HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Healthcare providers: Brace for record-breaking HIPAA violation fines

OCR could hand down some whopping fines for HIPAA violations later this year, privacy attorney Adam Greene told govinfosecurity.com in an interview.


"We've heard anecdotally that [OCR] has a significant pipeline of unprecedented settlement agreements, meaning particularly high amounts" of financial penalties, says Greene, a partner at the Washington law firm Davis Wright Tremaine, who previously worked for the Department of Health and Human Services' Office for Civil Rights.

The industry could see "some really surprising settlement agreements [and] potential record-breaking" financial penalties later this year, he said.


An OCR attorney made a similar prediction nearly a year ago. Jerome B. Meites, OCR chief regional counsel for the Chicago area, said the HIPAA enforcement actions over the past year would pale in comparison to the next 12 months.


He was referring to nine settlements in the previous year totaling more than $10 million, including a record $4.8 million fine announced in May 2014 against New York-Presbyterian Hospital and Columbia University.

Despite the high-profile cases, though, research from ProPublica found OCR had levied fines just 22 times since 2009.


Greene attributed that to a lack of resources. OCR receives about 10,000 complaints a year and tries to resolve all that have validity, he told GovInfoSecurity.


The HIPAA audit program is on hold as the agency works to upgrade technology. It's not clear when it will resume.



OCR HIPAA Audits Delayed Once Again

The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) Director Jocelyn Samuels still does not have a set date for when the next round of HIPAA audits will take place. Samuels spoke earlier this week at the 23rd National HIPAA Summit in Washington, D.C., and explained that the OCR has still not finalized the audit procedures, according to a Lexology contribution piece by Jennifer Hennessey.

This round of HIPAA audits had originally been scheduled for the fall of 2014, but OCR health information privacy senior advisor Linda Sanches said at the time that the audits were delayed so new technology could be properly implemented.

“In any IT project, IT plans don’t always go the way you expect them to,” Sanches said at the HIMSS Privacy & Security Forum. “There are things from the spring that I thought we’d be able to accomplish, but we weren’t able to. But I’m happy because the process that we were going to use before was much more labor intensive in terms of analyzing data.”

Samuels reportedly also mentioned the HIPAA audit protocols were still being developed, and urged covered entities to continue to monitor the OCR site to remain updated on when the audits will begin.

This latest phase of HIPAA audits is set to include business associates along with covered entities.

“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate,” according to the HHS website. “OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.”

Even though the procedure for the next round of HIPAA audits has not yet been finalized, HHS explained that they will be “organized around modules” that focus on the privacy, security, and breach notification aspects of HIPAA. Depending on the covered entity – or business associate – under review, the combination of these requirements could vary, according to HHS.

While there is not yet a deadline for HIPAA audits in 2015, that does not mean that covered entities and their business associates should ignore the concept entirely. The audit protocol covers areas that need to be in top working order anyway, such as the notice of privacy practices for PHI, rights to request privacy protection for PHI, and individuals’ access to PHI.

Conducting a HIPAA risk assessment is also an important way for healthcare organizations to evaluate the potential risks and vulnerabilities within their facility and how they are adhering to HIPAA. This type of analysis could also be beneficial when the HIPAA audits are announced, and ensure that facilities are on the right track in evaluating their privacy and security performance.

The HIPAA audit timeline continues to be pushed back, but covered entities and business associates can still ensure that they are prepared and compliant.

HIPAA Audits Are Still on Hold

The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.

The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.


Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.

Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.

In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.

"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."

In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.

Rules In the Works

In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:

  • A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health;
  • An advanced notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
  • A possible request for additional public input on OCR's proposed accounting of disclosures rule making. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.

In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.

Other Enforcement Activities

OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."

OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.

"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.



$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware | JD Supra

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced on December 8, 2014 that a community behavioral health organization agreed to pay $150,000 and adopt a corrective action plan to settle potential violations related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In March 2012, Anchorage Community Mental Health Services (ACMHS) notified OCR regarding a breach of unsecured electronic protected health information from malware that compromised the security of ACMHS’ information technology resources. The breach affected 2,743 individuals. ACMHS is a five-facility, non-profit organization providing behavioral health care services in Alaska.

As part of its investigation, OCR noted that ACMHS had adopted HIPAA security rule policies and procedures in 2005, but ACMHS did not follow these rules. As part of the Resolution Agreement, OCR stated that for almost seven years, “ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability” of its electronic protected health information. During that same time period, OCR stated that ACMHS did not implement policies and procedures requiring implementation of security measures. During a four-year period, ACMHS did not implement technical security measures to guard against unauthorized access to electronic protected health information that was transmitted over an electronic communications network by “failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In early December 2014, ACMHS agreed to enter into a Corrective Action Plan (CAP) with HHS. The two-year CAP requires ACMHS to revise its security rule policies and procedures and distribute them to all workforce members who use or disclose electronic protected health information; provide general security awareness training materials for all workforce members; and conduct an annual “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of its electronic protected health information. ACMHS is required to provide annual reports to HHS of its compliance with the CAP.

In the press release announcing the resolution with ACMHS, HHS emphasized that successful HIPAA compliance includes “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

This is the sixth resolution agreement announced by OCR in 2014. Overall, HHS has entered into 21 resolution agreements relating to HIPAA compliance. HIPAA compliance continues to be a focus of OCR activities.


