HIPAA Compliance for Medical Practices
60.5K views | +2 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

http://www.govhealthit.com/news/fed-privacy-enforcers-sock-health-org-17m-penalty

The HHS Office for Civil Rights has announced settlements today with two healthcare organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen.
 
The biggest of the two fines, levied against Concentra Health Services, called for $1,725,220 to settle potential violations and required Concentra to "adopt a corrective action plan to evidence their remediation of these findings," according to HHS.
 
"Covered entities and business associates must understand that mobile device security is their obligation," OCR officials said in the settlement.
 
The mega-penalty is meant to drive home the point that unencrypted laptops and mobile devices pose significant risks to the security of patient information, said Susan McAndrew, OCR’s deputy director of health information privacy.
 
"Our message to these organizations is simple: Encryption is your best defense against these incidents," she said.
 
Concentra's OCR investigation followed a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.
 
The probe found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.
 
Steps were taken to begin encryption, but Concentra’s efforts were "incomplete and inconsistent over time," according to an HHS press release, leaving patient PHI vulnerable throughout the organization.
 
In addition, OCR’s investigation found that Concentra had put in place sufficient security management processes to protect that information. 
 
Meanwhile, OCR received a breach notice in February 2012 from Arkansas-based QCA Health Plan, reporting that an unencrypted laptop with the PHI of 148 individuals was stolen from an employee's car.
 
QCA encrypted its devices following discovery of the breach, but OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rule, beginning from the compliance date of the security rule in April 2005 and ending in June 2012.
 
To make amends, QCA has agreed to a $250,000 settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its PHI. It is also required to retrain its workforce and document its ongoing compliance efforts.
 
Speaking earlier this year at HIMSS14, McAndrew made it clear that "compliance and enforcement is really where the action is going to be," in 2014.
 
After recounting whopping OCR settlements from the past year, such as WellPoint's $1.7 million fine for leaving PHI viewable online, and Affinity Health Plan's $1.2 million fine for failing to properly dispose of a photocopier, she said she expected more big settlement numbers would be in the offing.
 
But McAndrew had little sympathy for HIPAA transgressors. "This is just common IT stuff," she said, adding that stiff penalties could be avoided by simply "(paying) attention to details."
 
To help other health organizations avoid these fines, OCR has set up six educational programs for providers on compliance with various aspects of the HIPAA Privacy and Security Rule. Each is available with free continuing medical education credits for physicians and continuing education credits for healthcare professionals. Learn more here.
http://www.govhealthit.com/news/fed-privacy-enforcers-sock-health-org-17m-penalty
more...
No comment yet.
Scoop.it!

Colleagues In Cuffs: When Employees Steal Patient Records - InformationWeek

Colleagues In Cuffs: When Employees Steal Patient Records - InformationWeek | HIPAA Compliance for Medical Practices | Scoop.it

The Queens County DA recently arrested two Jamaica Hospital employees for stealing patient data, a lucrative crime occurring at hospitals across the nation.

The Queens, N.Y., district attorney recently charged two employees of Jamaica Hospital Medical Center with illegally accessing emergency room patients' medical records and personal identification information, and selling that data to individuals who then solicited services such as outpatient care or legal assistance -- sometimes while patients were still in the ER.

“These defendants are accused of blatantly violating their HIPAA obligations and illegally trolling through confidential patient records. Their alleged actions led to patients who were seeking treatment for injuries unwittingly being victimized again with the illegal release of their personal information and medical records," said DA Richard Brown, in a statement.

Sponsor video, mouseover for sound
 

Defendants Maritza Amador, 44, and Dache Prawl, 45, were registrars at the Queens, N.Y., hospital's ER. Allegedly the duo illegally accessed personal information, including Social Security numbers and medical data, and passed that information to people who falsely represented themselves as representatives of the hospital to patients. These individuals offered transportation to outpatient therapy, attorney services related to car accident injuries, and follow-up medical treatment, the DA charges. They were released without bail and their next court date is May 20, the Queens County DA's office told InformationWeek.

[ Do you know where your data is? Read Healthcare Data Security: Focus On 'Business Associates'.]

The Health Insurance Portability and Accountability Act (HIPAA) and the regulations that have grown up around it set high standards. Yet this is not the first -- and, no doubt, won't be the last -- time employees allegedly stole patient data.

In May 2013, a physician and office worker reportedly quit Pensacola, Fla.-based Sight and Sun Eyeworks without notice; they allegedly took with them 9,000 patient records and Social Security numbers, which they used to reschedule patients' appointments at their new practice, local media reported.  



In San Francisco, a city employee allegedly sent the confidential data of about 2,500 Medi-Cal recipients to her home computer in an effort to combat her dismissal for "poor performance." The worker's attorneys and union representatives also saw the data, which included patient information and Social Security numbers. In another case, a former benefits clerk for United Healthcare Workers West was sentenced to 12 years and four months in prison for stealing the data of about 30,000 union employees of Kaiser Permanente in California. Crooks used the data to buy merchandise valued at more than $1 million, according to a published report.

A Miami respiratory therapist reportedly sold patients' personal information for up to $150 per person; buyers then used the data to illegally file and claim patients' tax returns, Florida media said. Tallahassee Memorial Hospital offered identity protection services to more than 100 patients after discovering a hospital employee illegally accessed data for a fraudulent tax scheme.

Despite many instances of malicious breaches, 75% of healthcare organizations believe employee negligence is their biggest security concern, according to the Fourth Annual Ponemon Report on Patient Privacy and Data Security. In 2013, 12% of organizations reported a malicious insider breached patient security, compared with 14% in both 2012 and 2011, the research firm said. The average cost of a data breach last year? Almost $2 million, down slightly from the prior year, Ponemon estimated.

Healthcare organizations will spend about $70 billion on security in 2017, a whopping 75% increase from $40 billion in 2012, according to the Boyd Company. Yet protecting data from greedy, careless, or disgruntled employees is, in some ways, more challenging than safeguarding records from external threats.

IT departments must ensure users only access records necessary for their roles and responsibilities, promptly changing authorizations when an employee's job changes and cutting off all access when an employee leaves the organization.

In addition, managers, colleagues, and human resource departments -- as well as monitoring tools and alarms -- must put extra focus on unhappy employees. A mindboggling 85% of employees are not satisfied with their jobs and only 13% are actively engaged, according to Gallup's "State of the Global Workplace" report. Of those dissatisfied employees, 24% are "actively disengaged," meaning they proactively undermine colleagues' work and, perhaps, help themselves to patient data to pad their bank accounts or wreak havoc on their employer.

Installing firewalls and locking down databases doesn't work if thieves have the keys or designed the infrastructure. To secure patient data, IT must ensure information is safe from everyone, even colleagues in the department across the hall. 

Medical data breaches seem to show up on the 6 o'clock news almost every week. If you think it wouldn't happen to you -- or the financial impact will be minor -- think again. Download the Healthcare Data Breaches Cost More Than You Think report today. (Free registration required.)



more...
No comment yet.
Scoop.it!

A Critique of the New HIPAA Audit Plans

A Critique of the New HIPAA Audit Plans | HIPAA Compliance for Medical Practices | Scoop.it

As the Department of Health and Human Services' Office for Civil Rights gears up to begin its next round of HIPAA compliance audits, security and privacy experts are giving OCR's plans mixed reviews.

When OCR resumes its audit program in the coming months, the agency plans a limited number of narrowly focused "desk audits." Comprehensive on-site audits will be performed only "as resources allow," says an OCR spokeswoman. OCR plans to audit 350 covered entities beginning in the fall and 50 business associates in 2015 (see HIPAA Audits: Round 2 Details Revealed).

Some security and privacy experts say OCR's new approach to offsite, highly focused audits could help the agency become more efficient in reviewing the compliance of covered entities and business associates. But others believe the plans will come up short in driving compliance, compared with more in-depth, on-site audits, as were conducted during a pilot in 2012.

Audit Plans

OCR's audits of covered entities will focus on specific areas of HIPAA compliance, according to a recent presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy. That includes 100 audits focused on the HIPAA privacy rule, especially privacy notices and compliance with individuals' right to access their protected health information; 100 audits on compliance with the HIPAA Omnibus breach notification rule; and 150 focused on the security rule, especially risk analysis.

The business associates audits will focus on compliance with the risk analysis and breach notification requirements, according to Sanches' presentation.

The first round of pilot audits conducted in 2012 by OCR's contractor, consulting firm KPMG, involved on-site visits that all examined a broad list of HIPAA compliance issues at 115 covered entities. In contrast, the next phase of desk audits will be conducted by OCR's staff.

Selected covered entities will receive notification and data requests in fall 2014, while business associates will be notified in 2015, the OCR spokeswoman says.

Onsite vs. Offsite Audits

Privacy and security expert Rebecca Herold, a partner at consulting firm Compliance Helper and CEO of The Privacy Professor, says OCR's new focus on desk audits is a good idea.

"It is a very good move to improve efficiency and widen the numbers of CEs, and BAs, that are being audited," she says. "I've done over 250 HIPAA audits since 2000. After you've gotten a good methodology down for performing HIPAA audits, you can then learn from your experiences, know the areas of most common non-compliance and risk, and then refine your audit methodology accordingly."

