HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

UPMC data breach may affect as many as 27,000 employees

April 17, 2014 9:11 PM

By Robert Zullo / Pittsburgh Post-Gazette

UPMC now says the personal information of as many as 27,000 of its employees may have been put at risk by a data breach that was first reported to the health care conglomerate in February.

“As of today, 788 employees have been the victims of tax fraud,” UPMC spokeswoman Gloria Kreps wrote in a statement. “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach. We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity.”

The new figure, provided Thursday, was the latest increase by UPMC since employees began reporting instances of identity theft about two months ago.

At first, UPMC said the issue affected only a few dozen employees, then about 322.

“That’s what we were saying all along ... is that there are thousands,” said Michael Kraemer, a Pittsburgh lawyer who has filed a lawsuit seeking class-action status against UPMC for the breach on behalf of employees who had fraudulent bank accounts opened in their name and tax returns stolen. “The message for this huge number of people is you need to keep track of any out-of-pocket expenses and any time you spend dealing with this.”

The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

In addition to the stolen tax refunds, Mr. Kraemer said he has heard from UPMC employees who say they have had bank accounts drained, though he has not yet been able to independently verify the claims.

He questioned why it has taken UPMC so long to identify the scope of the problem.

“It is extremely concerning that when this story broke in February, the response from UPMC was that ‘It’s OK, only 20 people were affected,’” Mr. Kraemer said. “This is something that arguably they should have known back in February. ... People are now exposed.”

Mr. Kraemer said UPMC sought and received a 30-day extension to respond to his suit, filed Feb. 27, and is still within that window.

The hospital group and its affiliates employ about 62,000 people, and Mr. Kraemer said he has heard from employees in every facet of UPMC’s operations.

“Just from the sheer number of people I’ve talked to, I don’t see any department that’s been excluded,” Mr. Kraemer said. “Why isn’t it every single employee?”

A UPMC spokesperson said all employees who could have been potentially affected by the breach have been notified.

After the potential data theft was reported, the company set up a hot line for employees to call about their case, created a “comprehensive employee intranet site with information and resources,” hired a tax firm to help employees file the required IRS identity theft affidavit form and offered reimbursement if the employees have hired someone to do it for them. UPMC also offered credit monitoring services for the affected employees and reimbursement to employees for costs associated with filing a police report, it has said.

In a letter, UPMC urged employees to contact their banks and check with the IRS to ensure that tax returns have not been fraudulently filed in their names as well as to prevent the potential for future incidents. UPMC also said it is providing LifeLock identity protection free of charge to employees who enroll by April 28.

“We are putting our full resources behind efforts to investigate and secure our systems,” UPMC Vice President John P. Houston wrote in the letter. “We recognize a situation like this creates stress and anxiety about the safety of your personal information and we want to provide you with all the tools and resources we can to help you deal with this all-too-common crime.”

Read more: http://www.post-gazette.com/business/finance/2014/04/17/UPMC-data-breach-may-affect-as-many-as-27-000-employees/stories/201404170277#ixzz2zXgXTyKl


Security Risk Assessment | Providers & Professionals | HealthIT.gov

Technical Dr. Inc.'s insight:
What is Risk Assessment?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Watch the Security Risk Analysis video to learn more about the assessment process and how it benefits your organization or visit the Office for Civil Rights' official guidance.

Read the HHS Press Release.


Is Your Health Insurance Portability and Accountability Act (HIPAA) Compliance Program Going Out the Window with XP? | The National Law Review

April 8, 2014 marks the end of Microsoft’s support for the Windows XP operating system, which means the end of security updates from Microsoft and the beginning of new vulnerability to hackers and other intruders into systems still utilizing the operating system. But does the end of Windows XP support mean that HIPAA covered entities and their business associates using Windows XP are automatically out of compliance with HIPAA as of April 8th? Not necessarily.


From AHIMA: Look Closer at Vendor HIPAA Compliance


With stronger HIPAA privacy and security requirements now in effect, health care providers need to ensure that their information technology vendors and their business associates understand and are compliant with the provisions.


5 things to remember about HIPAA in 2013


Make sure you know these basic facts.

As competition between health care providers continues to surge, hospitals need to step up the pace when it comes to their marketing efforts.

But in the “world according to HIPAA,” many marketers feel like their hands are tied under stringent rules that define “marketing” as:

“A communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

With limited exceptions, the privacy rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So how can marketers effectively market?

First and foremost, don’t let HIPAA become an excuse for tapering off on your marketing efforts. Knowledge is power. So take some time to familiarize (or re-familiarize) yourself with HIPAA’s marketing rules. Here are some general guidelines to keep in mind as you plan for the year ahead.

Patient testimonials:

Patient testimonials can add credibility to many marketing campaigns. Obviously, a patient must approve the use of a specific testimonial before it can be used. But don’t stop with a “standard” release form. HIPAA regulations and release forms also apply. And be sure to keep all signed copies on file. Same goes with using patient photos. Be sure to get—and retain—photo releases.

Truth in advertising:

There’s not much room for vague statements under HIPAA. So if you can’t back it up, don’t make the statement. Advertising claims must be factual—and verifiable.

Mailing lists:

When it comes to direct marketing to consumers, do not use lists that originate from personal records, such as private practice information. Note: there is an exception to the marketing definition which permits communications by a covered entity about its own products or services.

For example, under this exception, it is not “marketing” when:

  • A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.
  • A health plan sends a mailing to subscribers approaching Medicare eligible age with materials describing its Medicare supplemental plan and an application form.

Authorization is a given—in most cases:

The HIPAA Privacy Rule requires an authorization for uses or disclosures of protected health information for all marketing communications, except in two circumstances:

  • When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
  • The communication involves a promotional gift of nominal value.

When in doubt, check it out:

If you have questions, refer them to a legal professional who’s familiar with your state’s laws. Also be sure to check out the Marketing section on HHS.gov to review details about marketing under HIPAA.


Doctors: Stop worrying about negative comments and HIPAA violations


Dr. Jeff Livingston takes a calm, relaxed approach to posting on social media.

You could call Dr. Jeff Livingston, OB/GYN, a social media pioneer.

As I explained in earlier blog posts here and here, the Irving, Texas, physician has been using social media to educate and connect with his patients since his teenage daughter suggested he start a MySpace page to reach out to high school students struggling with pregnancy and STDs.

I know that many doctors are reluctant to embrace social media for fear of HIPAA violations and negative comments, so I asked him how he responds to those concerns.

Avoiding HIPAA violations in social media is natural

“I don’t think it’s that hard (to avoid HIPAA violations),” Livingston says. “If you step out of technology and just think about how doctors communicate throughout the day, they do it very naturally and never think about it.

“When you’re in a doctor’s lounge there’s a certain way of talking,” Livingston says. “When you get into the lobby, you change. And when you get on an elevator, you completely change. And you do that very naturally. The same thing applies on the internet. It’s a very big elevator with a lot of people on it. What you are already doing naturally can flow to the technology itself.”

Never disclose any kind of private health information

Livingston says the concept is simple.

“You can never disclose any kind of private, personal health information,” Livingston says. “You can’t diagnose. You can’t treat. But you can answer general questions. You can be helpful. You can provide lots of health information. You can provide guidance. Just don’t diagnose and treat patients.”

A couple of years ago a patient posted a question on the practice Facebook page.

Is it okay to go swimming while you’re pregnant?

There is a safe way to respond: Unless instructed by your doctor, there’s no reason why a pregnant woman can’t enjoy a swimming pool. Water is relaxing, it will take pressure off your back and it will cool you off in a hot Texas sun.

Or there is the illegal way: Because you have difficult labors and an abnormal placenta, it’s not a good idea for you to swim.

How do you respond to negative comments?

“To be honest, it doesn’t happen that much for us,” Livingston says. “I’m not going to engage in controversial discussions on Twitter or post controversial things on Facebook. We really haven’t had people put negative stuff on our Facebook page.”

He says patients know how to use social media.

“I have never had someone send me a tweet that said ‘I think I’m in labor,’” Livingston says. “I have never had someone put on our Facebook page, ‘I think my water broke.’ People who use these networks understand the public nature and act appropriately.”


HIPAA: What happens when you don't comply?

Health care providers, learn how much violations can cost you and your employer.

Most nurse practitioners understand the basics of HIPAA. But, with the abundance of social media and a newfound cultural acceptance of sharing your life online, HIPAA violations are frequent. What are the repercussions of a HIPAA slip-up?

With 77 percent of workers in the U.S. holding a Facebook account and two-thirds of these employees accessing their accounts on the job, it is now easier than ever to make a HIPAA-related lapse in judgment. Both employers and employees are liable when these lapses occur. What penalties do they face?

HIPAA violations will cost you and your employer

Individuals and entities such as hospitals and insurance companies face anywhere from $100 to $50,000 in government fines per violation (maximum of $1.5 million per year) for negligence in handling private patient information. The real penalties, however, lie in civil lawsuits. Should a patient sue you for breaking HIPAA law, you could also be liable for thousands of dollars or more in monetary penalties paid to the patient. In extreme cases, HIPAA violations can result in jail time. Obtaining patient information for personal or commercial gain, for example, carries a maximum ten-year prison sentence.

Companies lose big in HIPAA violations

Several major companies have paid large settlements in relation to HIPAA violations. Massachusetts Eye and Ear Infirmary was fined $1.5 million after a physician's laptop was stolen while he was traveling abroad. The laptop contained 3,500 patient health records. It was never confirmed that patient confidentiality was breached or that any individual patient suffered as a result of this incident. The hospital was still fined after informing the U.S. Department of Health and Human Services of the episode. CVS Caremark has also faced steep HIPAA-related penalties. It paid a $2.5 million fine after employees disposed of patient health information in garbage bins.

Individual consequences of HIPAA infractions

On an individual level, many nurses and other providers have been charged with HIPAA violations. While most violations end in a lesser penalty such as termination or suspension of employment, one nurse found herself serving an eight day jail sentence for breaching patient privacy laws. She took photos of elderly patients and posted them on her Facebook wall (the photos were disturbing in nature, influencing her harsher punishment). Several employees at the University of California Los Angeles were found snooping into medical records of various celebs including Britney Spears and Tom Cruise. These employees were suspended and UCLA fined $875,000 for the incident.

So, what's the bottom line? HIPAA law is strict. For the protection of your patients and your own legal security, it must be followed closely. Be smart with patient information. Keep patient records away from the prying eyes of others. Don't post information about your patients on Facebook or other social media channels. Never take pictures of anything involving patient care. Most of all, mind your own business!


HIPAA Theft and Fines - Technical Doctor Inc. - EHR Chicago, EMR Chicago, HIPAA Assessments


Some Linksys routers targeted by TheMoon malware


Security researchers have discovered a flaw in the firmware of some Linksys routers that could allow a hacker to gain control remotely, possibly turning a group of infected routers into a botnet.

The vulnerability has been exploited by malware dubbed TheMoon, according to a story at Computerworld, and the SANS Institute’s Internet Storm Center reports it has spotted Linksys E1000 and E1200 routers that were scanning the Net for other routers to infect.

Linksys routers can be managed remotely via a Web page or a smartphone app. The flaw involves one or more scripts used in this remote management process. Once the malware is installed, it tells the router to begin scanning for other routers to infect in the same way. The malware also appears to contain code that may have it looking for a command and control server that would tell it what to do.

A PC World story lists these Linksys models as being potentially vulnerable, based on details posted to Reddit by a user who created a proof-of-concept exploit:

The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. However, Rew notes that the list might not be accurate or complete.

A spokesperson for Belkin – which now owns Linksys – confirmed the exploit to PC World, and said it can be prevented by making sure Remote Management Access is turned off. She said the routers ship with that feature disabled by default.

Linksys has posted information about how to update its routers to the latest firmware and make sure that Remote Management Access is turned off. If you’ve got a Linksys router, you should read it and take action ASAP.


Easter Seals notifies 3,026 clients of health data breach | HealthITSecurity.com


The Easter Seal Society of Superior California sent health data breach notification letters to 3,026 Easter Seals clients and potential clients on Friday after an employee’s work-issued laptop was stolen.

According to the release, the laptop was among the stolen items when the employee’s vehicle was broken into on December 10. Though not all patients had the same data compromised, the report said that there was some grouping of date of birth, health care provider information, patient identification number, health care billing information and therapy notes.

Though Easter Seals doesn’t believe any sort of fraudulent activity has occurred to this point, it has hired forensics experts to assist in determining the scope of the incident. The charity advised clients to review healthcare insurer benefits to see if there are any disparities.

“Easter Seals also encourages all concerned individuals to remain vigilant, to review account statements, and to monitor credit reports for suspicious activity,” stated the press release.

Easter Seals didn’t indicate whether the laptop was encrypted or even password-protected. Because it’s an organization dedicated to services and education for those with disabilities and not a healthcare provider, it’s likely considered a HIPAA business associate in this case.

The charity serves children and adults in Alpine, Amador, Calaveras, El Dorado, Nevada, Placer, Sacramento, San Joaquin, Stanislaus, Sutter, Tuolumne, Yolo and Yuba counties. Easter Seals' teachers, therapists and other health professionals help people with disabilities to speak, walk, work and care for themselves.



HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority | LabMD Case - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance


On August 29, 2013, The Federal Trade Commission filed a complaint against medical testing laboratory LabMD, Inc. alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information.

Less than six months later, in a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. The company has decided to wind down operations according to its press release dated January 28, 2014, entitled FTC ACTIONS FORCE LABMD TO WIND DOWN OPERATIONS.

I spoke to Mr. Daugherty on Saturday, February 1st about the FTC actions and his plans. He recently wrote a book, “The Devil Inside the Beltway”, telling the story of LabMD’s journey through the FTC process. The book exposes a systematic and alarming investigation by one of the US Government’s most important agencies. Mr. Daugherty indicated he plans to speak out publicly on his ordeal and write additional books to help other small businesses avoid LabMD’s experience.

The original complaint alleged LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of more than 500 consumers were found in the hands of identity thieves.

The case is part of an ongoing effort by the Commission to ensure companies take reasonable and appropriate measures to protect consumers’ personal data. Many argue — including LabMD — that the FTC is overstepping its bounds and becoming hyper-vigilant in the absence of FTC regulations around data security.

Mr. Daugherty responded, “The FTC does not know — nor can they prove — if or where our file got out or else they are refusing to tell us.” He had further comments on what kind of P2P protections were available at the time in question. “Hindsight is always 20/20. P2P risks were not widely known in 2008 and millions of files leaked as late as 2009 per congressional testimony. This is a story about doing it right and still getting screwed. Many vulnerabilities today are unknown and in 2018 the FTC will say you should have known them based on their term ‘reasonably foreseeable’. We believe in knowledgeable power, not compliance by fear.”

The Biggest Lesson Learned: Covered Entities and Business Associates Need to Identify and Manage Risk Related to Any Personally Identifiable Information Stored, Maintained or Transferred

HIPAA Covered Entities and Business Associates need to consider all sources of risk and liability related to safeguarding sensitive information whether it is Protected Health Information (PHI) or any other Personally Identifiable Information (PII). Any such information stored, maintained or transferred is at risk. To identify potential liabilities and put an effective risk management plan in place it is important to ask the following kinds of questions:

Do you have compliance obligations which overlap with HIPAA Privacy, Security and Breach Notification Rules such as Meaningful Use Attestation, or CMS or Insurance Exchange privacy requirements?

Do you handle any “super PHI” (e.g., drug and alcohol addiction, STD, psychotherapy notes) which is subject to even more stringent requirements?

If your company is a publicly traded organization, is the company meeting Securities and Exchange Commission (SEC) requirements?

Could you be liable for enforcement action by the Federal Trade Commission (FTC) for unfair or deceptive practices under Section 5 of the FTC Act?

Is your State Attorney General active in enforcement of state and federal Privacy and Security regulations?

Are you subject to a whistleblower filing a complaint under the False Claim Act?

Have you completed pre-emption analyses for all states / jurisdictions in which you operate?

Are you compliant with all applicable state breach notification laws?

Are you or your colleagues subject to sanctions under professional ethics provisions of your associations or other affiliations?


Technical Dr. Inc.'s insight:

Yikes! Is your practice using HIPAA compliant methods to store patient information? Have you had a HIPAA Risk Assessment done this year? Contact Technical Doctor today to schedule this immediately! Email us at inquiry@technicaldr.com or call 877-910-0004 x300.

The Technical Doctor Team


HIPAA Breach Exposes 42,000 In Wisconsin

By Christine Kern


Unity Health Plans reveals breach of health care records, affects some 42,000 individuals

Healthcare IT News reports Unity Health Plans Insurance Corporation discovered an unencrypted portable computer hard drive containing individual health records was missing from the University of Wisconsin-Madison School of Pharmacy which had this information as part of a benefits program evaluation. As a result, Unity - which serves approximately 140,000 members - “has notified nearly 42,000 of its members that their protected health information may have been compromised following a HIPAA privacy breach.”

In a disclosure notice on Unity’s website, the company issued an apology to its members and an assurance that they are taking proper steps to correct the breach and protect the safety of member information. The missing hard drive did not contain the name, street address, Social Security Number, credit card, banking or financial information of any Unity member.

The press release states, “The information on the hard drive included some protected health information relating to certain prescription drugs. The information on the hard drive was limited to the Unity member number, date of birth, city of residence, name of drug, and date of service, if any. We have identified 41,437 members who may have been affected. We are notifying each of those members by letters mailed January 29, 2014.”

Further, it assured that there is no reason to believe the hard drive was stolen to gain access to member information or that this information has been accessed or misused in any way. To date, only 17 of the more than 80,000 HIPAA breach cases OCR has received since 2003 have resulted in fines.

Just this past December, the five-hospital Riverside Health System in southeast Virginia announced that the PHI of nearly 1,000 patients had been compromised in a privacy breach that continued for four years. From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The breach wasn't discovered until Nov. 1 following a random company audit.


Technical Dr. Inc.'s insight:

Get your practice protected! Call or email Technical Doctor today to learn about our HIPAA Risk Assessments.

- The Technical Doctor Team


North Country Hospital has second breach in 4 months


The Centers for Medicare and Medicaid Services (CMS) issued a regulatory citation to North Country Hospital in Newport, Vermont after two unauthorized employees accessed confidential medical records, according to a report from WCAX.com. The incident was discovered during an unannounced CMS visit in the fall.

Prior to the incident, hospital employees worked on an honor system: upon hire they promise to follow confidentiality policies, and the hospital trusts that their employees will uphold this promise. Now the hospital is using an audit system to monitor patient record compliance and prevent future data breaches. The system is expected to be running by February 15. It is not known if the records viewed were paper or electronic.

While the hospital’s Medicare and Medicaid programs are not affected by the incident, it is unclear if there was any disciplinary action taken against the two employees.

This is not the first patient privacy incident to involve North Country Hospital. In October, former IT employee Christian Cornelius claimed a broken laptop he was repairing contained protected health information (PHI) for 3,000 patients, but the hospital would not return his calls. The hospital claims that Cornelius refused to return the unencrypted laptop.


Report: Breaches Up 138 Percent in 2013


A new report reveals that in 2013, the number of protected health information (PHI) breaches was up 138 percent from 2012, with 199 breaches of PHI reported to the Department of Health and Human Services (HHS) impacting over 7 million patient records.

The report, the fourth annual from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act forced providers to notify HHS when they had a breach affecting 500 or more patients, there have been 804 large breaches of PHI.

Last year, in particular, was rough for providers. Over the course of four years, only one year has been higher in terms of total incidents and number of patients impacted.

"I think the 138 percent increase in patient records breached caught a lot of people by surprise," Daniel W. Berger, Redspin's President and CEO, said in a statement. "There was a sense that the government's 'carrot and stick' approach – requiring HIPAA security assessments to qualify for meaningful use incentives and increasing OCR enforcement initiatives – was driving real progress."

The five largest PHI breaches made up more than 85 percent of the total reported from the year. This includes the Advocate Health and Hospitals breach, where four desktop computers from an office were stolen, that affected more than four million patients. The second and third largest breaches were also caused by theft. In total, theft was the cause of nearly half of all breaches in 2013.

Laptops were the device on which the highest number of data breaches occurred, being involved in nearly 35 percent of all incidents. The lack of encryption on portable devices, the authors of the report say, is one of the highest risks to PHI.

"It's only going to get worse given the surge in the use of personally-owned mobile devices at work," Berger said. "We understand it can be painful to implement and enforce encryption but it's less painful than a large breach costing millions of dollars."

One positive area in the report was the impact of the HIPAA Omnibus Rule on covered entities and business associates (BAs). While the number of breach incidents involving BAs followed the norm in 2013, the number of patient records dropped dramatically from 2009-2012.

Technical Dr. Inc.'s insight:

Is your practice secure?  If you aren't sure, contact Technical Doctor today to schedule your Risk Assessment at inquiry@technicaldr.com or 877-910-0004 x3.

-The Technical Doctor Team


Fourth HIPAA breach for Kaiser | Healthcare IT News


Some 5,100 patients treated at Kaiser Permanente were sent HIPAA breach notification letters Friday after a KP research computer was found to have been infected with malicious software. Officials say the computer was infected with the malware for more than two and a half years before being discovered Feb. 12.

The computer was used by the Kaiser Permanente Northern California Division of Research to store research data. The breach, officials note, involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data.

"We have confirmed that the infection was limited to this one compromised server, and that all other DOR servers were and are appropriately protected with anti-virus security measures," said Tracy Lieu, MD, director of the division of research at Kaiser Permanente, in an emailed statement to Healthcare IT News. "It is important to note that the compromised server is used specifically for research purposes at the DOR and is not connected to Kaiser Permanente's electronic health records system."

Lieu said the antivirus software on the server was not updated "due to human error related to the configuration of the software."

Added Lieu, "We value our members and take protecting the privacy and security of their information very seriously. We apologize that this unfortunate incident occurred."

According to data from the Department of Health and Human Services, this is the fourth large HIPAA breach for Kaiser Permanente, which includes Kaiser Foundation Health Plan, Kaiser Foundation Hospitals -- consisting of 32 hospitals -- and Permanente Medical Group.

Last November, in its second reported data breach of last fall, KP notified 49,000 of its Anaheim Medical Center patients that their protected health information had been compromised after an unencrypted USB drive containing their data went missing.

Back in September, some 670 patients received breach notification letters after an emailed attachment containing the protected health information of patients was sent to a recipient outside the Kaiser network. According to KP officials, the attachment was accidentally emailed by a Kaiser employee to a member of a pilot wellness screening competition back in May.

The third incident occurred at KP's Medical Care Program back in 2009 when an unencrypted portable drive was stolen from an employee's car, compromising the health data of some 15,500 patients.

Theft accounts for the lion's share of HIPAA privacy and security breaches, as HHS' Office for Civil Rights Deputy Director for health information privacy Susan McAndrew pointed out at HIMSS14, representing some 48 percent of all breaches reported.

"Pay attention to encryption," said McAndrew, particularly for any devices that can leave the office. "We're interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses."

To date, more than 30.6 million individuals have had their PHI compromised in a large HIPAA privacy or security breach -- breaches involving 500 or more people -- according to data from the Department of Health and Human Services.

HIPAA-covered entities and, now, business associates, have handed over some $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that just from last year. And this isn't counting the state and private legal settlements.  

Big Brother Or Best Friend? | EMR and HIPAA


The premise of clinical decision support (CDS) is simple and powerful: humans can’t remember everything, so enter data into a computer and let the computer render judgement. So long as the data is accurate and the rules in the computer are valid, the computer will be correct the vast majority of the time.

CDS is commonly implemented in computerized provider order entry (CPOE) systems across most order types – labs, drugs, radiology, and more. A simple example: most pediatric drugs require weight-based dosing. When physicians order drugs for pediatric patients using CPOE, the computer should validate the dose of the drug against the patient’s weight to ensure the dose is in the acceptable range. Given that the computer has all of the information necessary to calculate acceptable dose ranges, and the fact that it’s easy to accidently enter the wrong dose into the computer, CDS at the point of ordering delivers clear benefits.

The general notion of CDS – checking to make sure things are being done correctly – is the same fundamental principle behind checklists. In The Checklist Manifesto, Dr. Atul Gawande successfully argues that the challenge in medicine today is not in ignorance, but in execution. Checklists (whether paper or digital) and CDS are realizations of that reality.

CDS in CPOE works because physicians need to enter orders to do their job. But checklists aren't as fundamentally necessary for any given procedure or action. The checklist can be skipped, and the provider can perform the procedure at hand. Thus, the fundamental problem with checklists is that they insert a layer of friction into workflows: running through the checklist. If checklists could be implemented seamlessly without introducing any additional workflow friction, they would be more widely adopted and adhered to. The basic problem is that people don't want to go back to the same repetitive formula for tasks they feel comfortable performing. Given the tradeoff between patient safety and efficiency, checklists have only been seriously discussed in high acuity, high risk settings such as surgery and ICUs. It's simply not practical to implement checklists for low risk procedures. But even in high acuity environments, many organizations continue to struggle implementing checklists.

So…. what if we could make checklists seamless? How could that even be done?

Looking at CPOE CDS as a foundation, there are two fundamental challenges: collecting data, and checking against rules.

Computers can already access EMRs to retrieve all sorts of information about the patient. But computers don't yet have any ability to collect data about what providers are and aren't physically doing at the point of care. Without knowing what's physically happening, computers can't present alerts based on skipped or incorrect steps of the checklist. The solution would likely be based on a Kinect-like system that can detect movements and actions. Once the computer knows what's going on, it can cross reference what's happening against what's supposed to happen given the context of care delivery and issue alerts accordingly.

What’s described above is an extremely ambitious technical undertaking. It will take many years to get there. There are already a number of companies trying to addressing this in primitive forms: SwipeSense detects if providers clean their hands before seeing patients, and the CHARM system uses Kinect to detect hand movements and ensure surgeries are performed correctly.

These early examples are a harbinger of what’s to come. If preventable mistakes are the biggest killer within hospitals, hospitals need to implement systems to identify and prevent errors before they happen.

Let’s assume that the tech evolves for an omniscient benevolent computer that detects errors and issues warnings. Although this is clearly desirable for patients, what does this mean for providers? Will they become slaves to the computer? Providers already face challenges with CPOE alert fatigue. Just imagine do-anything alert fatigue.

There is an art to telling people that they’re wrong. In order to successfully prevent errors, computers will need to learn that art. Additionally, there must be a cultural shift to support the fact that when the computer speaks up, providers should listen. Many hospitals still struggle today with implementing checklists because of cultural issues. There will need to be a similar cultural shift to enable passive omniscient computers to identify errors and warn providers.

I’m not aware of any omniscient computers that watch people all day and warn them that they’re about to make a mistake. There could be such software for workers in nuclear power plants or other critical jobs in which the cost of being wrong is devastating. If you know of any such software, please leave a comment.


HHS Spells Out Obama Budget's Impact


The Obama administration's proposed fiscal 2015 budget calls for a 22 percent increase in funding for the office that oversees policies and standards for the HITECH Act's electronic health record incentive program and a 5 percent increase for the agency responsible for enforcing HIPAA compliance.

Obama's budget is a statement of the administration's spending priorities for the federal government. Ultimately, Congress must approve appropriation bills to fund the government. Fiscal 2015 begins on Oct. 1.

ONC Funding

Under Obama's budget proposal unveiled this week, the Department of Health and Human Services' Office of the National Coordinator for Health IT, which oversees the HITECH program, would have a budget of $75 million, up $14 million from the current year. Six additional full-time employees would be added, bringing ONC's headcount to 191.

The proposed ONC budget includes $27.2 million, or $8.5 million more than the current fiscal year, to fund development of standards supporting interoperable and secure health IT infrastructure. In addition, ONC's proposed budget includes $2.9 million for other privacy and security related activities, "ensuring that electronic health information is private and secure wherever it is transmitted, maintained, or received," says an additional ONC budget document, the Justification of Estimates for Appropriations Committee, released by HHS on March 7.

The extra money sought by ONC in fiscal 2015 would also help support a number of other efforts, including the creation of a new Health IT Safety Center, which in fiscal 2015 "will begin a robust collection and analysis of health IT-related adverse events, which will facilitate benchmark data on the types and frequencies of events," says an HHS "budget in brief" document. ONC is seeking $5 million to fund the new safety center in fiscal 2015.

The new center "will monitor and analyze data on patient-safety events, potentially unsafe conditions associated with health IT, and patient-safety events that could be prevented by health IT," the HHS document notes. ONC will work closely with the Agency for Healthcare Research and Quality, the Joint Commission, Food and Drug Administration and patient safety organizations on this effort, the HHS document notes.

The HHS document notes that in fiscal 2015, the FDA will continue to implement key new responsibilities authorized in the FDA Safety and Innovation Act.

The FDA has been collaborating over the last year with ONC and the Federal Communications Commission in developing a "risk-based regulatory framework" to address patient safety concerns around health IT, including potentially those involving cybersecurity issues (see Health IT: A Cybersecurity Framework).

An ONC spokesman says the new Health IT Safety Center "is part of our Safety Surveillance and Action Plan based on recommendations in the Institute of Medicine report," which in 2011 suggested the government and private sector improve transparency in the reporting of health IT safety incidents and enhance monitoring of health IT products. The new safety center will be aligned with the report on the FDA framework, "which we intend to release for comment in March," the ONC spokesman says.

OCR Funding

Meanwhile, under the proposed budget, the HHS Office for Civil Rights, which is responsible for HIPAA enforcement, would have a budget of $41 million, up $2 million from fiscal 2014. OCR would add 11 full-time staff members, increasing its workforce to 218 employees.

The funding increase will help support OCR's centralized case management operations and online complaint system, HHS notes. "The budget supports continued enforcement of the HIPAA security rule and OCR's expanded HIPAA responsibilities," the HHS document says. "OCR evaluates and ensures HIPAA and civil rights compliance through complaint investigations, compliance reviews, audits, resolution agreements, enforcement actions and monitoring, public education and technical assistance."

Among OCR's enforcement activities slated for 2014 is the resumption of HIPAA compliance audits, which have been on hiatus since the agency's pilot audit program wrapped up in 2012 (see HIPAA Audits a Step Closer to Resuming).

Unlike the pilot audits, which were conducted by the consulting firm, KPMG, the next wave of HIPAA audits will be performed by OCR's internal staff.

OCR officials recently confirmed the agency is taking the first steps to resuming the program. In a Feb. 24 notice in the Federal Register, OCR said it will survey "up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program."

In fiscal 2013, OCR resolved more than 9,500 complaints of alleged HIPAA violations, and collected about $4 million in HIPAA settlements related to its enforcement activities, the HHS document notes. OCR projects that it will collect about $5.5 million from HIPAA settlements in fiscal 2014, which the agency will use to further fund its enforcement activities, according to the HHS document. Under the HIPAA Omnibus Rule, civil penalties can reach $1.5 million per calendar year for all violations of an identical HIPAA provision.


Nurse practitioners: Consider 5 things before friending patients on Facebook

The decision is up to you, but here’s what you need to think about.

With the social media boom, the lines between personal and professional lives have become blurred. What is posted online stays online.

Even if your Facebook profile is labeled "private", I am certain there is still a way for anyone persistent enough to see your information and photos. This is why I recommend removing all of your boozing party pics from college before sending out resumes (you should also leave them off of your profile for the remainder of your professional life—you can put them back up when you retire).

With this blurring of the personal and professional and the wealth of personal information online, naturally this question arises: should you become Facebook friends with your patients?

Ultimately, the decision is up to you, but here are some things to consider:

1. Social media is culturally relevant.

Your patients are all using social media—probably even in your office while they wait for their appointments. Twitter, LinkedIn and Facebook are places your patients get their information. By forming an online relationship with your patients, you will be able to reach them more effectively.

Are you trying to help many of your patients lose weight? Develop a Twitter account for weight loss tips and daily reminders to assist your patients with weight loss even when you can't be with them. This will make your preventative healthcare far better than that of other nurse practitioners (NPs) and MDs.

I must also mention the use of email in relation to cultural relevance. I believe willingness to email your patients is a necessity. Calling a medical office can be frustrating. Your patients want to be able to reach you easily. Email will take less time than you think and your patients will appreciate your efforts. The ability to schedule appointments online on your clinic's website is also a must!

2. Privacy and legal concerns with social media

We are all well aware of the infamous Health Insurance Portability and Accountability Act (HIPAA). Patient information is private. You cannot share it in any way, shape or form.

Beware of posting anything at all about your work on your personal Facebook or Twitter account. It is so easy to mistakenly reveal a patient's private information online; I believe it is best not to post anything at all. All patient stories posted through MidlevelU are not "real" patients.

Legally, posting anything about your work as a nurse practitioner also puts you at risk. I have been advised not to post if I have had a "good day" or "bad day" at work. If a malpractice case is presented, these statements will be scrutinized and could be used against you or a co-worker.

3. Setting boundaries

An online relationship with your patients can help you view your patients as a "whole" rather than simply a medical diagnosis. Taking into consideration your patients' lifestyles and how their health affects their lives can help you become a better provider.

There are some things about your life, however, that you should probably keep private. According to the Seattle Times, a recent survey found that 90 percent of state medical boards reported at least one online professional standards violation by a doctor. Nurse practitioners who "friend" their patients must keep their social media profiles clean and appropriate.

4. Building your practice

Social media is an excellent business building tool. Your patients have chosen you as their health care provider. Using social media, you can communicate with them outside of the usual office visit increasing their confidence in and relationship with you as a health care provider. Social media also allows you to encourage new patients to visit your clinic, further expanding your practice.

5. Becoming personable

Most patients want to see you as a person. Because you are providing them and their families health care, they need to trust you. By giving glimpses of your personality and life as a whole, your patients will trust you more allowing you to have a greater impact on their health.

Given the benefits and drawbacks of involvement in social media among health care providers, I think there is an easy solution. Create a social media presence for your practice or specialty. Rather than "friending" your patients using your personal Facebook page, create a page for your practice or a page for you personally that you use only for professional purposes. This will allow you to extend your health care knowledge and advice to patients at home and give a glimpse of your personality to your patients without leaking any old sorority photos into your professional presence.


Financial Penalty in Small Breach Case


An investigation by the Department of Health and Human Services into a relatively small breach at a county health department in Washington state has resulted in a $215,000 monetary settlement.

Skagit County, located in Northwest Washington and home to approximately 118,000 residents, has agreed to pay a $215,000 settlement and to work closely with the HHS Office for Civil Rights to correct deficiencies in its HIPAA compliance program, which were discovered during an OCR investigation into a December 2011 breach.

The Skagit County Public Health Department provides services to many individuals who would otherwise not be able to afford healthcare, according to an HHS statement about the settlement.

OCR says it opened its investigation upon receiving a breach report from Skagit County in December 2011 that noted money receipts with electronic protected health information of seven individuals were accessed by unknown parties after the information had been inadvertently moved to a publicly accessible server maintained by the county.

However, OCR's investigation into the matter revealed a broader exposure of data. The breach actually involved the ePHI of 1,581 individuals, not seven. "Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases," HHS says.

OCR's investigation uncovered widespread non-compliance with the HIPAA privacy, security and breach notification rules, federal officials say.

"This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size," says Susan McAndrew, OCR deputy director of health information privacy. "These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients' information."

In the wake of the breach, an area of focus for the county is training department of health workers to use only the minimum necessary personal information of patients, Ron Wesen, county board of commissioners chair, tells Information Security Media Group. He explains that the county's breach investigation determined that department workers had been mistakenly posting onto a public website patient receipts containing personal information.

Government Breaches

While the settlement is the first with a county government, one of the largest OCR HIPAA settlements to date was in June 2012 with a unit of state government, the Alaska Department of Health and Social Services. That $1.7 million settlement was the result of an OCR investigation triggered by a stolen unencrypted USB storage drive potentially containing data about 500 Medicaid beneficiaries.

"This latest settlement indicates to me that OCR is investigating cases large and small, which is exactly what the industry needs to take HIPAA security compliance more seriously," says security expert Brian Evans, a principal at Tom Walsh Consulting.

Organizations need to take steps to ensure they don't underestimate the size of a breach, Evans stresses. "Nobody wants or expects OCR to show up and do a better job than you in investigating your organization's breach," he says.

"Small organizations like Skagit County should decide in advance whether they're going to use existing staff to build an incident response team or outsource it," Evans says. "If they're going to build it in-house, then they need to formally designate and train its team members on how to properly conduct incident investigations. Otherwise, cross your fingers and hope for the best."

Corrective Actions

As part of its settlement with OCR, Skagit County agreed to a corrective action plan to ensure it has in place written policies and procedures, training and other measures to comply with the HIPAA rules. The corrective action plan also requires the county to provide regular status reports to OCR.

The plan notes that Skagit County's HIPAA deficiencies included:

  • failure to notify all individuals affected by the incident, as the breach notification rule requires;
  • failure to implement sufficient policies and procedures to prevent, detect, contain and correct security violations;
  • failure to implement and maintain, in written or electronic form, policies and procedures reasonably designed to ensure compliance with the security rule; and
  • failure to provide security training to all workforce members.

Among the steps the county has agreed to take are:

  • Provide a new breach notification to HHS for review and approval, and then publish it in local media;
  • Provide to HHS a description of Skagit County's procedures that ensure the breach incident involving patient PHI is included in any accounting of disclosures provided to any individual impacted by the incident;
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;
  • Provide HIPAA training to members of the county's workforce who have access to ePHI.

25 Tips for Passing a HIPAA Risk Assessment


Title II of the Health Insurance Portability and Accountability Act (HIPAA), known as the "Administrative Simplification Provisions," requires medical practices to follow a set of national standards for electronic healthcare transactions, assigns national identifiers for providers, health insurance plans, and employers, and, through the Privacy and Security Rules issued under it, sets the requirements for protecting patient health information.

A checklist of security features is helpful in preparing for a HIPAA risk assessment.

In addition, the requirements for meaningful use state that a practice must "conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process." Thus, to meet the Meaningful Use requirements, practices must conduct periodic risk assessments and keep the documentation that shows how they identified and addressed risks to ePHI.

What is a HIPAA risk assessment?
A HIPAA risk analysis is a process that helps ensure that the practice is following these national standards. It involves a thorough look at the practice, in particular at every system and location where electronic protected health information is created, stored, or transmitted. As part of the assessment, someone in the office, typically a physician or the practice manager, should be designated as the HIPAA security officer; the Security Rule requires that a security official be named.

But what does a risk analysis entail, and what must be included in the report? According to the Department of Health and Human Services (HHS) Security Standards Guide, a risk analysis has nine mandatory components. Any healthcare or healthcare-related organization that stores or transmits electronic protected health information (ePHI) must include the following components in their risk analysis document:

  • Scope of the analysis—any potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Data collection—where data is being stored, received, maintained, or transmitted
  • Potential threats and vulnerabilities—identifies and documents any anticipated threats and vulnerabilities that may lead to an ePHI breach
  • Current security measures—steps being taken to protect data, such as encryption
  • Likelihood of threat occurrence—the probability of potential risks to ePHI
  • Potential impact of threat occurrence—the impact of a data threat, as determined by using either qualitative or quantitative measures
  • Determination of level of risk—the average of the assigned likelihood of occurrence and the potential impact, plus a list of corrective actions that would be performed to mitigate risk
  • Documentation—the written analysis required by HHS
  • Reviews and updates—subsequent risk analyses whenever new technology or changes to business operations are planned or implemented
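As an added example that is not part of the original article and is not an HHS or Technical Doctor tool, the following Python carries the nine components above into a small risk register: an inventory of where ePHI lives (data collection), threat and vulnerability pairs, current controls, a qualitative 1-3 likelihood and impact scale, the average-based level determination the HHS guidance describes, corrective actions, and a rendered document. The 1-3 scales, the level thresholds, and the sample assets and threats are constructed assumptions for illustration, not real practice data. The one mechanical rule it adds, flagging any portable, unencrypted asset for encryption, reflects the report's own finding about portable devices.

```python
from dataclasses import dataclass, field

# Assumed qualitative 1-3 scale; HHS guidance allows qualitative or quantitative measures.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    """One place ePHI is stored, received, maintained, or transmitted (data collection step)."""
    name: str
    location: str
    encrypted: bool
    portable: bool          # can leave the premises (laptop, USB drive, phone)


@dataclass
class Threat:
    """One anticipated threat/vulnerability pair against an asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str         # "low" | "medium" | "high"
    impact: str             # "low" | "medium" | "high"
    current_controls: list[str] = field(default_factory=list)
    corrective_actions: list[str] = field(default_factory=list)


def risk_score(likelihood: str, impact: str) -> float:
    """Average of the assigned likelihood and impact, as the HHS guidance describes."""
    return (SCALE[likelihood] + SCALE[impact]) / 2


def risk_level(score: float) -> str:
    """Map the numeric score back to a qualitative level (thresholds are an assumption)."""
    if score >= 2.5:
        return "high"
    if score >= 1.5:
        return "medium"
    return "low"


def derived_actions(asset: Asset) -> list[str]:
    """Corrective actions that follow from the inventory alone: portable + unencrypted = encrypt."""
    if asset.portable and not asset.encrypted:
        return [f"enable full-disk encryption on {asset.name} or stop storing ePHI on it"]
    return []


def build_register(threats: list[Threat]) -> list[dict]:
    """Produce the documented register, highest risk first (stable sort keeps input order on ties)."""
    rows = []
    for t in threats:
        score = risk_score(t.likelihood, t.impact)
        rows.append({
            "asset": t.asset.name,
            "location": t.asset.location,
            "threat": t.threat,
            "vulnerability": t.vulnerability,
            "likelihood": t.likelihood,
            "impact": t.impact,
            "score": score,
            "level": risk_level(score),
            "controls": list(t.current_controls),
            # de-duplicate while keeping order
            "actions": list(dict.fromkeys(t.corrective_actions + derived_actions(t.asset))),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def render(rows: list[dict]) -> str:
    """The written analysis: one line per risk plus its corrective actions."""
    lines = ["HIPAA risk analysis (constructed sample data)"]
    for r in rows:
        lines.append(f"[{r['level'].upper():6}] {r['asset']} ({r['location']}): "
                     f"{r['threat']} via {r['vulnerability']}; controls: {', '.join(r['controls']) or 'none'}")
        for a in r["actions"]:
            lines.append(f"          action: {a}")
    return "\n".join(lines)


# Constructed sample inventory and threats (assumed, not real practice data).
SAMPLE_ASSETS = {
    "ehr": Asset("EHR database server", "server closet", encrypted=True, portable=False),
    "laptop": Asset("front-desk laptop", "reception", encrypted=False, portable=True),
    "usb": Asset("billing USB drive", "office manager's desk", encrypted=False, portable=True),
}
SAMPLE_THREATS = [
    Threat(SAMPLE_ASSETS["laptop"], "theft", "unencrypted disk, device leaves the office",
           "medium", "high", ["cable lock"], ["asset tag and sign-out log"]),
    Threat(SAMPLE_ASSETS["ehr"], "ransomware", "staff open email attachments",
           "medium", "high", ["antivirus", "nightly backups"], ["phishing training", "test restores quarterly"]),
    Threat(SAMPLE_ASSETS["usb"], "loss", "unencrypted removable media",
           "medium", "medium"),
    Threat(SAMPLE_ASSETS["ehr"], "power failure", "no UPS on the server",
           "low", "low", [], ["install a UPS"]),
]

if __name__ == "__main__":
    print(render(build_register(SAMPLE_THREATS)))
```

Re-running the script whenever an asset is added or a control changes satisfies the "reviews and updates" component, and the rendered text is the documentation the assessor will ask for.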

Although many practices may be able to conduct a risk assessment without using an outside vendor, others may decide that an outside vendor can be more objective and efficient. Asking other practices how they approached the project, searching the Internet, and checking with the practice's current IT vendor are ways a practice can find companies that specialize in conducting risk assessments.

Any vendor selected should provide a written report and a certificate or letter stating that the practice has had a HIPAA risk assessment. Keep in mind that HHS does not recognize or endorse any HIPAA "certification": such a document is evidence that the work was done, not proof of compliance, and the practice remains responsible for acting on the findings. If the assessment is completed by practice physicians and staff, it is important to document each activity in the process.

25 tips 
The following list will help you prepare for a risk assessment (these are also good habits to form):

  1. Always follow HIPAA guidelines and rules.
  2. Keep all paper medical records under lock and key and make sure only authorized personnel have access to them.
  3. Ensure that any paper records that are past their required storage date or have been digitized and are no longer needed are properly destroyed.
  4. Install antivirus and firewall software on all personal computers, laptops, tablets, and the practice’s internal network. If possible, the internal network should have only limited Internet access.
  5. Make sure that computer screens do not face the reception room or any direction within view of unauthorized personnel. In addition, be sure that password locks are used when staff step away from their computers.
  6. Train staff to always log out of the electronic health record system when they leave the computer.
  7. Do not use social security numbers as unique patient identifiers.
  8. Because patients have the right to revoke access to any health information network the practice is part of, be sure that proper written consent is obtained before any information is shared.
  9. Require that passwords be changed on a regular basis. Ensure that passwords are not exchanged, written down, or posted in places where others can see them.
  10. Keep portable hardware containing data secure and locked away when not in use.
  11. Keep all hardware—including servers—in a clean environment, with minimal or no access by unauthorized personnel.
  12. Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for protecting patient health information.
  13. Ensure that staffing policies and procedures are up to date. If an employee leaves the practice, disable his or her user account no later than the last day of employment, and immediately in the case of an involuntary departure.
  14. Review audit trails on a regular and periodic basis to identify potential system abuse or misuse.
  15. Have a disaster recovery procedure.
  16. Make sure data are backed up every day, and periodically test that a backup can actually be restored.
  17. Ensure that every computer that stores patient data uses full-disk encryption.
  18. Keep a list of the practice's third-party vendors and ensure that each one that handles PHI signs a Business Associate Agreement (BAA) that sets out how it will safeguard the information and report any breach.
  19. Designate a staff member to be a “security officer,” who is in charge of making sure the practice is HIPAA-compliant.
  20. Provide all employees with badges or other form of identification that proves they work for the practice.
  21. Train the staff on proper Internet use, including avoiding the use of the practice’s computers for personal business.
  22. Do not put information that can identify a person as a patient into documents outside the EHR system, such as spreadsheets, email, or notes, that are not protected the same way.
  23. Do not allow flash drives or any external data device used in the practice to be removed from the practice or used on computers that are not owned by the practice.
  24. Notify the security officer immediately if a computer shows signs of being infected.
  25. Never put flash drives or external media found on the ground into a practice’s computer.
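Tips 13 and 14 above, disabling departed users and reviewing audit trails, are the ones most often done by hand and therefore skipped. As an added example, not part of the original article or of any EHR product, the Python below runs four review checks over a constructed EHR access audit trail: access by a user who has left the practice, access by a user who is not on the roster at all, after-hours access by a role that has no on-call reason to be in the chart, and bulk access to many distinct patient records in one day. The CSV layout, the roster, the business-hours window, the on-call roles and the bulk threshold are all assumptions; real EHR audit exports differ, so adapt parse_audit to your vendor's format.

```python
import csv
from collections import defaultdict
from datetime import datetime, date, time
from io import StringIO

# Constructed staff roster (assumed): user -> (role, last day of employment or None).
ROSTER = {
    "jsmith": ("nurse", None),
    "dkim":   ("physician", None),
    "mpatel": ("billing", None),
    "rlee":   ("front_desk", date(2014, 3, 14)),   # left the practice; account should be inactive
}

# Assumed policy parameters; tune to the practice.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
ON_CALL_ROLES = {"physician", "nurse"}     # roles with a legitimate reason to chart after hours
BULK_THRESHOLD = 20                         # distinct patients per user per day before asking why

# Constructed sample audit trail (CSV, local timestamps). Not real EHR output.
SAMPLE_AUDIT = "timestamp,user,action,patient_id\n" + "\n".join([
    "2014-03-17T08:55:12,jsmith,view,P1001",
    "2014-03-17T09:02:40,dkim,view,P1001",
    "2014-03-17T09:10:03,rlee,view,P1002",      # access after last day of employment
    "2014-03-17T22:05:00,dkim,view,P1005",      # after hours, but a physician on call
    "2014-03-17T23:41:19,mpatel,view,P1003",    # after hours, billing role
    "2014-03-18T09:30:00,ghost,view,P1006",     # user not in the roster at all
] + [f"2014-03-18T10:{i:02d}:00,mpatel,view,P2{i:03d}" for i in range(25)]) + "\n"


def parse_audit(text: str) -> list[dict]:
    """Parse the CSV audit trail into events with real datetime objects."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "action": row["action"],
            "patient_id": row["patient_id"],
        })
    return events


def review_audit_trail(events: list[dict], roster: dict) -> list[dict]:
    """Return findings for the reviewer; each is a dict with rule, user, when and detail."""
    findings = []
    seen = defaultdict(set)      # (user, day) -> distinct patient ids touched that day
    for e in events:
        role, last_day = roster.get(e["user"], (None, None))
        when = e["ts"].isoformat()
        if role is None:
            findings.append({"rule": "unknown_user", "user": e["user"], "when": when,
                             "detail": f"no roster entry; accessed {e['patient_id']}"})
            continue
        if last_day is not None and e["ts"].date() > last_day:
            findings.append({"rule": "inactive_user", "user": e["user"], "when": when,
                             "detail": f"account should have been disabled on {last_day}"})
        in_hours = BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]
        if role not in ON_CALL_ROLES and not in_hours:
            findings.append({"rule": "after_hours", "user": e["user"], "when": when,
                             "detail": f"{role} accessed {e['patient_id']} outside business hours"})
        seen[(e["user"], e["ts"].date())].add(e["patient_id"])
    for (user, day), patients in sorted(seen.items()):
        if len(patients) >= BULK_THRESHOLD:
            findings.append({"rule": "bulk_access", "user": user, "when": day.isoformat(),
                             "detail": f"{len(patients)} distinct patients in one day"})
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(parse_audit(SAMPLE_AUDIT), ROSTER):
        print(f"{f['when']}  {f['rule']:<13} {f['user']:<8} {f['detail']}")
```

Each finding is a question for the security officer, not a verdict: a billing clerk working late may be legitimate, but the review should record that the question was asked and answered, since that record is what an OCR investigator will look for.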

Dave Kunz is vice president, sales, for Technical Doctor, Inc., Arlington Heights, Ill., a healthcare IT company that specializes in HIPAA-compliant solutions. For more information, visit www.technicaldr.com

March 2014 Issue


Group slapped with $6.8M HIPAA fine | Healthcare IT News


Federal HIPAA civil penalties may be capped at $1.5 million per year for all violations of an identical provision, but there are also state and regional fines for those disregarding privacy and security laws.


Case in point: Triple-S Management Corp., a San Juan-based insurance holding company, which was recently hit with $6.8 million in penalties for improperly handling the medical records of some 70,000 individuals, according to HHS data and a Caribbean Business report.


Triple-S reportedly mailed letters to its Medicare Advantage patients with the Medicare numbers visible from the outside.


Puerto Rico's Health Insurance Administration imposed the fines on the company over a breach that occurred in September of last year. This is the second big HIPAA breach for Triple-S, which currently handles the benefits for some 2.2 million people, according to HHS data.


The federal HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach.


As far as federal investigations underway, HHS spokesperson Rachel Seeger told Healthcare IT News the investigations involving the breaches at Triple-S Salud are still open and under investigation. "We cannot comment further on the status of these cases at this time," she said.


"The (Puerto Rico Health Insurance Administration) in its obligation to ensure the privacy and integrity of your protected health information reiterates its commitment to comply with its affiliates to prevent situations like this from recurring in the future," read a notice on Puerto Rico's Health Insurance Administration website.


Puerto Rico HIPAA-covered entities and business associates have been responsible for breaching the medical records of nearly 699,000 individuals since 2008.


Nationwide, some 29.3 million individuals have been affected by a HIPAA privacy or security breach.


Technical Dr. Inc.'s insight:

Is your practice HIPAA Compliant?  Have a risk assessment done today by Technical Doctor to find out.  Contact inquiry@technicaldr.com for more information.  

- The Technical Doctor Team


University of Miami Health System loses patient records | HealthITSecurity.com


The University of Miami Health System (UHealth) has lost patient records containing protected health information (PHI), according to a report by Miami New Times. The Health System, which is one of Southern Florida’s largest health providers, learned of the missing records on June 27, 2013, but has only recently begun to notify patients.

While UHealth has not disclosed the number of missing records, it has announced that the files contained patient names, dates of birth, physician’s name, insurance company name, medical record number, visited facility, visit number, procedures, diagnostic codes, and Social Security numbers. The records were described as billing vouchers, and medical records were not believed to be at risk.

In June, the Department of Otolaryngology contacted an off-site storage vendor to locate the records, but the vendor was unable to do so. After searching for the records, the health system confirmed on August 28, 2013 that the files were lost. Affected patients were notified this week.

UHealth has not received any reports of misused information, but they are offering affected patients credit monitoring services. However, considering the fact that patients are only being notified of the event over six months later, it is unlikely that affected patients would have connected any potential fraud to the hospital prior to notification.

According to UHealth’s statement, it will report the incident to the Department of Health and Human Services (HHS):

"At the University of Miami Health System, we take the privacy and security of our patients’ information very seriously. We continue to review and refine our physical and electronic safeguards to enhance protection of all patient data. We are committed to protecting all information entrusted to us, and pursuant to the Federal HITECH Breach Notification Rule, we will report this incident to the U.S. Department of Health and Human Services."


Top 10 Myths of Security Risk Analysis | Providers & Professionals | HealthIT.gov


As with any new program or regulation, there may be misinformation making the rounds. The following is a top 10 list distinguishing fact from fiction.

1. The security risk analysis is optional for small providers.

  • False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

2. Simply installing a certified EHR fulfills the security risk analysis MU requirement.

  • False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

3. My EHR vendor took care of everything I need to do about privacy and security.

  • False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

4. I have to outsource the security risk analysis.

  • False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge, which may be obtained through the services of an experienced outside professional.

5. A checklist will suffice for the risk analysis requirement.

  • False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

6. There is a specific risk analysis method that I must follow.

  • False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

7. My security risk analysis only needs to look at my EHR.

  • False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

8. I only need to do a risk analysis once.

  • False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see Reassessing Your Security Practices in a Health IT Environment.

9. Before I attest for an EHR incentive program, I must fully mitigate all risks.

  • False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

10. Each year, I’ll have to completely redo my security risk analysis.

  • False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.


Technical Dr. Inc.'s insight:

Have you had a Risk Analysis done yet?  As a required item for Meaningful Use, it is important to get this taken care of immediately.  Contact us at inquiry@technicaldr.com today to get your risk analysis scheduled!

- The Technical Doctor Team


How a stolen USB memory stick led to $150k HIPAA settlement for a small practice


As we start 2014, HIPAA compliance remains an important and ongoing concern for dental practices large and small. Last year was an active one for publicized security breaches and, despite frequent admonitions from the gurus, all signs point to more HIPAA news for the coming year.

Many security breaches happened as a result of relatively mundane situations made worse by a lack of properly implemented security controls. One common culprit is encryption (or more precisely, the lack of it), which remains an under-implemented safeguard regardless of an organization’s size or sophistication. This is especially true for portable devices such as USB memory sticks, external hard drives, smartphones, and tablets. Encryption also matters after the fact: under the HHS guidance on unsecured PHI, the loss or theft of a device whose ePHI is encrypted consistent with that guidance is not a reportable breach, which is the single strongest argument for encrypting portable media before anyone copies data to it.

Case in point: In late 2011, a small dermatology practice based in Massachusetts notified the Department of Health and Human Services (HHS) following the theft of an unencrypted USB memory drive containing electronic protected health information (ePHI) of about 2,200 individuals.

Though there is no evidence that the ePHI on the USB device was accessed or disclosed by an unauthorized person, HHS announced at the end of 2013 a $150,000 settlement with the practice for alleged HIPAA violations discovered during the investigation that followed the reported breach. The settlement also included an aggressive corrective action plan (CAP) to bring the practice into compliance.

Unfortunately for the practice, the investigation following the breach uncovered additional alleged HIPAA violations, and these findings ultimately led to the costly settlement.

Did you notice how things escalated when this incident came to the regulators’ attention? HIPAA breaches are like that. It reminds us to make the investment in time and resources. Whether it’s portable storage devices, copier machines, or laptops, nothing is immaterial when it comes to safeguarding sensitive patient data.


What can your organization do to avoid a similar outcome?

• Conduct a review of the types of portable devices (USB drives, external hard drives, laptops, tablets, smartphones) you use to store PHI. Are these devices properly encrypted? If not, are the files encrypted?

• Ensure documented policies and procedures are in place, being followed, and reflect actual practices.

• Make sure to regularly train your workforce on all relevant HIPAA compliance topics.

• Regularly review your organization’s portable devices to ensure encryption is installed and operational.

• Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities, and controls have been considered.
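The portable-device review above (and items 17 and 23 of the earlier checklist) can be turned into a repeatable check rather than a once-a-year walk around the office. The following Python script is an added example, not code from this article, from Technical Doctor or from HHS: on a Linux workstation it parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT` prints and reports every filesystem on removable media that is neither a LUKS container nor mounted through a dm-crypt mapping. The embedded lsblk output is constructed for the example; the device names, mount points and severity labels are assumptions.

```python
"""Audit removable block devices for plaintext filesystems.

Added example, not code from the original article: parses the JSON
printed by `lsblk -J -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT` on Linux and
flags any removable device whose filesystem is neither a LUKS container
nor mounted through a dm-crypt ("crypt") mapping.
"""
import json
import subprocess

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,RM,MOUNTPOINT"

# Constructed sample output (assumption, not captured from a real host):
#   sda  internal disk, LUKS-encrypted root              -> not removable, ignored
#   sdb  USB stick, LUKS container opened as usb_secure  -> encrypted, compliant
#   sdc  USB stick, plain FAT filesystem, mounted        -> HIGH finding
#   sdd  removable disk, plain NTFS, plugged in, unmounted -> MEDIUM finding
SAMPLE_LSBLK_JSON = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "rm": False, "mountpoint": None,
     "children": [
         {"name": "sda1", "type": "part", "fstype": "vfat", "rm": False, "mountpoint": "/boot/efi"},
         {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "rm": False, "mountpoint": None,
          "children": [{"name": "root", "type": "crypt", "fstype": "ext4", "rm": False,
                        "mountpoint": "/"}]}]},
    {"name": "sdb", "type": "disk", "fstype": None, "rm": True, "mountpoint": None,
     "children": [
         {"name": "sdb1", "type": "part", "fstype": "crypto_LUKS", "rm": True, "mountpoint": None,
          "children": [{"name": "usb_secure", "type": "crypt", "fstype": "ext4", "rm": False,
                        "mountpoint": "/media/staff/usb_secure"}]}]},
    {"name": "sdc", "type": "disk", "fstype": None, "rm": True, "mountpoint": None,
     "children": [
         {"name": "sdc1", "type": "part", "fstype": "vfat", "rm": True,
          "mountpoint": "/media/staff/KINGSTON"}]},
    {"name": "sdd", "type": "disk", "fstype": "ntfs", "rm": True, "mountpoint": None},
]})


def _is_removable(node):
    # Newer util-linux emits JSON booleans for RM; older releases emit "0"/"1" strings.
    return node.get("rm") in (True, 1, "1")


def _leaf_filesystems(node, under_crypt=False, chain=()):
    """Yield every leaf filesystem below node, tagged with whether a dm-crypt
    mapping sits anywhere on the path from the physical device down to it."""
    chain = chain + (node["name"],)
    under_crypt = under_crypt or node.get("type") == "crypt"
    children = node.get("children") or []
    if children:
        for child in children:
            yield from _leaf_filesystems(child, under_crypt, chain)
    elif node.get("fstype"):
        yield {"chain": "/".join(chain), "fstype": node["fstype"],
               "mountpoint": node.get("mountpoint"), "under_crypt": under_crypt}


def audit_removable_media(lsblk_json):
    """Return one finding per plaintext filesystem found on removable media.

    A closed LUKS container (fstype crypto_LUKS with no children) counts as
    encrypted, as does any filesystem reached through a crypt node. Anything
    else on a removable device is a finding; a mounted plaintext filesystem
    is 'high' because data may already be flowing onto it.
    """
    findings = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        if not _is_removable(dev):
            continue
        for fs in _leaf_filesystems(dev):
            if fs["under_crypt"] or fs["fstype"] == "crypto_LUKS":
                continue
            fs["severity"] = "high" if fs["mountpoint"] else "medium"
            findings.append(fs)
    return findings


def audit_live_system():
    """Run lsblk on this host (Linux only) and audit the real device tree."""
    out = subprocess.run(["lsblk", "-J", "-o", LSBLK_COLUMNS],
                         check=True, capture_output=True, text=True).stdout
    return audit_removable_media(out)


if __name__ == "__main__":
    for f in audit_removable_media(SAMPLE_LSBLK_JSON):
        print(f"{f['severity'].upper():6} {f['chain']} ({f['fstype']}) "
              f"mounted at {f['mountpoint'] or '-'}: plaintext filesystem on removable media")
```

Run it with no arguments to audit the constructed sample, or call audit_live_system() on a real Linux host (from cron, with the findings shipped to whoever holds the security-officer role from the checklist). On Windows the equivalent evidence comes from `manage-bde -status`, whose text output needs a different parser. Note that a LUKS header on a stick only proves encryption is installed, not that staff are actually using the encrypted volume, which is why the script treats a plaintext filesystem mounted from removable media as the high-severity case.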

Technical Dr. Inc.'s insight:

HIPAA Compliance is no joking matter.  If you haven't had a HIPAA Risk Assessment done on your practice, contact Technical Doctor today to get that scheduled.  You can reach us at inquiry@technicaldr.com or 877-910-0004.

-The Technical Doctor Team


Of Meaningful Use – I wouldn’t remove anything! | EMR and HIPAA


The following is a guest blog post by Joel Kanick in response to the question I posed in my “State of the Meaningful Use” call to action.

If MU were gone (i.e., no more EHR incentive money or penalties), which parts of MU would you remove from your EHR immediately, and which parts would you keep?

Joel Kanick
President and CEO of Kanick And Company and Lead Developer and Chief Architect of interfaceMD

In fact, the pursuit of Meaningful Use (MU) certification has given our company many new ideas that allowed us to go above and beyond the bar MU already set.

Initially, doctors bought into EMRs for the financial incentive. Now that they are educated consumers, they want everything that was promised to them to work for them. Doctors have learned that EMRs are only one small part of the Healthcare Information Technology (HIT) puzzle. They need help putting the rest of the puzzle together.

No one is complaining about MU regarding the direction it is taking healthcare or HIT industries.

Any complaining that comes from a vendor is usually because their technology is outdated and behind the technology curve. They are angry because MU is calling them out. So, shame on vendors for becoming rich, fat and lazy, and not keeping with current technology.

Of the complaints I hear from providers, there are two scenarios:

First scenario: the providers who resent the government telling them how to practice medicine. However, upon deeper review, these providers already ask and track most of these data points. They just don’t like the way it has been required and thus crammed into their current systems. I understand their anger; they were not consulted as to how to fit all this into their workflow, and so it is cumbersome to use.

Second scenario, the providers’ office is still using fax machines, some required by their EMR vendor. They are still dictating (PCs, iPhone apps, phone recorders) all their exam data and still relying on paper charts. In practices of all sizes, providers complain of MU because they don’t want to change how they operate their business. After all, they have been doing it this way for many years, successfully. They complain of this change because they fear the unknown.

They are doctors; highly skilled and highly educated in medicine but not in business or technology. I see so many doctors closing their privately held medical practices to join a group practice or a hospital setting. Most will freely admit that it’s because they don’t want to address the fear and go through the anticipated pain of migrating to a paperless environment. They don’t know how to choose or maintain the system, with or without MU.

What I know MU is positively doing:

  • Setting a standard language (i.e., XML)
  • Setting a standard format (i.e., HL7)
  • Setting a secure communication channel (i.e., Direct Protocol)
  • Requiring patient portals to potentially aid in convenience to the patient and lower the workload on office staff
  • Creating a standard method to share data electronically (i.e., CCDA)
  • Demanding security and encryption and planning for emergency scenarios
  • Utilizing eRx to reduce fraud, abuse and increase safety in drugs that are prescribed
  • Reducing paperwork (e.g., lab requests), speeding up information delivery (e.g., lab results electronically instead of by paper delivery)
  • Promoting communication to educate patients
  • Demanding reconciliation of data when exchanged between two organizations to make certain correct information is gained

Selfishly, from my point of view, the largest complaint regarding MU2 is that it requires that all pertinent health information be exported and imported in a standard format, allowing providers to easily change EMR vendors. This MU requirement should scare some EMR vendors!

Effectually, MU is pushing change and as a result it is getting a bad rap.
