HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Don’t Forget to Update Your Software -


On Monday, December 8th, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services announced another new HIPAA settlement. As with most recent settlements, this one is being held up as an example of what not to do.

This time, Anchorage Community Mental Health Services (“ACMHS”) has agreed to pay $150,000 after failing to follow the requirements of the HIPAA Security Rule. The settlement is the result of a self-notification filed by ACMHS that malware had infected its information technology systems, resulting in a breach affecting approximately 2,743 individuals. When OCR investigated, it found that ACMHS had implemented security policies. However, ACMHS had neither tailored the policies to its own operations nor actually followed the policies it adopted. The lack of adherence resulted in ACMHS not identifying or addressing basic security risks, deficiencies that included not updating its technology resources. The lack of updates left the systems vulnerable to malware.

In addition to paying the fine, ACMHS is required to implement a corrective action plan prepared by OCR. The plan remains in place for two years, but should serve as the baseline for a good HIPAA compliance program going forward. Its terms are fairly straightforward and contain no surprises: essentially, comply with the HIPAA Privacy and Security Rules, which all covered entities and business associates should be doing anyway.

As indicated above, the breach in this case was caused by a failure to update software and install patches as necessary. This demonstrates the need to evaluate information technology systems to ensure that they remain current. An organization cannot install a piece of software or hardware and expect it to serve its purpose indefinitely: vendors stop supporting old versions, and attacks on systems and exploitation of vulnerabilities keep evolving, so the systems under attack must evolve as well.

With regard to the HIPAA Security Rule, organizations should remember that compliance is customizable. The Security Rule recognizes and acknowledges that all organizations are different. As such, certain elements are required and others are addressable. The required elements must be put into place and organizations need to make a case by case assessment on how to deal with the addressable items. A risk analysis is the essential first step as the analysis will identify areas of weakness for an organization.

It is not enough just to do a risk analysis once and then prepare and implement policies though. HIPAA Security Policies must be living, breathing documents that adapt to changing circumstances. An area of high vulnerability in the year of adoption can drop by the wayside a few years down the road while a new, unknown area at first becomes a major risk. The changing environment is why organizations must constantly monitor and evaluate policies to ensure good coverage.

Lastly, putting policies into place and not following them, as ACMHS did, is a big problem. When a breach or other instance of non-compliance arises, unfollowed policies will be a major red flag for the government. If policies are adopted, then an organization is arguably aware of what it had to do in order to comply. Willful or negligent failure to follow the policies could then be grounds for a higher fine and other pain being imposed. Education and awareness are essential. Compliance takes time and it is not always easy to measure the return on investment, but the money that can be saved down the road is likely incalculable.




HIPAA Compliance within Revenue Cycle Management

The inclusion of HIPAA transactions intends to reduce administrative costs, but to do so, medical practices will need to strengthen their revenue cycle management processes.

The healthcare industry is constantly striving to prevent fraud and abuse within the system and to emphasize compliance and accuracy. Revenue cycle management (RCM), the process that includes claims processing, payment, and revenue generation, is a hospital's first line of defense against these issues. Still, the revenue cycle process can be flawed, causing further problems if it is not suitably standardized.

The HIPAA Security Rule (final rule published in 2003, with compliance required of most covered entities from April 2005) specifically focuses on safeguarding electronic protected health information. HIPAA itself started because of congressional concern about the portability and continuity of health coverage. Congress passed the legislation “in order to increase the efficiency, effectiveness, and cost savings through the use of electronic data interchange in the healthcare industry.”

HIPAA “requires all healthcare providers, healthcare clearinghouses, and health plans to implement and utilize standardized formats when transmitting electronic data.” The inclusion of HIPAA transactions intends to reduce administrative costs, but to do so, medical practices will need to strengthen their RCM processes.

The RCM process starts with patient scheduling. The key to this step is gathering as much vital patient information as possible. Medical practices should ensure that any protected health information (PHI) is stored and catalogued appropriately. As required by HIPAA, practices must “Identify assets and information systems that create, receive, transmit, or maintain” PHI. Hardware on which PHI is stored or shared must be catalogued accordingly.

In addition to identifying these devices, a practice should have hardware and software firewalls in place and should keep them updated. Data encryption is also an important part of remaining HIPAA compliant within the RCM process. Under the Security Rule, encryption is an addressable specification rather than a required one, but ePHI that is not encrypted in line with HHS guidance counts as “unsecured”, so its loss or exposure is a reportable breach. In practice, the following are examples of information that should be encrypted at rest and in transit:

  • Billing information
  • Case management data
  • Lab and clinical data
  • Patient reports and transcripts
  • Emails between patients and doctors, and between referral doctors

Once the patient is scheduled and appears for their appointment, medical documentation must take place. Maintaining clear and detailed patient files is an important part of a practice’s RCM. Without well-maintained documentation, services rendered to a patient may come into doubt as well as payments received. To prevent missing information and to remain HIPAA compliant, a practice should put a written set of standards in place to maintain accurate documentation.

A practice should then run a risk assessment of these standards and practices to confirm that they “are reasonable and appropriate to provide adequate protection against reasonably anticipated threats or hazards to the confidentiality, integrity, or availability” of PHI. If the risk assessment confirms the suitability of the standards, then they should be implemented.

After the patient’s medical data is recorded and the services are rendered, it’s time for a provider to be reimbursed. Yet, often claims can be denied, and bills go unpaid. To prevent this, a practice should implement additional standards to prevent revenue loss.

An example of revenue loss due to denied claims isn’t difficult to find, and each one leaves unhappy customers in its wake. In New York, a health insurance subcontractor allegedly mishandled the protected health information (PHI) data of approximately 500 patients, causing denial letters to be sent to the wrong members. The resolution required additional notification to be sent and cost valuable company time and money.

It’s not enough just for a practice to have these processes in place in order to be HIPAA compliant in its RCM. These processes need to be checked and re-checked regularly in order to ensure HIPAA compliance standards are maintained at all times. As the HIPAA rules are changed and amended periodically, a practice that fails to stay on top of these changes can suddenly find itself no longer HIPAA compliant.

The penalties for a practice not meeting HIPAA compliance standards can be fiscally damaging. A practice that violates HIPAA rules can be fined from $100 to $50,000 per violation, subject to a cap of $1.5 million per calendar year for all violations of an identical provision, and knowing misuse of PHI can also be prosecuted criminally, which may result in jail time.

Civil penalties are tiered by culpability rather than split into just two categories. Under the 2013 Omnibus Rule the tiers are: the entity did not know (and could not reasonably have known) of the violation, $100 to $50,000 per violation; reasonable cause, $1,000 to $50,000 per violation; willful neglect corrected within 30 days, $10,000 to $50,000 per violation; and willful neglect not corrected, $50,000 per violation. Each tier is subject to the $1.5 million annual cap. Criminal charges are separate from these civil tiers and apply to knowingly obtaining or disclosing PHI in violation of the statute. Note that the figure of 500 records, sometimes cited as defining an “incident”, is actually the breach-notification threshold: a breach affecting 500 or more individuals must be reported to HHS within 60 days of discovery (and to the media where 500 or more residents of a state or jurisdiction are affected) rather than in the annual log used for smaller breaches.

With full patient records selling for about $500 on the black market, it’s not difficult to see why medical information is considered valuable to modern-day criminals. Along with the unpleasant possibility of steep fines and jail time, this is all the more incentive for medical providers to buckle down on their HIPAA compliance.

Remaining HIPAA compliant in its RCM will not only protect a practice from the harsh penalties of non-compliance, but will also protect its patients from losing their personal information in a cybersecurity breach. In the long run, keeping its RCM HIPAA compliant will increase a practice’s efficiency and save it valuable time and cost.




HIPAA Settlement Continues to Emphasize the Importance of Security Policies and Procedures | The National Law Review


A recently announced settlement between Anchorage Community Mental Health Services (“ACMHS”) and the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) emphasizes, once again, the importance of compliance with the Security Rule and keeping IT infrastructure up to date. ACMHS, a five-facility nonprofit organization based in Anchorage, agreed to pay $150,000 and adopt a corrective action plan to address compliance with the HIPAA Security Rule.

OCR began investigating ACMHS after ACMHS reported a breach of unsecured electronic protected health information (e-PHI) caused by malware involving 2,700 individuals in March 2012. In its investigation, OCR concluded that ACMHS failed to conduct a thorough risk assessment, failed to implement Security Rule policies and procedures, and failed to implement technical security measures to protect e-PHI through the use of firewalls and regularly supported and updated software. OCR’s bulletin announcing the settlement noted that though ACMHS had adopted sample Security Rule policies and procedures, it failed to follow those policies and procedures.

OCR has repeatedly emphasized the importance of conducting risk assessments and continuing to update and revise risk assessments based on new threats.  This emphasis was a key takeaway from the September Joint OCR/NIST HIPAA Security Conference. The ACMHS settlement underscores that Security Rule compliance cannot be accomplished with a one-size-fits-all, “check the box” approach.  Instead, compliance requires entities to undertake a thorough and tailored risk assessment and to routinely assess new threats and vulnerabilities.




Why health IT companies may not take HIPAA seriously until 2016 | mHealthNews


When the Final Omnibus Rule came into effect on March 23, 2013, the intent was to make business associates (BAs) more accountable for the protection of the data they were managing on behalf of covered entities (CEs) such as hospitals or health plans. Prior to this, BAs were only liable for whatever was put into a Business Associate Agreement (BAA) by the CE, and even then that liability was restricted to any civil action that might be taken by the CE.

However, the Final Omnibus Rule extended the same federal provisions to BAs that had previously been restricted to CEs, meaning that whether a business associate signed a BAA or not, it was federally required to operate in accordance with the Security, Privacy and Breach Notification Rules. Failure to do so could result in federal civil penalties of up to $1.5 million per year for each violated provision, and even criminal prosecution.

This change was driven by the fact that an increasing percentage of healthcare data is being managed by BAs such as health IT vendors. While covered entities still account for the majority of breach incidents, BAs are responsible for most of the records breached.

However, after an initial flurry of activity before and after this date, most business associates have responded to this change with general apathy. Being in a position to talk to companies every day who operate as business associates, I am repeatedly underwhelmed by their efforts to take security and compliance seriously, despite this change in the law. Indeed, even when offered the chance to enhance their security posture and, by extension, their compliance with HIPAA regulations in a simple and affordable manner, many decline to do so, stating a conflict of priorities. It's not that they are necessarily unaware of the potential consequences – rather, they simply do not see it as a sufficient priority. They often see themselves as being too small, or feel that they first need to build a business before worrying about protecting it. And the reality is they see no immediate consequence to their procrastination.

It's like the speed limit being reduced from 65 mph to 55 mph. While notices are posted, after initial caution by drivers, they see no police cars on the side of the road or any evidence that anyone is being pulled over, so they don’t reduce their speed. Indeed, as more cars come onto the freeway some start to go faster, which encourages others to follow suit. Everyone knows they are speeding, but then everyone else is doing it and no one seems to be getting penalized for it.

The challenge for companies is that while there may not be visible enforcement right now, that is because it takes a while for breaches to be discovered, investigated and adjudicated – on average about three years. Most HIPAA judgments being pronounced today relate to breaches that occurred in 2011.

So to extend the previous analogy, while there may not be police visible on the side of the road, there are speed cameras. The violators will not receive their speeding ticket until a considerable time after the offence was committed, meaning they continue to speed long after their first offence.

In terms of HIPAA enforcement that means most judgments will not become public until 2016, at which time I would hope most BAs will already have realized that it can happen to them, and will have started making adequate protections an imperative.  But until they do, they will need to hope they do not drive past an OCR speed camera.




Does Walgreens Loss Set a Precedent for Employer Liability for HIPAA Violations? | AIS Health


When the Indiana Court of Appeals released its decision upholding the $1.44 million jury verdict against Walgreens for privacy violations by an employee pharmacist, the press and blogosphere started buzzing about the precedent it was setting — an employer could be held liable for the HIPAA violations of an employee. This was the view espoused by the plaintiff’s attorney, Neal F. Eggeson, in a statement to the Indianapolis Star on Friday, Nov. 14, the date of the decision.

The plaintiff, Abigail Hinchy, had sued Walgreens and its pharmacist, Audra Withers, for viewing her prescription records without authorization and then disclosing the information to her husband, who was a former boyfriend of Hinchy’s and the father of her child, who threatened to use the information in a paternity lawsuit. After contacting the company, Walgreens acknowledged the HIPAA violation to Hinchy and said that it had given Withers a written warning and required her to retake a HIPAA computer training program.

Hinchy sued both Walgreens and the pharmacist. In her complaint, Hinchy alleged negligence and professional malpractice, invasion of privacy and public disclosure of private facts, and invasion of privacy/intrusion against Withers. She alleged the same causes of action against Walgreens, under the theory of “respondeat superior,” under which an employer is held responsible for the actions of employees performed within the scope of their employment. Walgreens argued that an employer should not be held liable for acts of an employee who knowingly violated company policy, in this case, HIPAA policies and procedures.

In its decision, the court of appeals cited a number of Indiana cases to explain the concept of respondeat superior. In particular, it focused on when an employee is “acting within the scope of employment when performing work assigned by the employer or engaging in a course of conduct subject to the employer’s control.” After reviewing the case law, the court concluded that “Wither’s actions were of the same general nature as those authorized, or incident to the actions that were authorized, by Walgreens.... Hinchy belonged to the same general category of individuals to whom Withers owed a duty of privacy protection by virtue of her employment as a pharmacist.”

The court also explained that for respondeat superior liability to attach “there must also be underlying liability of the acting party,” in this case, Withers. Hinchy sued Withers on two theories of direct liability — professional malpractice and public disclosure of private facts. The court did not express an opinion on whether Indiana recognized the tort of public disclosure of private facts, which could encompass a HIPAA violation, because Walgreens had not appealed the trial court’s denial of summary judgment on the claim of privacy invasion. Instead, it considered whether Withers committed “the tort of negligence by virtue of professional malpractice of a pharmacist.” It found that under Indiana law, Withers had a duty of confidentiality to Hinchy and that she had breached that duty when she examined Hinchy’s prescription records without authorization and subsequently disclosed the information. “Under these circumstances,” the court said, “we find that the jury verdict can be affirmed based upon the respondeat superior liability of Walgreens, which attaches via the liability of Withers for her negligence/professional malpractice.”

Employer Liability for Employees Is Not New

According to Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP, employer liability for employee actions when acting within the scope of employment has been around forever, and to conclude that the appeal confirmed that privacy breach victims may hold employers responsible is an “overreach.” The issue in the Walgreens case was whether the employee was acting in the scope of her employment when the employee breached HIPAA and violated company policy. In this case, the jury decided that the employee was, and the appellate court declined to overturn that decision. But, according to Drummond, “in this particular case, the appellate court gave too much credence to the fact that the employee’s wrongdoing (looking at medical records she shouldn’t have looked at) was very similar to activities the employee would take in the performance of her legitimate duties (looking at medical records she should look at); if that’s the case, a waiter stealing a customer’s credit card number would be attributable to the restaurant owner, which doesn’t seem fair.”

Walgreens also argued that the $1.44 million jury verdict was excessive and based on improper factors. The court cited evidence admitted at trial regarding the damages and dismissed Walgreens’ arguments because they amounted to a request to reweigh the evidence, which, the court said, it does not do when evaluating a damages award. It found the evidence presented sufficient to support the award.

Privacy attorney Adam Greene of the law firm of Davis Wright Tremaine points out, “Even if a plaintiff can demonstrate a violation of HIPAA, a challenge has been showing damages. What remains to be seen is whether the $1.4 million verdict in the Walgreens case leads to similar findings of harm in other state cases, or whether this was a particularly unique fact pattern.”

Drummond points out that “while the pharmacist definitely ‘used’ PHI improperly by accessing PHI she should not have accessed, the plaintiff’s damages came not from that use, but from a further ‘disclosure’ of the data” to Withers’ husband, the father of Hinchy’s child. While the pharmacist’s improper use of the PHI closely tracked the pharmacist’s proper uses of PHI, any disclosure (which would be required for the damages to occur) would not be within the pharmacist’s normal employment activities and might provide a good argument that the actions of the pharmacist were outside the scope of employment.”

Walgreens plans to appeal the court of appeal’s decision.

What Is the Impact on Other State Cases?

So how much impact will this decision have on other state cases alleging privacy violations using HIPAA as the standard of care? Are employers now more likely to be held liable for employees who violate HIPAA while on the job?

According to Drummond, “I don’t think there were too many plaintiffs sitting on the sidelines, not making legitimate state-law claims because they know there’s no private cause of action under HIPAA. I’ve thought all along that, while clearly you can’t sue for a HIPAA violation, you could still sue for a state law violation. These cases may make plaintiffs’ lawyers more interested in bringing marginal cases, where there’s no clear state law allowing a breach of confidentiality claim. But where there’s a clear state law right to sue, I don’t think HIPAA’s ‘no private cause of action’ standard has been much of an impediment,” even before the Walgreens case.

Covered entities, Drummond says, should “have strong, consistent, and enforced policies and procedures. Draft clear data use and disclosure rules and information pathways, and constantly remind your employees of their duties and obligations. Regularly audit your employees and their data access/use/disclosure activities, and encourage your employees to keep tabs on each other (to positively reinforce data rules, but also to report suspicious activities). Promptly correct errors and mistakes, and punish employees who willfully or carelessly violate policies and procedures. Covered entity employers must take visible steps to place HIPAA-violating activities outside the ‘scope of duties’ of their employees in any way they can.”




Feds Reach Settlements With Groups Over HIPAA, Consent Violations - iHealthBeat


Under a settlement with HHS' Office for Civil Rights, Alaska-based Anchorage Community Mental Health Services has agreed to pay a $150,000 fine and undertake corrective action after failing to comply with HIPAA, Health Data Management reports.

ACMHS reported a March 2012 malware data breach to HHS that affected the personal health information of 2,743 individuals (Goedert, Health Data Management, 12/9). A subsequent OCR investigation found that while the organization had adopted HIPAA policies and procedures in 2005, they were not followed by company employees from 2005 to 2012 (McCann, Healthcare IT News, 12/9). Specifically, OCR found that ACMHS did not:

  • Carry out a risk assessment or implement security measures to mitigate risk;
  • Put security measures, such as threat monitoring or firewalls, into place to prevent unauthorized access of protected data transmitted over its network;
  • Update patches to its health IT system on a regular basis (Health Data Management, 12/9); or
  • Update its IT system software (Healthcare IT News, 12/9).

As part of its settlement, ACMHS will be required to provide OCR with updates of its security rule procedures and policies and potentially revise them if recommended by OCR. In addition, ACMHS will be required to:

  • Carry out yearly risk assessments and document the steps they are taking or plan to take to mitigate identified risks;
  • Give the updated policies and procedures to staff members and provide them with general security awareness training; and
  • Notify OCR of any compliance failures and, if applicable, steps ACMHS takes to mitigate harm from such failures and prevent their reoccurrence.

ACMHS will need to report to OCR for a two-year period and keep compliance-related documents for six years (Health Data Management, 12/9).

PaymentsMD Settlements

In related news, medical billing company PaymentsMD and its former CEO Michael Hughes have reached a proposed settlement with the Federal Trade Commission over charges that the company misled consumers by inappropriately obtaining consent to collect their personal health data, Clinical Innovation & Technology reports (Pedulli, Clinical Innovation & Technology, 12/8).

According to FTC, as part of an effort to develop a separate Patient Health Report Service, PaymentsMD changed its registration process for its patient portal to include a request to authorize the company and its affiliated partners to contact insurers, medical labs and pharmacies to obtain patient data (FTC release, 12/3). Such data included patients':

  • Diagnoses;
  • Lab tests;
  • Lab test results;
  • Prescriptions; and
  • Procedures.

FTC said that PaymentsMD asked for four separate authorizations in small windows with only six lines of text at a given time and gave patients the opportunity to accept all the authorizations at once.

FTC Bureau of Consumer Protection Director Jessica Rich said, "Using deceptive tactics to gain consumers' 'permission' to collect their full health history is contrary to the most basic privacy principles."

Under the proposed settlement, PaymentsMD would:

  • Destroy any collected patient data; and
  • Obtain affirmative express consent from patients prior to collecting patients' data from third parties (Clinical Innovation & Technology, 12/8).




$150K HIPAA Fine for Unpatched Software


Federal regulators are sending a powerful message about the importance of applying software patches by slapping an Alaska mental health services provider with a $150,000 HIPAA sanction.

The Department of Health and Human Services' Office for Civil Rights says Anchorage Community Mental Health Services' failure to apply software patches contributed to a 2012 malware-related breach affecting more than 2,700 individuals.


ACMHS is a five-facility, not-for-profit organization providing behavioral healthcare services to children, adults and families.

The HIPAA settlement in the Alaska case marks the first time OCR has levied a penalty tied to unpatched software, which is not specifically addressed in the HIPAA Security Rule.

Managing Risk

"Most of the previous [OCR] corrective action plans that I reviewed focused on policies, procedures and other forms of documentation," says security adviser Tom Walsh, president of Tom Walsh Consulting. "Many times, people are surprised to discover that there is nothing specifically written in the HIPAA Security Rule regarding vulnerability or patch management, firewalls, and monitoring of inbound and outbound traffic. However, it is difficult to manage risk appropriately without these prevailing security practices."

A meaningful risk analysis must include "looking beyond the minimum requirements in the HIPAA Security Rule and exercising proper due diligence to properly evaluate any risk factors that could affect patient information," Walsh stresses.

Independent HIPAA and healthcare attorney Susan A. Miller notes: "This is a wake-up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].

"The lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately," Miller adds. "That includes operating systems, electronic health records, practice management - and any electronic tool containing PHI."

Malware Incident

OCR says it opened an investigation after receiving notification in June 2012 from ACMHS regarding a March 2012 incident involving malware compromising the security of the mental health provider's information technology resources.

OCR's investigation revealed that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these were not followed. The security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating software with available patches and running outdated, unsupported software, OCR says.

"ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches," says the OCR resolution agreement with ACMHS.

In addition, OCR says that contributing to the incident was ACMHS' failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," says OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."

Corrective Actions

The corrective action plan with ACMHS calls for the mental health services provider to revise and distribute to all members of its workforce the organization's HIPAA Security Rule policies and procedures.

The plan also requires that ACMHS obtain a signed initial compliance certification from all members of its workforce, stating that they have read and agree to abide by the security rule policies and procedures. In addition, the plan requires ACMHS' workforce to attend HIPAA security training.

Also, the plan requires the organization to annually conduct a thorough risk assessment and document the security measures it implements to address the issues identified.

Other Settlements

The settlement with the Alaska provider is the latest of several HIPAA resolution agreements issued by OCR in 2014. OCR announced a record $4.8 million settlement in May with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients. In that settlement, OCR cited, among other factors, the lack of a risk analysis and failure to implement appropriate security policies.

The other 2014 OCR resolution agreement was an $800,000 settlement with Parkview Health System, a not-for-profit organization serving northeast Indiana and northwest Ohio. The provider agreed to the settlement involving "potential violations" of the HIPAA Privacy Rule as a result of an incident in June 2009 involving the dumping of paper medical records of 5,000 to 8,000 patients.




Mobile Health, HIPAA And Health Technology Predictions For 2015

TrueVault's CEO and Co-Founder, Jason Wang, recently shared his predictions on health technology, mobile health and HIPAA for 2015. Maintaining HIPAA compliance for healthcare applications is frustrating and time consuming for developers. TrueVault is known as the first company to make HIPAA compliance convenient for healthcare apps.
Concerns in areas such as cost and the administrative, technical and physical safeguards, which require custom development and software architecture, can add months to the development timeline.
 
HIPAA complaints and violations will reach all-time highs
  • HIPAA complaints in 2013 were nearly 4x the number of complaints in 2003, the year the law was enacted.
  • The change in HIPAA compliance requirements for BAs in 9/13 means more companies are subject to HIPAA oversight.
  • The number of complaints filed by July 31, 2014 was 71% higher than the number filed during the same period in 2013.
  • The sheer number of new devices, applications and users means even more complaints for HHS.

The amount of health data collected will skyrocket
  • With the launch of Apple Health, Apple Watch, Google Fit and SAMI, more health data than ever before will be captured by mobile devices.
  • Industry estimates predict more than 500 million smartphone users will collect mobile health data.
  • This is up more than 5x from the 95 million mobile health users in 2013.

Wearable devices go mainstream
  • With the Apple Watch, Microsoft Band and other wearable entrants, wearable devices will finally become mainstream.
  • IHS estimates that nearly 90 million wearable devices will be sold in 2015, with a market value of more than $5 billion.

Data safety concerns will be top of mind for consumers
  • Mobile health data collection will be tempered by growing consumer concerns over data safety and privacy.
  • 60% of Americans recently surveyed by GfK are more concerned about online data security than they were last year.
  • In a December 2013 poll by Radius Global Market Research, more than three-quarters of internet users at least "somewhat agreed" that they would stop using a service, product or retailer if they felt their privacy was violated.

mHealth companies will need to win consumer trust to gain health data access
  • Consumers are willing to give data to the companies they trust.
  • New startups will need to prove their security bona fides before consumers turn over sensitive health information.
  • 78% of internet users said they only purchased from companies they trusted.
  • In the same Pew survey, adults ranked health data as the second most sensitive data they have, behind their social security number.


The health care industry is prone to privacy and security breaches, so trust and regulatory compliance are crucial. Protecting data becomes more challenging as cost, risk and complexity vary across platforms. Health care applications handle sensitive data, and as businesses move to the cloud this information requires further protection and new security standards.



HIPAA rules on privacy taken too far


Recently, I was told by a court official in Outagamie County that federal law prohibited the release of the name of a man I had just heard speak in open court.

He was a participant in the county’s Drug and Alcohol Treatment Court. He had been charged with driving while intoxicated as a fourth offense, but was offered a chance to go through a treatment program instead of serving jail time.

I attended the proceeding as a reporter for The Post-Crescent, working on a story for Gannett Wisconsin Media’s statewide probe into repeat drunken drivers. The man had made a point about the costs of the program and I wanted to verify his charge history.

But when I asked for his name, the court official said it could not be released, citing the federal Health Insurance Portability and Accountability Act of 1996. That law, commonly called HIPAA, protects private health information.

It also, as this episode attests, is often misapplied.

In this case, there was no valid reason for withholding the man’s name, and after a discussion with the circuit judge, I was able to obtain it. I ended up using his comment but not naming him in my story.

This was a public program, run by publicly paid officials, involving criminal defendants serving court-ordered sentences. The decision of whether to use this person’s name should be up to the media, not the court official.

As the Reporters Committee for Freedom of the Press has noted, HIPAA remains a “prickly” obstacle for journalists. To help reduce conflicts and confusion, the group has sorted out just who is and who isn’t impacted.

Health care organizations like hospitals, life insurers, ambulance services and public health authorities are all subject to HIPAA rules. Firefighters, police, court officials, reporters and patients themselves are not.

Neither are public officials who have nothing to do with the delivery of health care services. And yet, in one instance, a Louisiana State University representative told reporters he couldn’t discuss a player’s knee injury.

“Due to these new medical laws, our hands are tied,” the official said.

Often, the most valuable information available to reporters is found on health facility directories, which are not protected by HIPAA. Hospitals may release an individual’s name, location in the facility and general condition.

HIPAA also doesn’t bar reporters from interviewing patients in a waiting room.

Statistical information related to hospitals, including their billing data, is not covered by HIPAA. Much of this information can be released electronically without names attached.

The Association of Health Care Journalists has produced another useful list of what HIPAA does not protect, including police and fire incident reports, court records, birth and autopsy records.

Felice Freyer, the association’s treasurer and a member of its Right to Know Committee, said HIPAA overreach is widespread.

“Often times, people are unsure about the law and can’t be bothered to check so it’s easier to say ‘no’ and refer to HIPAA,” said Freyer, a health care reporter for the Boston Globe.

“Frequently, hospitals say they can’t let you talk to a patient, but that’s not true.”

No one disputes that people have a right to privacy when it comes to personal medical matters. But that right should not be taken to absurd lengths, beyond what the law prescribes.




Doug Fridsma: Why amending HIPAA makes sense for research


HIPAA poses an "artificial barrier" to certain types of research that could improve patient care, Douglas Fridsma, M.D., president and chief executive officer of the American Medical Informatics Association (AMIA), says in an interview at Healthcare Info Security.

AMIA has been urging Congress to amend HIPAA to allow use of patients' personal health information without their consent for certain types of "observational" research.

"There are still important safeguards that need to be put in place to maintain the trust that patients place in their providers. The intent was never to open up all research and all data without patients' consent," Fridsma says.

So far, patient PHI can be used without consent only for improving operations within a particular healthcare organization. For example, if a hospital determines that a surgical checklist reduces post-operative infections in its patients, that finding cannot be published as a research paper without the consent of every patient studied, he says.

"[HIPAA] has this paradoxical effect that says the hospital can use that information to improve its operations, but if it finds something that is tremendously valuable and of generalizable interest, they are not allowed to share that finding more broadly. … So in effect HIPAA is a disincentive to share this generalizable knowledge," he explained.

The changes AMIA is advocating would be only for observational research--somebody noticing a pattern, he adds. This type of research does not involve a treatment intervention.

"People will not be put in clinical trials without their knowledge," he says.

Despite various calls to amend HIPAA, Mac McMillan, chairman of the HIMSS Privacy & Security Policy Task Force, told FierceHealthIT he doesn't foresee any change in the next year, largely due to the political climate.

Meanwhile, the American Health Information Management Association has been on a big push to help healthcare organizations improve their information governance.




Survey: With HIPAA audits looming, small practices far from compliant


NueMD in partnership with Porter Research and The Daniel Brown Law Group, today announced the results of its recent survey on HIPAA compliance within small practices and billing companies. The survey of more than 1,100 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act (HIPAA).

"Understanding HIPAA can be difficult for practices and billing companies, especially if they're already scrambling to keep up with changes like ICD-10 and Meaningful Use," said Caleb Clarke, sales and marketing director at NueMD. "With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling."

The survey found:

  • 66% of respondents were unaware of HIPAA audits
  • 35% of respondents said their business has conducted a HIPAA-required risk analysis
  • 34% of owners, managers, and administrators reported that they were "very confident" that their electronic devices that contain PHI were HIPAA compliant
  • 24% of managers, owners, and administrators at medical practices reported that they've evaluated all of their Business Associate Agreements
  • 56% of office staff and (non-owner) care providers at practices said they've received HIPAA training in the last year

"It's troubling to see that so many practices aren't participating in training programs for their staff," said Daniel Brown, managing shareholder at The Daniel Brown Law Group. "If an audit were to occur at that particular practice, one of the biggest red flags is that the staff is unaware of the HIPAA compliance plan and what their role is in it."




Are Medical Practices Prepared for OCR HIPAA Audits? | HealthITSecurity.com

The Office for Civil Rights of the Department of Health and Human Services will be conducting random HIPAA audits.
Although a timeline has not yet been set, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) will be conducting random HIPAA audits of physician practices, healthcare facilities and business associates (BAs).
The audits will assess each facility’s adoption and implementation of HIPAA safeguards which includes privacy and security risk assessments, security breach notifications, notice of privacy practices and training on policies and procedures. However, according to a survey conducted by NueMD, only 32 percent of medical practices and their staff polled were aware that OCR HIPAA audits would be taking place.
In order for a practice to be HIPAA compliant, a few requirements need to be met, the first of which is creating a compliance plan. Out of the medical practices polled, 58 percent indicated that they had a HIPAA compliance plan while 19 percent said that they didn’t know if they had a plan and 23 percent indicated they did not have a plan.
The compliance plan should cover all aspects of HIPAA compliance including information security, sending and storage, identifying security and privacy officer responsibilities, staff training programs, plan of response to security breaches, and keeping track of and securing electronic devices and communications. Annual HIPAA training should be included as part of a practice’s compliance plan.
Auditors may raise a red flag if a practice’s staff isn’t all on the same page. All staff members within a practice should be made aware of how to react to security breaches and should know who the appointed HIPAA security and privacy officers are.
A practice is also required to adopt a formal policy that details how it will handle a HIPAA security breach. An unauthorized disclosure of electronic protected health information (PHI) could happen through loss or theft of a laptop that contains unencrypted PHI or computer hacking. If improperly secured, data breaches can even occur from within the practice. Even though security breaches are becoming more common and have legal and business impacts, only 45 percent of practices polled indicated that they had a formal policy for a security breach in place.
For a practice to be best prepared for its HIPAA audit it should conduct risk analyses periodically. Only 33 percent of polled practices said that they had performed a risk analysis. An analysis identifies ways in which PHI could be leaked or compromised and helps practices strengthen their compliance plans. When respondents were asked how confident they were that someone was actively monitoring their practice’s HIPAA compliance, only 38 percent answered that they were confident.
The implementation of HIPAA safeguards is important in helping healthcare facilities and their staff keep PHI protected and secure. Practices should prep their HIPAA safeguards while awaiting the OCR’s timeline confirmation.




Coalfire Predicts: In 2015 the Cost of Cybersecurity and Risk Management Will Remain on Track to Double | EMR, EHR and Healthcare IT News


Coalfire, the leading independent information technology governance, risk and compliance (IT GRC) firm, today released its top ten cybersecurity predictions for 2015.

“It’s time for companies to start looking ahead at the next generation of threats and to step up their game to better protect consumer data. The threat landscape is continuously evolving. If you don’t already have threat intelligence and response plans ready for implementation in 2015, now is the time. As 2014 ends, it’s clear this was the year everything changed in the world of information security,” said Rick Dakin, Coalfire’s CEO and chief security strategist. “As high-profile data breaches were announced one after another, consumers stopped believing companies took protecting their information seriously.”

Coalfire conducts more than 1,000 audits and assessments of systems containing sensitive data each year. Based on the trends in those investigations, Dakin predicts the following for 2015:

  1. Motivated Threat Actors – The number and sophistication of cyber threats will continue to increase exponentially. Fueled by both geopolitics and economic incentives, international (and often state-sponsored) criminal organizations will escalate their development of offensive cyber capabilities.
  2. Redefining the Defense – The demands of cybersecurity are fundamentally changing IT. Cyber risk management and security compliance will take an equal weight to other design criteria like functionality, capacity and performance. Financial ROIs will be balanced by a new understanding of risk exposure for sub-par solutions.
  3. Three Heads vs. One – In large organizations, there are technical roles that require the knowledge and experience of CIOs, CTOs and CISOs. While some have predicted the death of the CIO role, we see instead a balancing of responsibility between three peers.
  4. Investments Will Increase – In the face of pernicious new threats, the cost of cybersecurity and risk management will remain on track to double over the next three years.
  5. New Fronts – The expansion of mobility, cloud computing, bring your own device (BYOD) policies, and the Internet of Things will provide new (and previously unforeseen) opportunities for cyber-crime, cyber-warfare, and cyber-terrorism.
  6. Universal Monitoring – As a result of cyber-incidents, every organization (or person) will be using some form of continuous monitoring service (threat, scanning, identity or credit). These will be legislated, mandated by financials institutions or insurers, or acquired on their own behalf.
  7. Business Leadership on Policy Development – Executive leadership will lead to further development and maturation of standards across private sector and governmental organizations. This approach to security and cyber risk management will reduce the potential for “unforeseen” damage from cyber-attacks, cyber warfare and cyberterrorism.
  8. New Threat Detection and Response Technologies – There will be an increased use of crowdsourcing, machine intelligence, and cognitive/advanced analytics to detect and stay ahead of threats. Bounties for catching bad actors and advanced algorithmics will help the “good guys” identify and stay ahead of the hordes of malicious players.
  9. Improved Security – New and better applications of authentication, EMV, encryption and tokenized solutions will increase the security of payments and other personal and confidential information. Apple Pay and other next-generation solutions will overcome anti-NFC inertia and lead to increasing adoption of mobile-based security technologies for both retail payment and other applications, such as healthcare, where critical and confidential information is exchanged.
  10. Back to Offense – We will see the beginnings of a shift from cyber-defense to cyber-offense. From attempting to build impenetrable systems, to building systems that make it possible to identify attackers and provide the means to prosecute, frustrate or delay them.




$150K HIPAA Fine for Unpatched Software


Federal regulators are sending a powerful message about the importance of applying software patches by slapping an Alaska mental health services provider with a $150,000 HIPAA sanction.

The Department of Health and Human Services' Office for Civil Rights says Anchorage Community Mental Health Services' failure to apply software patches contributed to a 2012 malware-related breach affecting more than 2,700 individuals.


ACMHS is a five-facility, not-for-profit organization providing behavioral healthcare services to children, adults and families.

The HIPAA settlement in the Alaska case marks the first time OCR has levied a penalty tied to unpatched software, which is not specifically addressed in the HIPAA Security Rule.

Managing Risk

"Most of the previous [OCR] corrective action plans that I reviewed focused on policies, procedures and other forms of documentation," says security adviser Tom Walsh, president of Tom Walsh Consulting. "Many times, people are surprised to discover that there is nothing specifically written in the HIPAA Security Rule regarding vulnerability or patch management, firewalls, and monitoring of inbound and outbound traffic. However, it is difficult to manage risk appropriately without these prevailing security practices."

A meaningful risk analysis must include "looking beyond the minimum requirements in the HIPAA Security Rule and exercising proper due diligence to properly evaluate any risk factors that could affect patient information," Walsh stresses.

Independent HIPAA and healthcare attorney Susan A. Miller notes: "This is a wake-up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].

"The lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately," Miller adds. "That includes operating systems, electronic health records, practice management - and any electronic tool containing PHI."

Malware Incident

OCR says it opened an investigation after receiving notification in June 2012 from ACMHS regarding a March 2012 incident involving malware compromising the security of the mental health provider's information technology resources.

OCR's investigation revealed that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these were not followed. The security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating software with available patches and running outdated, unsupported software, OCR says.

"ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches," says the OCR resolution agreement with ACMHS.

In addition, OCR says that contributing to the incident was ACMHS' failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," says OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
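As an added example (not code from the article, OCR or ACMHS), a small inventory review of the kind an annual risk assessment should document: it flags software that is past vendor support and vendor patches left unapplied beyond a policy window, the two gaps the resolution agreement cites. The asset names, products, versions, dates and the 30-day patch window are constructed assumptions.

```python
"""Patch and support-status review for an ePHI risk assessment.

Added example; not code from the article, OCR or ACMHS. Given a software
inventory, it produces the findings a risk analysis is expected to document:
software past its vendor support end date, and vendor patches outstanding
beyond the organisation's patch window. All asset names, products, versions
and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Hypothetical policy value: days an available patch may remain unapplied.
PATCH_WINDOW_DAYS = 30


@dataclass(frozen=True)
class InventoryItem:
    system: str                    # asset identifier (constructed)
    product: str
    installed_version: str
    latest_version: str            # newest vendor release known to the team
    latest_released: date          # date that release became available
    support_ends: Optional[date]   # vendor end-of-support date; None = unknown
    stores_ephi: bool              # asset stores or transmits ePHI


@dataclass(frozen=True)
class Finding:
    system: str
    product: str
    issue: str
    risk: str                      # "high" or "medium"
    remediation: str


def _risk(item: InventoryItem, base: str) -> str:
    # Any asset that touches ePHI is rated "high"; other assets keep the base rating.
    return "high" if item.stores_ephi else base


def review_inventory(inventory: List[InventoryItem], as_of: date,
                     patch_window_days: int = PATCH_WINDOW_DAYS) -> List[Finding]:
    """Return findings in inventory order: support-status issue first, then patch lag."""
    findings: List[Finding] = []
    for item in inventory:
        # 1. Support status: unsupported software receives no vendor security fixes,
        #    and an unknown lifecycle cannot be managed at all.
        if item.support_ends is None:
            findings.append(Finding(
                item.system, item.product,
                "support status unknown: end-of-support date not recorded",
                _risk(item, "medium"),
                "confirm the vendor support lifecycle and record the date"))
        elif item.support_ends <= as_of:
            findings.append(Finding(
                item.system, item.product,
                f"unsupported: vendor support ended {item.support_ends.isoformat()}",
                _risk(item, "medium"),
                "upgrade or replace; isolate from ePHI systems until done"))
        # 2. Patch lag: a newer vendor release exists and the patch window has elapsed.
        if item.installed_version != item.latest_version:
            days_available = (as_of - item.latest_released).days
            overdue = days_available - patch_window_days
            if overdue > 0:
                findings.append(Finding(
                    item.system, item.product,
                    f"patch overdue: {item.latest_version} available for "
                    f"{days_available} days, {overdue} past the {patch_window_days}-day window",
                    _risk(item, "medium"),
                    f"apply {item.latest_version} and document the change"))
    return findings


# Constructed sample inventory; hosts, versions and dates are illustrative only.
SAMPLE_INVENTORY = [
    InventoryItem("srv-ehr-01", "Server OS", "10.2", "10.3",
                  date(2012, 1, 10), date(2015, 7, 14), stores_ephi=True),
    InventoryItem("ws-frontdesk-03", "Desktop OS", "5.1", "5.1",
                  date(2008, 4, 21), date(2009, 4, 14), stores_ephi=True),
    InventoryItem("srv-pm-02", "Practice management app", "3.4", "3.5",
                  date(2012, 3, 1), date(2016, 1, 1), stores_ephi=True),
    InventoryItem("srv-files-01", "Backup agent", "2.0", "2.0",
                  date(2011, 6, 1), None, stores_ephi=False),
]


def review_sample(year: int, month: int, day: int) -> List[Finding]:
    """Run the review over the constructed inventory as of the given date."""
    return review_inventory(SAMPLE_INVENTORY, date(year, month, day))


if __name__ == "__main__":
    # Assessment date chosen to fall in the period the article describes.
    for f in review_sample(2012, 3, 15):
        print(f"[{f.risk.upper():6}] {f.system} / {f.product}: {f.issue}\n"
              f"         remediation: {f.remediation}")
```

Each Finding row is the documented artifact the corrective action plan asks for: the issue, its risk rating and the measure taken to address it.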

Corrective Actions

The corrective action plan with ACMHS calls for the mental health services provider to revise and distribute to all members of its workforce the organization's HIPAA Security Rule policies and procedures.

The plan also requires that ACMHS obtain a signed initial compliance certification from all members of its workforce, stating that they have read and agree to abide by the security rule policies and procedures. In addition, the plan requires ACMHS' workforce to attend HIPAA security training.

Also, the plan requires the organization to annually conduct a thorough risk assessment and document the security measures it implements to address the issues identified.

Other Settlements

The settlement with the Alaska provider is the third HIPAA resolution agreement issued by OCR in 2014. OCR announced a record $4.8 million settlement in May with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients. In that settlement, OCR cited, among other factors, the lack of a risk analysis and failure to implement appropriate security policies.

The other 2014 OCR resolution agreement was an $800,000 settlement with Parkview Health System, a not-for-profit organization serving northeast Indiana and northwest Ohio. The provider agreed to the settlement involving "potential violations" of the HIPAA Privacy Rule as a result of an incident in June 2009 involving the dumping of paper medical records of 5,000 to 8,000 patients.




Provider Beware: HIPAA and State Privacy Laws May Inform Negligence Suits | The National Law Review


A recent opinion from the Connecticut Supreme Court illustrates that HIPAA is not the only law that covered entities and business associates must worry about if an unauthorized disclosure of protected health information (PHI) happens on their watch.

In Emily Byrne v. Avery Center For Obstetrics and Gynecology PC (Docket No. CV-07-6001633-S), the plaintiff filed a four-count complaint against the defendant OB-GYN provider, alleging common law allegations of breach of contract, negligence, negligent misrepresentation, and negligent infliction of emotional distress, after the defendant released the plaintiff’s medical records in responding to a subpoena in a paternity suit. The plaintiff had instructed the defendant not to release medical records to the putative father before the defendant received the subpoena, but the opinion does not elaborate on whether the plaintiff knew that a lawsuit was imminent.

The trial court initially dismissed the negligence and negligent infliction of emotional distress claims ruling that: (1) there is no private right of action under HIPAA; and (2) common law negligence claims that amount to HIPAA violations should be preempted by HIPAA.  The Supreme Court rejected the lower court’s second conclusion and remanded the case for further proceedings.

After doing an in-depth analysis of the regulatory history of HIPAA’s preemption provisions against the prevailing case law, the Supreme Court concluded that “neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.”

As my colleague Dianne Bourque commented to Law360, “[t]he case is an important reminder that HIPAA does not exist in a vacuum, and that a HIPAA violation may result in a variety of state law claims.”

The Supreme Court further concluded that “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA[,] its implementing regulations [and state privacy laws like Conn. Gen. Stat. § 52-146o] may be utilized to inform the standard of care applicable to such claims.”

It is clear from this case that plaintiffs are becoming more sophisticated in using HIPAA and other state privacy laws as a tool to inform private rights of action under consumer protection statutes, class actions, and common law.  This highlights the importance for holders of PHI or other confidential information to stay abreast of legal developments related to privacy and security to ensure that their policies and procedures do not become obsolete and expose them to risks beyond HIPAA penalties and sanctions.  We will continue to provide updates on such legal developments on our blog.




Rx for data breaches – planning | Lexology


Data breach reports have become a staple of the daily news. Companies of all sizes and across all industries are reporting breaches—whether caused by sophisticated third-party hackers or simple human error, such as a laptop stolen from an employee’s vehicle. The Privacy Rights Clearinghouse publishes a chronology of reported data breaches. The list includes over 4,440 reported data breaches since 2005, which averages out to more than one reported breach per day. The reality is that data breaches will continue to happen; so one day soon your company, like the others on this list, may need to report a breach to its customers and regulatory agencies. If your company does not yet have a formal written data breach incident response management plan in place, or your current plan has not been reviewed and updated in a while, it may be time to focus on your company’s data breach preparedness. As Benjamin Franklin noted, “if you fail to plan, you are planning to fail.”

Data Breach Preparedness Metrics

A recent study completed by the Ponemon Institute, LLC, “Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness,” notes that more companies are reporting data breach incidents. In 2013, 33 percent of respondents said their company had experienced a data breach involving the loss or theft of more than 1,000 records in the past two years. In 2014, that percentage increased to 43 percent. Sixty percent of the companies that had experienced data breaches also reported their company had experienced more than one data breach in the past two years.

The Ponemon study indicated that more companies are putting data breach response plans and teams in place. In 2014, 73 percent of the companies surveyed had such plans in place, up from 61 percent in the prior year. Seventy-two percent of companies have also assigned teams to lead data breach response efforts, up from 67 percent last year. Despite this planning, only 30 percent of respondents said their companies are “effective” or “very effective” in developing and executing a data breach plan. Only 22 percent of respondents with data breach plans in place said their organizations review and update these plans at least yearly. The same study reveals that responding to a data breach costs an average of 10 times more if the company does not already have a data breach response plan in place before the data breach occurs. After all, when a significant data breach hits, the company must scramble to comply with the varying short-fuse customer notification and regulatory reporting requirements of each state (as well as federal requirements in some instances), all while trying to correct the data vulnerability and manage a serious public relations firestorm and the almost certain onset of data breach class action litigation. This is not the time to be trying to put together a response team from scratch or trying to learn what the reporting and notification requirements are in the first place.

Preparing a Data Breach Plan

Although every company’s data breach response plan will be unique, there are certain issues all companies should consider in developing or updating a breach response plan. Below is a top 10 list of matters to consider:

Number 1 – Plan and Paper

Your company should have a written data breach incident response management plan and cross-functional team in place prior to any data breach. The plan should identify the members of the team, including both in-house and outside personnel. This team should be “on call” and immediately activated post-breach.

Forty-nine percent of the respondents in the Ponemon study indicated that their companies provided no training on how to respond to questions about a data breach incident. Your company’s breach response plan should include templates of letters informing customers of the breach, customer service and call center scripts, and press releases. This prior planning will help minimize your company’s post-breach response time to ensure compliance with applicable statutory or regulatory notification requirements.

Number 2 – Know the Lay of the Land

Your company should understand the federal and state privacy laws that apply to your business and your customer footprint, as well as the representations made in your current customer privacy notices, including any separate privacy disclosures provided to website visitors. Your company should also conduct periodic risk assessments and adapt your privacy compliance program and breach response plans to reflect these changing risks.

Data breaches can result in class action lawsuits filed by impacted customers, regulatory investigations, and negative local or national media press coverage. Your response plan should address these post-breach risks.

Number 3 – Reengineer Internal Engineering

You cannot respond to a data breach if you do not know about the data breach. Your company may want to establish an internal data breach hotline or some other reporting mechanism to ensure that, as soon as a potential breach is discovered, this news can be quickly reported to your Chief Privacy Officer, Chief Information Security Officer, or other responsible privacy person.

Number 4 – Enhance External Engineering

Breaches also happen at third-party vendors and business partners, so you may need to enhance your vendor/partner management governance. The Ponemon study noted that the use of standard or model data security and breach contract terms with third parties, vendors, or business partners has increased. In 2013, 65 percent of respondents said their company had such terms in place and that number increased to 70 percent in the current survey results.

If you have not already done so, you should revise your contracts with third-party vendors and business partners to ensure they are required to have a data security program in place and to immediately notify you of a breach. The contracts should also permit you to periodically audit your third-party vendors and business partners for compliance with these terms—and you should audit your vendors and partners to ensure compliance.

Number 5 – Adopt Holistic Privacy Compliance Approach

Privacy issues permeate your entire business, so you should incorporate privacy compliance into all business functions, business lines, and functional departments.

Number 6 - Tone at the Top

Senior management should affirmatively make privacy compliance and data breach preparedness a clear business priority and play an active role in assisting the company in preparing for and responding to data breach incidents. The Ponemon study noted that only 36 percent of the companies surveyed indicated that their leadership team had requested to be notified as soon as possible of a material data breach.

The person within the company responsible for privacy compliance must have buy-in and authority from senior management. If your company does not currently have a Chief Privacy Officer, Chief Information Security Officer, or other responsible privacy person, consider adding someone in this role, even if that person wears other hats, and ensure that person has access to and reporting requirements to the senior leadership team.

Number 7 – Increase Education and Training

Your company should continually educate all employees, including senior management, on the importance of safeguarding sensitive data and the risks of data breaches. One of the most recent breaches reported in the Privacy Rights Clearinghouse list resulted from the theft of a laptop from an employee’s vehicle. Intentional or inadvertent data breaches by employees will always remain a risk, but proactive training can reduce this risk.

Number 8 – Conduct Periodic Reviews and Simulations

Your company should establish a periodic review schedule of your data breach incident response management plan to ensure the plan reflects the current security risks facing the company as identified in your periodic risk assessments. You may want to consider staging breach response simulations. Seventy-seven percent of respondents in the Ponemon study indicated that such “fire drills” were a key step companies should take to improve breach responses.

Number 9 – Engage External Help

Your company should establish relationships with credit-monitoring services, law firms, breach investigation consultants, public relations firms, and others prior to a data breach. This prior planning will help minimize response times after breach incidents, and facilitate rapidly implementable voluntary remediation options such as free credit monitoring or identity theft protection to affected customers. Such measures, if promptly made available, can significantly moot or mitigate exposure on the litigation front.

Number 10 – Consider Financial Impact of Breaches

Your company should budget every year for the cost of responding to data breach incidents—and for the cost of preparing for data breaches. You cannot postpone notifying your customers or regulators, where required, of a data breach while your breach incident budget request winds its way through your formal off-budget funding approval channels.

You may also want to consider obtaining a cyber insurance policy. The Ponemon study noted that only 10 percent of respondents in 2013 indicated their company had purchased a policy. In 2014, this percentage more than doubled to 26 percent.

Bottom Line

Advance planning can help reduce the high cost of data breaches and the time it takes your company to respond to its customers and regulators after a breach incident. The current per record cost of a data breach averages $201. As reported in the Ponemon study, companies incurred an average cost of $3.5 million in responding to a single data breach incident. In a security filing in August 2014, Target reported that the costs associated with its data breach had reached $148 million as of the second quarter of 2014. Your company may not experience a Target-sized breach, but the costs of responding to one or more smaller-scale data breaches can still impact your company’s bottom line.

The Ponemon study identified certain factors that influence the cost of responding to a data breach incident. The study noted that, among other factors, a company that has a formal incident management response plan in place prior to the incident can reduce the average cost of a data breach by as much as $17 per record. Since advance planning pays off in the end, it may be wise to invest some time and money in comprehensive breach response planning today. You may not only save money, but a prompt and proactive data breach response strategy will go a long way in maintaining the trust of your customers after a breach.




Provider beware: HIPAA and state privacy laws may inform negligence suits | Lexology


A recent opinion from the Connecticut Supreme Court illustrates that HIPAA is not the only law that covered entities and business associates must worry about if an unauthorized disclosure of protected health information (PHI) happens on their watch.

In Emily Byrne v. Avery Center For Obstetrics and Gynecology PC (Docket No. CV-07-6001633-S), the plaintiff filed a four-count complaint against the defendant OB-GYN provider, alleging common law allegations of breach of contract, negligence, negligent misrepresentation, and negligent infliction of emotional distress, after the defendant released plaintiff’s medical records in responding to a subpoena in a paternity suit.  The plaintiff had instructed the defendant not to release medical records to the putative father before the defendant received the subpoena, but the opinion does not elaborate on whether the plaintiff knew that a lawsuit was imminent.

The trial court initially dismissed the negligence and negligent infliction of emotional distress claims ruling that: (1) there is no private right of action under HIPAA; and (2) common law negligence claims that amount to HIPAA violations should be preempted by HIPAA.  The Supreme Court rejected the lower court’s second conclusion and remanded the case for further proceedings.

After doing an in-depth analysis of the regulatory history of HIPAA’s preemption provisions against the prevailing case law, the Supreme Court concluded that “neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.”

As my colleague Dianne Bourque commented to Law360, “[t]he case is an important reminder that HIPAA does not exist in a vacuum, and that a HIPAA violation may result in a variety of state law claims.”

The Supreme Court further concluded that “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA[,] its implementing regulations [and state privacy laws like Conn. Gen. Stat. § 52-146o] may be utilized to inform the standard of care applicable to such claims.”

It is clear from this case that plaintiffs are becoming more sophisticated in using HIPAA and other state privacy laws as a tool to inform private rights of action under consumer protection statutes, class actions, and common law.  This highlights the importance for holders of PHI or other confidential information to stay abreast of legal developments related to privacy and security to ensure that their policies and procedures do not become obsolete and expose them to risks beyond HIPAA penalties and sanctions.  We will continue to provide updates on such legal developments on our blog.




HHS slaps provider with $150K bill for HIPAA breach | Healthcare IT News

A five-facility mental health organization in Alaska has agreed to pay up and shape up its HIPAA compliance program after a Department of Health and Human Services investigation found the group failed to appropriately safeguard patient data.

Anchorage Community Mental Health Services will pay $150,000 to HHS to settle potential HIPAA violations after the organization failed to patch its systems and continued to run outdated, unsupported software that eventually led to a malware data breach affecting 2,743 individuals. ACMHS reported the breach to HHS back in March 2012.

Following the investigation by the Office for Civil Rights, the HHS division responsible for HIPAA enforcement, officials discovered ACMHS had adopted HIPAA security policies and procedures, but they were not followed by the organization's employees for a seven-year period, from 2005 to 2012.

The data breach of electronic protected health information resulted after ACMHS failed to "identify and address basic risks," OCR officials wrote in a settlement bulletin. Specifically, the organization neglected to update IT resources with system patches and updated software.

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels, in the December bulletin. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."

In addition to the $150,000 settlement, Anchorage Community Mental Health Services will also be required to implement a corrective action plan and subsequently report to OCR on its compliance program.

To date, nearly 41.5 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to the most recent HHS data.

In its most recent settlement before ACMHS, HHS in June slapped the six-hospital Parkview Health System in Fort Wayne, Indiana, with an $800,000 settlement after Parkview dumped 71 boxes of patient records in the driveway of a retiring physician's home while she was away. According to the complaint, the medical records were "unattended and accessible to unauthorized persons" on the physician's driveway, located in a "heavily trafficked" area.

Earlier this year, OCR also set a record after announcing its largest monetary settlement ever with New York-Presbyterian Hospital and Columbia University Medical Center, who together agreed to hand over a whopping $4.8 million to settle alleged HIPAA violations after the electronic protected health information of 6,800 patients wound up on Google back in 2010.

To date, OCR has levied some $26 million in monetary settlements against 24 HIPAA-covered entities found to have violated privacy, security and breach notification rules.




How employee snooping results in HIPAA trouble


One of today’s biggest data challenges involves preventing the improper access of protected patient information. When your own employees sneak a peek at patient records without authorization—either out of curiosity or malicious intent—your organization can pay the price.

Mary Chaput, CFO and compliance officer at consultancy Clearwater Compliance LLC in Nashville, Tenn., says the number of cases of employee snooping is probably much larger than the cases reported to federal officials.

“Besides celebrity cases, we call the bulk of them the ‘ex factor,’ for ex-spouse, ex-friend or ex-colleague,” she says. “The organization may apply sanctions, and there may be some remuneration. But the reputational damage could be huge.”
 

Indiana case a game changer

Until recently, violations of HIPAA (Health Insurance Portability and Accountability Act) were investigated and sanctioned solely by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state regulators. But a recent Indiana case has added a new twist: A court of appeals upheld a $1.4 million verdict for a Walgreens pharmacy customer whose prescription information was provided to a third party by a snooping pharmacist.

However, the law does not allow individuals to claim HIPAA violations directly in a privacy lawsuit. Only the government can cite HIPAA violations. Neal Eggeson, the lawyer who successfully argued the case in Indiana, used HIPAA to establish the standard of care. So Walgreens was not sued for violating HIPAA but for negligence. Similarly, the pharmacist was not sued for violating HIPAA but for professional malpractice.

The healthcare industry could see more individuals filing negligence or malpractice lawsuits based on snooping cases in the future, especially if the organization has done little to train employees or investigate allegations.
 

What to do

As of 2012, a practice can be fined $1.5 million per HIPAA violation in cases of willful neglect, in addition to individual lawsuits. So what can behavioral healthcare providers do to limit the risk?
 

1/ Training

“Employee training on this topic needs to be provided initially and then annually at a minimum,” says Angela Dinh Rose, director of HIM practice excellence for the American Health Information Management Association (AHIMA). “Constantly audit your system and check for whether improper access is occurring.”

She says organizations should pay attention to patient complaints. Auditing can help identify possible trends in inappropriate access.
 

2/ Communicate the no-peeking policy to every employee

Every provider organization must communicate its policy to employees and apply appropriate sanctions consistently, Chaput says.

“The reason I say consistently is that some organizations tend to treat executives and top medical staff a little differently,” she says. “Employees have to know what the consequences will be. With snooping, we recommend if they are caught once, they lose their jobs. People have to know why it happened. Sanctions must be rigorous and consistently applied.”
 

3/ Limit access to data

In addition, make sure that employees have only the minimum access necessary to do their jobs, Chaput says. For instance, a receptionist does not need information about medical conditions, so block that employee’s access to it.
 

4/ Monitor VIP patient records

AHIMA’s Dinh Rose says VIP patient records could be specially flagged and their access monitored all day long.

“A popup box could tell employees they are entering a confidential record and all accesses are being audited,” she says. “That gives them one more chance to get out of the file.”
 

5/ Discourage log-in piggybacking

According to Chaput, it is also important to monitor for any inappropriate sharing of user IDs and passwords. For example, some clinicians don’t like logging in and out of an EHR system repeatedly and push the IT staff to make the automatic logoff as long as 30 minutes. But that could leave data available for snooping, she says.
 

6/ Focus on people issues

Much of the media attention about data breaches focuses on hackers breaking into networks, but Chaput points out that 93 percent of breach incidents published on the HHS “Wall of Shame” involve people making mistakes such as leaving an unencrypted laptop in a car or employees snooping.

“Always focus on the people issues,” she says. “Make sure there is a documented policy.”

If there is an incident, tighten up the policy and reinforce it. Completing your due diligence upfront and responding quickly to any incident should help in any type of lawsuit situation.
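The auditing, minimum-necessary access, VIP-record flagging and shared-login points above (items 1, 3, 4 and 5) can all be checked mechanically against an EHR access log. The script below is an added example written for this page, not code from the article, from Clearwater Compliance or from AHIMA; the log line format, the role permission table, the VIP care-team list, the five-minute shared-credential window and every log line are constructed assumptions, not records from any real system.

```python
"""Review an EHR access log for snooping indicators (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp user role workstation patient record-section
AUDIT_LOG = """\
2014-12-08T09:01:00 jdoe clinician WS-12 P1001 diagnoses
2014-12-08T09:02:30 rsmith receptionist WS-03 P1002 demographics
2014-12-08T09:04:10 rsmith receptionist WS-03 P1002 diagnoses
2014-12-08T09:10:00 tlee clinician WS-07 P9001 medications
2014-12-08T09:12:00 jdoe clinician WS-12 P9001 diagnoses
2014-12-08T09:15:00 jdoe clinician WS-20 P1003 medications
"""

# Minimum-necessary policy (constructed): which record sections each role may open.
# A receptionist needs demographics to check a patient in, not clinical content.
ROLE_PERMISSIONS = {
    "clinician": {"demographics", "diagnoses", "medications"},
    "receptionist": {"demographics"},
}

# Flagged (VIP) patients and the users with a documented treatment relationship (constructed).
VIP_CARE_TEAM = {"P9001": {"tlee"}}

# One user ID active on two different workstations within this window is treated as a
# possible shared login (assumed threshold, tune to the environment).
SHARED_CREDENTIAL_WINDOW = timedelta(minutes=5)


def parse_audit_log(text):
    """Turn the whitespace-separated sample log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, workstation, patient, section = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "workstation": workstation, "patient": patient, "section": section,
        })
    return events


def find_snooping_indicators(events):
    """Return (indicator, user, detail_a, detail_b) tuples for review by the privacy officer."""
    findings = []
    last_seen = {}  # user -> (timestamp, workstation) of that user's previous event
    for e in sorted(events, key=lambda x: x["ts"]):
        # Item 3: role opened a section the minimum-necessary policy does not grant it.
        if e["section"] not in ROLE_PERMISSIONS.get(e["role"], set()):
            findings.append(("role_violation", e["user"], e["patient"], e["section"]))
        # Item 4: flagged VIP record opened by someone outside the documented care team.
        if e["patient"] in VIP_CARE_TEAM and e["user"] not in VIP_CARE_TEAM[e["patient"]]:
            findings.append(("vip_access", e["user"], e["patient"], e["section"]))
        # Item 5: same user ID on two workstations within the window -> possible shared login.
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["workstation"] and e["ts"] - prev[0] <= SHARED_CREDENTIAL_WINDOW:
            findings.append(("shared_credential", e["user"], prev[1], e["workstation"]))
        last_seen[e["user"]] = (e["ts"], e["workstation"])
    return findings


if __name__ == "__main__":
    for finding in find_snooping_indicators(parse_audit_log(AUDIT_LOG)):
        print(*finding)
```

Each finding is a lead for the privacy officer to investigate against the patient complaint log and the care schedule, not a verdict; the point of the exercise is that these checks can run on every day's log rather than only after a complaint arrives.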
 

Great examples of costly violations:

In the largest snooping fine to date, the UCLA Health System agreed to pay $865,000 in 2011 to settle potential HIPAA violations involving employees improperly accessing celebrities’ electronic medical records.

In 2009 California regulators used a newly passed law to fine Kaiser Permanente's Bellflower hospital $250,000 for failing to keep employees from snooping in the medical records of Nadya Suleman, the mother who gave birth to octuplets.




State law may provide a remedy for breach of HIPAA’s privacy rules | Lexology


When a woman received extortion threats and other forms of harassment from an ex-lover, she sued her medical provider for unauthorized disclosure of her medical records. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433 (2014). She further alleged that the threats and harassment directly resulted from a breach of the defendant’s duty of confidentiality under the Health Insurance Portability and Accountability Act (“HIPAA”). During her course of treatment, the defendant provided her with a copy of its notice of privacy practices that expressly stated it would not disclose medical records without obtaining authorization from the patient. Additionally, the plaintiff specifically instructed the defendant not to disclose her medical records to her ex-lover. But, when her ex-lover filed a paternity suit against her and served the defendant with a subpoena requesting a copy of her medical records, the defendant failed to notify her of the subpoena, to file a motion to quash the subpoena, or to appear in court. Instead, the defendant mailed a copy of her medical records to him.

As a result, the plaintiff filed four claims against the defendant. First, the plaintiff alleged that the defendant breached its contract when it disclosed her protected health information (“PHI”) in violation of its notice of privacy practices. Second, she claimed that the defendant was negligent when it failed to care for her PHI and disclosed her PHI without her authorization. Her third and fourth claims were for negligent misrepresentation and negligent infliction of emotional distress.

Since HIPAA does not create a private right of action for breach of its privacy provisions, the trial court interpreted common law claims for negligence and negligent infliction of emotional distress that relate to a breach of HIPAA’s privacy rules as inconsistent with HIPAA. Thus, in reliance on HIPAA’s preemption provision, the trial court granted the defendant’s motion for summary judgment on the claims for negligence and negligent infliction of emotional distress. Notably, the claims for breach of contract and negligent misrepresentation were not dismissed by the trial court, thus these claims were not reviewed on appeal.

On November 11, 2014, the Supreme Court of Connecticut held that HIPAA does not preempt a private cause of action arising from the unauthorized disclosure of PHI based on state common law, thereby reversing the trial court’s dismissal of the plaintiff’s claims for negligence and negligent infliction of emotional distress. Specifically, the Court found that if state law provides a plaintiff with a remedy for a medical provider’s breach of its duty of confidentiality, HIPAA does not preempt the plaintiff’s state law remedies for negligence or negligent infliction of emotional distress. Rather, a state law will be preempted by HIPAA only if it is impossible for a medical provider to comply with both the federal and state laws. Furthermore, a state law is not preempted by HIPAA if it relates to the privacy of PHI and provides an individual with greater privacy protection than HIPAA.

The Court did not analyze whether Connecticut law provides a remedy for a medical provider’s breach of its duty of confidentiality, it only determined that HIPAA would not preempt an available remedy under state law. Thus, the Court did not decide whether the plaintiff was successful in her claims for negligence and negligent infliction of emotional distress. The Court did, however, find that HIPAA may be used to determine the applicable standard of care for such state law claims.




Countering HITECH Privacy Risks from Internet of Things Products


Ready or not, the Internet of Things is poised to change the world – and the way we deliver and receive medical care. Sensors and transmitters are now cheap and small enough to be placed into virtually any product, making it possible for products as diverse as electronic toothbrushes, Fitbits and Apple Watches to connect to the Internet and allow users to control and monitor activities and gather data.

The Internet of Things has profound implications for the healthcare sector. Doctors can use connected devices for tasks like monitoring patient vital signs, analyzing data on exercise activity and much more. But along with the new possibilities comes an increased risk of data breaches and non-compliance with HITECH privacy rules and HIPAA patient protections. The challenges aren’t necessarily inherent to the devices themselves; they arise from an increase in vulnerability to the network as a whole.

Internet of Things devices that connect with healthcare provider networks introduce a new point of entry to the network, which means devices and connections can be compromised and used to access sensitive data. For healthcare providers, this makes the following questions important: Who is securing the device? Who is controlling communication protocols? It’s similar to the challenges businesses of all types are confronting in the “bring-your-own-device” era, in which workers use personal smartphones and tablets to handle business activities.

The important thing to remember is that a network is only as secure as its weakest link. This was true before Internet of Things devices became a growing trend: The business operations side of healthcare organizations has to contend with employee device security challenges and vulnerabilities associated with partner organizations just like any other business. The difference is that with Internet of Things devices coming online and being used by patients and healthcare providers, there are more opportunities for the security chain to break.

What are the potential weak links? The device itself could be compromised. The device user’s tablet or smartphone could be hacked. The home network that transmits the data to the healthcare provider could be breached. The point is, the nature of the threat hasn’t really changed – the number of entry points has expanded. And that means healthcare providers should be proactive about addressing the issue.

So how can healthcare providers mitigate the risk? One good place to start would be to educate patients who will be using remote devices on security basics. Commonsense tips would include not downloading apps or files from unknown sources and being careful about whom they trust with their data: A password management system, for example, should only be used if it comes from a trustworthy, well-established source.

For healthcare providers, precautions include making sure cloud-based data handlers are compliant with HITECH privacy regulations and that the staff fully understands their obligations, including the most recent HIPAA Omnibus privacy protections. Providers should conduct a thorough analysis of their security environment – including connection points – and have a system in place to perform ongoing assessments as the network evolves.

The Internet of Things has the potential to transform the healthcare industry, giving doctors and patients new tools to monitor health status and wellness activities. But there are significant risks involved. It’s important to remember that everything is based on trust, to some extent. Generally, there’s not much financial incentive for hackers to target individual patients’ data, but metadata from a population can be incredibly valuable, so healthcare providers should use caution and partner with an InfoSec specialist who understands their unique needs.


Data breach trends for 2015: Credit cards, healthcare records will be vulnerable


The data breaches of 2014 have yet to fade into memory, and we already have 2015 looming. Experian's 2015 Data Breach Industry Forecast gives us much to anticipate, and I've asked security experts to weigh in with their thoughts for the coming year as well.

Experian highlights a number of key factors that will drive or contribute to data breaches in 2015. A few of them aren't surprising: Organizations are focusing too much on external attacks when insiders are a significantly bigger threat, and attackers are likely to go after cloud-based services and data. A few new factors, however, merit your attention. 

First, there is a looming deadline of October 2015 for retailers to upgrade to point-of-sale systems capable of processing chip-and-PIN credit cards. As banks and credit card issuers adopt more secure chip-and-PIN cards, and more consumers have them in hand, it will be significantly more difficult to clone cards or perpetrate credit card fraud. That’s why Experian expects cybercriminals to increase the volume of attacks early in 2015, to compromise as much as possible while they still can.

The third thing that stands out in the Experian report is an increased focus on healthcare breaches. Electronic medical records, and the explosion of health or fitness-related wearable devices make sensitive personal health information more vulnerable than ever to being compromised or exposed.

The risk of health related data being breached is also a concern voiced by Ken Westin, security analyst with Tripwire. He pointed out that part of the reason that retail breaches have escalated is because cybercriminals have developed the technologies and market for monetizing that data. “The bad news is that other industries can easily become targets once a market develops for the type of data they have. I am particularly concerned about health insurance fraud—it’s driving increasing demand for health care records and most healthcare organizations are not prepared for the level of sophistication and persistence we have seen from attackers in the retail segment.”

“There will absolutely be more breaches in 2015—possibly even more than we saw in 2014 due to the booming underground market for hackers and cybercriminals around both credit card data and identity theft,” warned Kevin Routhier, founder and CEO of Coretelligent. “This growing market, coupled with readily available and productized rootkits, malware and other tools will continue to drive more data breaches in the coming years as this is a lucrative practice for enterprising criminals.”

The rise in data breach headlines, however, may not necessarily suggest an increase in actual data breaches. It’s possible that organizations are just getting better at discovering that they’ve been breached, so it gets more attention than it would have in previous years.

Tim Erlin, director of IT risk and security strategy for Tripwire, echoed that sentiment. “The plethora of announced breaches in the news this year is, by definition, a trailing indicator of actual breach activity. You can only discover breaches that have happened, and there’s no indication that we’re at the end of the road with existing breach activity. Because we expect organizations to improve their ability to detect the breaches, we’ll see the pattern of announcements continue through 2015.”

The combination of a rise in actual data breach attacks, and an increase in the ability to discover them will make 2015 a busy year for data breaches. Whether we’re defending against new attacks, or just detecting existing breaches that have already compromised organizations, there will be no shortage of data breach headlines in 2015.





Employer liability for HIPAA violations: a new day dawning? | Lexology


The Indiana Court of Appeals recently issued an opinion in the case of Walgreen Co. vs Hinchy that could permanently alter the landscape for employer liability for HIPAA violations committed by employees.  Health care providers should be aware of this case and take actions to limit their exposure to this type of liability.

Background

In 2010, a Walgreen Co. (“Walgreens”) pharmacist utilized her information access rights to review the prescription records for her current boyfriend’s ex-girlfriend.  The purpose for accessing the records was to obtain information about the ex-girlfriend’s use of prescriptions for birth control and a sexually transmitted disease.  Evidence indicated that the pharmacist also shared the information she found with her boyfriend, who shared it with at least three other individuals.  When the ex-girlfriend became aware of the potential that her information had been improperly accessed, she contacted a local Walgreens pharmacy but was informed by a person at that store that they could not track whether her records had been accessed.

When the ex-girlfriend eventually learned of her ex-boyfriend’s relationship with a Walgreens pharmacist, she again contacted Walgreens, who, after investigation, confirmed that the pharmacist had viewed the information for personal purposes in violation of HIPAA.  Walgreens disciplined the pharmacist with a written warning and by requiring her to take additional online HIPAA training.  The ex-girlfriend subsequently filed suit against both the pharmacist and Walgreens in Marion County, Indiana, alleging claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, invasion of privacy/intrusion, negligent training, negligent supervision, negligent retention and negligence/professional malpractice.  In July 2013, a jury found in favor of the ex-girlfriend and held Walgreens and the pharmacist liable for $1.4 million in damages.  Walgreens appealed that verdict to the Indiana Court of Appeals.

The Appellate Court Decision 

The Indiana Court of Appeals affirmed the trial court’s verdict, holding that the trial court did not commit reversible error in its various rulings and that the damages award was not excessive.  The underlying theory of liability for the jury verdict was not clear to the appellate court, but the court noted that sufficient evidence was presented to the jury to justify a verdict based on negligence by virtue of professional malpractice of a pharmacist.  Essentially, the court recognized that pharmacists owe their customers a duty of confidentiality and that a breach of that duty can cause damages to the customer.  Whether the pharmacist’s breach of that duty can also be attributed to Walgreens became the focus of the appellate court’s opinion.

Walgreens alleged on appeal that the trial court should not have sent the case to the jury for claims based on respondeat superior because the employee was acting outside the scope of her employment when she inappropriately accessed the records.  Respondeat superior is the doctrine regarding when an employer will be held liable for the acts of its employees.  Walgreens had argued that the trial court should have determined as a matter of law that Walgreens was not liable for the actions of the pharmacist because those actions were prohibited by Walgreens policy and inconsistent with the HIPAA training Walgreens provided the pharmacist and thus outside the scope of her employment.

The appellate court determined that whether the pharmacist’s conduct was within the scope of her employment was a proper question for the jury since her actions “were of the same general nature as those authorized, or incidental to the actions that were authorized by Walgreen.”  According to the court, since the pharmacist had legitimate access to patient prescription histories on the Walgreens computer system, her misuse of that access for personal reasons remained within the scope of her employment.  The appellate court thus affirmed the jury verdict based upon Walgreens’ respondeat superior liability for the negligence/professional malpractice of the pharmacist.

The appellate court also upheld the amount of the jury verdict, holding that there was sufficient evidence in the record to support holding Walgreens and the pharmacist liable for $1.4 million in damages.  Factors cited by the appellate court in support of the damage amount included:

  • The ex-girlfriend’s records included sensitive information about her use of birth control and treatment for a sexually transmitted disease;
  • The information became known to several people, including the ex-girlfriend’s father; and
  • The ex-girlfriend testified that she experienced emotional harm that affected her ability to care for her child and caused her to begin taking a more expensive antidepressant.

Walgreens argued that the damages were excessive and based on improper factors because the ex-girlfriend did not have any physical injuries or conditions resulting from the breach, she did not lose any wages as a result of the breach, and she did not offer any professional testimony supporting her claimed emotional harm.  The appellate court refused to reweigh the evidence and change the damage amount awarded by the jury.

Impact

In upholding the verdict against Walgreens, the appellate court established some precedent that should get the attention of health care providers.  The case is important in a few ways.  First, it recognizes that a health care provider in Indiana may be held liable for monetary damages arising from a wrongful disclosure of patient information on a professional malpractice theory.  In essence, the court is recognizing the duty of confidentiality as part of the professional standard of care for health care providers.  Second, the court is permitting such liability even in the absence of physical harm or professional testimony to support claimed emotional harm.  This could materially lower the bar for proving damages in these types of cases.

Third, the case establishes that a health care provider could still be liable for a wrongful use or disclosure by an employee even where the employee’s actions directly contravene the provider’s established and implemented confidentiality policies.  Health care providers are required by HIPAA and other authorities to have policies governing the use and disclosure of health information and to train their workforce members to follow those policies.  This case makes it clear that compliance with HIPAA and those other authorities is not sufficient to avoid liability to individuals for the wrongful actions of employees.

Recommendations

In order for health care providers to reduce the likelihood of liability to patients for the wrongful use or disclosure of health information by employees, providers should consider the following recommendations:

  • Ensure that the provider has strict policies forbidding the use or disclosure of patient information for non-work-related purposes and enforce those policies consistently when potential issues arise.  If liability is possible where policies and procedures already are in place, then the failure to have clear policies in this regard will make proving such a case that much easier.
  • Regularly monitor and track access to patient information by workforce members.  Providers should have a process in place for auditing workforce access to patient information that proactively seeks to identify and prevent the potential inappropriate use and disclosure of such information.  Audit processes can serve as an effective deterrent for employees considering such activity.
  • When an instance of potential wrongful use or disclosure is discovered, the provider’s process should require the immediate loss or suspension of the individual’s access to patient information until the issue can be investigated and resolved.
  • Have personnel policies that allow for the imposition of significant disciplinary action, including termination, when an employee uses his or her legitimate access to health information for personal purposes.  Meaningful and decisive disciplinary action might help reduce the likelihood that an individual will bring an action against the provider for the actions of that employee.   The potential for such disciplinary action also can serve as an effective deterrent to employees considering misusing health information.
  • Be sure that policies and procedures are in place governing the receipt of patient complaints and that all appropriate workforce members are trained on those procedures.  How patient complaints are handled from the beginning can be a material factor in a given individual’s decision whether to sue the provider for a wrongful use or disclosure.
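The second and third recommendations above (audit workforce access to patient information, and suspend an individual's access as soon as a questionable use is found) are the parts of this list that can be automated. The following is an added example, not code from Walgreens, the court, or the author of this article, showing one way a provider could review its own PHI access audit trail. It assumes a constructed log format of `timestamp,user_id,patient_id,action,store`, a constructed set of workflow actions (`fill`, `counsel`, `refill_request`) that justify a record view, and a 24-hour window; the sample log lines are invented for illustration. It also answers the question the patient in this case asked her local pharmacy and was told could not be answered: who has looked at my record?

```python
"""Review PHI access audit logs for record views with no workflow justification.

Constructed example for illustration; not any real pharmacy system's code.
Assumptions: log lines are "timestamp,user_id,patient_id,action,store",
a "view" is justified when a workflow action (fill, counsel, refill_request)
for the same patient at the same store occurs within +/- 24 hours of it.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str   # "view" = read prescription history; others are workflow steps
    store: str


# Constructed sample audit trail. User rph_42 views patient P-1002's record twice
# with no fill or counseling for that patient at the store around those times.
SAMPLE_LOG = """\
2010-03-01T09:15:00,rph_17,P-1001,fill,store_8
2010-03-01T09:16:30,rph_17,P-1001,view,store_8
2010-03-02T14:02:10,rph_42,P-1002,view,store_8
2010-03-02T14:05:44,rph_42,P-1002,view,store_8
2010-03-03T10:40:00,tech_03,P-1003,view,store_8
2010-03-03T10:41:00,rph_17,P-1003,fill,store_8
"""

# Actions that represent legitimate pharmacy work on a patient's record (assumed).
WORKFLOW_ACTIONS = {"fill", "counsel", "refill_request"}


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed CSV-style audit log into AccessEvent records."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, store = line.strip().split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action, store))
    return events


def accesses_for_patient(events: List[AccessEvent], patient: str) -> List[AccessEvent]:
    """Every access to one patient's record, oldest first: the answer a patient
    complaint should be able to get on the first call."""
    return sorted((e for e in events if e.patient == patient), key=lambda e: e.ts)


def unjustified_views(events: List[AccessEvent],
                      window: timedelta = timedelta(hours=24)) -> List[AccessEvent]:
    """Flag 'view' events with no workflow action for the same patient at the
    same store within +/- window. The check is per patient and store, not per
    user, so a technician's view ahead of a pharmacist's fill is not flagged."""
    workflow: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e.action in WORKFLOW_ACTIONS:
            workflow[(e.patient, e.store)].append(e.ts)

    flagged: List[AccessEvent] = []
    for e in events:
        if e.action != "view":
            continue
        justified = any(abs(e.ts - t) <= window for t in workflow[(e.patient, e.store)])
        if not justified:
            flagged.append(e)
    return flagged


def users_to_suspend(flagged: List[AccessEvent]) -> Set[str]:
    """Users whose access should be suspended pending investigation (third
    recommendation above); the set feeds whatever account-disable step the
    provider's process defines."""
    return {e.user for e in flagged}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in accesses_for_patient(log, "P-1002"):
        print("access to P-1002:", e.ts.isoformat(), e.user, e.action)
    flagged = unjustified_views(log)
    for e in flagged:
        print("UNJUSTIFIED VIEW:", e.ts.isoformat(), e.user, e.patient, e.store)
    print("suspend pending review:", sorted(users_to_suspend(flagged)))
```

The window and the list of justifying actions are the two knobs a practice would tune; a tight window produces more review work but catches views that are merely adjacent to legitimate activity, while a loose one misses them. Either way, the output is a queue for a human reviewer, not an automatic finding of misconduct.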




Survey: With HIPAA audits looming, small practices far from compliant

NueMD in partnership with Porter Research and The Daniel Brown Law Group, today announced the results of its recent survey on HIPAA compliance within small practices and billing companies. The survey of more than 1,100 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act (HIPAA).

"Understanding HIPAA can be difficult for practices and billing companies, especially if they're already scrambling to keep up with changes like ICD-10 and Meaningful Use," said Caleb Clarke, sales and marketing director at NueMD. "With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling."

The survey found:

  • 66% of respondents were unaware of HIPAA audits
  • 35% of respondents said their business has conducted a HIPAA-required risk analysis
  • 34% of owners, managers, and administrators reported that they were "very confident" that their electronic devices that contain PHI were HIPAA compliant
  • 24% of managers, owners, and administrators at medical practices reported that they've evaluated all of their Business Associate Agreements
  • 56% of office staff and (non-owner) care providers at practices said they've received HIPAA training in the last year

"It's troubling to see that so many practices aren't participating in training programs for their staff," said Daniel Brown, managing shareholder at The Daniel Brown Law Group. "If an audit were to occur at that particular practice, one of the biggest red flags is that the staff is unaware of the HIPAA compliance plan and what their role is in it."