Security expert Brian Evans, principal consultant at Tom Walsh Consulting, offers a similar perspective. "I'm not surprised with OCR's new audit approach because I can appreciate their limited staffing and financial resources in addition to the fact that this is their first year of the program," he says. "Offsite 'desk audits' can still be a cost-effective way of gathering compliance data and cover more of the population than onsite audit."

But Jennings Aske, CISO at speech recognition software vendor Nuance, which is a business associate under HIPAA, is not sold on the idea of OCR concentrating on mostly desk audits, rather than onsite assessments.

"It's too bad they can't do both," he says. "Onsite audits allow a dialogue between regulators and healthcare providers," says Aske, who joined Nuance in January after leaving his post as chief information security and privacy officer at Partners HealthCare, an integrated health delivery network in Boston. "Remote audits will miss that dynamic.

"I understand that budgets are tight, but I'm surprised OCR isn't getting more funding for this, or can use enforcement money that's been collected" to expand the audit program, Aske says.


more...
No comment yet.
Scoop.it!

Reviewing Concentra Health and QCA HIPAA breach CAPs | HealthITSecurity.com

We learned yesterday that two HIPAA covered entities, Concentra Health Services and QCA Health Plan, had come to individual monetary agreements with the Office for Civil Rights (OCR) to settle HIPAA violations. Those resolutions included corrective action plans (CAPs) as well, but how do they compare with other recent OCR breach agreements?

HealthITSecurity.com reviewed the critical points of the Concentra Health and QCA CAPs and compared them to the HHS agreement with Skagit County of Northwest Washington that was announced in March.

Concentra CAP

OCR found that Concentra (1) failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why it wasn’t appropriate; (2) Concentra failed to sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level.

As for Concentra’s CAP, OCR mandated that the organization update its risk analysis procedures, offer a detailed timeline of how it’s going to encrypt its devices, and explain how it will enhance security training. Concentra will offer:

A. A risk analysis to HHS which will include a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all Concentra ePHI.

B. A risk management plan that explains Concentra’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on Concentra’s circumstances. This shall include with it the following:

(i.) Material evidence of all implemented and all planned remediation actions associated with the risk management plan; (ii.) Specific timelines for their expected completion and identify the compensating controls that will be in place in the interim to safeguard Concentra ePHI.
Additionally, Concentra agreed to give documentation of any changes or updates to its organizational information technology (IT) infrastructure (security environment) that affect the risks and vulnerabilities to ePHI.

Seeing as the breach involved the theft of an unencrypted laptop, it follows that OCR also wanted encryption status updates from Concentra.

A. The percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted at that point in time.

B. Evidence that all new devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) have been encrypted.

C. An explanation for the percentage of devices and equipment that are not encrypted.

D. A breakdown of the percentage of encrypted devices and equipment for each specific Concentra facility and worksite.

Lastly, Concentra will have to boost its security awareness training requirements by offering OCR “documentation to  indicate that all workforce members have completed security awareness training (to include training on Concentra’s Acceptable Use Policy), which shall also include all training materials used for the training, a summary of the topics covered, the length of the session(s), and a schedule of when the training session(s) were held.”

QCA CAP

When HHS investigated QCA Health’s unencrypted laptop breach, it found that (1) QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations; (2) QCA did not implement physical safeguards for all workstations that access ePHI to restrict access to authorized users on October 8, 2011; (3) QCA impermissibly disclosed the ePHI of 148 individuals on October 8, 2011.

QCA Health’s CAP includes improvements to security management process, security awareness and training and prompter responses to reportable events.

QCA shall provide HHS with a risk analysis and corresponding risk management plan that includes security measures to reduce the risks and vulnerabilities to the electronic protected health information (ePHI) maintained by QCA to a reasonable and appropriate level. It will send to HHS for review and approval within 60 days of the Effective Date and any required changes will be made, including a revised risk analysis and risk management plan, and sent to HHS within 30 days.

QCA will also give HHS with its training materials relating to security awareness established to reduce the risks and vulnerabilities to ePHI as identified in its security management process. QCA shall provide the training materials to HHS for review and approval within 30 days of the date HHS has approved QCA’s risk analysis and risk management plan. After HHS approval, QCA shall provide documentation that all workforce members with access to ePHI have received such security awareness training within 60 days and will continue to receive such training on an on-going basis.

Lastly, in regards to reportable events, after hearing that a workforce member may have failed to comply with its Privacy and Security policies and procedures, promptly investigate the matter. If QCA determines, after review and investigation, that a member of its workforce has failed to comply with its Privacy and Security policies and procedures, QCA shall notify HHS in writing within thirty (30) days of its determination. QCA will provide a complete description of the event, as well as a description of the actions taken and any further steps needed.

CAP comparisons

While Concentra and QCA both have work to do in terms of their respective CAPs, Skagit County’s CAP was distinctive for a few reasons. First, seeing as this was the first time a county had been fined, HHS had no choice but to require a large CAP because of the sheer number of HIPAA violations the county experienced. Skagit’s CAP included submission of substitute breach notification, better accounting of disclosures, improved business associate (BA) documentation, improved security management, updated policies and procedures, training, and better response time to reportable events. Concentra and QCA had some of these elements in their CAPs, but they don’t have to essentially improve their privacy and security posture across the board like Skagit will have to do.

Second, in stipulating that Skagit provide substitute breach notification to affected individuals not previously notified, HHs made it clear that it’s going to hammer organizations that don’t notify patients of breaches. Check back with HealthITsecurity.com for more updates on OCR breach penalties.


Related White Papers:
Related Articles:



more...
No comment yet.
Scoop.it!

UPMC data breach may affect as many as 27,000 employees

UPMC data breach may affect as many as 27,000 employees | HIPAA Compliance for Medical Practices | Scoop.it

UPMC now says the personal information of as many as 27,000 of its employees may have been put at risk by a data breach that was first reported to the health care conglomerate in February.

“As of today, 788 employees have been the victims of tax fraud,” UPMC spokeswoman Gloria Kreps wrote in a statement. “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach. We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity.”

The new figure, provided Thursday, was the latest increase by UPMC since employees began reporting instances of identity theft about two months ago.

At first, UPMC said the issue affected only a few dozen employees, then about 322.

“That’s what we were saying all along ... is that there are thousands,” said Michael Kraemer, a Pittsburgh lawyer who has filed a lawsuit seeking class-action status against UPMC for the breach on behalf of employees who had fraudulent bank accounts opened in their name and tax returns stolen. “The message for this huge number of people is you need to keep track of any out-of-pocket expenses and any time you spend dealing with this.”

The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

In addition to the stolen tax refunds, Mr. Kraemer said he has heard from UPMC employees who say they have had bank accounts drained, though he has not yet been able to independently verify the claims.

He questioned why it has taken UPMC so long to identify the scope of the problem.

“It is extremely concerning that when this story broke in February, the response from UPMC was that ‘It’s OK, only 20 people were affected,’” Mr. Kraemer said. “This is something that arguably they should have known back in February. ... People are now exposed.”

Mr. Kraemer said UPMC sought and received a 30-day extension to respond to his suit, filed Feb. 27, and is still within that window.

The hospital group and its affiliates employee about 62,000 people and Mr. Kraemer said he has heard from employees in every facet of UPMC’s operations.

“Just from the sheer number of people I’ve talked to, I don’t see any department that’s been excluded,” Mr. Kraemer said. “Why isn’t it every single employee?”

A UPMC spokesperson said all employees who could have been potentially affected by the breach have been notified.

After the potential data theft was reported, the company set up a hot line for employees to call about their case, created a “comprehensive employee intranet site with information and resources,” hired a tax firm to help employees file the required IRS identity theft affidavit form and offered reimbursement if the employees have hired someone to do it for them. UPMC also offered credit monitoring services for the affected employees and reimbursement employees for costs associated with filing a police report, it has said.

In a letter, UPMC urged employees to contact their banks and check with the IRS to ensure that tax returns have not been fraudulently filed in their names as well as to prevent the potential for future incidents. UPMC also said it is providing LifeLock identity protection free of charge to employees who enroll by April 28.

“We are putting our full resources behind efforts to investigate and secure our systems,” UPMC Vice President John P. Houston wrote in the letter. “We recognize a situation like this creates stress and anxiety about the safety of your personal information and we want to provide you with all the tools and resources we can to help you deal with this all-too-common crime.”



more...
No comment yet.
Scoop.it!

Report: Breaches Up 138 Percent in 2013

Report: Breaches Up 138 Percent in 2013 | HIPAA Compliance for Medical Practices | Scoop.it

A new report reveals that in 2013, the number of protected health information (PHI) breaches were up 138 percent from 2012, with 199 incidents of breaches of PHI reported to the Department of Health and Human Services (HHS) impacting over 7 million patient records.

The report, the fourth annual from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act forced providers to notify HHS when they had a breach affecting 500 or more patients, there have been 804 large breaches of PHI.

Last year, in particular, was rough for providers. Over the course of four years, only one year has been higher in terms of total incidents and number of patients impacted.

