HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Is the SHIN-NY “Public Utility” HIE Funding a Model for Other HIE? | EMR and HIPAA


I first started working with the New York eHealth Collaborative (NYeC) many years ago when they first organized the Digital Health Conference. Hopefully they’ll have me back again this year since I’ve really enjoyed our ongoing partnership. Plus, it’s a great way for me to get a deeper look into the New York Health IT landscape.

While NYeC organizes this conference, has an accelerator, and is (is this a was yet?) even a REC, the core of everything they do is around their HIE called the SHIN-NY. Unlike some states who don’t have any HIE or RHIO, New York has 10 regional health information exchanges (formerly and for some people still called RHIOs). The SHIN-NY is the platform which connects all of the state’s RHIOs into one connected health network. Plus, I know they’re working on some other more general initiatives that share and get data from organizations outside of New York as well.

While the SHIN-NY has been worked on and sending data for a number of years, the news just came out that Governor Cuomo included $55 million in state funding for the SHIN-NY HIE. This is a unique funding model and it makes me wonder how many other states will follow their lead. Plus, you have to juxtapose this funding with my own state of Nevada’s decision to stop funding the state HIE that was supported with a lot of federal government funds as well.

In my HIE experience, I’ve found that every state is unique in how they fund and grow their HIE. Much of it often has to do with the cultural norms of the state. For example, New York is used to high state taxes that support a number of government programs. Nevada on the other hand is used to no state tax and government funding largely coming from the hospital and gaming sectors. Plus, this doesn’t even take into account the local healthcare bureaucracies and idiosyncrasies that exist.

What do you think of this type of HIE funding model? Do you wish your state would do something similar? Will we see other states follow New York’s example?

I’m excited to see how NY, NYeC and the SHIN-NY do with this HIE funding. Knowing many of the leaders in that organization, I think they’re going to be a great success and have a real impact for good on healthcare in NY.




Stolen Laptops = HIPAA Settlements Totaling Nearly Two Million Dollars - Health Insurance Portability and Accountability Act | The National Law Review


Unencrypted laptop computers and other mobile devices pose significant risks to the security of patient information, reminds the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in its announcement yesterday that it collected $1,975,220 from two entities collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. All HIPAA covered entities and business associates should review these resolutions agreements as they are instructive to handling a key area of risk for just about any such organization – electronic mobile devices – which are frequently lost or stolen, and not encrypted.

In one of the cases, OCR found that the covered entity, Concentra Health Services:

failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.

In other words, OCR claims that although Concentra identified the lack of encryption as a risk, OCR determined that it failed to adequately remediate or manage the risk. It is also important to note, however, that OCR acknowledged that encryption is an “addressable” standard under the HIPAA Security Rule. This means that covered entities and business associates need not encrypt such devices, provided they determine encryption is not reasonable and appropriate, and implement an equivalent alternative measure(s) to encryption, if reasonable and appropriate, and document that determination.

In the other case, following receipt of a breach notice in February 2012 from the covered entity concerning a stolen unencrypted laptop with protected health information of 148 individuals, OCR investigated and contends that the covered entity failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, including conducting a thorough risk assessment.

So, there are a number of lessons for covered entities and business associates from these resolutions including:

  1. Conduct a risk assessment to identify vulnerabilities. HHS recently released a tool to assist covered entities with this step.

  2. Doing a risk assessment is not enough. Risks identified in the assessment have to be dealt with completely and consistently.

  3. While encryption may be preferred, it is not required so long as the entity identifies and applies alternative measures that are reasonable and appropriate, and documents that determination. But remember that depending on the information stored on the laptops or other mobile storage devices, states such as Massachusetts may require those laptops and devices be encrypted.




More practical, relevant, and actionable health IT advice to be doled out at HealthIMPACT East in NYC on Wednesday


Our vision of providing a packed one day event focused on practical, relevant, and actionable health IT advice was very well received in Houston earlier this month. We wanted to focus not on canned PowerPoint decks and promotion of tech hype but specific advice on how and where to apply IT in healthcare settings. Based on some of the feedback we got, it looks like we struck a chord:

“I did enjoy the HealthIMPACT Forum in Houston and will definitely recommend attending. The information was of great value and it was enjoyable to meet and network with others. I look forward to next year!” – Barbara Presley, Clinical Documentation Improvement Program, University Medical Center Brackenridge

“HealthIMPACT seemed more focused with only high quality contributors and content. HealthIMPACT was collaborative with fewer ‘talking heads’ and more open and honest dialog. I truly felt that it was a more intimate environment for sharing.” – Zachery Jiwa, Innovation Fellow, US Department of Health and Human Services

“[The open format] allows for valuable exchange between participants. The forum consists of important topics and fluid discussions going where the audience wants to take it.” – George Conklin, Senior Vice President and CIO, Christus Health

I’m often asked why, as a health IT blogger, I wanted to lead HealthIMPACT. Here’s a three minute video overview:


Based on the feedback from the Houston event and what we’ve heard from our surveys, below are some of the topics we’ve heard the audience wants covered during the day at HealthIMPACT East on Wednesday and future events coming up in Santa Monica, Nashville, and Chicago. Of course, not everything can be covered in one day, but because we run a non-traditional format we’ll cover a lot more ground because the audience decides where to take us.

Meaningful Use

  • Assuring on-time and on-budget completion of projects (principally MU2), in the face of reduced reimbursement and personnel resources.
  • Implementation of MU 2
  • Meeting MU2 and CMS rules w/minimal impact on physician workflow/productivity
  • Transition of Care (TOC) measure and use of CCDA & DIRECT Messaging
  • Developing solutions that will satisfy conflicting requirements between CMS sections, without requiring staff to do multiplicative documentation.
  • Effective Clinical Integration Ideas EHR (Epic Implementation)
  • Epic implementation
  • Interoperability legacy systems and modern systems
  • Keeping track of rapid changes in software in the electronic health record
  • Keeping track of changes from CMS
  • Staying current of IT information that comes so fast
  • Meaningful Use Audits
  • Implementing electronic medical record
  • Successful attestation for Stage 2 Phase 1 MU
  • Maintaining metrics in the face of ever changing regulatory requirements
  • Transition of the traditional quality core measures to the electronic clinical quality measures
  • Managing changes in workflows as new components in the EHR are implemented to meet meaningful use requirements

Patient Engagement

  • How will involvement of patients in their own care change the way healthcare is practiced? Will it really?
  • What efforts are being made to reach out to the average patient in the population so they can access and use the health care system the same way that the average person is able to use the banking or retail system?

Data Governance

  • Ensuring data accuracy
  • Control data output to ensure it is of highest quality and provides consistent outcomes.
  • Data governance, measure burden, data analysis
  • Strategies for accurate and reliable data entry
  • Ensuring the quality of information within your EMR
  • Use of computerized assisted clinical documentation or coding to improve clinical outcomes
  • CAC, Computer Assisted Physician Documentation (CAPD)
  • Master Data Management
  • Reconciliation of data between systems

Clinical Informatics

  • Use of analytics/data to coordinate care and cut costs
  • Developing Health Care Data and Analytics division
  • Knowledge of successful strategies to move forward clinical informatics agenda
  • Population Health and Data Mining
  • Not seeing nursing informatics (NI) working in our healthcare facilities
  • Seeing NI as leaders in the field.
  • Job availability for NI
  • Ways in which nursing informatics is impacting healthcare
  • The integration of Nursing informatics as a part of IT in healthcare
  • Focus on nursing informatics and their role in healthcare
  • cost big data interoperability

Clinical Decision Support

  • Enabling more robust clinical decision support
  • Exploring, and successfully implementing alternate delivery methods of care

Interoperability

  • Information exchange between hospital and outside groups/providers
  • Mobile interoperability of Patient Data
  • Interoperability strategies to ensure exchange of quality information
  • HIE Connectivity, Direct Trust Testing/Connectivity
  • Improved communication between providers

Mobility

  • How to get the most out of mobile platforms.
  • Role of mobile devices in Health IT.
  • Telehealth
  • Clinical solutions and patient engagement solutions
  • How to be successful with cloud strategies

Cost & Resources

  • Ensuring that using IT in care delivery actually helps in reducing cost of healthcare
  • Cutting cost of the contracted services
  • Supporting the education efforts of various departments, without having to assume responsibility for conducting the actual education
  • Prioritizing to corporate strategic direction.
  • Workflow of IT operations area – more efficient
  • How to evaluate new technology
  • global sense of what the most useful cutting edge technologies are
  • Resources; money; changes in government regulations
  • Project management; C-suite expectations; talent acquisition
  • Money to implement, train, maintain. Trained technical people. Affordable bandwidth.
  • Funding; dealing with increasing integration requirements; need for speed in an increasingly complicated environment.
  • Budgets; finding qualified staff to fill positions; GRC culture change to make the business more responsible for their applications
  • Change management in general

Innovations

  • What start-up technologies are larger institutions potentially looking at?
  • What apps should patients be “prescribed”?
  • Trends, direction in technologies for new technologies like wearable technology etc.

Security

  • System implementation Security
  • Authentication, electronic signature
  • Medical & Personal Device Security
  • Security and Privacy Mobility

Six Reality Checks of HIPAA Compliance | EMR and HIPAA


Between Windows XP causing HIPAA compliance issues and the risk associated with the risk assessment required by meaningful use, many in healthcare are really waking up to the HIPAA compliance requirements. Certainly there’s always been an overtone of HIPAA compliance in the industry, but it’s one thing to think about HIPAA compliance and another to be HIPAA compliant.

 

This whitepaper called HIPAA Compliance: 6 Reality Checks is a great wake up call to those that feel they have nothing to worry about when it comes to HIPAA. While many are getting ready, there are still plenty that need a reality check when it comes to HIPAA compliance.

 

Here’s a look at why everyone could likely benefit from a HIPAA reality check:

(1) Data breaches are a constant threat

(2) OCR audits reveal health care providers are not in compliance

(3) Workforce members pose a significant risk for HIPAA liability

(4) Patients are aware of their right to file a complaint

(5) OCR is increasing its focus on HIPAA enforcement

(6) HIPAA Compliance is not an option, it’s LAW

 

Obviously, the whitepaper goes into a lot more detail on each of these areas. As I look through the list, what seems clear to me is that HIPAA compliance is a problem. Every organization should ask themselves the following questions:

 

Are we HIPAA compliant?

 

What are you doing to mitigate the risk of a breach or HIPAA violation?

 

When I look at the 6 Reality Checks details in the whitepaper, I realize that everyone could benefit from a harder look at their HIPAA compliance. A little bit of investment now could save a lot of heartache later.

Technical Dr. Inc.'s insight:

Does your practice need a HIPAA Risk Assessment?  We can help!  Contact us at inquiry@technicaldr.com or call 877-910-0004 x3 today!


- The Technical Doctor Team


HIPAA Audit Tips – Sort out your Business Associate status before OCR does!


There was an interesting discussion at the recent OCR/NIST 6th Annual Conference on Safeguarding Health Information.  Several of the conference attendees were seeking clarification from the OCR on the categorization of an entity which stores encrypted PHI on behalf of a covered entity, but does not possess the encryption keys nor have any mechanism to decrypt, or otherwise access, the plaintext data. They did not appear happy with the response they received.

Much of the confusion stems from the concept of “conduits”, a term which was introduced in the preamble of the Privacy Rule in 2000. The initial language characterized a conduit as an entity that…

“…transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.”

The classic example used is the U.S. Postal service (and its electronic equivalents) who act as couriers of data sent from Point A to Point B.

The 2013 Omnibus Final Rule provides significantly more detail on conduits, but this additional detail still leaves the question posed by the conference attendees unresolved.

The preamble of the Omnibus Rule states that the conduit exception is intended to be a narrow one that is limited to transmission services where the PHI data is transient, not persistent.

The Omnibus Rule goes on to say…

“To help clarify this point, we have modified the definition of ‘‘business associate’’ to generally provide that a business associate includes a person who ‘‘creates, receives, maintains, or transmits’’ (emphasis added) protected health information on behalf of a covered entity.”

David Holtzman, Sr. Health Information Technology and Privacy Specialist for the OCR, attempted to provide some clarification by stating that one test to determine if a Business Associate agreement is required, is persistence of custody rather than ability to access.  Holtzman acknowledged that this topic is being discussed internally at the OCR and said they are working to provide clarification on the issue.

So, it would seem that, barring any reversal in direction from the OCR, entities which store ePHI on behalf of a Covered Entity or a Business Associate will indeed be required to comply with the regulations and complete a Business Associate agreement, regardless of their ability to decrypt or access the data in their custody.

There is an interesting parallel in the Payment Card Industry, which has attempted to avoid federal regulation by implementing the PCI Data Security Standard (PCI-DSS) for all organizations which store, process, or transmit credit card data.  The PCI Security Standards Council, the consortium that establishes the compliance standards for the PCI program, evaluated this same topic of entities which store encrypted data but have no ability to decrypt or access it.  In August 2012 the Standards Council issued clarification in the form of a FAQ article (Article Number: 1233) which states:

“…if a merchant stores media containing only encrypted data at a third-party back-up storage facility, and the third-party provider has no access to decryption keys and no ability to decrypt the data, then the presence of encrypted data alone would not bring the third-party provider into scope for PCI DSS”

So I suppose it stands to reason that since we’re comparing two different industries (Health Care & Electronic Payments) and two different governance models (Federal Regulation vs. Industry Self-regulation) that we have two different answers to the same question. In the meantime, we will all be anxiously awaiting the formal clarification from the OCR.

The standard disclaimers hold here; the opinions contained herein are those of the author, who is not an attorney and is not offering legal advice. Determining if a Business Associate agreement is required in a particular situation is best decided by working in conjunction with your Legal Counsel.


HIPAA Privacy and Security Reminders – UT Physicians Laptop Goes Missing - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance


What Happened?

On August 28, 2013, UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston (UTHealth) Medical School, announced that an unencrypted laptop computer containing some patient information was discovered missing on Aug. 2 from a locked closet in a UT Physicians orthopedic clinic.

 

What Was the Nature of the Information and How Many Individuals Were Affected?

UT Physicians reported that 596 individuals’ information was stored on the laptop. The specialized laptop computer attached to an electromyography machine included hand and arm image data from February 2010 to July 13. Patient information stored on the computer included names, birth dates and medical record numbers. There were no addresses, social security numbers, or insurance or other financial information stored on the laptop.

What Was Done to Mitigate / Remediate?

  • UT Physicians began mailing letters today to 596 patients whose information was stored on the laptop on August 28th. 
  • Reportedly, encryption of all laptops has been the policy at UT Physicians and UTHealth for the last two years and all known laptops – more than 5,000 – have been encrypted. 
  • The medical group and UTHealth have taken steps to ensure that the missing laptop in the orthopedic clinic is an isolated incident.
  • UT Physicians and UTHealth officials continue to work with law enforcement in their investigation.
  • UT Physicians and UTHealth are conducting a physical search of all clinics and offices to ensure that there are no other unencrypted laptops or storage devices attached to medical equipment. 
  • They are tightening the processes for the purchase of medical equipment.
  • UT Physicians and UTHealth have initiated additional review processes and inventories and invested in hardware, software and personnel to ensure that all personal information on UT Physicians’ and UTHealth’s computers and hard drives is encrypted.

 

What Should Organizations Do Next?

  • Make sure all mobile devices containing PII and PHI (laptops, smartphones, portable USB drives, thumb drives, etc.) are encrypted
  • Ensure documented policies and procedures are in place, are being followed and reflect actual practices.
  • Implement a regular sampling audit of devices to ensure encryption is installed and operational.
  • Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities and controls have been considered.
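The two laptop incidents above turn on the same two controls: the Security Rule's "addressable" encryption standard described in the Concentra resolution (encrypt, or document why encryption was not reasonable and appropriate and implement an equivalent alternative measure), and the sampling audit recommended after the UT Physicians loss (confirm encryption is installed *and* operational on devices that hold ePHI). The following Python script is an added example, not code from either article or from any of the organizations named; it encodes that decision logic over a constructed asset inventory. The `Device` fields, the `encryption` state names and the `RA-…` determination references are assumptions chosen for the example, not terms from the page.

```python
"""Mobile-device encryption audit over a constructed asset inventory (added example).

A device holding ePHI is treated as compliant only if full-disk encryption is
active, or if a documented risk determination AND an equivalent alternative
measure are both recorded. Encryption that is installed but not operational is a
finding, as is a determination with no alternative measure.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import random


@dataclass
class Device:
    asset_id: str
    kind: str                          # assumed values: laptop, usb, phone, medical
    holds_phi: bool                    # does the device store ePHI?
    encryption: str                    # assumed values: active, installed_inactive, none
    risk_decision: Optional[str] = None        # reference to a documented determination
    alternative_measure: Optional[str] = None  # the equivalent alternative control


# Constructed sample inventory; asset ids and determination references are made up.
INVENTORY: List[Device] = [
    Device("LT-0001", "laptop", True, "active"),
    Device("LT-0002", "laptop", True, "none"),                      # EMG-style attached laptop
    Device("USB-0003", "usb", True, "installed_inactive"),
    Device("MED-0004", "medical", True, "none", "RA-2013-07",
           "isolated network segment, locked room, removable media disabled"),
    Device("PH-0005", "phone", False, "none"),                      # no ePHI: out of scope
    Device("LT-0006", "laptop", True, "none", "RA-2013-09"),        # determination, no measure
]


def evaluate(device: Device) -> Tuple[str, str]:
    """Classify one device; returns (status, reason)."""
    if not device.holds_phi:
        return ("out_of_scope", "no ePHI stored on device")
    if device.encryption == "active":
        return ("compliant", "encryption active")
    if device.encryption == "installed_inactive":
        # Installed-but-inactive is the case a sampling audit exists to catch.
        return ("finding", "encryption installed but not operational")
    if device.risk_decision and device.alternative_measure:
        return ("compliant_alternative",
                f"documented determination {device.risk_decision}; "
                f"alternative measure: {device.alternative_measure}")
    if device.risk_decision:
        return ("finding", "determination documented but no equivalent alternative measure")
    return ("finding", "unencrypted ePHI with no documented risk determination")


def summarize(inventory: List[Device]) -> Dict[str, int]:
    """Count devices per status across the whole inventory."""
    counts: Dict[str, int] = {}
    for d in inventory:
        status, _ = evaluate(d)
        counts[status] = counts.get(status, 0) + 1
    return counts


def sample_audit(inventory: List[Device], sample_size: int, seed: int = 0
                 ) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Seeded random sample of in-scope devices, as a repeatable spot check.

    Returns per-device results for the sample and the asset ids with findings.
    """
    rng = random.Random(seed)
    in_scope = [d for d in inventory if d.holds_phi]
    sample = rng.sample(in_scope, min(sample_size, len(in_scope)))
    results = {d.asset_id: evaluate(d) for d in sample}
    findings = [aid for aid, (status, _) in results.items() if status == "finding"]
    return results, findings


if __name__ == "__main__":
    for status, n in sorted(summarize(INVENTORY).items()):
        print(f"{status:22s} {n}")
    _, open_findings = sample_audit(INVENTORY, sample_size=3)
    print("sampled findings:", open_findings)
```

Run as-is it reports one compliant device, one compliant by documented alternative, three findings and one out-of-scope device; in practice the inventory would come from the MDM or asset system, and the `seed` would be rotated per audit cycle so each cycle samples different devices.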

If you’d like to keep up to date on HIPAA Security and Privacy reminders or HIPAA-HITECH in general, please also consider (all optional!):


Do Security and Privacy Concerns Drive Cloud Adoption? | EMR and HIPAA


In one of my recent conversations with Dr. Andy Litt, Chief Medical Officer at Dell, he made a really interesting but possibly counter intuitive observation. While maybe not a direct quote from him, I took away this observation from Dr. Litt:

Security and privacy drives people to the cloud.

Talk about an ironic statement. I imagine if I were to talk to a dozen CIOs, they would be more concerned about the security and privacy implications of the cloud. I don’t imagine most would look at the cloud as the solution to some of their security and privacy problems.

However, Dr. Litt is right. Many times a cloud based EHR or other software is much more secure than a server hosted in a doctor’s office. The reality is that many healthcare organizations large or small just can’t invest the same money in securing their data as compared with a cloud provider.

It’s not for lack of desire to make sure the data is secure and private. However, if you’re a small doctor’s office, you can only apply so many resources to the problem. Even a small EHR vendor with a few hundred doctors can invest more money in the security and privacy of their data than a solo practice. Although, this is true for even very large practices and even many hospitals.

One reason why I think many will disagree with this notion is because there’s a difference between a cloud provider who can be more secure and private and one who actually executes on that possibility. It’s a fair question that everyone should ask. Although, this can be verified. You can audit your cloud provider and see that they’re indeed putting in security and privacy capabilities that are beyond what you’d be able to do on your own.


12 Tips to Prevent a Healthcare Data Breach


Privacy and security have always been priorities for healthcare CIOs, but changes to HIPAA under the HITECH ACT of 2009 put the issues squarely in the spotlight. Providers that suffer data breaches that affect more than 500 patients must notify the Department of Health and Human Services, which maintains a public list of all breaches, and are subject to fines of up to $1.5 million (on top of mitigation costs). These 12 tips can help you avoid the costly, and embarrassing, consequences of suffering a healthcare data breach.

Conduct a Risk Assessment

The HIPAA Security Rule, passed in 2003, required health care organizations to conduct a risk assessment but didn't penalize noncompliance, so few providers did it. The HITECH Act changed that by making security risk analysis a core, or mandatory, requirement under Stage 1 of the meaningful use of electronic health record software. (Meaningful use provides financial incentives to organizations using EHR by 2014 and penalties to those who aren't.) The Office for Civil Rights' guidance on conducting a risk analysis says providers should identify vulnerabilities in information systems or security policies as well as natural, human and environmental threats to the security of protected health information (PHI).

Educate Employees About HIPAA

Knowledge is power, after all. Make sure all employees know what personal health information (PHI) can and cannot be shared with patients, caregivers and outsiders—bearing in mind that, in addition to federal HIPAA regulations, individual states have their own rules. This training should happen on a regular basis, not just when an employee is hired. Use high-profile data breaches to illustrate worst practices and discuss what should have been done differently. Set a social media policy that clearly defines what is and is not appropriate, and share it with all employees, whether they see patients or not.

Tell Employees to Watch Their Stuff

Hackers are responsible for fewer than 10 percent of the healthcare data breaches that have been reported to date. Most, it turns out, are the result of lost or stolen laptops, backup tapes, CDs, thumb drives or other types of portable electronic devices. These devices have been stolen from a physician's home, taken from a car or misplaced. Yes, it is IT's responsibility to secure the devices it issues employees—and that will be covered later—but employees need to understand the repercussions of their forgetfulness.

Keep an Eye on Paper Records

Many providers are ditching paper charts for EHR technology, largely because the HITECH Act requires them to do so. The HITECH Act says nothing about paper records, though. They remain plentiful—and prone to loss, having been involved in one in four breaches. Medical records and X-rays have been left on the train 70 miles away. Whether paper records go offsite or stay onsite, visit their location regularly and make sure physical security passes muster. Or take the final step—scan all paper records, import them into your EHR and get rid of paper once and for all.

Encrypt Data at Rest and in Motion

HIPAA doesn’t require encryption per se, but the HITECH Act states that if encrypted data falls into the wrong hands, the incident does not constitute a data breach. Centrally managed data encryption technology adhering to the Advanced Encryption Standard is the best starting point, since it's the data that's most important to thieves and malicious hackers. Be sure to encrypt data in transmission, too; only decrypt data after a user has been authenticated, and encrypt it again once it arrives at its destination (Side note: When you're engaging in health information exchange, get patients' permission to send and receive data—and consider letting them opt out if they feel the process threatens their privacy.)

Encrypt Hardware, Too

Remember those lost laptops from the fourth slide? They're why you shouldn't solely settle for data encryption. Lock up the servers your data sits on, the mobile devices employees use to move data around and the network endpoints through which data is exchanged. Store encryption keys for backup tapes separately from the tapes themselves, and don't lose the keys. Same goes for the transparent data encryption product you're using on your database. Consider "on-the-fly" server encryption as a way to encrypt and decrypt data before it's loaded or saved and unbeknownst to the end user. Finally, don't forget about medical devices that regularly collect and transmit data. If they're too old to be encrypted, either replace them or shore up network security.

Subnet Wireless Networks

If patients can get free Wi-Fi at McDonald's, they'll expect it when they're at the hospital. The key, of course, is to give patients what they want without exposing PHI and other sensitive information. Subnetting, or creating subnetworks, is the best way to do this. Set aside part of your network for public use; limit guest activity to the browser. Use separate, more secure subnets for business applications, any app that touches PHI and any app that's involved with credit card transactions. Another subnet for those old medical devices may be a good idea, too. As stated, encrypt each subnet in accordance with Wi-Fi Protected Access 2 protocols, and change WPA2 keys frequently.

Take Identity and Access Management Seriously

Many people, with many different job titles, need access to patient data. What a physician needs to see will differ dramatically from what an attending nurse, bill collector or fundraising coordinator needs to see. Use IAM technology to give employees access to only the data that's relevant to their role within the healthcare organization. Automate this process, so all the new residents who start July 1 have individual accounts. Make it easy for one user to log off a shared machine and another user to log on, too. That way, employees actually use their own login credentials, which makes audit trails easier to follow, and applications aren't carelessly left unattended just because no one logs off when they walk away from a computer.

Create an Airtight BYOD Policy

Mobile devices such as the iPad will make their way into healthcare facilities whether you like it or not. It's only a matter of time before doctors want access to PHI on them. In your BYOD policy, prevent users from storing data locally, lest the device fall into the wrong hands, and insist upon bidirectional authentication to verify a password and a token whenever access to PHI is requested. (An extra step, yes, but it ensures that the correct person is viewing the data.) Consider measures that prevent devices from connecting to healthcare apps beyond a certain distance from the medical campus or after a certain length of time. Finally, maintain remote wipe and autolock capabilities and forbid the use of cellphone cameras.

Examine Service-Level Agreements With a Fine-Toothed Comb

The cloud is an increasingly attractive option for healthcare organizations that need to archive years' worth of patient data but lack the space (or expertise) to do it onsite. If you go to the cloud, keep several things in mind. Your SLA should clearly state that you, not the cloud service provider (CSP), own your data. The SLA should also spell out how the CSP will comply with HIPAA, PCI DSS and relevant state data privacy laws and how you will be granted access to your data. Examine the provider's backup, disaster preparedness, disaster recovery and uptime guarantees carefully. This is especially true if you've decided to move mission- and life-critical data to the cloud, as this places a premium on application recovery.

Nag Business Associates

Under revised HIPAA rules, HIPAA business associates are held to the same standards as HIPAA covered entities when it comes to protecting patient data and being fined for failing to do so. Update your business associate agreements to reflect this—and do so regularly. Force business associates to create processes for discovering and reporting data breaches to you. Work with them to explicitly state who's responsible for what in the event of a data breach, and remember that state breach notification laws may differ from HIPAA. Make your BAs responsible for their subcontractors' actions, since a healthcare data breach caused by the subcontractor will eventually get back to you.

Hire a Good Lawyer

If you do suffer a breach, expect to hear from the Office for Civil Rights within the U.S. Department of Health and Human Services; the OCR investigates and hands out fines for HIPAA violations. Expect to hear from lawyers representing patients, too. Law firms see big money in healthcare breach cases, which isn't surprising since there have been more than 500 since 2009—many of them preventable. Proving negligence can be difficult, though, since even organizations in full compliance with the law have suffered a breach. Whatever happens, play nice. Cignet Health, recipient of the largest HIPAA penalty to date ($4.3 million), was hit so hard because it withheld patient records and didn't cooperate with OCR.


Technical Dr. Inc.'s insight:

Have you had a Risk Assessment performed on your practice?  This is an annual requirement, so contact the experts to have your assessment scheduled today.  inquiry@technicaldr.com or 877-910-0004


-The Technical Doctor Team


Should you care about HIPAA compliance? | Healthcare IT News


The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (healthcare providers or payers) (CEs) or business associates (everyone else in the healthcare ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.

There are innumerable clinical, financial and compliance issues to be concerned about in this watershed era for the American healthcare system. However, do not forget about HIPAA.

Long before becoming covered entities under HIPAA, physician practices have been aware of their responsibilities regarding privacy and security of protected health information (PHI in HIPAA-speak). The HIPAA rules have added a layer of compliance requirements to a pre-existing landscape of patient records privacy laws. Some of the regulatory changes affect the ways in which physician practices may market to new and established patients, but many of the changes that took effect last year relate to the obligations of business associates – “downstream contractors” that deal in PHI on behalf of physician practices. BAs are now explicitly subject to the same compliance requirements applicable to CEs. And it is the responsibility of each CE to ensure that downstream contractors are doing what they are supposed to be doing in the realm of HIPAA compliance – or risk being held liable for the failings of their BAs. It is therefore a good time for physician practices to re-examine their HIPAA compliance plans, the scrutiny applied to their BAs’ HIPAA compliance programs, and their contractual agreements with BAs. The bottom line is, well, the bottom line; Covered Entities are now explicitly liable for the HIPAA compliance of their Business Associates.

What does this mean in practice?

1. Tailor-made compliance plans. Unlike other regulatory schemes, which envision compliance with specific rules and regulations, and allow for certification of compliance, HIPAA is a much looser construct. There are standards, but adherence with all of them is not mandatory. Some standards are “addressable” – which means that regulated entities may address certain regulatory concerns in ways other than full compliance with the methods outlined in the rule. The idea is that this is not a one-size-fits-all program; rather, HIPAA compliance programs need to be tailored to the privacy and security needs of an individual CE or BA.

2. Adoption of policies; review of policies and related documents. Privacy and security policies must be revised and updated on a regular basis, particularly in connection with a major regulatory overhaul such as the promulgation of the Omnibus Rule, but also on an annual basis. Grandfathered Business Associate Agreements (BAAs) should be reviewed for compliance with the new regulations as well. More and more CEs are looking for indemnification provisions in their BAAs. In the end, though, the indemnities are only as good as the BA’s HIPAA compliance program and insurance, both of which bear closer examination.

3. Workforce training. Once appropriate policies, agreements and insurance are in place, the workforce must be trained, and tested, on the HIPAA compliance material.

4. Risk assessments. Risk assessments – preferably handled by outside data security experts – must be conducted annually. A good risk assessment will uncover room for improvement even in an organization that is highly attuned to HIPAA compliance. Why? Because this is more of a continuous improvement exercise addressing evolving realities than it is check-the-box compliance with a static rule.

Are there things other than HIPAA compliance that demand investment of staff and other resources? Of course there are. But the costs associated with failing to invest appropriately in this realm can be significant. Multi-million-dollar fines and imposition of compliance monitoring agreements – to say nothing of the attendant negative publicity – may be devastating. It seems clear that the investment in HIPAA compliance is one that is likely to pay dividends over the years.

A well-developed, well-documented and well-implemented privacy and security policy, where training and testing of staff is documented, where key agreements are in place and easily producible for review when your friendly neighborhood government agent comes knocking, will go a long way towards minimizing potential sanctions when (not if) your organization experiences a breach of privacy or security of protected health information.


4 ways to ensure HIPAA compliance | Government Health IT


David Harlow is Principal of The Harlow Group LLC, a health care law and consulting firm based in Boston, MA. He blogs regularly at HealthBlawg, where this post originally appeared. Follow him on Twitter.


Life as a Healthcare CIO: HIPAA and Fundraising


I was recently asked about using patient identified data for fundraising.

The HIPAA Omnibus rule does permit the use of department of service, treating physician, and outcomes information in fund raising activities with an understanding that a patient can opt out and their wishes must be respected.

*The Notice of Privacy Practices must disclose fundraising and the right to opt out.
*The covered entity or business associate must not send further communications to those individuals who have opted out, but the opt out can be limited to a specific campaign.
*If PHI is not used (e.g., a purchased list), notice and opt out do not apply.

Here’s an excellent overview of the regulation and best practices related to fundraising

How do I think about supporting healthcare fundraising activities with IT?

*Keep all data centrally managed so that no shadow databases of patient identified information are stored in departments or on mobile storage systems.

*Ensure that experts perform all queries and create “minimal need to know” views of patient information.

*Create audit trails of all lookups

*Support the Development department with business intelligence tools that enable them to do their work but eliminate the need to access clinical systems

*Ensure that opt out requirements are respected.

As with most things involving privacy and security, it is possible to balance business needs and regulatory compliance. Centrally managing the process requires close collaboration between IT and the fundraising business owners. Strong policies, communication and relationships are just as important as the technology.
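The five IT measures above (central data management, expert-built "minimal need to know" views, audit trails of every lookup, business-intelligence access without clinical-system logins, and opt-out enforcement) can be put together in a small amount of code. The block below is an added example written for this page; it is not code from the author's organization or from any product. The patient records, opt-outs, user name and campaign names are constructed sample values, and the exact list of fields released to Development (`FUNDRAISING_FIELDS`) is an assumption that a real practice would fix by policy in one place rather than per query. The same field-scoping and audit-trail pattern is what the role-based access advice in the IAM section earlier on this page is asking for.

```python
"""Central, audited, minimum-necessary fundraising view with per-campaign opt-outs.
Added example for this page; all data below is constructed, not real patients."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Fields Development is allowed to see. The post names department of service,
# treating physician and outcome; patient_id and name are an assumption here
# (needed to contact anyone at all). Diagnosis and other clinical detail are
# deliberately absent, so the view cannot leak them by accident.
FUNDRAISING_FIELDS = ("patient_id", "name", "department", "treating_physician", "outcome")


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    name: str
    department: str
    treating_physician: str
    outcome: str
    diagnosis: str          # clinical detail: never leaves the central store


@dataclass(frozen=True)
class OptOut:
    patient_id: str
    campaign: Optional[str]  # None means opted out of all fundraising contact


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user: str
    campaign: str
    filters: str
    patient_ids: tuple      # which rows the lookup actually returned


class CentralPhiStore:
    """Single managed copy of identified data. Development never receives a
    departmental extract or a clinical-system login, only this view."""

    def __init__(self, records, opt_outs):
        self._records = {r.patient_id: r for r in records}
        self._opt_outs = list(opt_outs)
        self.audit_log = []

    def _opted_out(self, patient_id, campaign):
        # A global opt-out (campaign=None) or an opt-out for this campaign blocks the row.
        return any(o.patient_id == patient_id and o.campaign in (None, campaign)
                   for o in self._opt_outs)

    def record_opt_out(self, patient_id, campaign=None):
        """Honour a patient's request; takes effect on the next lookup."""
        self._opt_outs.append(OptOut(patient_id, campaign))

    def fundraising_view(self, user, campaign, department=None):
        """Minimal need-to-know view for one campaign. Every call is audited,
        including the identifiers it returned, so lookups can be reviewed later."""
        rows = []
        for rec in self._records.values():
            if department is not None and rec.department != department:
                continue
            if self._opted_out(rec.patient_id, campaign):
                continue
            rows.append({f: getattr(rec, f) for f in FUNDRAISING_FIELDS})
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user,
            campaign=campaign,
            filters=f"department={department}",
            patient_ids=tuple(r["patient_id"] for r in rows)))
        return rows


def build_sample_store():
    """Constructed sample data: three patients, one global opt-out (P002) and
    one campaign-specific opt-out (P003 for the ONC-SPRING campaign)."""
    records = [
        PatientRecord("P001", "A. Example", "Cardiology", "Dr. Rivera", "discharged", "sample dx 1"),
        PatientRecord("P002", "B. Example", "Cardiology", "Dr. Rivera", "discharged", "sample dx 2"),
        PatientRecord("P003", "C. Example", "Oncology", "Dr. Chen", "in treatment", "sample dx 3"),
    ]
    opt_outs = [OptOut("P002", None), OptOut("P003", "ONC-SPRING")]
    return CentralPhiStore(records, opt_outs)


if __name__ == "__main__":
    store = build_sample_store()
    for row in store.fundraising_view("dev_analyst", "ONC-SPRING"):
        print(row)
    for entry in store.audit_log:
        print(entry)
```

The opt-out check runs inside the view rather than in Development's tooling, so a BI tool built on top of `fundraising_view` cannot forget it; likewise the field list is applied at the store, not by the caller. Reviewing `audit_log` answers "who looked up whom, for which campaign" without touching the clinical systems.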


UPMC data breach may affect as many as 27,000 employees

April 17, 2014 9:11 PM

By Robert Zullo / Pittsburgh Post-Gazette

UPMC now says the personal information of as many as 27,000 of its employees may have been put at risk by a data breach that was first reported to the health care conglomerate in February.

“As of today, 788 employees have been the victims of tax fraud,” UPMC spokeswoman Gloria Kreps wrote in a statement. “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach. We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity.”

The new figure, provided Thursday, was the latest increase by UPMC since employees began reporting instances of identity theft about two months ago.

At first, UPMC said the issue affected only a few dozen employees, then about 322.

“That’s what we were saying all along ... is that there are thousands,” said Michael Kraemer, a Pittsburgh lawyer who has filed a lawsuit seeking class-action status against UPMC for the breach on behalf of employees who had fraudulent bank accounts opened in their name and tax returns stolen. “The message for this huge number of people is you need to keep track of any out-of-pocket expenses and any time you spend dealing with this.”

The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

In addition to the stolen tax refunds, Mr. Kraemer said he has heard from UPMC employees who say they have had bank accounts drained, though he has not yet been able to independently verify the claims.

He questioned why it has taken UPMC so long to identify the scope of the problem.

“It is extremely concerning that when this story broke in February, the response from UPMC was that ‘It’s OK, only 20 people were affected,’” Mr. Kraemer said. “This is something that arguably they should have known back in February. ... People are now exposed.”

Mr. Kraemer said UPMC sought and received a 30-day extension to respond to his suit, filed Feb. 27, and is still within that window.

The hospital group and its affiliates employ about 62,000 people, and Mr. Kraemer said he has heard from employees in every facet of UPMC’s operations.

“Just from the sheer number of people I’ve talked to, I don’t see any department that’s been excluded,” Mr. Kraemer said. “Why isn’t it every single employee?”

A UPMC spokesperson said all employees who could have been potentially affected by the breach have been notified.

After the potential data theft was reported, the company set up a hot line for employees to call about their case, created a “comprehensive employee intranet site with information and resources,” hired a tax firm to help employees file the required IRS identity theft affidavit form and offered reimbursement if the employees have hired someone to do it for them. UPMC also offered credit monitoring services for the affected employees and reimbursement for costs associated with filing a police report, it has said.

In a letter, UPMC urged employees to contact their banks and check with the IRS to ensure that tax returns have not been fraudulently filed in their names as well as to prevent the potential for future incidents. UPMC also said it is providing LifeLock identity protection free of charge to employees who enroll by April 28.

“We are putting our full resources behind efforts to investigate and secure our systems,” UPMC Vice President John P. Houston wrote in the letter. “We recognize a situation like this creates stress and anxiety about the safety of your personal information and we want to provide you with all the tools and resources we can to help you deal with this all-too-common crime.”


Read more: http://www.post-gazette.com/business/finance/2014/04/17/UPMC-data-breach-may-affect-as-many-as-27-000-employees/stories/201404170277#ixzz2zXgXTyKl




Security Risk Assessment | Providers & Professionals | HealthIT.gov

What is Risk Assessment?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Watch the Security Risk Analysis video to learn more about the assessment process and how it benefits your organization or visit the Office for Civil Rights' official guidance.

Read the HHS Press Release.


Where Are the Big Business Associate HIPAA Breaches? | EMR and HIPAA


It seems like I have HIPAA and security on my mind lately. It started with me writing about the 6 HIPAA Compliance Reality Checks whitepaper and then carried over with my piece looking at whether cloud adoption addresses security and privacy concerns. In the latter post, there’s been a really rich discussion around the ability of an enterprise organization to secure their systems better than most healthcare organizations.

As part of that discussion I started thinking about the HHS HIPAA Wall of Shame. Off hand, I couldn’t think of any incidents where a business associate (i.e., a healthcare cloud provider) was ever posted on the wall or any reports of major HIPAA breaches by a large business associate. Do you know of some that I’ve just missed?

When I looked at the HIPAA Wall of Shame, there wasn’t even a covered entity type for business associates. I guess they’re not technically a covered entity even though they act like one now thanks to HIPAA Omnibus. Maybe that’s why we haven’t heard of any and we don’t see any listed? However, there is a filter on the HIPAA Breach disclosure page that says “Business Associate Present?” If you use that filter, 277 of the breaches had a “business associate present.” Compare that with the 982 breaches they have posted since they started in late 2009.

I took a minute to dig into some of the other numbers. Since they started in 2009, they’ve reported breaches that affected 31,319,872 lives. My rough estimate for 2013 (which doesn’t include some breaches that occurred over a period of time) is 7.25 million lives affected. So far in 2014 they’ve posted HIPAA breaches with 478,603 lives affected.

Certainly HIPAA omnibus only went into effect late last year. However, I wonder if HHS plans to expand the HIPAA Wall of Shame to include breaches by business associates. You know that they’re already happening or that they’re going to happen. Although, not as often if you believe my previous piece on them being more secure.

As I considered why we don’t know of other HIPAA business associate breaches, I wondered why else we might not have heard more. I think it’s naive to think that none of them have had issues. Statistics alone tells us otherwise. I do wonder if there is just not a culture of following HIPAA guidelines so we don’t hear about them?

Many healthcare business associates don’t do much more than pay lip service to HIPAA. Many don’t realize that under the new HIPAA omnibus they’re going to be held accountable similar to a covered entity. If they don’t know those basic things, then can we expect them to disclose when there’s been a HIPAA breach? In healthcare organizations they now have that culture of disclosure. I’m not sure the same can be said for business associates.

Then again, maybe I’m wrong and business associates are just so much better at HIPAA compliance, security and privacy, that there haven’t been any major breaches to disclose. If that’s the case, it won’t last forever.


HHS announces HIPAA settlements for stolen laptops | Lexology

  • USA
  • April 25 2014

On April 22, 2014, the Department of Health and Human Services ("HHS") announced that it reached settlements with two covered entities arising from alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules.  Both settlements involve the theft of unencrypted laptops and follow investigations in which the Office for Civil Rights ("OCR") found ongoing deficiencies in HIPAA compliance.  These cases mark the 19th and 20th HIPAA enforcement actions taken by HHS since 2008 and the 2nd and 3rd this year.  OCR representatives have stated that there are several more cases in the pipeline.

In the press release announcing the settlements, the OCR Deputy Director for Health Information Privacy, Susan McAndrew, noted that "[o]ur message...is simple:  encryption is your best defense against these incidents."

The Settlements

The first settlement involves a national provider of occupational medicine, urgent care, physical therapy and wellness services that is headquartered in Texas.  OCR Region X began an investigation of the provider when it received a breach report that an unencrypted laptop was stolen from one of its Missouri facilities in December 2011, affecting 870 individuals.  OCR's investigation found that the provider previously had conducted risk analyses that identified the absence of encryption on portable devices as a critical risk but had been inconsistent in its steps to remediate that risk, which were not yet complete.  OCR's investigation also found that the provider's security management processes were insufficient and did not adequately safeguard patient information.

HHS and the provider entered into a Resolution Agreement under which the provider agrees to pay $1,725,220 and comply with a Corrective Action Plan.

The second settlement involves an Arkansas health plan.  In February 2012, the health plan reported to OCR that an unencrypted laptop computer containing the electronic protected health information ("ePHI") of 148 individuals was stolen from a workforce member's car.  OCR Region VII's investigation found that over a period of time the health plan did not implement policies and procedures to prevent, detect, contain and correct security violations.  Specifically, the OCR found that the health plan had not conducted an accurate and thorough assessment and did not implement security measures sufficient to reduce risks and vulnerabilities to ePHI, which are HIPAA Security Rule requirements.  OCR also found that the health plan did not implement physical safeguards for all workstations to restrict access to authorized users.

HHS and the health plan also entered into a Resolution Agreement under which the health plan agrees to pay $250,000 and comply with a Corrective Action Plan.

In both cases, the Corrective Action Plan requires the covered entities to implement and report on a number of HIPAA compliance activities, including:

  • Providing HHS with a risk analysis of all potential risks and vulnerabilities to all of the provider's ePHI;
  • Providing HHS a risk management plan that describes all evidence of implemented and planned remediation actions and, for all planned remediation actions, timelines for expected completion;
  • Conducting security awareness training for workforce members; and
  • Submitting annual reports of compliance to OCR for two years.

Practical Takeaways

In light of these HIPAA enforcement actions, covered entities and business associates should continue to take the necessary steps to safeguard their ePHI, including:

  • Addressing the HIPAA Security Rule encryption standard, which requires that encryption be implemented unless it is not reasonable and appropriate, in which case an alternative measure must be implemented and documented;
  • Determining which devices and equipment contain or have access to ePHI and applying the encryption standard to all such devices, such as portable devices, desktop computers and medical equipment;
  • Conducting comprehensive risk analyses to identify and evaluate security vulnerabilities for ePHI;
  • Creating a detailed remediation plan for any vulnerabilities identified by the risk analysis and taking swift and consistent action to complete remediation activities according to their level of criticality;
  • Updating privacy and security policies regularly;
  • Updating and providing privacy and security training for workforce members periodically;
  • Investigating and sanctioning workforce members promptly and appropriately for violations of HIPAA policies and procedures; and
  • Conducting an independent HIPAA compliance assessment utilizing the OCR HIPAA Audit Protocol.




ACO’s and the Tech Needed to Be Ready | EMR and HIPAA


The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.

For those not familiar with ACOs (Accountable Care Organizations), I want to provide some insight into ACOs and how a medical practice can better prepare themselves for the coming shift in reimbursement, which is epitomized by the ACO. This is a challenging subject since the ACO is a somewhat nebulous idea that’s rapidly changing, but hopefully I can provide you some strategies that will help you be prepared for the coming changes.

You may remember when we talked in a previous post about the Value Based Payment Modifier and its impact on healthcare reimbursement. As we talked about in that post, healthcare reimbursement is changing and CMS is looking to only pay those providers who are providing quality care. As part of this movement, an ACO is an organization that works on behalf of a community of patients to ensure quality care.

The metrics of how they’ll measure what they reimburse and what they consider quality care are likely to rapidly change over the next few years while CMS figures out how to measure this. However, one key to being ready for this shift is that you’ll need to be part of an organization or group of providers that will take accountability for a patient population.

In some areas of the country, the hospitals are leading these organizations, but in other areas groups of physicians are coming together to form an ACO of just physicians. Either way can work. The key is that the members of these groups are going to each share in the reimbursement the group receives for improving the quality of healthcare patients in the community receive.

Also worth noting is that membership in an ACO isn’t necessarily a prerequisite for value based reimbursement. Whether you choose to be a member of an ACO or not, you’re going to be impacted by value based reimbursement and will need to be ready for the change. Not being ready could lead to lower reimbursement for the services you provide.

While it’s great that organizations of doctors are coming together to meet the need for ACOs, much more is going to be needed to do well in an ACO reimbursement world. The reality is that an ACO can’t exist without technology. Don’t even think about trying to meet the ACO requirements without the use of technology. ACOs will base their reimbursement on trackable data that can be aggregated across a community of providers that are likely on hundreds of different systems. Try doing that on paper. It just won’t happen.

In fact, many people probably think that their EHR software will be enough to meet the needs of the ACO as well. I believe this to be a myth. Without a doubt, the EHR will play a major role in the gathering and distribution of the EHR data. However, unless you’re a homogeneous ACO with providers that are all on the same single instance of an EHR, you’re going to need a whole suite of services that connect, aggregate, and interpret the EHR data for the community of patients. Add on top of that the communication needs of an ACO and the care manager style tracking that will need to occur, and it’s unlikely your EHR is going to be up to the task of an ACO. They’ll be too busy dealing with meaningful use and EHR certification.

Let me highlight three places where an ACO will need technology:

Communication
One of the key needs in an ACO is quality communication. This communication will happen provider to provider, provider to care manager, provider to patient, and care manager to patient and vice versa. You can expect that this communication will be a mix of secure text messaging and secure emails. In some cases it will be facilitated by a patient portal, but most of the secure messaging platforms for healthcare are much slicker and more effective than a patient portal that so far patients have rarely used.

Are you using a next generation secure messaging system to communicate with other providers, your staff, and the patient? You’ll likely need to use one in an ACO.

Provider Data Aggregation
Much like paper charts won’t be enough in an ACO world, faxed documents won’t be enough either. Providers in an ACO will need to have patient data from across the entire community of ACO providers. At a minimum providers in an ACO will need to have their EHRs connected with Direct, but most will need to have some sort of outside HIE that helps transfer, aggregate and track all the data that’s available for a patient in the ACO.

The ACO and doctor will really benefit from all the patient data being available at the click of the button. Without it, I’m not sure that ACOs will be able to meet the required quality measures.

Patient Data Aggregation
While all of the providers will need to be sharing their patient data, I think most ACOs will benefit from aggregating patient data as well. At first the ACO won’t be aggregating all of the patient generated data that’s available. Instead, they’ll find a slice of their patient community where they can have the most impact. Then, they’ll work with those patients to improve the care they receive. This is going to require ACOs to receive and track patient generated data. Without it, the ACO won’t have any idea how it’s doing. With so many patients on mobile devices or with access to the internet, what an amazing opportunity we have to really engage with patients.

Those are just a few of the ways technology is going to be needed for the coming changes in healthcare reimbursement and the shift towards value based care in things we call ACOs. Far too many providers are sitting on the sidelines while they let ACOs settle into place. What a missed opportunity. The fact that the ACOs are rapidly changing means that if you participate and make your voice heard, you can help to shape the direction of them going forward. We definitely need more doctors involved in these conversations.





The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance


Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh? Just what does the HIPAA Security Final Rule and/or The HITECH Act and/or Meaningful Use Final Rule require?


THE CHALLENGE:

The HITECH Act was a “game changer” when it comes to HIPAA Security Rule Compliance.

1) Mandatory audits (Subtitle D, Part 1, Section 13411) have begun

2) HHS non-compliance fines returning to HHS’ coffers will be reinvested in more enforcement

3) State Attorneys General can now bring civil actions and have already started doing so

4) Business Associates (BAs) are now statutorily obligated to comply with the law

5) Subcontractors are minimally contractually obligated and may be designated as BAs

6) Data Breach Notification requirements are stringent

7) The OCR recently published the Audit Protocols it is using for both the mandated audits as well as for any investigations related to claims

Numerous experts have advised that the best way to get started with your compliance program is to take stock of where you are today. Unfortunately, the advice uses many terms interchangeably for what you should complete: a Compliance Assessment! Security Evaluation! Risk Assessment! Risk Analysis! Compliance Analysis!

This webinar ends the confusion, identifies the types of evaluations required by the HIPAA Security Final Rule (and Meaningful Use Stage I Requirements) and explains the differences.

Complying with the HIPAA Security Final Rule itself and as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009 involves many steps and considerations.  What’s most important is starting on the right foot.

We focus on the two evaluations you must complete, by law. Both are required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law including all 22 Standards and 53 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) in the HIPAA Security Final Rule. Additionally, this evaluation must cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures and Documentation.

As indicated above, every Covered Entity and Business Associate is required to complete this HIPAA Security Compliance Evaluation. The language of the law is:

45 C.F.R. § 164.308(a)(8): Evaluation.

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of evaluation is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program or maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view.

A HIPAA Security Risk Analysis is also required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives. The HIPAA Security Final Rule states:

45 C.F.R. § 164.308(a)(1)(ii)(A) RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are required by law and are equally important and necessary steps on your HIPAA-HITECH Security compliance journey.

Knowing what evaluation to complete when is a challenging decision even for the largest and most sophisticated organizations.


THE SOLUTION

If your organization creates, receives, maintains or transmits ePHI, you should attend this webinar and learn the difference between these two types of evaluations.

This webinar briefly reviews the HIPAA-HITECH regulatory requirements for both types of evaluations, discusses the essential objectives and requirements of both, explains the differences and provides tangible, actionable approaches to complete each one.

The concepts of the importance of both evaluations to any compliance program, the different types of assessments one can complete, the explicit legal requirements, the penalties of failure to comply with the laws and many other key compliance process steps will be discussed.


The evaluation approaches presented in the webinar have been used by organizations of all sizes and are purposefully designed to be used by everyone from the largest CEs and BAs (e.g., hospitals, insurers, care management firms, etc.) to the smallest CEs, BAs and subcontractors (e.g., small medical practices, clinics, dental offices, medical billing companies, etc.).

No matter where you are in your HIPAA-HITECH compliance journey, you will benefit from learning about:

  • The requirements of the HIPAA Security Final Rule for evaluations and assessments
  • The difference between a compliance evaluation and a risk analysis
  • The HIPAA Security Final Rule civil and criminal penalties
  • Practical, actionable steps to complete the evaluations required by law
  • Available software and tools to jump-start your evaluation processes and overall compliance program

Becoming HIPAA-HITECH Security Rule compliant is an important and large project for any organization. Taking stock of where you are today is a great way to jump-start or revitalize your compliance programs and to be prepared both for the compliance audits and investigations being conducted by the OCR and for the audits that, as announced, will be conducted randomly for eligible providers that certified for EHR incentives under the American Recovery and Reinvestment Act of 2009 (ARRA).


HIPAA Risk Analysis Tip – Yes, Risk-Analyze Printers, Copiers and Scanners


Affinity Health Plan (AHP) is a not-for-profit managed care plan serving the New York metropolitan area.  Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the electronic protected health information (ePHI) of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on their copier hard drives.

The Problem

According to the AHP Settlement Agreement / Corrective Action Plan, OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):

  1. AHP impermissibly disclosed the ePHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.
  2. AHP failed to assess and identify the potential security risks and vulnerabilities of ePHI stored in the photocopier hard drives.
  3. AHP failed to implement its policies for the disposal of ePHI with respect to the aforementioned photocopier hard drives.

Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.  Here’s a link to the 60 Minutes video story Digital Photocopiers Loaded With Secrets.

The Solution

HIPAA Covered Entities and Business Associates are statutorily obligated to fully comply with all standards and implementation specifications in the HIPAA Security Rule.  The Risk Analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) requires that organizations identify and prioritize exposures that may compromise the confidentiality, integrity and availability of ePHI.

When conducting the Risk Analysis, an organization must consider exposures to all information assets that create, receive, maintain or transmit ePHI. Copiers, scanners and printers that contain ePHI must be included in this analysis.

As with any other information asset and/or underlying media type, one needs to carefully consider the threats and vulnerabilities related to hard drives stored in copiers, scanners and printers. For example, the absence of controls to prevent the “improper destruction, disposal or reuse of copier hard drives” could allow, as it did in the case of AHP, unauthorized access to ePHI. Such access compromises the confidentiality of that ePHI; in this case, of roughly 345,000 health plan members.

Controls that might have been implemented had AHP completed a bona fide risk analysis might include, but not be limited to: encryption of the copier hard drives, media re-use and disposal policy and procedures, security/privacy awareness and training and change control processes.

The Results of Doing a Bona Fide Risk Analysis

According to NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, a Risk Analysis is “the process of identifying, prioritizing, and estimating risks to organizational operations”. Done properly, all risks to all information assets and underlying media are identified so that an organization can make informed decisions about how to treat their risks. I am sure the people at AHP are competent professionals who simply didn’t have the benefit of knowing about this specific exposure related to copier hard drives. Don’t get caught in the same place — complete a robust, bona fide HIPAA Risk Analysis ASAP and update it on an annual basis.




Unencrypted Laptops Prove Costly | HIPAA, HITECH & HIT


Is the PHI on all your mobile devices encrypted? If not, here’s another two million reasons to make encryption your top priority. The Office for Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that it had imposed nearly $2 million in penalties on two entities as a result of the theft of unencrypted laptops.

As previously noted in this blog, theft or loss of laptops or other portable electronic devices remains a predominant factor in HIPAA breaches, constituting 57.5% of the approximately 400 listed breaches that involved reported theft or loss as of August 2013.

In the first incident, Concentra Health Services was fined $1,725,220 and agreed to adopt a corrective action plan after an OCR investigation following a report of the theft of an unencrypted laptop from a physical therapy clinic.  According to the press release,

“OCR’s investigation revealed Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.”

This isn’t Concentra’s first experience with laptop theft. The OCR list of Breaches Affecting 500 or More Individuals (also known as the “Wall of Shame”) includes two prior similar incidents, one in 2009 and another in 2011. (It is unclear whether this theft was related to the 2011 incident). Modern Healthcare reports that Concentra reported 16 additional breaches involving fewer than 500 individuals’ records.  So, although 434 out of 597 laptops had been encrypted according to HealthITSecurity.com, a batting average of .726 wasn’t good enough given their status as repeat offenders. Concentra’s resolution agreement, including the Corrective Action Plan, is available here and is worth reading.  Among other conditions, OCR requires that the company provide an update regarding its encryption status, including the percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted and an explanation for the percentage of devices and equipment that are not encrypted.

The company’s incomplete and inadequate implementation of compliance steps after known vulnerabilities had been identified may also have contributed to the severity of the penalty.  One of the worst things a covered entity or business associate can do is to engage in a half-hearted compliance effort that documents knowledge of uncorrected problems.

In the second case, Arkansas-based QCA Health Plan reported the theft of an unencrypted laptop containing records of 148 individuals. OCR noted that its investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to pay $250,000 and implement upgraded security procedures and employee training. QCA’s Resolution Agreement and Corrective Action Plan is here. This case marks only the second time OCR has fined an entity for a breach involving fewer than 500 individuals’ PHI, following the Hospice of North Idaho settlement.

One lesson is clear from both incidents: if these laptops had been encrypted in accordance with NIST standards, neither entity would have been subjected to fines and additional government oversight.  As enforcement continues to ramp up and target both Covered Entities and Business Associates, and as the use of mobile devices continues to increase, there is no excuse to delay full implementation of encryption.  Encryption isn’t a panacea, but it’s as close as you can get in the HIPAA compliance world.


http://www.govhealthit.com/news/fed-privacy-enforcers-sock-health-org-17m-penalty

The HHS Office for Civil Rights has announced settlements today with two healthcare organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen.
 
The biggest of the two fines, levied against Concentra Health Services, called for $1,725,220 to settle potential violations and required Concentra to "adopt a corrective action plan to evidence their remediation of these findings," according to HHS.
 
"Covered entities and business associates must understand that mobile device security is their obligation," OCR officials said in the settlement.
 
The mega-penalty is meant to drive home the point that unencrypted laptops and mobile devices pose significant risks to the security of patient information, said Susan McAndrew, OCR’s deputy director of health information privacy.
 
"Our message to these organizations is simple: Encryption is your best defense against these incidents," she said.
 
Concentra's OCR investigation followed a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.
 
The probe found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.
 
Steps were taken to begin encryption, but Concentra’s efforts were "incomplete and inconsistent over time," according to an HHS press release, leaving patient PHI vulnerable throughout the organization.
 
In addition, OCR’s investigation found that Concentra had insufficient security management processes in place to protect that information.
 
Meanwhile, OCR received a breach notice in February 2012 from Arkansas-based QCA Health Plan, reporting that an unencrypted laptop with the PHI of 148 individuals was stolen from an employee's car.
 
QCA encrypted its devices following discovery of the breach, but OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rule, beginning from the compliance date of the security rule in April 2005 and ending in June 2012.
 
To make amends, QCA has agreed to a $250,000 settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its PHI. It is also required to retrain its workforce and document its ongoing compliance efforts.
 
Speaking earlier this year at HIMSS14, McAndrew made it clear that "compliance and enforcement is really where the action is going to be," in 2014.
 
After recounting whopping OCR settlements from the past year, such as WellPoint's $1.7 million fine for leaving PHI viewable online, and Affinity Health Plan's $1.2 million fine for failing to properly dispose of a photocopier, she said she expected more big settlement numbers would be in the offing.
 
But McAndrew had little sympathy for HIPAA transgressors. "This is just common IT stuff," she said, adding that stiff penalties could be avoided by simply "(paying) attention to details."
 
To help other health organizations avoid these fines, OCR has set up six educational programs for providers on compliance with various aspects of the HIPAA Privacy and Security Rule. Each is available with free continuing medical education credits for physicians and continuing education credits for healthcare professionals. Learn more here.

Colleagues In Cuffs: When Employees Steal Patient Records - InformationWeek


The Queens County DA recently arrested two Jamaica Hospital employees for stealing patient data, a lucrative crime occurring at hospitals across the nation.

The Queens, N.Y., district attorney recently charged two employees of Jamaica Hospital Medical Center with illegally accessing emergency room patients' medical records and personal identification information, and selling that data to individuals who then solicited services such as outpatient care or legal assistance -- sometimes while patients were still in the ER.

“These defendants are accused of blatantly violating their HIPAA obligations and illegally trolling through confidential patient records. Their alleged actions led to patients who were seeking treatment for injuries unwittingly being victimized again with the illegal release of their personal information and medical records," said DA Richard Brown, in a statement.


Defendants Maritza Amador, 44, and Dache Prawl, 45, were registrars at the Queens, N.Y., hospital's ER. Allegedly the duo illegally accessed personal information, including Social Security numbers and medical data, and passed that information to people who falsely represented themselves as representatives of the hospital to patients. These individuals offered transportation to outpatient therapy, attorney services related to car accident injuries, and follow-up medical treatment, the DA charges. They were released without bail and their next court date is May 20, the Queens County DA's office told InformationWeek.


The Health Insurance Portability and Accountability Act (HIPAA) and the regulations that have grown up around it set high standards. Yet this is not the first -- and, no doubt, won't be the last -- time employees allegedly stole patient data.

In May 2013, a physician and office worker reportedly quit Pensacola, Fla.-based Sight and Sun Eyeworks without notice; they allegedly took with them 9,000 patient records and Social Security numbers, which they used to reschedule patients' appointments at their new practice, local media reported.  



In San Francisco, a city employee allegedly sent the confidential data of about 2,500 Medi-Cal recipients to her home computer in an effort to combat her dismissal for "poor performance." The worker's attorneys and union representatives also saw the data, which included patient information and Social Security numbers. In another case, a former benefits clerk for United Healthcare Workers West was sentenced to 12 years and four months in prison for stealing the data of about 30,000 union employees of Kaiser Permanente in California. Crooks used the data to buy merchandise valued at more than $1 million, according to a published report.

A Miami respiratory therapist reportedly sold patients' personal information for up to $150 per person; buyers then used the data to illegally file and claim patients' tax returns, Florida media said. Tallahassee Memorial Hospital offered identity protection services to more than 100 patients after discovering a hospital employee illegally accessed data for a fraudulent tax scheme.

Despite many instances of malicious breaches, 75% of healthcare organizations believe employee negligence is their biggest security concern, according to the Fourth Annual Ponemon Report on Patient Privacy and Data Security. In 2013, 12% of organizations reported a malicious insider breached patient security, compared with 14% in both 2012 and 2011, the research firm said. The average cost of a data breach last year? Almost $2 million, down slightly from the prior year, Ponemon estimated.

Healthcare organizations will spend about $70 billion on security in 2017, a whopping 75% increase from $40 billion in 2012, according to the Boyd Company. Yet protecting data from greedy, careless, or disgruntled employees is, in some ways, more challenging than safeguarding records from external threats.

IT departments must ensure users only access records necessary for their roles and responsibilities, promptly changing authorizations when an employee's job changes and cutting off all access when an employee leaves the organization.

In addition, managers, colleagues, and human resource departments -- as well as monitoring tools and alarms -- must put extra focus on unhappy employees. A mind-boggling 85% of employees are not satisfied with their jobs and only 13% are actively engaged, according to Gallup's "State of the Global Workplace" report. Of those dissatisfied employees, 24% are "actively disengaged," meaning they proactively undermine colleagues' work and, perhaps, help themselves to patient data to pad their bank accounts or wreak havoc on their employer.

Installing firewalls and locking down databases doesn't work if thieves have the keys or designed the infrastructure. To secure patient data, IT must ensure information is safe from everyone, even colleagues in the department across the hall. 
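One way to put the role-restricted access and monitoring described above into practice, as an added example that is not part of the InformationWeek article: a review script that runs over EHR audit log lines and flags access outside a user's role, an unusual burst of distinct patient records opened by one user, and any activity by an account that should already have been deprovisioned. The role matrix, user names, thresholds and log lines are all constructed for illustration.

```python
"""Insider-access review over a constructed EHR audit log (added example).

Three checks a practitioner would want after the cases in the article:
  1. out_of_role     - action not in the least-privilege matrix for the role
  2. bulk_access     - too many distinct patients by one user in a short window
  3. revoked_account - activity by an account HR says was deprovisioned
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed least-privilege matrix: role -> actions that role needs.
# An ER registrar, for instance, needs demographics but not clinical notes.
ROLE_PERMISSIONS = {
    "registrar": {"VIEW_DEMOGRAPHICS", "UPDATE_INSURANCE"},
    "nurse": {"VIEW_DEMOGRAPHICS", "VIEW_CLINICAL_NOTE", "UPDATE_VITALS"},
    "physician": {"VIEW_DEMOGRAPHICS", "VIEW_CLINICAL_NOTE", "WRITE_ORDER"},
    "clerk": {"VIEW_DEMOGRAPHICS"},
}

# Constructed HR feed: accounts whose access should already be cut off.
DEPROVISIONED_USERS = {"clerk99"}

# Constructed audit lines: timestamp | user | role | action | patient_id
AUDIT_LOG = """\
2014-04-10T08:01:10 | reg01 | registrar | VIEW_DEMOGRAPHICS | P1001
2014-04-10T08:01:42 | reg01 | registrar | VIEW_CLINICAL_NOTE | P1001
2014-04-10T08:02:05 | reg01 | registrar | VIEW_DEMOGRAPHICS | P1002
2014-04-10T08:02:30 | reg01 | registrar | VIEW_DEMOGRAPHICS | P1003
2014-04-10T08:03:01 | reg01 | registrar | VIEW_DEMOGRAPHICS | P1004
2014-04-10T08:03:40 | reg01 | registrar | VIEW_DEMOGRAPHICS | P1005
2014-04-10T08:04:12 | reg01 | registrar | VIEW_DEMOGRAPHICS | P1006
2014-04-10T08:05:00 | rn07 | nurse | VIEW_CLINICAL_NOTE | P1001
2014-04-10T08:06:15 | rn07 | nurse | VIEW_DEMOGRAPHICS | P1002
2014-04-10T09:15:00 | clerk99 | clerk | VIEW_DEMOGRAPHICS | P1010
"""


def parse_line(line):
    """Split one pipe-delimited audit line into a dict with a datetime."""
    ts, user, role, action, patient = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": patient}


def review_audit_log(log_text, window=timedelta(minutes=10), max_patients=5):
    """Return a list of findings, each {'rule', 'user', 'detail'}."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    by_user = defaultdict(list)

    for ev in events:
        # Check 3: any activity at all by a deprovisioned account is a finding.
        if ev["user"] in DEPROVISIONED_USERS:
            findings.append({"rule": "revoked_account", "user": ev["user"],
                             "detail": f"{ev['action']} on {ev['patient']} "
                                       f"at {ev['ts'].isoformat()}"})
        # Check 1: action must be in the role's allowed set (unknown role -> none).
        if ev["action"] not in ROLE_PERMISSIONS.get(ev["role"], set()):
            findings.append({"rule": "out_of_role", "user": ev["user"],
                             "detail": f"{ev['role']} performed {ev['action']} "
                                       f"on {ev['patient']}"})
        by_user[ev["user"]].append(ev)

    # Check 2: sliding window of distinct patients per user; report once per user.
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            start = ev["ts"] - window
            patients = {e["patient"] for e in evs[:i + 1] if e["ts"] >= start}
            if len(patients) > max_patients:
                findings.append({"rule": "bulk_access", "user": user,
                                 "detail": f"{len(patients)} distinct patients "
                                           f"within {window}"})
                break
    return findings


if __name__ == "__main__":
    for f in review_audit_log(AUDIT_LOG):
        print(f"{f['rule']:16} {f['user']:8} {f['detail']}")
```

Real deployments would feed the EHR's own audit export and an HR deprovisioning feed into the same checks; the thresholds here are deliberately low so the constructed log triggers each rule once.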





A Critique of the New HIPAA Audit Plans


As the Department of Health and Human Services' Office for Civil Rights gears up to begin its next round of HIPAA compliance audits, security and privacy experts are giving OCR's plans mixed reviews.

When OCR resumes its audit program in the coming months, the agency plans a limited number of narrowly focused "desk audits." Comprehensive on-site audits will be performed only "as resources allow," says an OCR spokeswoman. OCR plans to audit 350 covered entities beginning in the fall and 50 business associates in 2015 (see HIPAA Audits: Round 2 Details Revealed).

Some security and privacy experts say OCR's new approach to offsite, highly focused audits could help the agency become more efficient in reviewing the compliance of covered entities and business associates. But others believe the plans will come up short in driving compliance, compared with more in-depth, on-site audits, as were conducted during a pilot in 2012.

Audit Plans

OCR's audits of covered entities will focus on specific areas of HIPAA compliance, according to a recent presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy. That includes 100 audits focused on the HIPAA privacy rule, especially privacy notices and compliance with individuals' right to access their protected health information; 100 audits on compliance with the HIPAA Omnibus breach notification rule; and 150 focused on the security rule, especially risk analysis.

The business associates audits will focus on compliance with the risk analysis and breach notification requirements, according to Sanches' presentation.

The first round of pilot audits conducted in 2012 by OCR's contractor, consulting firm KPMG, involved on-site visits that all examined a broad list of HIPAA compliance issues at 115 covered entities. In contrast, the next phase of desk audits will be conducted by OCR's staff.

Selected covered entities will receive notification and data requests in fall 2014, while business associates will be notified in 2015, the OCR spokeswoman says.

Onsite vs. Offsite Audits

Privacy and security expert Rebecca Herold, a partner at consulting firm Compliance Helper and CEO of The Privacy Professor, says OCR's new focus on desk audits is a good idea.

"It is a very good move to improve efficiency and widen the numbers of CEs, and BAs, that are being audited," she says. "I've done over 250 HIPAA audits since 2000. After you've gotten a good methodology down for performing HIPAA audits, you can then learn from your experiences, know the areas of most common non-compliance and risk, and then refine your audit methodology accordingly."

Security expert Brian Evans, principal consultant at Tom Walsh Consulting, offers a similar perspective. "I'm not surprised with OCR's new audit approach because I can appreciate their limited staffing and financial resources in addition to the fact that this is their first year of the program," he says. "Offsite 'desk audits' can still be a cost-effective way of gathering compliance data and cover more of the population than onsite audit."

But Jennings Aske, CISO at speech recognition software vendor Nuance, which is a business associate under HIPAA, is not sold on the idea of OCR concentrating on mostly desk audits, rather than onsite assessments.

"It's too bad they can't do both," he says. "Onsite audits allow a dialogue between regulators and healthcare providers," says Aske, who joined Nuance in January after leaving his post as chief information security and privacy officer at Partners HealthCare, an integrated health delivery network in Boston. "Remote audits will miss that dynamic.

"I understand that budgets are tight, but I'm surprised OCR isn't getting more funding for this, or can use enforcement money that's been collected" to expand the audit program, Aske says.



Reviewing Concentra Health and QCA HIPAA breach CAPs | HealthITSecurity.com

We learned yesterday that two HIPAA covered entities, Concentra Health Services and QCA Health Plan, had come to individual monetary agreements with the Office for Civil Rights (OCR) to settle HIPAA violations. Those resolutions included corrective action plans (CAPs) as well, but how do they compare with other recent OCR breach agreements?

HealthITSecurity.com reviewed the critical points of the Concentra Health and QCA CAPs and compared them to the HHS agreement with Skagit County of Northwest Washington that was announced in March.

Concentra CAP

OCR found that Concentra (1) failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why it wasn’t appropriate; (2) Concentra failed to sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level.

As for Concentra’s CAP, OCR mandated that the organization update its risk analysis procedures, provide a detailed timeline for encrypting its devices, and explain how it will enhance security training. Concentra will provide:

A. A risk analysis to HHS which will include a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all Concentra ePHI.

B. A risk management plan that explains Concentra’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on Concentra’s circumstances. This shall include with it the following:

(i) Material evidence of all implemented and all planned remediation actions associated with the risk management plan; (ii) specific timelines for their expected completion, identifying the compensating controls that will be in place in the interim to safeguard Concentra ePHI.

Additionally, Concentra agreed to provide documentation of any changes or updates to its organizational information technology (IT) infrastructure (security environment) that affect the risks and vulnerabilities to ePHI.

Seeing as the breach involved the theft of an unencrypted laptop, it follows that OCR also required periodic encryption status updates from Concentra, covering:

A. The percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted at the time of each report.

B. Evidence that all new devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) have been encrypted.

C. An explanation for the percentage of devices and equipment that are not encrypted.

D. A breakdown of the percentage of encrypted devices and equipment for each specific Concentra facility and worksite.

Lastly, Concentra will have to boost its security awareness training requirements by offering OCR “documentation to indicate that all workforce members have completed security awareness training (to include training on Concentra’s Acceptable Use Policy), which shall also include all training materials used for the training, a summary of the topics covered, the length of the session(s), and a schedule of when the training session(s) were held.”

QCA CAP

When HHS investigated QCA Health’s unencrypted laptop breach, it found that (1) QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations; (2) QCA did not implement physical safeguards for all workstations that access ePHI to restrict access to authorized users on October 8, 2011; (3) QCA impermissibly disclosed the ePHI of 148 individuals on October 8, 2011.

QCA Health’s CAP includes improvements to its security management process, security awareness and training, and prompter responses to reportable events.

QCA shall provide HHS with a risk analysis and a corresponding risk management plan that includes security measures to reduce the risks and vulnerabilities to the electronic protected health information (ePHI) maintained by QCA to a reasonable and appropriate level. QCA will submit these to HHS for review and approval within 60 days of the Effective Date; any changes HHS requires, including a revised risk analysis and risk management plan, must be made and sent to HHS within 30 days.

QCA will also provide HHS with its security awareness training materials, established to reduce the risks and vulnerabilities to ePHI identified in its security management process. QCA shall provide the training materials to HHS for review and approval within 30 days of the date HHS approves QCA’s risk analysis and risk management plan. After HHS approval, QCA shall provide documentation within 60 days that all workforce members with access to ePHI have received such security awareness training, and will continue to provide such training on an ongoing basis.

Lastly, with regard to reportable events, QCA must promptly investigate upon learning that a workforce member may have failed to comply with its Privacy and Security policies and procedures. If QCA determines, after review and investigation, that a member of its workforce has failed to comply with those policies and procedures, QCA shall notify HHS in writing within thirty (30) days of its determination. QCA will provide a complete description of the event, as well as a description of the actions taken and any further steps needed.

CAP comparisons

While Concentra and QCA both have work to do in terms of their respective CAPs, Skagit County’s CAP was distinctive for a few reasons. First, seeing as this was the first time a county had been fined, HHS had no choice but to require a large CAP because of the sheer number of HIPAA violations the county experienced. Skagit’s CAP included submission of substitute breach notification, better accounting of disclosures, improved business associate (BA) documentation, improved security management, updated policies and procedures, training, and better response time to reportable events. Concentra and QCA had some of these elements in their CAPs, but they are not required to improve their privacy and security posture across the board, as Skagit will have to.

Second, in stipulating that Skagit provide substitute breach notification to affected individuals not previously notified, HHS made it clear that it’s going to hammer organizations that don’t notify patients of breaches. Check back with HealthITSecurity.com for more updates on OCR breach penalties.


UPMC data breach may affect as many as 27,000 employees


UPMC now says the personal information of as many as 27,000 of its employees may have been put at risk by a data breach that was first reported to the health care conglomerate in February.

“As of today, 788 employees have been the victims of tax fraud,” UPMC spokeswoman Gloria Kreps wrote in a statement. “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach. We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity.”

The new figure, provided Thursday, was the latest increase by UPMC since employees began reporting instances of identity theft about two months ago.

At first, UPMC said the issue affected only a few dozen employees, then about 322.

“That’s what we were saying all along ... is that there are thousands,” said Michael Kraemer, a Pittsburgh lawyer who has filed a lawsuit seeking class-action status against UPMC for the breach on behalf of employees who had fraudulent bank accounts opened in their name and tax returns stolen. “The message for this huge number of people is you need to keep track of any out-of-pocket expenses and any time you spend dealing with this.”

The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

In addition to the stolen tax refunds, Mr. Kraemer said he has heard from UPMC employees who say they have had bank accounts drained, though he has not yet been able to independently verify the claims.

He questioned why it has taken UPMC so long to identify the scope of the problem.

“It is extremely concerning that when this story broke in February, the response from UPMC was that ‘It’s OK, only 20 people were affected,’” Mr. Kraemer said. “This is something that arguably they should have known back in February. ... People are now exposed.”

Mr. Kraemer said UPMC sought and received a 30-day extension to respond to his suit, filed Feb. 27, and is still within that window.

The hospital group and its affiliates employ about 62,000 people, and Mr. Kraemer said he has heard from employees in every facet of UPMC’s operations.

“Just from the sheer number of people I’ve talked to, I don’t see any department that’s been excluded,” Mr. Kraemer said. “Why isn’t it every single employee?”

A UPMC spokesperson said all employees who could have been potentially affected by the breach have been notified.

After the potential data theft was reported, the company set up a hot line for employees to call about their case, created a “comprehensive employee intranet site with information and resources,” hired a tax firm to help employees file the required IRS identity theft affidavit form, and offered reimbursement if employees hired someone to do it for them. UPMC also offered credit monitoring services for the affected employees and reimbursement to employees for costs associated with filing a police report, it has said.

In a letter, UPMC urged employees to contact their banks and check with the IRS to ensure that tax returns have not been fraudulently filed in their names as well as to prevent the potential for future incidents. UPMC also said it is providing LifeLock identity protection free of charge to employees who enroll by April 28.

“We are putting our full resources behind efforts to investigate and secure our systems,” UPMC Vice President John P. Houston wrote in the letter. “We recognize a situation like this creates stress and anxiety about the safety of your personal information and we want to provide you with all the tools and resources we can to help you deal with this all-too-common crime.”


Report: Breaches Up 138 Percent in 2013


A new report reveals that in 2013, the number of protected health information (PHI) breaches was up 138 percent from 2012, with 199 breaches of PHI reported to the Department of Health and Human Services (HHS), impacting over 7 million patient records.

The report, the fourth annual from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act forced providers to notify HHS when they had a breach affecting 500 or more patients, there have been 804 large breaches of PHI.

Last year, in particular, was rough for providers. Over the four years covered by the report, only one other year has been higher in terms of total incidents and number of patients impacted.

"I think the 138 percent increase in patient records breached caught a lot of people by surprise," Daniel W. Berger, Redspin's President and CEO, said in a statement. "There was a sense that the government's 'carrot and stick' approach – requiring HIPAA security assessments to qualify for meaningful use incentives and increasing OCR enforcement initiatives – was driving real progress."

The five largest PHI breaches made up more than 85 percent of the total reported from the year. This includes the Advocate Health and Hospitals breach, where four desktop computers from an office were stolen, that affected more than four million patients. The second and third largest breaches were also caused by theft. In total, theft was the cause of nearly half of all breaches in 2013.

Laptops were the device on which the highest number of data breaches occurred, being involved in nearly 35 percent of all incidents. The lack of encryption on portable devices, the authors of the report say, is one of the highest risks to PHI.

"It's only going to get worse given the surge in the use of personally-owned mobile devices at work," Berger said. "We understand it can be painful to implement and enforce encryption but it's less painful than a large breach costing millions of dollars."

One positive area in the report was the impact of the HIPAA Omnibus Rule on covered entities and business associates (BAs). While the number of breach incidents involving BAs followed the norm in 2013, the number of patient records affected dropped dramatically relative to 2009-2012.

Technical Dr. Inc.'s insight:

Is your practice secure? If you aren't sure, contact Technical Doctor today to schedule your Risk Assessment at inquiry@technicaldr.com or 877-910-0004 x3.


-The Technical Doctor Team