel Management, the agency that handles security clearances and U.S. government employee records and information, was breached last year by two massive cyber-attacks that were only recently discovered and revealed. Government officials originally said that the attack, which occurred in the OPM office as well as the Interior Department, could potentially affect four million people at every federal agency. 

However, according to the new report released by CNN, that number is over four times more than what has been originally said. In the report FBI Director James Comey estimated that 18 million federal employees were affected.

Using the OPM's internal data, Comey presented the number to Senators in closed-door briefings throughout the recent few weeks, U.S. official briefed on the matter told CNN. 

The agency's spokesman has said that they haven't verified the larger number, so far sticking by the over-four million estimate originally provided. 

According to U.S. officials briefed in the subject, the number of people whose data is breached will continue to grow. This is because hackers accessed a data base storing SF86 questionnaire – government forms used for security clearances – which have private information about government officials' family members. 

Following the discovery of the breach, a U.S. law enforcement official told Reuters that "a foreign entity or government" was believed to be behind the attacks, with authorities looking into a possible Chinese intrusion, according to the news agency who quoted a source close to the matter. 

OPM officials are expected to attend multiple congressional hearings throughout the week to provide their take on the breach. 
Last week, OPM auditors told a House Oversight and Government Affairs Committee that crucial databases storing sensitive national security information did not meet federal security standards. 

Michael Esser, OPM's assistant inspector general for audits, wrote in testimony prepared for committee: "Not only was a large volume (11 out of 47 systems) of OPM's IT systems operating without a valid Authorization, but several of these systems are among the most critical and sensitive applications owned by the agency."

more...
No comment yet.
Scoop.it!

HIPAAChat: secure messaging and telemedicine platform

HIPAAChat: secure messaging and telemedicine platform | HIPAA Compliance for Medical Practices | Scoop.it

To provide the best care for our patients, physicians and healthcare workers must communicate constantly.  For many of us, text messaging, push-to-talk messages, and video calling have become the preferred method of contact.


However, SMS, FaceTime, Skype, and iMessage are not technically HIPAA-compliant platforms. Even though some like FaceTime may meet data security standards that could make them HIPAA compliant, they don’t necessarily commit to it.


We have seen an influx of HIPAA-compliant secure messaging apps over the past few years like AthenaTextDoximityTigerText, and others. HIPAAChat enters into this market as an easy to use app with an intuitive format and some pretty unique features that make it stand out. Following the acquisition by Everbridge, a world leader in cloud-based, unified critical communications, HIPAAChat also incorporates advanced Enterprise utility and interoperability. Secure text, group chat, image transfer – check. Dictate/audio transfer/push-to-talk – check. Real-time, live video calling? You bet! HIPAAChat provides all these features packaged in an app that is as easy to use as iMessage and FaceTime.


User Interface


After downloading the HIPAAChat app, setup was extremely simple and only required input of your name, email, and phone number. Optional information included a photo upload and a 4-digit pin setup if your phone isn’t fingerprint or password protected. In order to connect with colleagues, both parties must have the app on their smartphone. However, within the app, you can select people from your existing contacts or enter a phone number or email and an invitation will be sent prompting them to download the app to begin HIPAA-compliant communication.


HIPAAChat is available for both Android and iPhone devices. As a result, the app facilitates secure messaging between all members of the care team, including physicians, nurses, social workers, consultants, etc. One of the main features that kept me using the HIPAAChat app is the simple, clean, and intuitive interface. I have been using this app to answer questions about patients from residents and referring doctors. Despite a busy clinical and surgical volume, the app allows for minimal disruption in my current routine.


Functions


Messaging


The messaging features are standard and work the same as SMS or iMessage. The interface shows when a message was read and also displays when a message is being typed. A nice feature of this and other secure messaging apps is the ability to group text with users. The Enterprise software allows for additional features, including the creation of group distribution lists via active directory/ADAM and LDAP synchronization. This would be particularly useful for alerting specialized medical teams, such as a Stroke Team, Code Team, Trauma Team, etc. In our practice, we have been using HIPAAChat to relay information on surgical or clinic add-ons, questions on patient management, and consultations from other doctors. 


Photos


In ophthalmology, as with many other medical specialties, we heavily rely on imaging for patient care. A picture is often worth a thousand words. HIPAAChat allows for secure transmission of photos with a simple tap of the camera icon. Users can choose to take a new photo or choose an existing photo, without leaving the app interface. One feature missing in the current version is the ability to transmit saved videos asynchronously.


Touch-to-talk/Talk-to-text


Walkie-talkie or push-to-talk allows recording voice messages with the touch of a button. This feature actually plays the audio message instead of converting to text. However, the audio message is played back over the speaker, so you must be cognizant of people around as they will hear the message. In addition to touch-to-talk, the app also allows talk-to-text, making it extremely easy to dictate text messages on the fly. With the release of smart watches like the Apple Watch, these features could open the door to efficient audio messaging on your wrist since these devices won’t allow texting on the screens. Message alerts show up on the Apple Watch, but the current version will not display actual messages. Although future versions are likely to incorporate the use of the smart watches.