"I think the 138 percent increase in patient records breached caught a lot of people by surprise," Daniel W. Berger, Redspin's President and CEO, said in a statement. "There was a sense that the government's 'carrot and stick' approach – requiring HIPAA security assessments to qualify for meaningful useincentives and increasing OCR enforcement initiatives – was driving real progress."

The five largest PHI breaches made up more than 85 percent of the total reported from the year. This includes the Advocate Health and Hospitals breach, where four desktop computers from an office were stolen, that affected more than four million patients. The second and third largest breaches were also caused by theft. In total, theft was the cause of nearly half of all breaches in 2013.

Laptops were the device on which the highest number of data breaches occurred, being involved in nearly 35 percent of all incidents. The lack of encryption on portable devices, the authors of the report say, is one of the highest risks to PHI.

"It's only going to get worse given the surge in the use of personally-owned mobile devices at work," Berger said. "We understand it can be painful to implement and enforce encryption but it's less painful than a large breach costing millions of dollars."

One positive area in the report was the impact of the HIPAA Omnibus Rule on covered entities and business associates (BAs). While the number of breach incidents involving BAs followed the norm in 2013, the number of patient records dropped dramatically from 2009-2012.

Technical Dr. Inc.'s insight:

Is your practice secure?  If you aren't sure, contact Technical Doctor today to schedule your Risk Assessment at inquiry@technicaldr.com or 877-910-0004 x3.


-The Technical Doctor Team

more...
No comment yet.
Scoop.it!

Fourth HIPAA breach for Kaiser | Healthcare IT News

Fourth HIPAA breach for Kaiser | Healthcare IT News | HIPAA Compliance for Medical Practices | Scoop.it

Some 5,100 patients treated at Kaiser Permanente were sent HIPAA breach notification letters Friday after a KP research computer was found to have been infected with malicious software. Officials say the computer was infected with the malware for more than two and a half years before being discovered Feb. 12.    The computer was used by the Kaiser Permanente Northern California Division of Research to store research data. The breach, officials note, involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data.    [See also: Kaiser Permanente sends out breach letters after email gaffe.]   "We have confirmed that the infection was limited to this one compromised server, and that all other DOR servers were and are appropriately protected with anti-virus security measures," said Tracy Lieu, MD, director of the division of research at Kaiser Permanente, in an emailed statement to Healthcare IT News. "It is important to note that the compromised server is used specifically for research purposes at the DOR and is not connected to Kaiser Permanente's electronic health records system."   Lieu said the antivirus software on the server was not updated "due to human error related to the configuration of the software."    Added Lieu, "We value our members and take protecting the privacy and security of their information very seriously. We apologize that this unfortunate incident occurred."   According to data from the Department of Health and Human Services, this is the fourth large HIPAA breach for Kaiser Permanente, which includes Kaiser Foundation Health Plan, Kaiser Foundation Hospitals -- consisting of 32 hospitals -- and Permanente Medical Group.    Last November, in its second reported fall data breach last year, KP notified 49,000 of its Anaheim Medical Center patients that their protected health information had been compromised after an unencrypted USB drive containing their data went missing.    Back in September, some 670 patients received breach notification letters after an emailed attachment containing the protected health information of patients was sent to a recipient outside the Kaiser network. According to KP officials, the attachment was accidentally emailed by a Kaiser employee to a member of a pilot wellness screening competition back in May.     [See also: Advocate Health slapped with lawsuit after massive data breach.]   The third incident occurred at KP's Medical Care Program back in 2009 when an unencrypted portable drive was stolen from an employee's car, compromising the health data of some 15,500 patients.   Theft accounts for the lion's share of HIPAA privacy and security breaches, as HHS' Office for Civil Rights Deputy Director for health information privacy Susan McAndrew pointed out at HIMSS14, representing some 48 percent of all breaches reported.      "Pay attention to encryption," said McAndrew, particularly for any devices that can leave the office. "We're interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses."   To date, more than 30.6 million individuals have had their PHI compromised in a large HIPAA privacy or security breach -- breaches involving more than 500 people -- according to data from the Department of Health and Human Services.  

HIPAA-covered entities and, now, business associates, have handed over some $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that just from last year. And this isn't counting the state and private legal settlements.  
more...
No comment yet.
Scoop.it!

Big Brother Or Best Friend? | EMR and HIPAA

Big Brother Or Best Friend? | EMR and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The premise of clinical decision support (CDS) is simple and powerful: humans can’t remember everything, so enter data into a computer and let the computer render judgement. So long as the data is accurate and the rules in the computer are valid, the computer will be correct the vast majority of the time.

CDS is commonly implemented in computerized provider order entry (CPOE) systems across most order types – labs, drugs, radiology, and more. A simple example: most pediatric drugs require weight-based dosing. When physicians order drugs for pediatric patients using CPOE, the computer should validate the dose of the drug against the patient’s weight to ensure the dose is in the acceptable range. Given that the computer has all of the information necessary to calculate acceptable dose ranges, and the fact that it’s easy to accidently enter the wrong dose into the computer, CDS at the point of ordering delivers clear benefits.

The general notion of CDS – checking to make sure things are being done correctly – is the same fundamental principle behind checklists. In The Checklist Manifesto, Dr. Atul Gawande successfully argues that the challenge in medicine today is not in ignorance, but in execution. Checklists (whether paper or digital) and CDS are realizations of that reality.

CDS in CPOE works because physicians need to enter orders to do their job. But checklists aren’t as fundamentally necessary for any given procedure or action. The checklist can be skipped, and the provider can perform the procedure at hand. Thus, the fundamental problem with checklists are that they insert a layer of friction into workflows: running through the checklist. If checklists could be implemented seamlessly without introducing any additional workflow friction, they would be more widely adopted and adhered to. The basic problem is that people don’t want to go back to the same repetitive formula for tasks they feel comfortable performing. Given the tradeoff between patient safety and efficiency, checklists have only been seriously discussed in high acuity, high risk settings such as surgery and ICUs. It’s simply not practical to implement checklists for low risk procedures. But even in high acuity environments, many organizations continue to struggle implementing checklists.

So…. what if we could make checklists seamless? How could that even be done?

Looking at CPOE CDS as a foundation, there are two fundamental challenges: collecting data, and checking against rules.

Computers can already access EMRs to retrieve all sorts of information about the patient. But computers don’t yet have any ability to collect data about what providers are and aren’t physically doing at the point of are. Without knowing what’s physically happening, computers can’t present alerts based on skipped or incorrect steps of the checklist. The solution would likely be based on a Kinect-like system that can detect movements and actions. Once the computer knows what’s going on, it can cross reference what’s happening against what’s supposed to happen given the context of care delivery and issue alerts accordingly.

What’s described above is an extremely ambitious technical undertaking. It will take many years to get there. There are already a number of companies trying to addressing this in primitive forms: SwipeSense detects if providers clean their hands before seeing patients, and the CHARM system uses Kinect to detect hand movements and ensure surgeries are performed correctly.

These early examples are a harbinger of what’s to come. If preventable mistakes are the biggest killer within hospitals, hospitals need to implement systems to identify and prevent errors before they happen.

Let’s assume that the tech evolves for an omniscient benevolent computer that detects errors and issues warnings. Although this is clearly desirable for patients, what does this mean for providers? Will they become slaves to the computer? Providers already face challenges with CPOE alert fatigue. Just imagine do-anything alert fatigue.

There is an art to telling people that they’re wrong. In order to successfully prevent errors, computers will need to learn that art. Additionally, there must be a cultural shift to support the fact that when the computer speaks up, providers should listen. Many hospitals still struggle today with implementing checklists because of cultural issues. There will need to be a similar cultural shift to enable passive omniscient computers to identify errors and warn providers.

I’m not aware of any omniscient computers that watch people all day and warn them that they’re about to make a mistake. There could be such software for workers in nuclear power plants or other critical jobs in which the cost of being wrong is devastating. If you know of any such software, please leave a comment.

more...
No comment yet.
Scoop.it!

HHS Spells Out Obama Budget's Impact

HHS Spells Out Obama Budget's Impact | HIPAA Compliance for Medical Practices | Scoop.it

The Obama administration's proposed fiscal 2015 budget calls for a 22 percent increase in funding for the office that oversees policies and standards for the HITECH Act's electronic health record incentive program and a 5 percent increase for the agency responsible for enforcing HIPAA compliance.


Obama's budget is a statement of the administration's spending priorities for the federal government. Ultimately, Congress must approve appropriation bills to fund the government. Fiscal 2015 begins on Oct. 1.

ONC FundingUnder Obama's budget proposal unveiled this week, the Department of Health and Human Services' Office of the National Coordinator for Health IT, which oversees the HITECH program, would have a budget of $75 million, up $14 million from the current year. Six additional full-time employees would be added, bringing ONC's headcount to 191.


The proposed ONC budget includes $27.2 million, or $8.5 million more than the current fiscal year, to fund development of standards supporting interoperable and secure health IT infrastructure. In addition, ONC's proposed budget includes $2.9 million for other privacy and security related activities, "ensuring that electronic health information is private and secure wherever it is transmitted, maintained, or received," says an additional ONC budget document, the Justification of Estimates for Appropriations Committee, released by HHS on March 7.


