HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Data Breaches Expose Nearly 140 Million Records

The latest report from the Identity Theft Resource Center (ITRC) reveals that there have been a total of 472 data breaches recorded through August 11, 2015, exposing more than 139 million records. The annual total includes 21.5 million records exposed in the attack on the U.S. Office of Personnel Management disclosed in June and 78.8 million health care customer records exposed at Anthem in February.

A June report by cybersecurity firm Trustwave said that of the 574 hacking incidents and data breaches the company was asked to investigate in 2014, 43% occurred in the retail industry, 13% in the food and beverage industry and 12% in the hospitality industry. More striking, perhaps: 81% of victims did not discover on their own that they had been hacked. Where a company detects the attack itself, it takes about two weeks to contain it; where an outside party detects it, containment takes more than five months.


E-commerce sites were compromised in 42% of attacks and point-of-sales systems were hit in 40%. The totals were up 7% and 13%, respectively, from 2013.


The total number of data breaches increased by six in the week, according to the ITRC. The business sector accounts for about 645,000 exposed records in 184 incidents so far in 2015. That represents 39% of the incidents, but just 0.5% of the exposed records.


The medical/health care sector posted the second-largest percentage of the total breaches so far this year, 35.6% (168) out of the total of 472. The number of records exposed in these breaches totaled 109.5 million, or 78.6% of the total so far in 2015.


The number of banking/credit/financial breaches totals 45 for the year to date and involves more than 411,000 records, some 9.7% of the total number of breaches and 0.3% of the records exposed. These numbers are unchanged from the prior week.


The government/military sector has suffered 36 data breaches so far this year, just 7.7% of the total, but about 20% of the total number of records exposed. These numbers were also unchanged from the prior week.


The educational sector has seen 39 data breaches in 2015, accounting for 8.3% of all breaches for the year. Nearly 740,000 records have been exposed, about 0.5% of the total so far in 2015.

In all of 2014, ITRC tracked an annual record number of 783 data breaches, up 27.5% year over year. The previous high was 662 breaches in 2010. Since beginning to track data breaches in 2005, ITRC had counted 5,497 breaches through August 11, 2015, involving more than 818 million records. Compared with 2014, the number of data breaches is about 2.3% lower to date in 2015.


Hospital Slammed With $218,000 HIPAA Fine

Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.

Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.

The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacy for an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth's is the 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."


The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.


The most dangerous data breach ever known

From time to time I have the depressing task to write about yet another data loss event that caused the personal details of millions of people to fall into the hands of criminals. Usually this is credit card data, along with names and email addresses. Sometimes physical addresses are included, and occasionally even more sensitive data like Social Security numbers goes along for the ride. Usually this data was collected by a large retailer that had no qualms about storing the sensitive information, but clearly neglected to properly secure it.


Stolen data is primarily used for credit card fraud, though if there's enough information available, identity theft is a definite possibility. Millions of affected people have been forced to get new credit cards, check their statements for fraudulent charges, and rework any automated payment arrangements and whatnot. It's a big pain in the ass, and frankly, it has happened far too often; once should have been more than enough.




Heartland, Target, TJX, Anthem ... we've seen some massive data breaches over the years. But none can hold a candle to the breach the U.S. government announced last week. Not even close. On a scale of one to 10, with one being the loss of credit card numbers and names, this data loss event would conservatively be a 15.


Most people aren't aware of exactly what type of information the federal government collects on its employees, especially those with security clearances. We all have some idea that government employees have relatively strict reporting requirements for financial information, and we know that federal workers with higher clearances undergo thorough background checks and must submit to interviews of both themselves and their family and friends. This is done to flag potential problems and to prevent outside agents from having undue influence over people who may have access to sensitive information and materials.


Put simply, if you have a security clearance, the government would like to know if you have a drug problem or if you are in serious debt, because a foreign interest may try to use that situation as leverage to coerce you into revealing sensitive information. In the interest of national security, these safeguards make sense.


But the true nature and scope of the information required by the government and subsequently collected by the government on an employee is massive. Take a look at Standard Form 86. This is a 127-page form that usually takes a week or more to complete and requires the entry of the applicant's Social Security number on each page. The data included on this form is not just enough for identity theft, but enough to allow a person to literally become another person. Each Standard Form 86 fully documents the life of the subject. The only thing missing is the name of your first crush, though that might be in there somewhere too.


Some 18 million people had this level of personal data -- and more, including data collected by observers -- lost to foreign agents last week. If the government collected this data to know if an employee was vulnerable to undue outside influence, then it just succeeded in closing that loop itself, having now released it into the wild. All of those vulnerabilities are now known and available for exploit to whomever stole the data, or to whomever they wish to sell that data. This is very, very bad.


I should also mention that many of those whose personal information was swept up in this data loss event were never even government employees in the first place. They may have filled out the forms and submitted applications, but they were never hired or they declined the job. This includes prospective TSA agents right on up through CIA employees -- the higher the position, the higher the clearance, the more sensitive the data that was collected and lost. Information on these people's infidelities, sexual fetishes, mental illnesses, criminal activities, debts, and other highly personal information is now in the hands of cyber-attackers. This is damage that cannot be undone or mitigated. We can change credit card numbers and refund fraudulent charges, but we can't change any of the personal data and intimate details of these people's lives. That's a permanent loss.

One could argue that however disastrous this data loss event is, the government had a requirement to store this data. It needed to collect and maintain this data, even if it failed to secure it. That said, this is the same government that is collecting a massive amount of data on all of us, whether we're prospective federal employees or not, via Internet and phone surveillance. If the federal government is lax enough to lose immeasurably sensitive information on its employees, how secure is the data that it has decided it needs to collect on everyone in the world?


Many people believe that the U.S. government shouldn't be collecting and storing this data in the first place, and that there's no need to maintain that data collection. This event underscores the fact that maintaining this data is not just privacy invasion on a massive scale, but it's actually dangerous. What happens when the next data loss event contains highly sensitive data on hundreds of millions of people? We can't put that cat back in the box no matter how we might try. You might think that the best way to guard against that possibility is to stop collecting that data in the first place.


Upcoming HIPAA audits may target financial institutions - here’s how to prepare

Much like a tornado watch, the conditions appear to be right for a coming storm: the upcoming Phase 2 HIPAA audits. The Department of Health and Human Services Office for Civil Rights (OCR) has begun verifying contact information of potential audit targets. This serves as a warning that OCR will be auditing for HIPAA compliance, which unlike the pilot audits, will target business associates, including financial institutions, as well as HIPAA-covered entities.


Government regulation is not new to financial institutions. What is new is that an additional regulator with a different perspective has been thrown into the mix. And the stakes are high, with HIPAA carrying both civil and criminal penalties, and resolution amounts tending to reflect the size of the organization being scrutinized.


Financial institutions usually enjoy a statutory exemption from HIPAA when they provide "typical" banking services such as processing payments and issuing credit, even when the financial institutions come in contact with protected health information. But when services go beyond these recognized functions, financial institutions that create, receive, maintain, or transmit protected health information may well have become business associates with direct obligations under HIPAA (as well as contractual obligations through "business associate contracts"). Additionally, financial institutions that convert non-standard electronic HIPAA transactions (usually transactions related to health care billing and payment) into standard transactions, and vice versa, may be health care clearinghouses that are covered entities under HIPAA.


Preparation for Audits


To prepare for the next round of audits, which is described in more detail below, financial institutions that are business associates or covered entities may want to consider the following steps:

  • Verify that a current HIPAA risk analysis is in place and that the risk analysis actually identifies and categorizes risks (e.g., low, medium, high) rather than merely documenting that controls are in place or documenting the gaps in compliance with the HIPAA Security Rule (see OCR Guidance on Risk Analysis and HHS’ Security Risk Assessment Tool). This may entail establishing an inventory of information, systems, and devices
  • Document the action items identified in the risk analysis and the steps taken to address these items or establish reasonable timelines
  • Verify that policies are up to date and dated, particularly pertaining to:
    • Data breach notification
    • Risk analysis and risk management
  • Have supplemental documentation related to the above topics readily available and relatively self-explanatory (e.g., clearly labeled) such as:
    • Risk analyses and risk management plans
    • Documentation that addressable implementation specifications have been addressed
    • Documentation of investigations relating to breaches
    • A copy of any recent breach notifications
    • Breach risk assessments where notifications were not made
    • Documentation of the timelines from the discovery of a breach until the notifications of the breach were made
  • Maintain a current list of business associates and subcontractor business associates with relevant contact information (an internal audit of accounts payable may help identify business associates and is a methodology that was used by OCR’s contractors in Phase 1 audits to identify business associates)
  • Confirm that appropriate workforce members have received HIPAA training (and that training has been documented)
  • Prepare for an audit, perhaps including using an audit assessment tool, such as the DWT audit toolkit. Consider whether it is appropriate to involve legal counsel, which may extend a privilege over the preparation process.
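As an added example that is not part of this alert and not an OCR, HHS or DWT tool, the following Python script shows what "identifies and categorizes risks" means in practice: it walks an asset inventory, scores likelihood and impact, assigns low/medium/high, and turns each finding into a dated action item, which is the shape of the documentation the first two checklist steps ask for. The scoring scale, the remediation deadlines, the asset names and the inventory itself are assumptions constructed for the example; the record counts of the sample entries are modelled on the two incidents described in the St. Elizabeth's article above, and the 500-individual figure is the public-reporting threshold mentioned there.

```python
"""Minimal risk register: inventory -> categorized risks -> dated action items.

Added example. The scale (1..3 likelihood x 1..3 impact), the level cut-offs and
the due-date SLAs are assumptions, not a published OCR or HHS methodology.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                  # "laptop", "usb", "server", "saas"
    holds_ephi: bool
    encrypted: bool
    portable: bool
    records: int = 0           # individuals whose ePHI the asset holds
    ba_agreement: bool = True  # for "saas": business associate agreement in place?


def likelihood(a: Asset) -> int:
    """1..3. Loss/theft of portable media and disclosure to an unvetted
    vendor are the two breach paths the settlement above describes."""
    score = 1
    if a.portable:
        score += 1
    if not a.encrypted:
        score += 1
    if a.kind == "saas" and not a.ba_agreement:
        score += 1
    return min(score, 3)


def impact(a: Asset) -> int:
    """1..3. 500 individuals is the threshold above which OCR lists a breach publicly."""
    if not a.holds_ephi:
        return 1
    return 3 if a.records >= 500 else 2


def level(likelihood_score: int, impact_score: int) -> str:
    """Map the product of the two scores onto low/medium/high (assumed cut-offs)."""
    product = likelihood_score * impact_score
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


DUE_DAYS = {"high": 30, "medium": 90, "low": 180}  # assumed remediation SLAs


@dataclass(frozen=True)
class Risk:
    asset: str
    level: str
    findings: tuple
    due: date


def analyze(inventory, today: date):
    """Return one Risk per ePHI-bearing asset, highest level first, with the
    concrete findings an auditor would expect to see listed as action items."""
    risks = []
    for a in inventory:
        if not a.holds_ephi:
            continue  # out of scope for the HIPAA risk analysis
        findings = []
        if not a.encrypted:
            findings.append("ePHI at rest is not encrypted")
        if a.portable:
            findings.append("portable device; loss or theft is a reportable breach")
        if a.kind == "saas" and not a.ba_agreement:
            findings.append("PHI disclosed to a vendor without a BA agreement")
        lvl = level(likelihood(a), impact(a))
        risks.append(Risk(a.name, lvl, tuple(findings),
                          today + timedelta(days=DUE_DAYS[lvl])))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(risks, key=lambda r: (order[r.level], r.asset))


# Constructed inventory (hypothetical names; not real St. Elizabeth's data).
SAMPLE_INVENTORY = [
    Asset("personal-laptop-01", "laptop", holds_ephi=True, encrypted=False, portable=True, records=595),
    Asset("usb-drive-01", "usb", holds_ephi=True, encrypted=False, portable=True, records=595),
    Asset("doc-sharing-site", "saas", holds_ephi=True, encrypted=True, portable=False,
          records=498, ba_agreement=False),
    Asset("ehr-db-primary", "server", holds_ephi=True, encrypted=True, portable=False, records=120000),
    Asset("lobby-kiosk", "server", holds_ephi=False, encrypted=False, portable=False),
]


def sample_report(today: date = date(2015, 8, 11)):
    """Run the analysis over the constructed inventory (arbitrary 'today')."""
    return analyze(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for r in sample_report():
        print(f"{r.level:6} {r.asset:20} due {r.due}  {'; '.join(r.findings)}")
```

The output is the part an auditor wants: not "encryption control exists" but "this asset, this level, this finding, fixed by this date". Re-running the script after each remediation and keeping the earlier outputs gives the dated trail of action items and timelines the checklist calls for.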


What to expect from the Phase 2 audits


For the first time, business associates will be included in OCR’s HIPAA audits. OCR will request a list of business associates from covered entities (and perhaps other business associates).


Phase 2 will be conducted primarily by OCR staff. Most of these audits likely will be desk audits, although some on-site audits may occur, depending on OCR resources.


As originally announced, OCR plans to audit approximately 350 covered entities and 50 business associates. To start the audit process, OCR will verify contact information – which now is underway. Then, OCR will collect relevant information through a pre-audit survey to select an appropriate sample. OCR will follow up with notifications and data requests to those selected for the audit.


As currently anticipated, Phase 2 audits will be more narrowly focused than the comprehensive audits in Phase 1. Phase 2 topics are to be based on deficiencies identified in Phase 1, including breach notification, risk analysis, and a corresponding risk management plan.

Covered entities and business associates will have about two weeks to respond to initial data requests. OCR has indicated that auditors will not seek clarification or additional data and only data submitted on time will be considered. OCR discourages submitting extraneous information. OCR will not consider policies and similar documentation created after the date of the audit request. OCR will provide a draft report to audited entities and provide an opportunity for comment prior to issuing a final report.


Projected “Round 2” of Phase 2 audits and beyond may move to device and media controls, transmission security (e.g., encryption of transmitted protected health information), Privacy Rule safeguards (e.g., governing hard copy and oral information), encryption and decryption, physical facility access controls, breach reports (e.g., to OCR), and complaint processes.


Impacts of Audits


Although OCR’s communications regarding Phase 1 audits suggested that they would not be used as a vehicle for formal enforcement, OCR has indicated that Phase 2 and future audits may be more closely tied to enforcement, where adverse findings could lead to civil monetary penalties or resolution agreements.


This alert describes OCR’s most recent information on its audit program. The information is subject to significant change as OCR rolls out Phase 2.


Bill Would Clarify HIPAA Privacy Rules

Rep. Doris Matsui (D-Calif.), a member of the House Energy and Commerce Health Subcommittee, has introduced legislation to “elevate and formalize agency guidance on HIPAA privacy rules,” particularly as it pertains to patients with mental illness.


The Including Families in Mental Health Recovery Act (H.R. 2690) has been endorsed by the American Psychological Association, American Psychiatric Association, National Council for Behavioral Health, and National Disability Rights Network, among other stakeholder organizations.


“Healthcare providers and administrators have long lacked clarity on HIPAA rules and thus have been cautious to share information with family members and caregivers of patients,” said Matsui in a written statement. “This lack of clarity creates significant challenges to patients, their doctors and family. Sharing the right information with the right family and caregivers can help a patient, while still protecting their privacy. Assisting family and caregivers with being involved in a patient’s care can be of the utmost importance, and can even mean life or death.”


Although the Department of Health and Human Services' Office for Civil Rights issued guidance in February 2014 on the topic, Matsui argues that "better understanding and awareness of the guidance will give providers the confidence to practice discretion in delicate situations, to best determine whether it is in an individual's best interest to share information with family members and caregivers on a case-by-case basis."


According to John Snook, executive director of the Treatment Advocacy Center, HIPAA privacy rules were never intended to prevent people from receiving necessary medical care. "But we hear from families every day who are kept in the dark about their loved one's treatment because of confusion and uncertainty around the requirements of HIPAA," Snook said. "We applaud Congresswoman Matsui for seeking a solution that will safeguard necessary confidentiality while ensuring families can share and receive critical information during a psychiatric crisis."


Rusty Selix, executive director of the Mental Health Association of California and executive director of the California Council of Community Mental Health Agencies, added: "Government officials, healthcare providers and administrators have long lacked clarity and thus have been cautious to allow sharing of information that they fear might violate the HIPAA privacy law in regards to sharing health information with family members and caregivers of patients. This legislation will provide the education to eliminate the lack of clarity and give providers and administrators the confidence to share information with family members whose support is needed in crisis situations."


Four Common HIPAA Misconceptions


While practices must work hard to comply with HIPAA, some are taking HIPAA compliance efforts a bit too far. That's according to risk management experts, who say there are some common compliance misconceptions that are costing practices unnecessary time and resources.

Here's what they say many practices are avoiding that they don't necessarily need to avoid, and some extra steps they say practices are taking that they don't necessarily need to take.


1. Avoiding leaving phone messages

While it's true that a phone message from your practice to a patient could be overheard by the wrong party, phone messages that contain protected health information (PHI) don't need to be strictly off limits at your practice, says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "Many offices adopt a blanket policy of, well, 'We can't leave you any phone messages because HIPAA says we can't,' and, that's really not true," he says. "You can always get consent from a patient on how they want to be communicated with."


Hook recommends asking all of your patients to sign a form indicating in what manner you are permitted to communicate with them, such as by mail, e-mail, text, and phone message. "If the patient says, 'Yes, you can call and leave me phone messages at this phone number I'm giving you,' then it's not a HIPAA violation to use that method of communication," he says.


2. Avoiding discussing PHI

It's important to safeguard PHI as much as possible, but some practices are taking unnecessary precautions, says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC.


"I think there's still a fear among small providers ... that they can't discuss protected health information anywhere in the [practice]," she says. "They feel that they have to almost build soundproof walls and put up bulletproof glass or soundproof glass to prevent any sort of disclosure of protected health information, and that's not what HIPAA requires at all. HIPAA allows for incidental disclosures, [which] are disclosures that happen [incidentally] around your job. So if you've got a nurse and a doctor talking, maybe at the nurses' station, and someone overhears that Mr. Smith has blood work today, that probably wouldn't be a violation because it's incidental to the job. Where else are the doctors and nurses going to talk?"


As long as you are applying "reasonable and appropriate" safeguards, Caswell says you should be in the clear.


3. Requiring unnecessary business associate agreements

HIPAA requires practices to have written agreements, often referred to as business associate agreements (BAAs), with other entities that receive or work with their PHI. Essentially, the agreements state that the business associates will appropriately safeguard the PHI they receive or create on behalf of the practice.


Still, some practices take unnecessary precautions when it comes to BAAs, says Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association. "A lot of practices are very concerned about people like janitorial services [and] plant maintenance folks, and they have them sign business associate agreements, but those folks are not business associates for the most part," says Tennant. "You may want to have them sign confidentiality agreements basically saying, 'If you do come across any information of a medical nature, protected health information, you are not permitted to look at it, copy it, keep it ...,' But, you do not need to sign a business associate agreement with anybody other than those folks that you actually give PHI to for a specific reason, like if you've got a law office or accounting office or a shredding company that is coming in to pick up PHI to destroy it."


4. Requiring unnecessary patient authorizations

HIPAA requires that only those who have a valid reason to access a patient's medical record, such as treatment purposes, payment purposes, or healthcare operations, have access to it. While it's critical to comply with that requirement, some practices are misconstruing the rule, says Tennant. "They demand patient authorization before they transfer data to another provider for treatment purposes," he says. "I understand why they do it, but it's one of those things that … can cause delays and confusion, and even some acrimony between the patient and the provider. If it's for treatment purposes specifically, you do not need a patient authorization."


Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI

For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI

Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when the content of an e-mail contains sensitive information and therefore automatically encrypts it. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted, such as the inclusion of Social Security numbers or credit card numbers. The application would then filter e-mails for that specified content and, when it finds that content, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters that automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is that if a potential breach occurs, such as the theft of a laptop containing e-mails with PHI, it is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."
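The content-based encryption filter described above, written out as an added example (it is not code from the article or from any vendor's secure e-mail product). It flags an outbound message for encryption when any of the three triggers the experts mention applies: a Social Security or payment card number in the body, an attachment, or a keyword such as "sensitive" or "encrypt" in the subject line; the message layout and the keyword list are assumptions.

```python
"""Outbound e-mail encryption filter of the kind the text describes.

Added example; not code from the article or any vendor's product.
The Message layout and SUBJECT_KEYWORDS list are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

# SSN in 3-2-4 form; the lookaheads reject groups the SSA never issues.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Runs of 13-19 digits with optional separators: payment card candidates.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SUBJECT_KEYWORDS = ("sensitive", "encrypt", "confidential")  # assumed policy list


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def encryption_reasons(msg: Message) -> List[str]:
    """List every policy trigger that applies; an empty list means send as-is."""
    reasons = []
    if SSN_RE.search(msg.body):
        reasons.append("body contains a Social Security number")
    if find_card_numbers(msg.body):
        reasons.append("body contains a payment card number")
    if msg.attachments:
        reasons.append("message has attachments")
    subject = msg.subject.lower()
    for kw in SUBJECT_KEYWORDS:
        if kw in subject:
            reasons.append(f"subject contains keyword '{kw}'")
            break
    return reasons


def must_encrypt(msg: Message) -> bool:
    return bool(encryption_reasons(msg))


if __name__ == "__main__":
    # Constructed sample messages (not real patient data).
    samples = [
        Message("Appointment reminder", "Your appointment is Tuesday at 10 am."),
        Message("Re: account", "Patient SSN on file is 123-45-6789."),
        Message("Copay", "Card ending 4111 1111 1111 1111 was charged $20."),
        Message("Lab results", "See attached.", ["labs.pdf"]),
        Message("ENCRYPT: referral", "Sending referral details."),
    ]
    for s in samples:
        verdict = "ENCRYPT" if must_encrypt(s) else "send"
        print(f"{s.subject!r}: {verdict} {encryption_reasons(s)}")
```

A real deployment would run this on the mail gateway rather than the client, so the decision cannot be skipped by the sender.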


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS

If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP

If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:


• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMENDMENT REQUESTS

Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING

The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARGING FOR RECORD COPIES

With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS

If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:


• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.
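An EHR access audit of the kind recommended above, as an added example (not the article's code nor any EHR vendor's audit tool). It reads constructed audit-log lines in an assumed CSV layout and flags the three snooping patterns the text names: access to one's own record, access without a treatment/payment/operations reason, and access to a patient the user has no documented relationship with; the encounter table, the staff-as-patient mapping and the per-role reason policy are assumptions.

```python
"""EHR access-audit check for "record snooping".

Added example; not from the article or any EHR product. The log layout
(timestamp,user,role,patient_id,reason), ENCOUNTERS, STAFF_PATIENT_IDS
and ROLE_ALLOWED are all assumptions; the log lines are constructed.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Set, Tuple

VALID_REASONS = {"treatment", "payment", "operations"}

# Constructed audit log (not real data).
AUDIT_LOG = """timestamp,user,role,patient_id,reason
2015-06-01T09:02:00,nurse01,nurse,P1001,treatment
2015-06-01T09:15:00,billing02,billing,P1001,payment
2015-06-01T12:40:00,nurse01,nurse,P2002,treatment
2015-06-01T12:41:00,nurse01,nurse,P3003,
2015-06-01T13:05:00,frontdesk03,reception,P1001,operations
2015-06-01T17:30:00,frontdesk03,reception,P4004,treatment
"""

# Constructed: (user, patient) pairs with a scheduled encounter or open claim.
ENCOUNTERS: Set[Tuple[str, str]] = {
    ("nurse01", "P1001"), ("billing02", "P1001"), ("frontdesk03", "P1001"),
}
# Constructed: staff members who are also patients of the practice.
STAFF_PATIENT_IDS: Dict[str, str] = {"nurse01": "P2002"}
# Constructed written access protocol: which reasons each job function may use.
ROLE_ALLOWED: Dict[str, Set[str]] = {
    "nurse": {"treatment"},
    "billing": {"payment"},
    "reception": {"operations"},
}


def audit_access(log_text: str,
                 encounters: Set[Tuple[str, str]],
                 staff_patient_ids: Dict[str, str],
                 role_allowed: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per log row that fails any check, in log order."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, role, pid = row["user"], row["role"], row["patient_id"]
        reason = row["reason"].strip().lower()
        issues = []
        if staff_patient_ids.get(user) == pid:
            issues.append("self-access")
        if reason not in VALID_REASONS:
            issues.append("no treatment/payment/operations reason")
        elif reason not in role_allowed.get(role, set()):
            issues.append(f"reason '{reason}' not permitted for role '{role}'")
        if (user, pid) not in encounters:
            issues.append("no documented relationship with patient")
        if issues:
            findings.append({"timestamp": row["timestamp"], "user": user,
                             "patient_id": pid, "issues": issues})
    return findings


def findings_per_user(findings: List[dict]) -> Dict[str, int]:
    """Count findings by user so repeat offenders surface first in review."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    for f in audit_access(AUDIT_LOG, ENCOUNTERS, STAFF_PATIENT_IDS, ROLE_ALLOWED):
        print(f["timestamp"], f["user"], f["patient_id"], "; ".join(f["issues"]))
    print(findings_per_user(audit_access(AUDIT_LOG, ENCOUNTERS,
                                         STAFF_PATIENT_IDS, ROLE_ALLOWED)))
```

Findings are leads for a human review, not verdicts: a legitimate emergency access will show up as "no documented relationship" until the encounter is charted.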


9. RELEASING TOO MUCH INFORMATION

Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


Average Cost of Data Breach Rises to $3.8 Million


Based on a study of 350 companies in 11 countries, the average data breach costs a company an average of $3.79 million, or $154 for every lost or stolen record. The amounts represent an increase from the overall average cost of $3.52 million in 2014 and a per-record cost of $145.

Massive data breaches such as the estimated 56 million credit and debit card numbers stolen from Home Depot Inc. (NYSE: HD) in 2014 and the 40 million exposed by the Target Corp. (NYSE: TGT) in the attack against the company during the 2013 holiday shopping season cost the companies far more than that average. One estimate of the cost to Home Depot came in at $10 billion by 2020 (an average of $177 per lost record).


Over the next 24 months, companies and organizations in Brazil and France are the most likely to experience a data breach involving a minimum of 10,000 records, while organizations in Canada and Germany are the least likely to have such a breach. The somewhat good news is that any company is more likely to have a breach involving 10,000 or fewer records (22% chance) than a breach involving more than 100,000 records (less than 1% chance).

The data was released earlier this week by International Business Machines Corp. (NYSE: IBM) and the Ponemon Institute, a data security consulting and research firm. All 350 companies included in the study have experienced a data breach at some time, with the breaches ranging from a low of about 2,200 compromised records to a high of more than 101,000 breached records.


The research notes three major reasons for the higher costs in 2015:

  • Cyberattacks occur more frequently and the cost to repair the damage is higher.
  • The cost of the lost business is higher while repairs are being made.
  • Costs to detect breaches are higher.


In the United States, the cost of a data breach averages $6.5 million, the highest in the world, followed by Germany which has an average total cost of $4.9 million. The lowest costs are posted in Brazil ($1.8 million) and India ($1.5 million).


The cost of a data breach to a health care organization could be as much as $363 per record. From 2014 to 2015, the retail industry has seen its costs for a data breach rise from $105 to $165 per lost or stolen record.


Data breaches are most often the result of malicious or criminal attacks (47% of the time), with system glitches accounting for 29% of data breaches and human error accounting for the remaining 25%. More than half of all breaches are the result of a system glitch or human error in all but three locations: Canada, Germany and the combined Saudi Arabia-United Arab Emirates region. In the United States, malicious or criminal attacks account for 49% of data breaches.


A quick guide to HIPAA compliance for physicians


If you haven’t done so already, consider circling September 23, 2013 on your calendar. That’s the day that the federal government will start enforcing changes to the Health Insurance Portability and Accountability Act (HIPAA). The changes affect everything from how you secure your patients’ protected health information to the contracts you sign with vendors to what you need to tell patients about their privacy rights. Although the new regulations officially took effect in March, physicians and other entities covered by HIPAA were given 6 months to comply. The U.S. Department of Health and Human Services, which developed the regulations, says the updates are needed to account for the widespread use of electronic health records and other changes in health information technology that have occurred since HIPAA was enacted in 1996.

Compliance with the updated regulations requires medical practices to:

  • conduct a risk analysis to determine the vulnerability of electronic protected health information (PHI) to loss or theft, and document that they have done so;

  • encrypt patient PHI so that it can’t be used if it’s lost or stolen;

  • review policies and procedures for what to do if PHI is lost, stolen, or inappropriately disclosed;

  • review contracts with vendors and other “business associates” that have access to PHI to ensure that the vendors have proper safeguards in place to secure patient PHI.

The penalty for unauthorized disclosure of PHI consists of fines that range from $100 to $50,000, depending on the circumstances of the disclosure and the size of the practice.

The new regulations also:

  • allow patients to forbid disclosure of information about a test or treatment for which the patient has paid out-of-pocket, thus requiring practices to be able to identify and separate information a patient doesn’t want disclosed so that it’s not accidentally sent to an insurance provider;

  • permit patients to request their health information in electronic form, and require practices to comply with the request within 30 days with one 30-day extension permitted; and

  • require practices to update their notice of privacy practices to include all patients’ rights, send the updated notice to all patients, and post it in the practice’s office and on its Web site.


HIPAA guidance for small to mid-size medical practices


For small and mid-size medical practices, HIPAA compliance has long been a small problem. After all, it wasn’t very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry. As long as they didn’t blatantly, repeatedly or intentionally violate HIPAA’s strictures, they rarely rated government action beyond (at most) a warning letter.


Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans.


The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice hasn’t reviewed and updated your HIPAA policy recently, then now’s the time.


The good news? Most of the time what catches the attention of the Office for Civil Rights (OCR) in the U.S. Department of Health & Human Services are things that should be common sense. Was the OCR trying to send a message by fining an independent Arizona cardiac practice $100,000 for a HIPAA violation in 2012? You bet. But the practice placed sensitive patient information, including names and medical procedures, on an online scheduling system that was accessible by anyone who was adept at guessing passwords.

It’s been 10 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.


Here are some other common-sense tips for keeping your practice on the right side of the law:


  • Train your staff. HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.
  • Establish written protocols for information access. Staff should have access to the portions of patients’ PHI that are necessary to perform their jobs -- and that’s all. This should be perfectly clear and in writing. And your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.
  • Use discretion in the reception area. Don’t use public sign-in sheets. Don’t make any mention of the reason for a patient’s appointment until you’re both out of earshot of the waiting room. Make sure computer screens aren’t visible to non-staff members in any public areas of the office.
  • Plan for breaches. What would happen if there were an accidental breach of patient information? Say, someone mistakenly includes patient information in an email attachment, and the attached document includes patient names and Social Security numbers? Or how would you handle an intentional breach? For example, maybe a staffer has some personal grudge against one of your patients (an ex-boyfriend, perhaps) and posts something embarrassing about the patient on Facebook. You should prepare a specific response for scenarios like these because they do happen.
  • Use computer passwords correctly. If you have any centralized computer terminals that get used by more than one staffer, make sure everyone logs out whenever they’re finished. To be safe, set up those computers so a login is required after brief periods of inactivity, say two or three minutes. Even if you don’t have centralized computer stations (and most small practices don’t), you should require your employees to change their own passwords every few months.
  • Hire a consultant to help you comply with HIPAA’s security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense won’t help you determine whether your computer network is properly encrypted. Get help.


The Privacy Rule notwithstanding, HIPAA continues to be mostly a common-sense law. What’s new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices. But since most private practices should have been following HIPAA plans for at least 10 years now, it’s likely they’ll need to do little more than review, update, and continue to implement their plan.


IRS: 100,000 Taxpayer Accounts Breached


Using personal information gained from third-party sources to circumvent authentication protections, hackers breached more than 100,000 accounts of taxpayers who had used the Internal Revenue Service's "Get Transcript" application, which has been temporarily shuttered.


The Get Transcript service allows taxpayers to review their tax account transactions, line-by-line tax return information or wage and income reported to the IRS for a specific tax year. "The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015," the IRS said in a May 26 statement. "It's possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year's tax season."


The IRS branded the hack as a sophisticated effort. "Third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems," the IRS said. "The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer."


IRS Commissioner John Koskinen, at a press conference, said several years of taxpayers' returns and tax information were exposed. "We're confident these are not amateurs, these actually are organized crime syndicates that not only we but everyone in the financial industry are dealing with," he said.

Breach Didn't Affect Core Systems

The IRS said the breach did not involve its core computer system that processes tax filings.


Tax agency officials did not specifically identify the third-party sources where the PII originally was stolen, although they characterized them as "questionable email domains." But several experts suggested that the hackers could have acquired the initial PII from other breaches. "We live in a world where the Internet has become a database of 'you' and where one data breach can easily feed another," says Ken Westin, senior security analyst for the IT security firm Tripwire. "The information that was used to bypass the security screen ... are all components of data that have recently been compromised in health insurance data breaches."


The IRS said it spotted last week unusual activity occurring on the Get Transcript application, suggesting that unauthorized individuals had access to some accounts on the transcript application. The tax agency said the breach started in February and continued until mid-May.

Attempts Made to Hack 200,000 Accounts

Following an initial review, IRS investigators surmised that hackers attempted to access 200,000 taxpayer accounts through the Get Transcript application and gained access to more than 100,000 accounts. During the tax filing season, the IRS said taxpayers successfully and safely downloaded about 23 million transcripts.

The IRS is offering free credit monitoring services to the 100,000 taxpayers whose accounts were breached. "The IRS is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward - both right now and in 2016," the IRS said.


The breach is being investigated by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation.


Cybercrime price tag to reach $2 trillion


If you haven't gotten serious about cyberattacks on your organization's data, now's the time to do so, because they're about to hit companies worldwide with a $2.1 trillion price tag.


At least that's according to new research published by Juniper Research, which took a closer look at the costs associated with cybercrime and what they'll end up costing companies on a global scale. And the numbers are staggering.


Going digital will increase the cost of data breaches to almost four times the cost estimated for this year, reaching $2.1 trillion (yes, that's trillion with a "t") in 2019. Breaking that down to the average cost of one of the breaches? Corporations can count on paying more than $150 million per breach by 2020.


The report, which focuses on both corporate and financial threats, underscored that the lion's share of these breaches will not come from targeting mobile devices. Rather, cybercriminals are still going after traditional IT and network infrastructure.


"Currently, we aren't seeing much dangerous mobile or IoT malware because it's not profitable," said James Moar, research analyst at Juniper Research and author of the report, in a press statement. "The kind of threats we will see on these devices will be either ransomware, with consumers' devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack. With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools."


Juniper analysts also say some 60 percent of these global cyberattacks will target North American companies. 



HIPAA’s demands on the IT industry


We’re familiar with signing our lives away at the doctor’s office on HIPAA paperwork, but how is this policy affecting the IT industry?

Since the mid ’90s, the Health Insurance Portability and Accountability Act has regulated health insurance coverage and health care transactions. HIPAA protects patient privacy to ensure safekeeping of all medical information the patient may not wish to disclose. Long story short: HIPAA creates a higher standard to protect patient privacy and confidentiality. HIPAA holds institutions, organizations and offices responsible for protecting private patient information — and provides a framework for punishment when violators unlawfully access or share protected information.


In the past, HIPAA primarily affected hospital procedures. However, a large shift in policy created a ripple that stretched out to the IT industry. The Health Information Technology for Economic and Clinical Health Act of 2009 added technology and financial associates to the list of regulated parties. Things changed even more in 2013 when lawmakers added the Final Omnibus Rule, which significantly expanded the act's Protected Health Information regulations. This ruling greatly changed the relationship between HIPAA and the IT industry.


The rule’s provisions allowed HIPAA to administer new regulations on modern technology and the IT industry. The Final Omnibus Rule paid special attention to cloud storage, mobile devices and remote technologies that offer new ways to access patient information — and, consequently, provide more opportunities for privacy and security breaches. Formerly, a security breach was only considered a breach if the information contained birthdates or ZIP codes. Under the Final Omnibus Rule, all breaches of limited data must be handled the same, regardless of their content.


So, where does this leave the IT industry? When a cloud database administrator or independent IT consultant works directly with protected health information, the person or company automatically becomes a business associate who is subject to the rules and penalties of HIPAA. Since health care providers and their system administrators already know HIPAA regulations well, the IT industry and service providers are now playing catch-up. This means the IT industry has to learn the new regulations quickly and thoroughly to ensure the rules are being followed accordingly. For those still playing catch-up, or those that need a refresher course, allow us to summarize the rules of Title II:


The Privacy Rule — Gives patients more control and protection over their confidential information.


The Transactions and Code Sets Rule — Keeps transactions standard throughout the industry.


The Security Rule — Updated to accommodate technological advances and the new forms of security breaches they bring.


The Unique Identifiers Rule — Standardizes and protects the communication between health care providers and insurers.


The Enforcement Rule — Includes harsh penalties for HIPAA violations.


For people working with medical and patient data on a daily basis, HIPAA's privacy and security rules directly affect both the hardware and the software used to store and send data. According to the U.S. Department of Health & Human Services, everything from Drug Enforcement Administration numbers to vendor finances to patient identities can be subject to security breaches in health care databases. With so much at risk, the IT industry must be aware of the new regulations and be prepared to provide counsel on security and backup plans.


IT companies have come up with several solutions for security and backup that are HIPAA compliant, due to an increased need after 2013. Cloud computing offers ease of access, reliable backups and streamlined communication. Additional private cloud options were created with HIPAA regulations in mind — making sure all operations are secure, smart and compliant. With a private cloud, data is separate, safe and in an identifiable location. Only the particular client has access to the data in private clouds, perfectly complying with HIPAA policy.


New regulations are always a headache for database administrators, but HIPAA might settle the score with its new rules by preventing many more problems in the future. Hopefully, stricter privacy regulations and more defensive systems will emphasize the importance of innovative, up-to-date storage centers and solutions.


Bill That Changes HIPAA Passes House


The U.S. House of Representatives on July 10 passed a bill aimed at accelerating the advancement of medical innovation that contains a controversial provision calling for significant changes to the HIPAA Privacy Rule.


The House approved the 21st Century Cures bill by a vote of 344 to 77. Among the 309-page bill's many provisions is a proposal that the Secretary of Health and Human Services "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under HIPAA, PHI is allowed to be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed legislation is eventually signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if only covered entities or business associates, as defined under HIPAA, are involved in exchanging and using the data.


That provision - as well as many others in the bill - aims to help fuel speedier research and development of promising medical treatments and devices.


"The act says ... if you're sharing [patient PHI] with a covered entity [or a BA], you don't necessarily need the individual's consent prior to sharing - and that's something our members have been receptive to," notes Leslie Krigstein, interim vice president of public policy at the College of Healthcare Information Management Executives, an organization that represents 1,600 CIOs and CISOs.


"The complexity of consent has been a barrier [to health information sharing] ... and the language [contained in the bill] will hopefully move the conversation forward," she says.


Some privacy advocates, however, have opposed the bill's HIPAA-altering provision.


Allowing the use of PHI by researchers without individuals' consent or knowledge only makes the privacy and security of that data less certain, says Deborah Peel, M.D., founder of Patient Privacy Rights, an advocacy group.


"Researchers and all those that take our data magnify the risks of data breach, data theft, data sale and harms," she says. "Researchers are simply more weak links in the U.S. healthcare system which already has 100s of millions of weak links."

Changes Ahead?

If the legislation is signed into law in its current form, healthcare entities and business associates would need to change their policies related to how they handle PHI.


"If the bill is enacted, it will not place additional responsibilities on covered entities and business associates. Rather, it will provide them with greater flexibility to use and disclose protected health information for research," says privacy attorney Adam Greene, partner at law firm Davis Wright Tremaine. "Covered entities and business associates who seek to take advantage of these changes would need to revise their policies and procedures accordingly." For instance, some covered entities also may need to revise their notices of privacy practices if their notices get into great detail on research, Greene notes.

Other Provisions

In addition to the privacy provisions, the bill also calls for penalizing vendors of electronic health records and other health IT systems that fail to meet standards for interoperable and secure information exchange.


The bill calls for HHS to develop methods to measure whether EHRs and other health information technology are interoperable, and authorizes HHS to penalize EHR vendors with decertification of their products if their software fails to meet interoperability requirements.


In addition, the bill also contains provisions for "patient empowerment," giving individuals the right to "the entirety" of their health information, including data contained in an EHR, whether structured or unstructured. An example of unstructured data might be physician notes, although that is not specifically named in the legislation.


"Healthcare providers should not have the ability to deny a patient's request for access to the entirety of such health information," the bill says.


A House source tells Information Security Media Group that the Senate has been working on an "Innovation Agenda" for the past few months calling for policies similar to those contained in the 21st Century Cures bill. House leaders say it's their goal to have a bill sent to the president's desk by the end of the year, the source says.


Data Breaches on Record Pace for 2015


Data breaches in 2015 are on pace to break records both in the number of breaches and records exposed, the San Diego-based Identity Theft Resource Center said.


In 2014, the number of U.S. data breaches tracked by ITRC hit a record high of 783, with 85,611,528 confirmed records exposed.

So far this year, as of June 30, the number of breaches captured on the ITRC report totaled 400 data incidents, one more than on June 30, 2014. Additionally, 117,576,693 records had been confirmed to be at risk.


That is significant given the finding of the IBM Cost of Data Breach Study conducted by Ponemon Institute, which reported that the cost incurred for each lost or stolen record containing sensitive information averaged $154.

ITRC reported a significant jump of about 85% in the number of breaches in the banking sector over the same period last year. The biggest credit union breach so far this year took place at the $308 million Winston-Salem, N.C.-based Piedmont Advantage Credit Union, which notified its entire 46,000 membership in early March that one of its laptops containing personal information, including Social Security numbers, was missing.


Affected institutions are encouraged to participate in public comment on the assessment tool.


Year-to-date, the five industry sectors broken down by ITRC based on the percentage of breaches were business with 40.3%, medical/healthcare at 34.8%, banking/credit/financial representing 10%, educational with 7.8% and government/military reporting 7.3%.

Based on the number of confirmed records, the medical/healthcare sector reported 100,926,229 records breached, government/military reported 15,391,057, educational had 724,318, banking/credit/financial reported 408,377 and business had 126,712.


The ITRC 2015 Breach Report was compiled using data breaches confirmed by various media sources and/or notification lists from state governmental agencies.


Some breaches were not included in the report because they do not yet have reported statistics or remain unconfirmed, the firm said. 


243 arrested in 10 states for healthcare fraud, false claims, kickbacks, medical ID theft

The Medicare Fraud Strike Force swept through 10 states and arrested 243 people—46 of them physicians, nurses, and other licensed medical professionals—for allegedly defrauding the government out of $712 million in false Medicare and Medicaid billings, federal officials announced June 18. In addition to targeting instances of false claims and kickbacks, the strike force also uncovered evidence of medical identity theft.
Among the defendants is Mariamma Viju of Garland, Texas, an RN and the co-owner and nursing director for Dallas Home Health, Inc. A federal indictment accuses Viju and a co-conspirator of stealing patient information from Dallas-area hospitals in order to then solicit those patients for her business, as well as submitting false Medicare and Medicaid claims, and paying out cash kickbacks to beneficiaries.
In total, the scheme netted Viju $2.5 million in fraudulently obtained payments between 2008 and 2013. She was arrested June 16 and charged with one count of conspiracy to commit healthcare fraud, five counts of healthcare fraud, and one count of wrongful disclosure of individually identifiable health information.
The indictment says Viju allegedly took patient information from Baylor University Medical Center at Dallas, where she worked as a nurse until she was fired in 2012. Dallas Home Health then billed Medicare and Texas Medicaid for home health services on behalf of beneficiaries who were not homebound or otherwise eligible for covered home health services.
Viju also allegedly falsified and exaggerated patients’ health conditions to increase the amounts billed to Medicare and Medicaid, and thereby boost payments to Dallas Home Health. The indictment says she paid kickbacks to Medicare beneficiaries as well to recruit and retain them as patients of Dallas Home Health.
Viju’s co-conspirator—a co-owner of Dallas Home Health—wasn’t named in the indictment, but in a news release from the U.S. Attorney’s Office for the Northern District of Texas, that person was identified as her husband Viju Mathew. He’s a former registration specialist at Parkland Hospital in Dallas and pleaded guilty in November 2014 to one count of fraud and related activity in connection with identity theft.
Prosecutors say he used his position to obtain PHI, including names, phone numbers, birthdates, Medicare information, and government-issued health insurance claim numbers, so he could use it to contact prospective patients for his home health care business. He is due to be sentenced in August 2015.
In another case in Maryland, Harry Crawford—owner of RX Resources and Solutions—and two of his employees—Elma Myles and Matthew Hightower—are all charged with aggravated identity theft in addition to healthcare fraud and conspiracy to commit healthcare fraud.
An indictment from a federal grand jury accuses Crawford, Myles, and Hightower of fraudulently using actual names, addresses, and unique insurance identification numbers of numerous Medicaid beneficiaries to submit fraudulent claims totaling approximately $900,000 between 2010 and 2014.
The alleged scheme used Crawford’s durable medical equipment and disposable medical supply company to bill insurers for equipment and supplies that were never provided to beneficiaries, bill for amounts far in excess of the services delivered, and bill for supplies that weren’t needed and were never prescribed by a physician.
These are just two examples of the criminal fraud uncovered by the strike force.
In other cases, defendants face similar fraud and conspiracy charges for fraudulent billing schemes as well as charges for cash kickbacks, and money laundering, according to the Department of Justice (DOJ). The DOJ says more than 40 defendants are accused of defrauding the Medicare prescription drug program.
This was the largest coordinated takedown, in terms of defendants and money, in the history of the Medicare Fraud Strike Force, according to the DOJ. CMS also suspended licenses for several healthcare providers with authority granted to the agency under the Affordable Care Act.

Four Common HIPAA Misconceptions


While practices must work hard to comply with HIPAA, some are taking HIPAA compliance efforts a bit too far. That's according to risk management experts, who say there are some common compliance misconceptions that are costing practices unnecessary time and resources.

Here's what they say many practices are avoiding that they don't necessarily need to avoid, and some extra steps they say practices are taking that they don't necessarily need to take.


1. Avoiding leaving phone messages


While it's true that a phone message from your practice to a patient could be overheard by the wrong party, phone messages that contain protected health information (PHI) don't need to be strictly off limits at your practice, says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "Many offices adopt a blanket policy of, well, 'We can't leave you any phone messages because HIPAA says we can't,' and that's really not true," he says. "You can always get consent from a patient on how they want to be communicated with."


Hook recommends asking all of your patients to sign a form indicating in what manner you are permitted to communicate with them, such as by mail, e-mail, text, and phone message. "If the patient says, 'Yes, you can call and leave me phone messages at this phone number I'm giving you,' then it's not a HIPAA violation to use that method of communication," he says.


2. Avoiding discussing PHI


It's important to safeguard PHI as much as possible, but some practices are taking unnecessary precautions, says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC.


"I think there's still a fear among small providers ... that they can't discuss protected health information anywhere in the [practice]," she says. "They feel that they have to almost build soundproof walls and put up bulletproof glass or soundproof glass to prevent any sort of disclosure of protected health information, and that's not what HIPAA requires at all. HIPAA allows for incidental disclosures, [which] are disclosures that happen [incidentally] around your job. So if you've got a nurse and a doctor talking, maybe at the nurses' station, and someone overhears that Mr. Smith has blood work today, that probably wouldn't be a violation because it's incidental to the job. Where else are the doctors and nurses going to talk?"


As long as you are applying "reasonable and appropriate" safeguards, Caswell says you should be in the clear.


3. Requiring unnecessary business associate agreements


HIPAA requires practices to have written agreements, often referred to as business associate agreements (BAAs), with other entities that receive or work with their PHI. Essentially, the agreements state that the business associates will appropriately safeguard the PHI they receive or create on behalf of the practice.


Still, some practices take unnecessary precautions when it comes to BAAs, says Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association. "A lot of practices are very concerned about people like janitorial services [and] plant maintenance folks, and they have them sign business associate agreements, but those folks are not business associates for the most part," says Tennant. "You may want to have them sign confidentiality agreements basically saying, 'If you do come across any information of a medical nature, protected health information, you are not permitted to look at it, copy it, keep it ...' But you do not need to sign a business associate agreement with anybody other than those folks that you actually give PHI to for a specific reason, like if you've got a law office or accounting office or a shredding company that is coming in to pick up PHI to destroy it."


4. Requiring unnecessary patient authorizations


While it's critical to comply with HIPAA's requirement that only those with a valid reason to access a patient's medical record (treatment, payment, or healthcare operations) have access to it, some practices are misconstruing that rule, says Tennant. "They demand patient authorization before they transfer data to another provider for treatment purposes," he says. "I understand why they do it, but it's one of those things that … can cause delays and confusion, and even some acrimony between the patient and the provider. If it's for treatment purposes specifically, you do not need a patient authorization."


Why Even Small Data Breaches Hit Hard


For the past few years, major organizations have dropped the ball on cybersecurity again and again. Retailers, insurance providers, educational institutions, and even the U.S. government have all exposed inordinate amounts of their customers’ personal, financial and sometimes even medical information.


This sensitive data is often used to commit identity theft and fraud — a correlation so strong that two-thirds of identity fraud victims in 2014 had previously received a data breach notification.


It may feel like every Fortune 500 company will inevitably be breached, which could lead consumers to believe they can just sit back and wait. But that’s simply not the case. And this “data breach fatigue” is a rather dangerous mindset to sink into.


Signs of identity theft can hide in the smallest of spaces: deep within your credit file, in archived taxes and even in your medical records. Without quick action following a data breach, you may miss major red flags and end up paying the consequences only after the problem has exponentially grown.


Let's clear up this cloudy viewpoint by shifting our focus to when and where a breach really hurts, and taking a look at the little guys: data breaches in small businesses.


Small businesses, particularly small medical practices, are major targets for cybercriminals. These organizations hold a plethora of sensitive data, while typically possessing only the bare minimum in terms of security.


On average, it takes more than 200 days for an organization to detect that it has been hacked.


A small-scale data breach is also rather lackluster in comparison to its brand-name counterparts. Large breaches garner widespread media attention, which drives swift action amongst all parties — the impacted organization, financial institutions and consumers. With time and public awareness against them, hackers know their stolen data will soon be too hot to profit from and will only use a small percentage of it as quickly as possible.


This attention-grabbing factor is completely absent in a small-scale data breach, giving the hackers time to sort out how to most effectively maximize their profits.


So how often do these small-scale breaches occur? Just take a look at Fighting Identity Crime’s monthly breach summaries and you’ll see a distinct pattern — small medical practices and businesses flood the list, each with a considerable amount of exposed data associated with their attack.


Many of these exposed customers may still be unaware of their vulnerability to identity theft and fraud. Meanwhile, others probably know their data was leaked but still don’t fully understand the risks associated with a small-scale data breach.


On average, the total cost of a data breach is now $3.8 million, up from $3.5 million in 2014. While a consumer's financial institution will immediately bear this cost, it will likely impact the consumer later through indirect fees and a reduction of product offerings.


Complying with the HIPAA Nondisclosure Rule


Under the HIPAA Omnibus Rule, patients can request a restriction on the disclosure of PHI to a health plan if they pay out of pocket, in full, for the service. Practices must agree to such a request unless they are required by law to bill that health plan (as is the case with some Medicaid plans).

During a session at the Medical Group Management Association 2014 Annual Conference, Loretta Duncan, senior medical practice consultant with malpractice insurer the State Volunteer Mutual Insurance Company in Brentwood, Tenn., shared some of her compliance tips:


• If the service the patient does not want disclosed is bundled with something else, explain that the patient may need to pay more out-of-pocket costs than expected.

• Make sure that communication is tight between all staff and departments regarding nondisclosure.

• Document your new nondisclosure policies and procedures.

• Be careful when e-prescribing, as pharmacies may bill to the insurance plan before the patient has a chance to let the pharmacy know that the information should not be disclosed.


What Happens in HIPAA Audits: Breaking Down HIPAA Rules


HIPAA audits are something that covered entities of all sizes must be prepared to potentially go through. As technology continues to evolve, facilities need to ensure that they are maintaining PHI security and understand how best to keep sensitive information secure.


The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) had originally scheduled its second round of HIPAA audits for the fall of 2014, yet as of this publication, round two is still waiting to be scheduled. Regardless, HIPAA audits are an essential aspect of the HIPAA Privacy and Security Rules.


We’ll break down the finer points of the audit process and why it is important, while also highlighting tips for facilities in case they are selected for an OCR HIPAA audit.


What are the HIPAA audits?


The OCR HIPAA audit program was designed to analyze the processes, controls, and policies that selected covered entities have in place in relation to the HITECH Act audit mandate, according to the HHS website.

OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

The HIPAA audits also are designed to cover HIPAA Privacy Rule requirements in seven areas:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures.


Why are the HIPAA audits important?


HIPAA audits are not just a way for OCR to ensure that covered entities are keeping themselves HIPAA compliant. Having periodic reviews of audit logs can help healthcare facilities not only detect unauthorized access to patient information, but also provide forensic evidence during security investigations. Auditing also helps organizations track PHI disclosures, learn about new threats and intrusion attempts, and even help to determine the organization’s overall effectiveness of policies and user education.


In FY 2014 alone, the OCR resolved more than 15,000 complaints of alleged HIPAA violations, according to the national FY 2016 budget request proposal report.


“OCR conducted a pilot program to ensure that its audit functions could be performed in the most efficient and effective way, and in FY 2015 will continue designing, testing, and implementing its audit function to measure compliance with privacy, security, and breach notification requirements,” the report authors explained. “Audits are a proactive approach to evaluating and ensuring HIPAA privacy and security compliance.”


The HIPAA audits are important because they help incentivize covered entities to remain HIPAA compliant, but they are also an opportunity to strengthen an organization's security measures and find any weak spots in its approach to security.


What if I am selected for the HIPAA audit program?


As previously mentioned, there is not yet an exact date for when the next round of HIPAA audits will take place, but there have been several reports that preliminary surveys have been sent to covered entities that may be selected for audits.


According to a report in The National Law Review, OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards. Furthermore, OCR will audit 100 covered entities for compliance with the Privacy Standards and 100 covered entities for Breach Notification Standards compliance.


Whether your organization received one of those surveys or not, it's important for entities to have at least a basic plan in place for potential audits. Healthcare organizations should not rely on a false sense of security; when their data systems and safeguards are being reviewed, facilities should keep in mind what the OCR would be looking for so no areas are missed.


Current physical safeguards, administrative safeguards, and technical safeguards are not only required by the Security Rule, but they work together to protect health information. In addition to those areas, here are a few key things for covered entities to maintain, as they may play a role in the HIPAA audit process:


  • Perform comprehensive and periodic risk analyses.
  • Keep thorough inventories of business associates and their contracts or BAAs.
  • Maintain thorough accounts of where ePHI is stored; this includes, but is not necessarily limited to, internal databases, mobile devices and paper documents.
  • Keep thorough records of all security training that has taken place.
  • Keep documented evidence of the facility's encryption capabilities.


If covered entities have performed a proper risk assessment, preparing for the HIPAA audits will not be as daunting. For further discussion on the legal implications of risk assessments and analyses.


Maintain compliance and stay prepared


Perhaps one of the best ways to prepare for a potential OCR HIPAA audit is to keep all three safeguards current, adjusting them as necessary as technology evolves.


It is also essential for covered entities to know their BAs, and have all appropriate contracts and business associate agreements in place and up to date.


Conducting periodic risk analyses will also be beneficial, and covered entities should be able to provide evidence of compliance. This can include documentation showing that policies and procedures are in place. For example, records of instances where a facility has sanctioned people, and whether those sanctions were consistent with its sanctions policy, will be beneficial if an audit looks at the sanction process.


Without a risk analysis, it is much more difficult for healthcare organizations to know where they are in terms of security. This can be detrimental not only for HIPAA audits, but also in maintaining comprehensive data security. Periodic reviews will help facilities continue to work toward maintaining HIPAA compliance and keeping sensitive data as secure as possible.


Health system's data breach insurance claims get challenged


What happens when a health system with liability insurance fails to secure the protected health information of its patients and is hit with a $4.13 million class action settlement for it? The civil actions of one insurance company suggest the claims money doesn't come easy if you fail to follow minimum required security practices.


The three-hospital Cottage Health System in California back in December 2013 notified 32,755 of its patients whose protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible from the Internet. As a result, the data may have been publicly available on search engines like Google.


The health system, which had a liability policy with Columbia Casualty Company, is now being challenged by the insurance company in court. The Chicago-based insurance company, which operates as a subsidiary of Continental Casualty Company, is challenging the claims of Cottage Health System, which thus far total nearly $4.13 million in settlements with patients, saying the health system "provided false responses" to a risk control self assessment when it applied for a liability policy.


Columbia officials in a complaint filed this May point to an exclusion pertaining to failure to follow minimum required practices. This exclusion, they write, "precludes coverage for any loss based upon, directly or indirectly, arising out of, or in any way involving '(a)ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application.'"


The health system's data breach, as Columbia officials allege, was caused by Cottage's "failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network."


In its application for the liability policy, Cottage Health System made "misrepresentations" regarding its security practices, Columbia says, and as such Columbia is seeking reimbursement from the health system for the full $4.13 million that it has paid to Cottage so far, in addition to attorney fees and related expenses.


In part of the application, Cottage answered "yes" to performing due diligence on third-party vendors to ensure that their data-protection safeguards are adequate; auditing these vendors at least once per year; and requiring that these third-party vendors have "sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality." The vendor that contributed to the data breach, inSync, according to the complaint, does not have sufficient assets or insurance to cover the breach.


Don’t think that your small practice is exempt from HIPAA violations. Take a lesson from a small practice that recently incurred a hefty fine after a theft.


If you think that your small medical practice is safe from a Health Insurance Portability and Accountability Act of 1996 (HIPAA) violation, a recent case may make you think otherwise. Not only should you take steps to protect your practice, you should also take steps to protect the information of your patients, as one small, private practice in Massachusetts recently discovered.


A Small Mistake With Huge Consequences


Adult & Pediatric Dermatology, P.C. in Concord, Mass. experienced a recent theft when an unencrypted thumb drive was stolen from the vehicle of an employee. The drive housed the electronic protected health information of roughly 2,200 patients. The thumb drive has yet to be recovered.


An investigation was launched by the HHS Office for Civil Rights, which found that the practice had failed to complete an accurate and thorough risk analysis of the security and confidentiality of its electronic protected health information. The investigation also revealed that the practice had failed to adhere to the requirements of the Breach Notification Rule, which requires practices to have written policies and procedures in place and to train employees properly in handling sensitive medical information.


Truth and Consequences


As a result of the security breach, Adult & Pediatric Dermatology has agreed to pay $150,000 as part of a settlement. Furthermore, the practice has also been required to include a corrective action plan in order to become compliant with HIPAA requirements.


What’s unique about this case is that it’s the very first settlement that involved a covered entity for failing to have proper procedures and policies that address the breach notification stipulations of the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act.


Hope for the Best, Prepare for the Worst


The best way to respond to a worst-case scenario is to prepare well before it happens. No matter how small or young your practice is, always make sure that you are fully compliant with HIPAA regulations as well as any other related medical regulations. Just because you aren’t aware you’re in violation of a regulation, rule or law doesn’t mean that you’ll get a slap on the wrist. Instead, you might get slapped with a large fine and possibly even more devastating consequences that could mean disaster for your small practice.


Take some time out to see which regulations apply to your specific medical practice and which apply to practices everywhere. Make sure you and your employees know how to react in the event that sensitive patient information were to become stolen, hacked or otherwise tampered with. With the way that medical technology is changing, there may be dangers and threats to your practice and patient information that you aren’t yet aware of. Stay up-to-date on the changes taking place in medical technology and the potential dangers they bring with them. Remember that an ounce of prevention is worth a pound of cure.


Data breaches cost an average of US$3.8M: Study


The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday.


The total average cost of a data breach is now US$3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.


The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.


Data breaches are becoming more common and significant, with high-profile attacks on Sony Corp, JPMorgan Chase and retailers Target Corp and Home Depot Inc in the past year and a half.


"Most of what's occurring is through organized crime," said Caleb Barlow, vice president of IBM Security. "These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of people who are trying to defend against them."

IBM, which sells cybersecurity services to companies, has a vested interest in highlighting the costs of data breaches.


The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.


The study's authors said average costs did not apply to mega-breaches affecting millions of customers, such as those suffered by JPMorgan Chase, Target and Home Depot, which cost the companies far greater sums. Target alone said last year its breach cost $148 million.


The study found that health care was the sector most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the all-sector average of $154.


That reflects the relatively high value of a person's medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.


Criminal Attacks Surpass Negligence as Top Data Breach Source, Survey Finds


In the fifth year of its annual survey about privacy and security issues facing healthcare organizations, the Ponemon Institute found that for the first time providers reported that the No. 1 root cause of their data breaches was criminal and malicious attacks, surpassing mistakes and employee negligence.

“Criminal attacks are up 125 percent compared to five years ago” among survey respondents, said Larry Ponemon, chairman and founder of the Ponemon Institute. In fact, 45 percent of healthcare organizations surveyed said the root cause of the data breach was a criminal attack and 12 percent said it was due to a malicious insider, he added.

For the first time, Ponemon included business associates (BAs) in the survey. In the case of BAs, 39 percent said a criminal attacker caused the breach and 10 percent said it was due to a malicious insider.

Ponemon surveyed representatives of 90 healthcare organizations and 88 business associates in February and March 2015. The study also looked beyond data breaches to other types of cyber incidents such as denial-of-service attacks and malware infections. Seventy-eight percent of healthcare organizations and 82 percent of BAs reported experiencing web-borne malware attacks. Eighty-eight percent of providers reported cases of spear phishing.

“Looking at the big picture, organizations are continuing to struggle with their responsibilities to protect sensitive and confidential information,” Ponemon said. “One reason is that a lot of organizations lack the resources to get that job done,” he said. Fifty-six percent of providers and 59 percent of BAs thought their resources were inadequate to the task. “It has been an issue for five years,” he said. “If anything, it has gotten a little bit better, but we still have a long way to go.”

Ponemon noted that the rate of data breach is remarkably high, with 91 percent of providers experiencing one or more breaches in the last year, and 40 percent of respondents had more than five data breaches over the past two years. “Some of these data breaches could be very small events, less than 100 records, but they are still a big event for the patient whose data is exposed,” he said.

Speaking about the increase in criminal attacks, Rick Kam, co-founder of ID Experts, a software and services firm that sponsors the annual Ponemon study, said the FBI has been increasingly warning the healthcare industry about cyberattacks. “Medical records on the black market are worth somewhere between $60 and $70 as opposed to 50 cents or a dollar for a social security number or credit card number,” he said. “There is a real stimulus for criminal organizations that exist in Eastern Europe, Russia, China and Iran to go after and compromise these organizations to get access to that data.”

A few more bullet points from the survey results:

• In the past two years, healthcare organizations spent an average of more than $2 million to resolve the consequences of a data breach involving an average of more than 2,700 lost or stolen records.

• When healthcare organizations were asked what type of security incident worries them most, 70 percent said the negligent or careless employee. This is followed by 40 percent of respondents who said cyber attackers and 33 percent who said it is the use of public cloud services. Insecure mobile apps and insecure medical devices are the least problematic (13 percent and 6 percent of respondents, respectively).

• Fifty-eight percent of healthcare organizations surveyed agree that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft. However, less than half (49 percent) agreed that they have sufficient technologies, and only 33 percent agree they have sufficient resources to prevent or quickly detect a data breach.

• Slightly more than half (53 percent) of organizations surveyed said they have personnel with the necessary technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.

• Most healthcare organizations surveyed have an incident response process in place. Sixty-nine percent have a process with involvement from information technology, information security and compliance. However, 56 percent of respondents say more funding and resources are needed to make it effective.