OCR delays phase two HIPAA audits

OCR Director Jocelyn Samuels recently stated that audit procedures for phase two HIPAA audits have yet to be finalized, delaying the start date of the audits, according to lexology.com. OCR originally planned to begin phase two audits in fall 2014.

Unlike phase one, the second phase of HIPAA privacy, security, and breach notification audits will likely be desk-based, which means OCR will not conduct on-site audits of covered entities (CE) and business associates (BA) unless resources are available. OCR representatives confirmed during a panel at the 2014 AHIMA Convention and Exhibit September 30, 2014, that the agency had begun its process of randomly selecting CE for the next round of audits, but had not sent notifications to facilities yet. At minimum, it will include large and small hospitals, dental practices, health insurance companies, and health plans in its pool of organizations that may be selected for an audit. BA audits are expected to begin after CE audits are underway, according to the panel.


3 Key Rules for Effective Risk Management - HIPAA-HITECH Compliance

Has your organization built a culture of risk management? Before you answer, let’s get specific.

The word culture is an overused term, and many times we don’t clearly articulate what we mean when we bring culture into the equation.

It’s a nice placeholder term when we want to express that something should be a priority. As a result, true “culture” movements never move beyond committees and brainstorming sessions. With that in mind, here is a high-level roadmap for ensuring that protecting sensitive data is a part of everyday life within your organization:

1. Get closer and be committed.

If you agree that protecting data and managing risk should be priorities for your organization, then obviously you should be more involved and engaged in the process of evaluating your current efforts and managing your future actions. And it must be clear to everyone that you are taking this matter very seriously. In the case of Home Depot, former employees reported that senior leaders repeatedly ignored their warnings that the company’s security was lacking. They claim that executives brushed them off by saying, “We sell hammers.” If it isn’t important to you, it won’t be important to them. And if you don’t keep it top of mind and front and center, no one else will. Get it on the agenda!

2. Take a balanced and proactive approach.

The best way to do the right thing when it comes to protecting sensitive data is to have a full grasp on potential threats and firm plans for mitigating or eliminating risks. A thorough security risk analysis, followed by a systematic risk management plan will not only help you stay in good graces with OCR, it will help you be proactive in guiding your organization and limiting the likelihood and impact of adverse events related to information privacy and security. Along with being proactive, you must take a balanced approach. Ensure equal time and emphasis is dedicated to policies, procedures, people and safeguards.

3. Equip and empower your workforce.

As part of the balanced approach mentioned above, your employees play a big part in your ability to keep data safe. While it’s true that hack attacks and other external threats are on the rise, the vast majority of data breaches actually occur because of people. A combination of malicious and unintentional actions by members of your workforce is the greatest threat to the security of your data.

As a result, you need to equip your information security professionals to do their job effectively, including additional budget or bandwidth as needed to adequately address prioritized risks. You also need to invest in data security training for anyone who comes into contact with sensitive health information.

All along the way, you need to make sure that employees understand the importance of protecting sensitive data.

They need to feel like it’s part of their day job and see the direct tie it has to the bottom line. They also need to feel empowered to speak up when something’s not right and have well-defined and accessible channels for providing feedback. In the end, your workforce will either be your greatest asset, or your worst enemy. It’s up to you to determine which will be true for your business.

The growing expectation is that C-Suites and Boards are paying more attention to safeguarding sensitive information. The U.S. Securities and Exchange Commission recently called on boards to be more involved in “managing cyber risks and more adaptable to changing risks.”

At the end of the day, this is a conclusion that forward-thinking, high-performing organizations will reach on their own.


BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say

The $150,000 fine that U.S. Department of Health and Human Services' Office for Civil Rights levied against an Alaska mental health organization last month could be a sign that OCR is settling in after a wave of leadership changes in 2014 and gearing up to aggressively investigate HIPAA compliance complaints, according to a former federal attorney.

In an article at HealthcareInfoSecurity, ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation. He predicts more high-profile enforcement actions in 2015.

Holtzman echoes a warning from Jerome B. Meites, OCR chief regional counsel for the Chicago area, who told an American Bar Association conference last summer that the whopping fines levied over the past year will "pale in comparison" to those expected to come.

Meanwhile, privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson, in an interview with HealthcareInfoSecurity, urge healthcare organizations to conduct their own mock audits to determine any exposures and to do their best to fix those problems.

They also recommend keeping all such documentation in one place--including all records of HIPAA education programs conducted with staff, and evidence that they've reviewed all business associate agreements--and ensuring that it's up to date. Chestler and Fraiche foresee BA agreements being a bigger target of OCR enforcement actions in 2015.

In particular, Chestler and Fraiche say, organizations need to re-examine all bring-your-own-device policies and make sure they address any issues that have arisen since those policies were last reviewed.

In September, OCR announced it was delaying the start of the second round of audits in order to get a web portal up and running through which entities could submit information. A specific start date has not been announced, only that the new audits will begin in early 2015.

Brett Short, chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, spoke with FierceHealthIT about receiving a call from an auditor when the organization had never received a letter saying it had 10 days to submit required documents.