The extra money sought by ONC in fiscal 2015 would also help support a number of other efforts, including the creation of a new Health IT Safety Center, which in fiscal 2015 "will begin a robust collection and analysis of health IT-related adverse events, which will facilitate benchmark data on the types and frequencies of events," says an HHS "budget in brief" document. ONC is seeking $5 million to fund the new safety center in fiscal 2015.


The new center "will monitor and analyze data on patient-safety events, potentially unsafe conditions associated with health IT, and patient-safety events that could be prevented by health IT," the HHS document notes. ONC will work closely with the Agency for Healthcare Research and Quality, the Joint Commission, Food and Drug Administration and patient safety organizations on this effort, the HHS document notes.


The HHS document notes that in fiscal 2015, the FDA will continue to implement key new responsibilities authorized in the FDA Safety and Innovation Act.


The FDA has been collaborating over the last year with ONC and the Federal Communication Commission in developing a "risk-based regulatory framework" to address patient safety concerns around health IT, including potentially those involving cybersecurity issues (see Health IT: A Cybersecurity Framework).


An ONC spokesman says the new Health IT Safety Center "is part of our Safety Surveillance and Action Plan based on recommendations in the Institute of Medicine report," which in 2011 suggested the government and private sector improve transparency in the reporting of health IT safety incidents and enhance monitoring of health IT products. The new safety center will be aligned with the report on the FDA framework, "which we intend to release for comment in March," the ONC spokesman says.


OCR Funding


Meanwhile, under the proposed budget, the HHS Office for Civil Rights, which is responsible for HIPAA enforcement, would have a budget of $41 million, up $2 million from fiscal 2014. OCR would add 11 full-time staff members, increasing its workforce to 218 employees.


The funding increase will help support OCR's centralized case management operations and online complaint system, HHS notes. "The budget supports continued enforcement of the HIPAA security rule and OCR's expanded HIPAA responsibilities," the HHS document says. "OCR evaluates and ensures HIPAA and civil rights compliance through complaint investigations, compliance reviews, audits, resolution agreements, enforcement actions and monitoring, public education and technical assistance."


Among OCR's enforcement activities slated for 2014 is the resumption of HIPAA compliance audits, which have been on hiatus since the agency's pilot audit program wrapped up in 2012 (see HIPAA Audits a Step Closer to Resuming).


Unlike the pilot audits, which were conducted by the consulting firm, KPMG, the next wave of HIPAA audits will be performed by OCR's internal staff.


OCR officials recently confirmed the agency is taking the first steps to resuming the program. In a Feb. 24 notice in the Federal Register, OCR said it will survey "up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program."


In fiscal 2013, OCR resolved more than 9,500 complaints of alleged HIPAA violations, and collected about $4 million in HIPAA settlements related to its enforcement activities, the HHS document notes. OCR projects that it will collect about $5.5 million from HIPAA settlements in fiscal 2014, which the agency will use to further fund its enforcement activities, according to the HHS document. Under HIPAA Omnibus, penalties for each HIPAA violation can range up to $1.5 million.

more...
No comment yet.
Scoop.it!

Nurse practitioners: Consider 5 things before friending patients on Facebook

Nurse practitioners: Consider 5 things before friending patients on Facebook | HIPAA Compliance for Medical Practices | Scoop.it
The decision is up to you, but here’s what you need to think about.


 With the social media boom, lines between personal and professional lives become blurred. What is posted online stays online.


Even if your Facebook profile is labeled "private", I am certain there is still a way anyone persistent enough can see your information and photos. This is why I recommend removing all of your boozing party pics from college before sending out resumes (you should also leave them off of your profile for the remainder of your professional life—you can put them back up when you retire).


With this blurring of the personal and professional and the wealth of personal information online, naturally this question arises: should you become Facebook friends with your patients?


Ultimately, the decision is up to you, but here are some things to consider:


1. Social media is culturally relevant.


Your patients are all using social media—probably even in your office while they wait for their appointments. Twitter, LinkedIn and Facebook are places your patients get their information. By forming an online relationship with your patients, you will be able to reach them more effectively.


Are you trying to help many of your patients lose weight? Develop a Twitter account for weight loss tips and daily reminders to assist your patients with weight loss even when you can't be with them. This will make your preventative healthcare far better than that of other nurse practitioners (NPs) and MDs.


I must also mention the use of email in relation to cultural relevance. I believe willingness to email your patients is a necessity. Calling a medical office can be frustrating. Your patients want to be able to reach you easily. Email will take less time than you think and your patients will appreciate your efforts. The ability to schedule appointments online on your clinic's website is also a must!


2. Privacy and legal concerns with social media


We are all well aware of the infamous Health Insurance Portability and Accountability Act (HIPAA). Patient information is private. You cannot share it in any way shape or form.


Beware of posting anything at all about your work on your personal Facebook or Twitter account. It is so easy to mistakenly reveal a patient's private information online; I believe it is best not to post anything at all. All patient stories posted through MidlevelU are not "real" patients.


Legally, posting anything about your work as a nurse practitioner also puts you at risk. I have been advised not to post if I have had a "good day" or "bad day" at work. If a malpractice case is presented, these statements will be scrutinized and could be used against you or a co-worker.


3. Setting boundaries


An online relationship with your patients can help you view your patients as a "whole" rather than simply a medical diagnosis. Taking into consideration your patients' lifestyles and how their health affects their lives can help you become a better provider.


There are some things about your life, however, that you should probably keep private. According to the Seattle Times, a recent survey found that 90 percent of state medical boards reported at least one online professional standards violation by a doctor. Nurse practitioners who "friend" their patients must keep their social media profiles clean and appropriate.


4. Building your practice


Social media is an excellent business building tool. Your patients have chosen you as their health care provider. Using social media, you can communicate with them outside of the usual office visit increasing their confidence in and relationship with you as a health care provider. Social media also allows you to encourage new patients to visit your clinic, further expanding your practice.


5. Becoming personable


Most patients want to see you as a person. Because you are providing them and their families health care, they need to trust you. By giving glimpses of your personality and life as a whole, your patients will trust you more allowing you to have a greater impact on their health.


Given the benefits and drawbacks of involvement in social media among health care providers, I think there is an easy solution. Create a social media for your practice or specialty. Rather than "friending" your patients using your personal Facebook page, create a page for your practice or a page for you personally that you use only for professional use. This will allow to you extend your health care knowledge and advice to patients at home and give a glimpse of your personality to your patients without leaking any old sorority photos into your professional presence. 

more...
No comment yet.
Scoop.it!

Financial Penalty in Small Breach Case

Financial Penalty in Small Breach Case | HIPAA Compliance for Medical Practices | Scoop.it

An investigation by the Department of Health and Human Services into a relatively small breach at a county health department in Washington state has resulted in a $215,000 monetary settlement.


Skagit County, located in Northwest Washington and home to approximately 118,000 residents, has agreed to pay a $215,000 settlement and to work closely with the HHS Office for Civil Rights to correct deficiencies in its HIPAA compliance program, which were discovered during an OCR investigation into a December 2011 breach.


The Skagit County Public Health Department provides services to many individuals who would otherwise not be able to afford healthcare, according to an HHS statement about the settlement.


OCR says it opened its investigation upon receiving a breach report from Skagit County in December 2011 that noted money receipts with electronic protected health information of seven individuals were accessed by unknown parties after the information had been inadvertently moved to a publicly accessible server maintained by the county.


However, OCR's investigation into the matter revealed a broader exposure of data. The breach actually involved the ePHI of 1,581 individuals, not seven. "Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases," HHS says.


OCR's investigation uncovered widespread non-compliance with the HIPAA privacy, security and breach notification rules, federal officials say.


"This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size," says Susan McAndrew, OCR deputy director of health information privacy. "These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients' information."


In the wake of the breach, an area of focus for the county is training department of health workers to use only the minimum necessary personal information of patients, Ron Wesen, county board of commissioners chair, tells Information Security Media Group. He explains that the county's breach investigation determined that department workers had been mistakenly posting onto a public website patient receipts containing personal information.

Government Breaches

While the settlement is the first with a county government, one of the largest OCR HIPAA settlements to date was in June 2012 with a unit of state government, the Alaska Department of Health and Social Services. That $1.7 million settlement was the result of an OCR investigation triggered by a stolen unencrypted USB storage drive potentially containing data about 500 Medicaid beneficiaries.


"This latest settlement indicates to me that OCR is investigating cases large and small, which is exactly what the industry needs to take HIPAA security compliance more seriously," says security expert Brian Evans, a principal at Tom Walsh Consulting.


Organizations need to take steps to ensure they don't underestimate the size of a breach, Evans stresses. "Nobody wants or expects OCR to show up and do a better job than you in investigating your organization's breach," he says.


"Small organizations like Skagit County should decide in advance whether they're going to use existing staff to build an incident response team or outsource it," Evans says. "If they're going to build it in-house, then they need to formally designate and train its team members on how to properly conduct incident investigations. Otherwise, cross your fingers and hope for the best."