Audio/Video calling


A main distinguishing feature of HIPAAChat from several competitors is the ability for real-time audio and video calling. As a result, the HIPAAChat app can also serve as a telemedicine platform. The video calling has a similar interface as FaceTime or Skype, again contributing to the ease-of-use and intuitive nature of the app. Call clarity and picture quality was very good, without any significant delays or picture freezes when I used it on our Wifi network.


Security


With maximum fines of $50,000 per violation and up to $1.5 million annually for repeat violations, secure messaging of PHI is imperative. HIPAAChat allows for secure, encrypted transmission of messages as part of the Everbridge platform. The app meets all the administrative, technical, and physical safeguards.


Enterprise


I have been using the basic HIPAAChat lite, which is free for download and offers the core secure communication features. The Enterprise-level adds an IT administrator console for managing users and devices, an Active Directory sync, archiving and data retention, auditing, reporting, and analytics. Additionally, the Enterprise version facilitates system integration with EHRs, labs, admissions/discharge/transfer systems, and nurse call/intercom systems. For institutions wanting custom integration, fully documented APIs are available and based on specific needs.


Telemedicine


The live video calling feature of the HIPAAChat app sets it apart from other secure messaging apps that I have used. Whereas two systems are usually needed for secure messaging and telemedicine, HIPAAChat combines the two in one platform. Additionally, unlike many telemedicine platforms, the physician can access secure video on their smartphone or tablet, making it truly portable.


The HIPAAChat platform enables physicians to communicate virtually with other medical staff, consultants, and even patients from anywhere. I have found that the video consultations can be very useful in the emergency room setting, often preventing unneeded transfers, follow-up, or unnecessary treatment. Everbridge also offers an iCart that serves as a mobile telemedicine platform, ideally suited for the emergency room. The iCart is a mobile cart on wheels with the attachment of a tablet. The housing of the tablet allows for attachment of video lights, a Wood’s lamp, and macro lenses specifically for ophthalmology and dermatology.

more...
Lyfe Media's curator insight, June 19, 2015 1:48 PM

Technology is quickly coming to the medical fields rescue by improving processes and cutting costs. HIPAACHAT is just one of the tools doing exactly that. This article explains the different features the app has and how it's making incredible improvements to a necessary industry. LyfeNews

Scoop.it!

Think Your Practice is HIPAA Compliant? Think Again.

Think Your Practice is HIPAA Compliant? Think Again. | HIPAA Compliance for Medical Practices | Scoop.it

You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI


For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI


Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted; such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is if a potential breach occurs, like the theft of a laptop containing e-mails with PHI, that is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS


If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP


If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:


• Information regarding uses and disclosures that require authorization;


• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and


• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMMENDMENT REQUESTS


Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING


The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARING FOR RECORD COPIES


With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS


If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:

• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.


9. RELEASING TOO MUCH INFORMATION


Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."

more...
No comment yet.
Scoop.it!

Congress must fix Obamacare if court guts it: U.S. official

Congress must fix Obamacare if court guts it: U.S. official | HIPAA Compliance for Medical Practices | Scoop.it

The U.S. Congress and states would have to fix Obamacare if the Supreme Court disallows its tax subsidies that help people pay for insurance coverage, U.S. Health and Human Services Secretary Sylvia Burwell said on Wednesday.


Anti-Obamacare libertarian activists are fighting to strip the subsidies from 6.4 million Americans in 34 states who use the plan and a ruling in their favor would mark a significant setback for President Barack Obama's signature healthcare law.


"If the court makes that decision, we're going to do everything we can," Burwell told the House of Representatives Ways and Means Committee, after she was asked in a hearing how the Obama administration would react if the court rules against it later this month in the case known as King v. Burwell.


But she added, "The critical decisions will sit with the Congress and states and governors to determine if those subsidies are available."

Burwell added she had not seen a plan in the Republican-led Congress that would repair problems that might follow if the court decides to scrap the subsidies, while at the same time protecting the basic tenets of the Affordable Care Act.


She said Obama would not sign into law proposed legislation by Senator Ron Johnson to extend the subsidies until August 2017, which has attracted the most support among other Senate Republicans.

The Supreme Court is expected to rule by the end of this month in King V. Burwell.


The plaintiffs are challenging subsidies that are paid to low- and middle-income Americans to help them afford insurance coverage on federal healthcare exchanges.


Thirteen states and the District of Columbia would not be affected by the ruling because they have their own health care exchanges. Obama has said there is no legal basis for the court to dismantle the subsidies. The administration has produced no "Plan B" in case he is wrong.

"They refuse to acknowledge that they even are thinking about a backup plan," House Ways and Means Chairman Paul Ryan, a Republican, said after the hearing.


Republicans in Congress have opposed the law since its inception. They say they will unveil a proposed solution after the court rules.

Burwell said the Johnson measure would take away the subsidies over time and repeal key parts of Obamacare, such as guaranteed coverage for people with pre-existing conditions.

more...
No comment yet.
Scoop.it!

Why Understanding HIPAA Rules Will Help With ONC Certification

Why Understanding HIPAA Rules Will Help With ONC Certification | HIPAA Compliance for Medical Practices | Scoop.it

Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.


Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.


ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.


The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”


One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.


“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”


Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations options, he added.


“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”


That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.


However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.


“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”


more...
No comment yet.