HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
3 Key Rules for Effective Risk Management - HIPAA-HITECH Compliance

Has your organization built a culture of risk management? Before you answer, let’s get specific.

The word culture is an overused term, and many times we don’t clearly articulate what we mean when we bring culture into the equation.

It’s a convenient placeholder term when we want to express that something should be a priority. As a result, true “culture” movements rarely move beyond committees and brainstorming sessions. With that in mind, here is a high-level roadmap for ensuring that protecting sensitive data is a part of everyday life within your organization:

1. Get closer and be committed.

If you agree that protecting data and managing risk should be priorities for your organization, then obviously you should be more involved and engaged in the process of evaluating your current efforts and managing your future actions. And it must be clear to everyone that you are taking this matter very seriously. In the case of Home Depot, former employees reported that senior leaders repeatedly ignored their warnings that the company’s security was lacking. They claim that executives brushed them off by saying, “We sell hammers.” If it isn’t important to you, it won’t be important to them. And if you don’t keep it top of mind and front and center, no one else will. Get it on the agenda!

2. Take a balanced and proactive approach.

The best way to do the right thing when it comes to protecting sensitive data is to have a full grasp of potential threats and firm plans for mitigating or eliminating risks. A thorough security risk analysis, followed by a systematic risk management plan, will not only help you stay in good graces with OCR, it will help you be proactive in guiding your organization and limiting the likelihood and impact of adverse events related to information privacy and security. Along with being proactive, you must take a balanced approach. Ensure that equal time and emphasis is dedicated to policies, procedures, people and safeguards.

3. Equip and empower your workforce.

As part of the balanced approach mentioned above, your employees play a big part in your ability to keep data safe. While it’s true that hack attacks and other external threats are on the rise, the vast majority of data breaches actually occur because of people. A combination of malicious and unintentional actions by members of your workforce is the greatest threat to the security of your data.

As a result, you need to equip your information security professionals to do their job effectively, including additional budget or bandwidth as needed to adequately address prioritized risks. You also need to invest in data security training for anyone who comes into contact with sensitive health information.

All along the way, you need to make sure that employees understand the importance of protecting sensitive data.

They need to feel like it’s part of their day job and see the direct tie it has to the bottom line. They also need to feel empowered to speak up when something’s not right and have well-defined and accessible channels for providing feedback. In the end, your workforce will either be your greatest asset, or your worst enemy. It’s up to you to determine which will be true for your business.

The growing expectation is that C-Suites and Boards are paying more attention to safeguarding sensitive information. The U.S. Securities and Exchange Commission recently called on boards to be more involved in “managing cyber risks and more adaptable to changing risks.”

At the end of the day, this is a conclusion that forward-thinking, high-performing organizations will reach on their own.


Coalfire Predicts: In 2015 the Cost of Cybersecurity and Risk Management Will Remain on Track to Double | EMR, EHR and Healthcare IT News


Coalfire, the leading independent information technology governance, risk and compliance (IT GRC) firm, today released its top ten cybersecurity predictions for 2015.

“It’s time for companies to start looking ahead at the next generation of threats and to step up their game to better protect consumer data. The threat landscape is continuously evolving. If you don’t already have threat intelligence and response plans ready for implementation in 2015, now is the time. As 2014 ends, it’s clear this was the year everything changed in the world of information security,” said Rick Dakin, Coalfire’s CEO and chief security strategist. “As high-profile data breaches were announced one after another, consumers stopped believing companies took protecting their information seriously.”

Coalfire conducts more than 1,000 audits and assessments of systems containing sensitive data each year. Based on the trends in those investigations, Dakin predicts the following for 2015:

  1. Motivated Threat Actors – The number and sophistication of cyber threats will continue to increase exponentially. Fueled by both geopolitics and economic incentives, international (and often state-sponsored) criminal organizations will escalate their development of offensive cyber capabilities.
  2. Redefining the Defense – The demands of cybersecurity are fundamentally changing IT. Cyber risk management and security compliance will take an equal weight to other design criteria like functionality, capacity and performance. Financial ROIs will be balanced by a new understanding of risk exposure for sub-par solutions.
  3. Three Heads vs. One – In large organizations, there are technical roles that require the knowledge and experience of CIOs, CTOs and CISOs. While some have predicted the death of the CIO role, we see instead a balancing of responsibility between three peers.
  4. Investments Will Increase – In the face of pernicious new threats, the cost of cybersecurity and risk management will remain on track to double over the next three years.
  5. New Fronts – The expansion of mobility, cloud computing, bring your own device (BYOD) policies, and the Internet of Things will provide new (and previously unforeseen) opportunities for cyber-crime, cyber-warfare, and cyber-terrorism.
  6. Universal Monitoring – As a result of cyber-incidents, every organization (or person) will be using some form of continuous monitoring service (threat, scanning, identity or credit). These will be legislated, mandated by financial institutions or insurers, or acquired on their own behalf.
  7. Business Leadership on Policy Development – Executive leadership will lead to further development and maturation of standards across private sector and governmental organizations. This approach to security and cyber risk management will reduce the potential for “unforeseen” damage from cyber-attacks, cyber warfare and cyberterrorism.
  8. New Threat Detection and Response Technologies – There will be an increased use of crowdsourcing, machine intelligence, and cognitive/advanced analytics to detect and stay ahead of threats. Bounties for catching bad actors and advanced algorithmics will help the “good guys” identify and stay ahead of the hordes of malicious players.
  9. Improved Security – New and better applications of authentication, EMV, encryption and tokenized solutions will increase the security of payments and other personal and confidential information. Apple Pay and other next-generation solutions will overcome anti-NFC inertia and lead to increasing adoption of mobile-based security technologies for both retail payment and other applications, such as healthcare, where critical and confidential information is exchanged.
  10. Back to Offense – We will see the beginnings of a shift from cyber-defense to cyber-offense. From attempting to build impenetrable systems, to building systems that make it possible to identify attackers and provide the means to prosecute, frustrate or delay them.


HIPAA Audits Are Still on Hold


The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.

The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.


Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.

Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.

In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.

"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."

In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.

Rules In the Works

In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:

  • A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health;
  • An advance notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
  • A possible request for additional public input on OCR's proposed accounting of disclosures rulemaking. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.

In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.
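As an added illustration, not part of the article or of any OCR guidance, here is how the four fields the proposed access report named (date and time, who accessed, what information, what action) could be derived from an EHR audit log, with the three-year lookback measured from the patient's request date. The event layout, actor names and patient IDs are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed EHR audit-log event (sample layout, not a real EHR schema).
@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime   # when the electronic record was accessed
    actor: str            # person or entity that accessed the PHI
    patient_id: str       # whose record was touched
    information: str      # description of the information, e.g. "Lab result"
    action: str           # user action: created / viewed / modified / deleted


# The proposal covered disclosures up to three years before the request;
# a fixed 1095-day window approximates that (leap days are ignored here).
LOOKBACK = timedelta(days=3 * 365)

# Constructed sample events; the comments mark which ones must be excluded.
UTC = timezone.utc
SAMPLE_EVENTS = [
    AuditEvent(datetime(2014, 6, 1, 9, 30, tzinfo=UTC), "dr.lee", "P-001", "Medication list", "modified"),
    AuditEvent(datetime(2013, 3, 15, 14, 5, tzinfo=UTC), "nurse.kim", "P-001", "Lab result", "viewed"),
    AuditEvent(datetime(2011, 11, 2, 8, 0, tzinfo=UTC), "dr.lee", "P-001", "Problem list", "created"),    # older than 3 years
    AuditEvent(datetime(2014, 6, 1, 9, 45, tzinfo=UTC), "dr.lee", "P-002", "Medication list", "viewed"),   # different patient
    AuditEvent(datetime(2015, 1, 19, 17, 20, tzinfo=UTC), "billing.svc", "P-001", "Claim record", "deleted"),
    AuditEvent(datetime(2015, 2, 1, 10, 0, tzinfo=UTC), "dr.lee", "P-001", "Lab result", "viewed"),        # after the request
]
REQUEST_TIME = datetime(2015, 1, 20, tzinfo=UTC)   # when the patient asked for the report


def access_report(events, patient_id, requested_at):
    """Build access-report rows for one patient: only events for that patient
    inside the three years ending at the request, ordered oldest first, each
    reduced to the four fields the proposed rule required."""
    window_start = requested_at - LOOKBACK
    selected = sorted(
        (ev for ev in events
         if ev.patient_id == patient_id and window_start <= ev.timestamp <= requested_at),
        key=lambda ev: ev.timestamp,
    )
    return [
        {"date_time": ev.timestamp.isoformat(), "accessed_by": ev.actor,
         "information": ev.information, "action": ev.action}
        for ev in selected
    ]


if __name__ == "__main__":
    for row in access_report(SAMPLE_EVENTS, "P-001", REQUEST_TIME):
        print(f"{row['date_time']}  {row['accessed_by']:<12} {row['action']:<9} {row['information']}")
```

Running the block prints three rows for patient P-001: the 2011 event falls outside the window, the P-002 event belongs to another patient, and the February 2015 event postdates the request.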

Other Enforcement Activities

OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."

OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.

"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.