Corrective Actions

As part of its settlement with OCR, Skagit County agreed to a corrective action plan to ensure it has in place written policies and procedures, training and other measures to comply with the HIPAA rules. The corrective action plan also requires the county to provide regular status reports to OCR.


The plan notes that among Skagit County's HIPAA deficiencies were failure to provide notification as required by the breach notification rule to all those impacted by the incident; failure to implement sufficient policies and procedures to prevent, detect, contain and correct security violations; failure to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the security rule; and failure to provide security training to all workforce members.


Among the steps the county has agreed to take are:


  • Provide a new breach notification to HHS for review and approval, and then publish it in local media;
  • Provide to HHS a description of Skagit County's procedures that ensure the breach incident involving patient PHI is included in any accounting of disclosures provided to any individual impacted by the incident;
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;
  • Provide HIPAA training to members of the county's workforce who have access to ePHI.
more...
No comment yet.
Scoop.it!

25 Tips for Passing a HIPAA Risk Assessment

25 Tips for Passing a HIPAA Risk Assessment | HIPAA Compliance for Medical Practices | Scoop.it

Title II of the Health Insurance Portability and Affordability Act (HIPAA), known as the “Administrative Simplification Provisions,” requires medical practices to follow a set of national standards for electronic healthcare transactions and assigns national identifiers for providers, health insurance plans, and employers.


A checklist of security features is helpful in preparing for a HIPAA risk assessment.
Courtesy of Thinkstock

In addition, the requirements for meaningful use state that a practice must “conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” Thus, to meet the Meaningful Use requirements, practices must conduct periodic risk assessments to prove that they are HIPAA-compliant.

What is a HIPAA risk assessment?
A HIPAA risk analysis is a process that helps ensure that the practice is following these national standards. It involves a thorough look at the practice, in particular the information technology standards. As part of the assessment, someone in the office, typically a physician or the practice manager, should be designated as the HIPAA security officer.

But what does a risk analysis entail, and what must be included in the report? According to the Department of Health and Human Services (HHS) Security Standards Guide, a risk analysis has nine mandatory components. Any healthcare or healthcare-related organization that stores or transmits electronic protected health information (ePHI) must include the following components in their risk analysis document:

  • Scope of the analysis—any potential risks and vulnerabilities to the privacy, availability, and integrity of ePHI
  • Data collection—where data is being stored, received, maintained, or transmitted
  • Potential threats and vulnerabilities—identifies and documents any anticipated threats and vulnerabilities that may lead to an ePHI breach
  • Current security measures—steps being taken to protect data, such as encryption
  • Likelihood of threat occurrence—the probability of potential risks to ePHI
  • Potential impact of threat occurrence—the impact of a data threat, as determined by using either qualitative or quantitative measures
  • Determination of level of risk—the average of the assigned likelihood of occurrence and the potential impact, plus a list of corrective actions that would be performed to mitigate risk
  • Documentation—the written analysis required by HHS
  • Reviews and updates—subsequent risk analyses whenever new technology or changes to business operations are planned or implemented

Although many practices may be able to conduct a risk assessment without using an outside vendor, others may decide that an outside vendor can be more objective and efficient. Asking other practices how they approached the project, searching the Internet, and checking with the practice’s current IT vendor are ways a practice can find companies that specialize in conducting risk assessments.

Any vendor selected should provide a certificate that states the practice has had a HIPAA risk assessment. If the assessment is completed by practice physicians and staff, it is important to document each activity in the process.

25 tips 
The following list will help you prepare for a risk assessment (and are also good habits to form):

  1. Always follow HIPAA guidelines and rules.
  2. Keep all paper medical records under lock and key and make sure only authorized personnel have access to them.
  3. Ensure that any paper records that are past their required storage date or have been digitized and are no longer needed are properly destroyed.
  4. Install antivirus and firewall software on all personal computers, laptops, tablets, and the practice’s internal network. If possible, the internal network should have only limited Internet access.
  5. Make sure that computer screens do not face the reception room or any direction within view of unauthorized personnel. In addition, be sure that password locks are used when staff step away from their computers.
  6. Train staff to always log out of the electronic health record system when they leave the computer.
  7. Do not use social security numbers as unique patient identifiers.
  8. Because patients have the right to revoke access to any health information network the practice is part of, be sure that proper written consent is obtained before any information is shared.
  9. Require that passwords be changed on a regular basis. Ensure that passwords are not exchanged, written down, or posted in places where others can see them.
  10. Keep portable hardware containing data secure and locked away when not in use.
  11. Keep all hardware—including servers—in a clean environment, with minimal or no access by unauthorized personnel.
  12. Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for protecting patient health information.
  13. Ensure that staffing policies and procedures are up to date. If an employee leaves the practice, change his or her user status to inactive on the last day of employment.
  14. Review audit trails on a regular and periodic basis to identify potential system abuse or misuse.
  15. Have a disaster recovery procedure.
  16. Make sure data are backed up every day.
  17. Ensure that the computer(s) that stores the patient data is encrypted.
  18. Keep a list of the practice’s third-party vendors and ensure that they all sign a Business Associates Agreement stating that they won’t disclose any practice information.
  19. Designate a staff member to be a “security officer,” who is in charge of making sure the practice is HIPAA-compliant.
  20. Provide all employees with badges or other form of identification that proves they work for the practice.
  21. Train the staff on proper Internet use, including avoiding the use of the practice’s computers for personal business.
  22. Do not include any information that can identify a person as a patient in records that are not part of the EHR system.
  23. Do not allow flash drives or any external data device used in the practice to be removed from the practice or used on computers that are not owned by the practice.
  24. Notify the security officer immediately if a computer shows signs of being infected.
  25. Never put flash drives or external media found on the ground into a practice’s computer.

Dave Kunz is vice president, sales, for Technical Doctor, Inc., Arlington Heights, Ill., a healthcare IT company that specializes in HIPAA-compliant solutions. For more information, visit www.technicaldr.com

AAOS Now
March 2014 Issue
http://www.aaos.org/news/aaosnow/mar14/managing1.asp

more...
No comment yet.
Scoop.it!

Group slapped with $6.8M HIPAA fine | Healthcare IT News

Group slapped with $6.8M HIPAA fine | Healthcare IT News | HIPAA Compliance for Medical Practices | Scoop.it

Federal HIPAA violation penalties may be capped at $1.5 million per incident per year, but there's also state and regional fines for those disregarding privacy and security laws.

 

Case in point, Triple-S Management Corp., a San Juan-based insurance holding company, who was recently slapped with $6.8 million in penalties for improperly handling the medical records of some 70,000 individuals, according to HHS data and a Caribbean Business report. 

 

Triple-S reportedly mailed letters to its Medicare Advantage patients with the Medicare numbers visible from the outside.

 

Puerto Rico's Health Insurance Administration slapped with company with the fines, based on a breach that occurred September of last year. This is the second big HIPAA breach for Triple-S -- who currently handles the benefits for some 2.2 million people -- according to HHS data.

 

Federal HIPAA requirements require HIPAA-covered entities and business associates to provide breach notification to affected individuals no more than 60 days upon discovering the breach.

 

As far as federal investigations underway, HHS spokesperson Rachel Seeger told Healthcare IT News the investigations involving the breaches at Triple-S Salud are still open and under investigation. "We cannot comment further on the status of these cases at this time," she said.

 

"The (Puerto Rico Health Insurance Administration) in its obligation to ensure the privacy and integrity of your protected health information reiterates its commitment to comply with its affiliates to prevent situations like this from recurring in the future," read a notice on Puerto Rico's Health Insurance Administration website.

 

Puerto Rico HIPAA-covered entities and business associates have been responsible for breaching the medical records of nearly 699,000 individuals since 2008.

 

Nationwide, some 29.3 million individuals have been affected by a HIPAA privacy or security breach.

 

Technical Dr. Inc.'s insight:

Is your practice HIPAA Compliant?  Have a risk assessment done today by Technical Doctor to find out.  Contact inquiry@technicaldr.com for more information.  


- The Technical Doctor Team

more...
No comment yet.
Scoop.it!

12 Tips to Prevent a Healthcare Data Breach

12 Tips to Prevent a Healthcare Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

Privacy and security have always been priorities for healthcare CIOs, but changes to HIPAA under the HITECH ACT of 2009 put the issues squarely in the spotlight. Providers that suffer data breaches that affect more than 500 patients must notify the Department of Health and Human Services, which maintains a public list of all breaches, and are subject to fines of up to $1.5 million (on top of mitigation costs). These 12 tips can help you avoid the costly, and embarrassing, consequences of suffering a healthcare data breach.

Conduct a Risk Assessment

The HIPAA Security Rule, passed in 2003, required health care organizations to conduct a risk assessment but didn't penalize noncompliance, so few providers did it. The HITECH Act changed that by making security risk analysis a core, or mandatory, requirement under Stage 1 of the meaningful use of electronic health record software. (Meaningful use provides financial incentives to organizations using EHR by 2014 and penalties to those who aren't.) The Office for Civil Rights' guidance on conducting a risk analysis says providers should identify vulnerabilities in information systems or security policies as well as natural, human and environmental threats to the security of protected health information (PHI).

Educate Employees About HIPAA

Knowledge is power, after all. Make sure all employees know what personal health information (PHI) can and cannot be shared with patients, caregivers and outsiders—bearing in mind that, in addition to federal HIPAA regulations, individual states have their own rules. This training should happen on a regular basis, not just when an employee is hired. Use high-profile data breaches to illustrate worst practices and discuss what should have been done differently. Set a social media policy that clearly defines what is and is not appropriate, and share it with all employees, whether they see patients or not.

Tell Employees to Watch Their Stuff

Hackers are responsible for fewer than 10 percent of the healthcare data breaches that have been reported to date. Most, it turns out, are the result or lost or stolen laptops, backup tapes, CDs, thumb drives or other types of portable electronic devices. These devices have been stolen from a physician's home, taken from a car or misplaced. Yes, it is IT's responsibility to secure the devices it issues employees—and that will be covered later—but employees need to understand the repercussions of their forgetfulness.

Keep an Eye on Paper Records

Many providers are ditching paper charts for EHR technology, largely because the HITECH Act requires them to do so. The HITECH Act says nothing about paper records, though. They remain plentiful—and prone to loss, having been involved in one in four breaches. Medical records and X-rays been left on the train 70 miles away. Whether paper records go offsite or stay onsite, visit their location regularly and make sure physical security passes muster. Or take the final step—scan all paper records, import them into your EHR and get rid of paper once and for all.

Encrypt Data at Rest and in Motion

HIPAA doesn’t require encryption per se, but the HITECH Act states that if encrypted data falls into the wrong hands, the incident does not constitute a data breach. Centrally managed data encryption technology adhering to the Advanced Encryption Standard is the best starting point, since it's the data that's most important to thieves and malicious hackers. Be sure to encrypt data in transmission, too; only decrypt data after a user has been authenticated, and encrypt it again once it arrives at its destination (Side note: When you're engaging in health information exchange, get patients' permission to send and receive data—and consider letting them opt out if they feel the process threatens their privacy.)

Encrypt Hardware, Too

Remember those lost laptops from the fourth slide? They're why you shouldn't solely settle for data encryption. Lock up the servers your data sits on, the mobile devices employees use to move data around and the network endpoints through which data is exchanged. Store encryption keys for backup tapes separately from the tapes themselves, and don't lose the keys. Same goes for the transparent data encryption product you're using on your database. Consider "on-the-fly" server encryption as a way to encrypt and decrypt data before it's loaded or saved and unbeknownst to the end user. Finally, don't forget about medical devices that regularly collect and transmit data. If they're too old to be encrypted, either replace them or shore up network security.

Subnet Wireless Networks

If patients can get free Wi-Fi at McDonald's, they'll expect it when they're at the hospital. The key, of course, is to give patients what they want without exposing PHI and other sensitive information. Subnetting, or creating subnetworks, is the best way to do this. Set aside part of your network for public use; limit guest activity to the browser. Use separate, more secure subnets for business applications, any app that touches PHI and any app that's involved with credit card transactions. Another subnet for those old medical devices may be a good idea, too. As stated, encrypt each subnet in accordance with Wi-Fi Protected Access 2 protocols, and change WPA2 keys frequently.

Take Identity and Access Management Seriously

Many people, with many different job titles, need access to patient data. What a physician needs to see will differ dramatically from what an attending nurse, bill collector or fundraising coordinator needs to see. Use IAM technology to give employees access to only the data that's relevant to their role within the healthcare organization. Automate this process, so all the new residents who start July 1 have individual accounts. Make it easy for one user to log off a shared machine and another user to log on, too. That way, employees actually use their own login credentials, which makes audit trails easier to follow, and applications aren't carelessly left unattended just because no one logs off when they walk away from a computer.

Create an Airtight BYOD Policy

Mobile devices such as the iPad will make their way into healthcare facilities whether you like it or not. It's only a matter of time before doctors want access to PHI on them. In your BYOD policy, prevent users from storing data locally, lest the device fall into the wrong hands, and insist upon bidirectional authentication to verify a password and a token whenever access to PHI is requested. (An extra step, yes, but it ensures that the correct person is viewing the data.) Consider measures that prevent devices from connecting to healthcare apps beyond a certain distance from the medical campus or after a certain length of time. Finally, maintain remote wipe and autolock capabilities and forbid the use of cellphone cameras.

Examine Service-Level Agreements With a Fine-Toothed Comb

The cloud is an increasingly attractive option for healthcare organizations that need to archive years' worth of patient data but lack the space (or expertise) to do it onsite. If you go to the cloud, keep several things in mind. Your SLA should clearly state that you, not the cloud service provider (CSP), own your data. The SLA should also spell out how the CSP will comply with HIPAA, PCI DSS and relevant state data privacy laws and how you will be granted access to your data. Examine the provider's backup, disaster preparedness, disaster recovery and uptime guarantees carefully. This is especially true if you've decided to move mission- and life-critical data to the cloud, as this places a premium on application recovery.

Nag Business Associates

Under revised HIPAA rules, HIPAA business associates are held to the same standards as HIPAA covered entities when it comes to protecting patient data and being fined for failing to do so. Update your business associate agreements to reflect this—and do so regularly. Force business associates to create processes for discovering and reporting data breaches to you. Work with them to explicitly state who's responsible for what in the event of a data breach, and remember that state breach notification laws may differ from HIPAA. Make your BAs responsible for their subcontractors' actions, since a healthcare data breach caused by the subcontractor will eventually get back to you.

Hire a Good Lawyer

If you do suffer a breach, expect to hear from the Office for Civil Rights within the U.S. Department of Health and Human Services; the OCR investigates and hands out fines for HIPAA violations. Expect to hear from lawyers representing patients, too. Law firms see big money in healthcare breach cases, which isn't surprising since there have been more than 500 since 2009—many of them preventable. Proving negligence can be difficult, though, since even organizations in full compliance with the law have suffered a breach. Whatever happens, play nice. Cignet Health, recipient of the largest HIPAA violation to date ($4.3 million), was hit so hard because it withheld patient records and didn't cooperate with OCR.

 

Technical Dr. Inc.'s insight:

Have you had a Risk Assessment performed on your practice?  This is an annual requirement, so contact the experts to have your assessment scheduled today.  inquiry@technicaldr.com or 877-910-0004


-The Technical Doctor Team

more...
No comment yet.
Scoop.it!

Should you care about HIPAA compliance? | Healthcare IT News

Should you care about HIPAA compliance? | Healthcare IT News | HIPAA Compliance for Medical Practices | Scoop.it

The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (healthcare providers or payers) (CEs) or business associates (everyone else in the healthcare ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.

There are innumerable clinical, financial and compliance issues to be concerned about in this watershed era for the American healthcare system. However, do not forget about HIPAA.

Long before becoming covered entities under HIPAA, physician practices have been aware of their responsibilities regarding privacy and security of protected health information (PHI in HIPAA-speak). The HIPAA rules have added a layer of compliance requirements to a pre-existing landscape of patient records privacy laws. Some of the regulatory changes affect the ways in which physician practices may market to new and established patients, but many of the changes that took effect last year relate to the obligations of business associates – “downstream contractors” that deal in PHI on behalf of physician practices. BAs are now explicitly subject to the same compliance requirements applicable to CEs. And it is the responsibility of each CE to ensure that downstream contractors are doing what they are supposed to be doing in the realm of HIPAA compliance – or risk being held liable for the failings of their BAs. It is therefore a good time for physician practices to re-examine their HIPAA compliance plans, the scrutiny applied to their BAs’ HIPAA compliance programs, and their contractual agreements with BAs. The bottom line is, well, the bottom line; Covered Entities are now explicitly liable for the HIPAA compliance of their Business Associates.

What does this mean in practice?

1. Tailor-made compliance plans. Unlike other regulatory schemes, which envision compliance with specific rules and regulations, and allow for certification of compliance, HIPAA is a much looser construct. There are standards, but adherence with all of them is not mandatory. Some standards are “addressable” – which means that regulated entities may address certain regulatory concerns in ways other than full compliance with the methods outlined in the rule. The idea is that this is not a one-size-fits-all program; rather, HIPAA compliance programs need to be tailored to the privacy and security needs of an individual CE or BA.

2. Adoption of policies; review of policies and related documents. Privacy and security policies must be revised and updated on a regular basis, particularly in connection with a major regulatory overhaul such as the promulgation of the Omnibus Rule, but also on an annual basis. Grandfathered Business Associate Agreements (BAAs) should be reviewed for compliance with the new regulations as well. More and more CEs are looking for indemnification provisions in their BAAs. In the end, though, the indemnities are only as good as the BA’s HIPAA compliance program and insurance, both of which bear closer examination.

3. Workforce training. Once appropriate policies, agreements and insurance are in place, the workforce must be trained, and tested, on the HIPAA compliance material.

4. Risk assessments. Annual risk assessments – preferably handled by outside data security experts – must be conducted on an annual basis. A good risk assessment will uncover room for improvement even in an organization that is highly attuned to HIPAA compliance. Why? Because this is more of a continuous improvement exercise addressing evolving realities than it is check-the-box compliance with a static rule.

Are there things other than HIPAA compliance that demand investment of staff and other resources? Of course there are. But the costs associated with failing to invest appropriately in this realm can be significant. Multi-million-dollar fines and imposition of compliance monitoring agreements – to say nothing of the attendant negative publicity – may be devastating. It seems clear that the investment in HIPAA compliance is one that is likely to pay dividends over the years.

A well-developed, well-documented and well-implemented privacy and security policy, where training and testing of staff is documented, where key agreements are in place and easily producible for review when your friendly neighborhood government agent comes knocking, will go a long way towards minimizing potential sanctions when (not if) your organization experiences a breach of privacy or security of protected health information.

more...
No comment yet.
Scoop.it!

4 ways to ensure HIPAA compliance | Government Health IT

The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits.

Regulators are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general.

The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (healthcare providers or payers) (CEs) or business associates (everyone else in the healthcare ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.

Long before becoming covered entities under HIPAA, physician practices have been aware of their responsibilities regarding privacy and security of protected health information (PHI in HIPAA-speak). The HIPAA rules have added a layer of compliance requirements to a pre-existing landscape of patient records privacy laws. Some of the regulatory changes affect the ways in which physician practices may market to new and established patients, but many of the changes that took effect last year relate to the obligations of business associates – “downstream contractors” that deal in PHI on behalf of physician practices.

BAs are now explicitly subject to the same compliance requirements applicable to CEs. And it is the responsibility of each CE to ensure that downstream contractors are doing what they are supposed to be doing in the realm of HIPAA compliance – or risk being held liable for the failings of their BAs. It is therefore a good time for physician practices to re-examine their HIPAA compliance plans, the scrutiny applied to their BAs’ HIPAA compliance programs, and their contractual agreements with BAs. The bottom line is, well, the bottom line; covered entities are now explicitly liable for the HIPAA compliance of their business associates.

What does this mean in practice?

1. Tailor-made compliance plans. Unlike other regulatory schemes, which envision compliance with specific rules and regulations, and allow for certification of compliance, HIPAA is a much looser construct. There are standards, but adherence with all of them is not mandatory. Some standards are “addressable” – which means that regulated entities may address certain regulatory concerns in ways other than full compliance with the methods outlined in the rule. The idea is that this is not a one-size-fits-all program; rather, HIPAA compliance programs need to be tailored to the privacy and security needs of an individual CE or BA.

2. Adoption of policies; review of policies and related documents. Privacy and security policies must be revised and updated on a regular basis, particularly in connection with a major regulatory overhaul such as the promulgation of the Omnibus Rule, but also on an annual basis. Grandfathered Business Associate Agreements (BAAs) should be reviewed for compliance with the new regulations as well. More and more CEs are looking for indemnification provisions in their BAAs. In the end, though, the indemnities are only as good as the BA’s HIPAA compliance program and insurance, both of which bear closer examination.

3. Workforce training. Once appropriate policies, agreements and insurance are in place, the workforce must be trained, and tested, on the HIPAA compliance material.

4. Risk assessments. Annual risk assessments – preferably handled by outside data security experts – must be conducted on an annual basis. A good risk assessment will uncover room for improvement even in an organization that is highly attuned to HIPAA compliance. Why? Because this is more of a continuous improvement exercise addressing evolving realities than it is check-the-box compliance with a static rule.

Are there things other than HIPAA compliance that demand investment of staff and other resources? Of course there are. But the costs associated with failing to invest appropriately in this realm can be significant. Multi-million-dollar fines and imposition of compliance monitoring agreements – to say nothing of the attendant negative publicity – may be devastating. It seems clear that the investment in HIPAA compliance is one that is likely to pay dividends over the years.

A well-developed, well-documented and well-implemented privacy and security policy, where training and testing of staff is documented, where key agreements are in place and easily producible for review when your friendly neighborhood government agent comes knocking, will go a long way towards minimizing potential sanctions when (not if) your organization experiences a breach of privacy or security of protected health information.

David Harlow is Principal of The Harlow Group LLC, a health care law and consulting firm based in Boston, MA. He blogs regularly at HealthBlawg, where this post originally appeared. Follow him on Twitter.

See also:

The future of health IT security

What health orgs need to know about Heartbleed



more...
No comment yet.
Scoop.it!

Life as a Healthcare CIO: HIPAA and Fundraising

Life as a Healthcare CIO: HIPAA and Fundraising | HIPAA Compliance for Medical Practices | Scoop.it
+Tag

I was recently asked about using patient identified data for fundraising.

The HIPAA Omnibus rule does permit the use of  department of service, treating physician, and outcomes information in fund raising activities with an understanding that a patient can opt out and their wishes must be respected.

*The Notice of Privacy Practices must disclose fundraising and right to opt out.
*The covered entity or business associate must not send further communications to those individuals who have opted out, but opt out can be limited to a specific campaign.
*If PHI not used (e.g., a purchased list) notice and opt out do not apply.

Here’s an excellent overview of the regulation and best practices related to fundraising

How do I think about supporting healthcare fundraising activities with IT?

*Keep all data centrally managed so that no shadow databases of patient identified information are stored in departments or on mobile storage systems.

*Ensure that experts perform all queries and create “minimal need to know” views of patient information.

*Create audit trails of all lookups

*Support the Development department with business intelligence tools that enable them to do their work but eliminate the need to access clinical systems

*Ensure that opt out requirements are respected.

As with most things involving privacy and security, it is possible to balance business needs and regulatory compliance.   Centrally managing the process requires close collaboration between IT and the fundraising business owners.    Strong policies, communication and relationships are just as important as the technology.

more...
No comment yet.
Scoop.it!

UPMC data breach may affect as many as 27,000 employees

UPMC data breach may affect as many as 27,000 employees | HIPAA Compliance for Medical Practices | Scoop.it
UPMC data breach may affect as many as 27,000 employeesApril 17, 2014 9:11 PM
Share with others:

By Robert Zullo / Pittsburgh Post-Gazette

UPMC now says the personal information of as many as 27,000 of its employees may have been put at risk by a data breach that was first reported to the health care conglomerate in February.

“As of today, 788 employees have been the victims of tax fraud,” UPMC spokeswoman Gloria Kreps wrote in a statement. “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach. We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity.”

The new figure, provided Thursday, was the latest increase by UPMC since employees began reporting instances of identity theft about two months ago.

At first, UPMC said the issue affected only a few dozen employees, then about 322.

“That’s what we were saying all along ... is that there are thousands,” said Michael Kraemer, a Pittsburgh lawyer who has filed a lawsuit seeking class-action status against UPMC for the breach on behalf of employees who had fraudulent bank accounts opened in their name and tax returns stolen. “The message for this huge number of people is you need to keep track of any out-of-pocket expenses and any time you spend dealing with this.”

The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

In addition to the stolen tax refunds, Mr. Kraemer said he has heard from UPMC employees who say they have had bank accounts drained, though he has not yet been able to independently verify the claims.

He questioned why it has taken UPMC so long to identify the scope of the problem.

“It is extremely concerning that when this story broke in February, the response from UPMC was that ‘It’s OK, only 20 people were affected,’” Mr. Kraemer said. “This is something that arguably they should have known back in February. ... People are now exposed.”

Mr. Kraemer said UPMC sought and received a 30-day extension to respond to his suit, filed Feb. 27, and is still within that window.

The hospital group and its affiliates employee about 62,000 people and Mr. Kraemer said he has heard from employees in every facet of UPMC’s operations.

“Just from the sheer number of people I’ve talked to, I don’t see any department that’s been excluded,” Mr. Kraemer said. “Why isn’t it every single employee?”

A UPMC spokesperson said all employees who could have been potentially affected by the breach have been notified.

After the potential data theft was reported, the company set up a hot line for employees to call about their case, created a “comprehensive employee intranet site with information and resources,” hired a tax firm to help employees file the required IRS identity theft affidavit form and offered reimbursement if the employees have hired someone to do it for them. UPMC also offered credit monitoring services for the affected employees and reimbursement employees for costs associated with filing a police report, it has said.

In a letter, UPMC urged employees to contact their banks and check with the IRS to ensure that tax returns have not been fraudulently filed in their names as well as to prevent the potential for future incidents. UPMC also said it is providing LifeLock identity protection free of charge to employees who enroll by April 28.

“We are putting our full resources behind efforts to investigate and secure our systems,” UPMC Vice President John P. Houston wrote in the letter. “We recognize a situation like this creates stress and anxiety about the safety of your personal information and we want to provide you with all the tools and resources we can to help you deal with this all-too-common crime.”


Read more: http://www.post-gazette.com/business/finance/2014/04/17/UPMC-data-breach-may-affect-as-many-as-27-000-employees/stories/201404170277#ixzz2zXgXTyKl



more...
No comment yet.
Scoop.it!

Security Risk Assessment | Providers & Professionals | HealthIT.gov

Security Risk Assessment | Providers & Professionals | HealthIT.gov | HIPAA Compliance for Medical Practices | Scoop.it
Technical Dr. Inc.'s insight:
Subtitle: 
What is Risk Assessment?
Description: 

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Watch the Security Risk Analysis video to learn more about the assessment process and how it benefits your organization or visit the Office for Civil Rights' official guidance.

Read the HHS Press Release.

more...
No comment yet.
Scoop.it!

Is Your Health Insurance Portability and Accountability Act (HIPAA) Compliance Program Going Out the Window with XP? | The National Law Review

Is Your Health Insurance Portability and Accountability Act (HIPAA) Compliance Program Going Out the Window with XP? | The National Law Review | HIPAA Compliance for Medical Practices | Scoop.it
April 8, 2014 marks the end of Microsoft’s support for the Windows XP operating system, which means the end of security updates from Microsoft and the beginning of new vulnerability to hackers and other intruders into systems still utilizing the operating system. But does the end of Windows XP support mean that HIPAA covered entities and their business associates using Windows XP are automatically out of compliance with HIPAA as of April 8th? Not necessarily.


MiamiHerald.com
Is Your Health Insurance Portability and Accountability Act (HIPAA) Compliance ...
The National Law Review
But does the end of Windows XP support mean that HIPAA covered entities and their business associates using Windows XP are automatically out of compliance with HIPAA as of April 8th? Not necessarily. It is impossible to say with certainty that April ...
Microsoft to drop Windows XP support
Microsoft Is About To End Windows XP Support
Support for Windows XP ends today
more...
No comment yet.
Scoop.it!

From AHIMA: Look Closer at Vendor HIPAA Compliance

From AHIMA: Look Closer at Vendor HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

With stronger HIPAA privacy and security requirements now in effect, health care providers need to ensure that their information technology vendors and their business associates understand and are compliant with the provisions.

more...
No comment yet.
Scoop.it!

5 things to remember about HIPAA in 2013

5 things to remember about HIPAA in 2013 | HIPAA Compliance for Medical Practices | Scoop.it

Make sure you know these basic facts.


 As competition between health care providers continues to surge, hospitals need to step up the pace when it comes to their marketing efforts.


But in the “world according to HIPAA,” many marketers feel like their hands are tied under stringent rules that define “marketing” as:


“A communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”


With limited exceptions, the privacy rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So how can marketers effectively market?


First and foremost, don’t let HIPAA become an excuse for tapering off on your marketing efforts. Knowledge is power. So take some time to familiarize (or re-familiarize) yourself with HIPAA’s marketing rules. Here are some general guidelines to keep in mind as you plan for the year ahead.


Testimonials:

Patient testimonials can add credibility to many marketing campaigns. Obviously, a patient must approve the use of a specific testimonial before it can be used. But don’t stop with a “standard” release form. HIPAA regulations and release forms also apply. And be sure to keep all signed copies on file. Same goes with using patient photos. Be sure to get—and retain—photo releases.


Truth in advertising:

There’s not much room for vague statements under HIPAA. So if you can’t back it up, don’t make the statement. Advertising claims must be factual—and verifiable.


Mailing lists:

When it comes to direct marketing to consumers, do not use lists that originate from personal records, such as private practice information. Note: there is an exception to the marketing definition which permits communications by a covered entity about its own products or services.


For example, under this exception, it is not “marketing” when:


  • A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.
  • A health plan sends a mailing to subscribers approaching Medicare eligible age with materials describing its Medicare supplemental plan and an application form.

Authorization is a given—in most cases:

The HIPAA Privacy Rule requires an authorization for uses or disclosures of protected health information for all marketing communications, except in two circumstances:


  • When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
  • The communication involves a promotional gift of nominal value.

When it doubt, check it out:

If you have questions, refer them to a legal professional who’s familiar with your state’s laws. Also be sure to check out the Marketing section on HHS.gov to review details about marketing under HIPAA. 

more...
No comment yet.
Scoop.it!

Doctors: Stop worrying about negative comments and HIPAA violations

Doctors: Stop worrying about negative comments and HIPAA violations | HIPAA Compliance for Medical Practices | Scoop.it

r. Jeff Livingston takes a calm, relaxed approach to posting on social media.


 You could call Dr. Jeff Livingston, OB/GYN, a social media pioneer.


As I explained in earlier blog posts here and here, the Irving, Texas, physician has been using social media to educate and connect with his patients since his teenage daughter suggested he start a MySpace page to reach out to high school students struggling with pregnancy and STDs.


I know that many doctors are reluctant to embrace social media for fear of HIPAA violations and negative comments, so I asked him how he responds to those concerns.


Avoiding HIPAA violations in social media is natural


“I don’t think it’s that hard (to avoid HIPAA violations),” Livingston says. “If you step out of technology and just think about how doctors communicate throughout the day, they do it very naturally and never think about it.


“When you’re in a doctor’s lounge there’s a certain way of talking,” Livingston says. “When you get into the lobby, you change. And when you get on an elevator, you completely change. And you do that very naturally. The same thing applies on the internet. It’s a very big elevator with a lot of people on it. What you are already doing naturally can flow to the technology itself.”


Never disclose any kind of private health information


Livingston says the concept is simple.


“You can never disclose any kind of private, personal health information,” Livingston says. “You can’t diagnose. You can’t treat. But you can answer general questions. You can be helpful. You can provide lots of health information. You can provide guidance. Just don’t diagnose and treat patients.”


A couple of years ago a patient posted a question on the practice Facebook page.


Is it okay to go swimming while you’re pregnant?


There is a safe way to respond: Unless instructed by your doctor, there’s no reason why a pregnant woman can’t enjoy a swimming pool. Water is relaxing, it will take pressure off your back and it will cool you off in a hot Texas sun.


Or there is the illegal way: Because you have difficult labors and an abnormal placenta, it’s not a good idea for you to swim.


How do you respond to negative comments?


“To be honest, it doesn’t happen that much for us,” Livingston says. “I’m not going to engage in controversial discussions on Twitter or post controversial things on Facebook. We really haven’t had people put negative stuff on our Facebook page.”


He says patients know how to use social media.


“I have never had someone send me a tweet that said ‘I think I’m in labor,’” Livingston says. “I have never had someone put on our Facebook page, ‘I think my water broke.’ People who use these networks understand the public nature and act appropriately.” 

more...
No comment yet.
Scoop.it!

HIPAA: What happens when you don't comply?

HIPAA: What happens when you don't comply? | HIPAA Compliance for Medical Practices | Scoop.it
Health care providers, learn how much violations can cost you and your employer.


 Most nurse practitioners understand the basics of HIPAA. But, with the abundance of social media and a newfound cultural acceptance of sharing your life online, HIPAA violations are frequent. What are the repercussions of a HIPAA slip-up?

With 77 percent of workers in the U.S. holding a Facebook account and two-thirds of these employees accessing their accounts on the job, it is now easier than ever to make a HIPAA-related lapse in judgment. Both employers and employees are liable when these lapses occur. What penalties do they face?


HIPAA violations will cost you and your employer

Individuals and entities such as hospitals and insurance companies face anywhere from a $100 to $50,000 government fine (maximum of $1.5 million per year) for negligence in handling private patient information. The real penalties, however, lie in civil lawsuits. Should a patient sue you for breaking HIPAA law, you could also be liable for thousands of dollars or more in monetary penalties paid to the patient. In extreme cases, HIPAA violations can result in jail time. Obtaining patient information for personal or commercial gain, for example, carries a maximum ten year prison sentence.


Companies lose big in HIPAA violations

Several major companies have paid large settlements in relation to HIPAA violations. Massachusetts Eye and Ear Infirmary was fined $1.5 million after a physician's laptop was stolen while he was traveling abroad. The laptop contained 3,500 patient health records. It was never confirmed that patient confidentiality was breached or that any individual patient suffered as a result of this incident. The hospital was still fined after informing the U.S. Department of Health and Human Services of the episode. CVS Caremark has also faced steep HIPAA-related penalties. They paid a $2.5 million dollar fine after employees disposed of patient health information in garbage bins.


Individual consequences of HIPAA infractions

On an individual level, many nurses and other providers have been charged with HIPAA violations. While most violations end in a lesser penalty such as termination or suspension of employment, one nurse found herself serving an eight day jail sentence for breaching patient privacy laws. She took photos of elderly patients and posted them on her Facebook wall (the photos were disturbing in nature, influencing her harsher punishment). Several employees at the University of California Los Angeles were found snooping into medical records of various celebs including Britney Spears and Tom Cruise. These employees were suspended and UCLA fined $875,000 for the incident.

So, what's the bottom-line? HIPAA law is strict. For the protection of your patients and your own legal security, it must be followed closely. Be smart with patient information. Keep patient records away from the prying eyes of others. Don't post information about your patients on Facebook or other social media channels. Never take pictures of anything involving patient care. Most of all, mind your own business! 

more...
No comment yet.
Scoop.it!

HIPAA Theft and Fines - Technical Doctor Inc. - EHR Chicago, EMR Chicago, HIPAA Assessments

HIPAA Theft and Fines - Technical Doctor Inc. - EHR Chicago, EMR Chicago, HIPAA Assessments | HIPAA Compliance for Medical Practices | Scoop.it
more...
No comment yet.