HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
HIPAA Risk Analysis Tip – Yes, Risk-Analyze Printers, Copiers and Scanners

Affinity Health Plan (AHP) is a not-for-profit managed care plan serving the New York metropolitan area.  Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the electronic protected health information (ePHI) of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on their copier hard drives.

The Problem

According to the AHP Settlement Agreement / Corrective Action Plan, OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):

  1. AHP impermissibly disclosed the ePHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.
  2. AHP failed to assess and identify the potential security risks and vulnerabilities of ePHI stored in the photocopier hard drives.
  3. AHP failed to implement its policies for the disposal of ePHI with respect to the aforementioned photocopier hard drives.

Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.  Here’s a link to the 60 Minutes video story Digital Photocopiers Loaded With Secrets.

The Solution

HIPAA Covered Entities and Business Associates are statutorily obligated to fully comply with all standards and implementation specifications in the HIPAA Security Rule.  The Risk Analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) requires that organizations identify and prioritize exposures that may compromise the confidentiality, integrity and availability of ePHI.

When conducting the Risk Analysis, an organization must consider exposures to all information assets that create, receive, maintain or transmit ePHI.  Copiers, scanners and printers that contain ePHI must be included in this analysis.

As with any other information asset and/or underlying media type, one needs to carefully consider the threats and vulnerabilities related to hard drives stored in copiers, scanners and printers.  For example, the absence of controls to prevent the “improper destruction, disposal or reuse of copier hard drives” could allow, as it did in the case of AHP, unauthorized access to ePHI.  Such access compromises the confidentiality of that ePHI; in this case, of roughly 345,000 health plan members.

Controls that might have been implemented had AHP completed a bona fide risk analysis might include, but not be limited to: encryption of the copier hard drives, media re-use and disposal policy and procedures, security/privacy awareness and training and change control processes.
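A media re-use and disposal procedure is only as good as the check that runs before the device leaves the building. The script below is an added example, not code from the original post: it scans a raw image of a copier, scanner or printer drive for the file signatures such devices typically write (PDF, JPEG, TIFF, PNG) and counts sectors that are not all zeros, so a drive whose job files were merely deleted rather than overwritten is caught. The 64 KiB image, the sector size and the signature table are constructed assumptions for the example.

```python
"""Check a raw drive image for residual document data before a leased
copier, scanner or printer goes back to the vendor.

Added example, not code from the original post. The 64 KiB image below
is constructed; the sector size and the signature table are assumptions.
"""
import io
import sys
from typing import BinaryIO

SECTOR = 512  # assumed sector size, used for reporting only

# Magic bytes at the start of formats commonly found on MFP drives.
SIGNATURES = {
    "pdf": b"%PDF-",
    "jpeg": b"\xff\xd8\xff",
    "tiff_le": b"II*\x00",
    "tiff_be": b"MM\x00*",
    "png": b"\x89PNG\r\n\x1a\n",
}


def scan_image(stream: BinaryIO, chunk_size: int = 1 << 20) -> dict:
    """Scan a raw image and report signature hits and non-zero sectors.

    chunk_size must be a multiple of SECTOR so sector counts line up.
    The last few bytes of the previous read are prepended to each chunk
    so a signature split across two reads is still found; the set of
    hits de-duplicates anything reported twice because of that overlap.
    """
    if chunk_size % SECTOR:
        raise ValueError("chunk_size must be a multiple of SECTOR")
    overlap = max(len(m) for m in SIGNATURES.values()) - 1
    hits = set()
    nonzero_sectors = 0
    total_sectors = 0
    offset = 0
    tail = b""
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf = tail + data
        base = offset - len(tail)
        for name, magic in SIGNATURES.items():
            i = buf.find(magic)
            while i >= 0:
                hits.add((base + i, name))
                i = buf.find(magic, i + 1)
        # Sector accounting uses only the fresh bytes of this read.
        for s in range(0, len(data), SECTOR):
            total_sectors += 1
            if data[s:s + SECTOR].strip(b"\x00"):
                nonzero_sectors += 1
        tail = buf[-overlap:]
        offset += len(data)
    return {
        "signatures": sorted(hits),
        "nonzero_sectors": nonzero_sectors,
        "total_sectors": total_sectors,
        # Assumes a zero-fill overwrite; after a random-pattern or
        # cryptographic erase only the signature hits are meaningful.
        "sanitized": not hits and nonzero_sectors == 0,
    }


def scan_bytes(image: bytes, chunk_size: int = 1 << 20) -> dict:
    """Convenience wrapper for in-memory images."""
    return scan_image(io.BytesIO(image), chunk_size)


def build_sample_image(sanitized: bool) -> bytes:
    """Constructed 64 KiB image. The unsanitized variant carries a
    deleted-but-not-overwritten JPEG scan header straddling a 4 KiB
    boundary and a PDF header; the sanitized variant is all zeros."""
    img = bytearray(64 * 1024)
    if not sanitized:
        img[4094:4094 + 11] = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
        img[20480:20480 + 8] = b"%PDF-1.4"
    return bytes(img)


if __name__ == "__main__":
    # Usage: python verify_wipe.py /dev/sdX   (or a dd image of the drive)
    with open(sys.argv[1], "rb") as f:
        report = scan_image(f)
    for off, kind in report["signatures"]:
        print(f"{kind} header at byte {off} (sector {off // SECTOR})")
    print(f"{report['nonzero_sectors']}/{report['total_sectors']} sectors non-zero;"
          f" sanitized={report['sanitized']}")
```

Two caveats a practitioner should keep in mind. First, the check inspects the drive as the host sees it; a copier that keeps ePHI on a controller-managed flash area the OS cannot read still needs vendor-documented sanitization or physical destruction. Second, a three-byte magic such as the JPEG marker will occasionally match by chance in random-filled or cryptographically erased media, so a single hit there warrants a look at the sector, not automatic failure.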

The Results of Doing a Bona Fide Risk Analysis

According to NIST Special Publication 800-30 Revision 1 Guide for Conducting Risk Assessments , a Risk Analysis is “the process of identifying, prioritizing, and estimating risks to organizational operations”.  Done properly, all risks to all information assets and underlying media are identified so that an organization can make informed decisions about how to treat their risks.  I am sure the people at AHP are competent professionals who simply didn’t have the benefit of knowing about this specific exposure related to copier hard drives.  Don’t get caught in the same place — complete a robust, bona fide HIPAA Risk Analysis ASAP and update it on an annual basis.




Unencrypted Laptops Prove Costly | HIPAA, HITECH & HIT

Is the PHI on all your mobile devices encrypted?  If not, here’s another two million reasons to make encryption your top priority. The Office of Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that they had imposed nearly $2 million in penalties on two entities as a result of the theft of unencrypted laptops.

As previously noted in this blog, theft or loss of laptops or other portable electronic devices remains a predominant factor in HIPAA breaches, constituting 57.5% of the approximately 400 breaches on the OCR list that involved reported theft or loss as of August 2013.

In the first incident, Concentra Health Services was fined $1,725,220 and agreed to adopt a corrective action plan after an OCR investigation following a report of the theft of an unencrypted laptop from a physical therapy clinic.  According to the press release,

“OCR’s investigation revealed Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.”

This isn’t Concentra’s first experience with laptop theft. The OCR list of Breaches Affecting 500 or More Individuals (also known as the “Wall of Shame”) includes two prior similar incidents, one in 2009 and another in 2011. (It is unclear whether this theft was related to the 2011 incident). Modern Healthcare reports that Concentra reported 16 additional breaches involving fewer than 500 individuals’ records.  So, although 434 out of 597 laptops had been encrypted according to HealthITSecurity.com, a batting average of .726 wasn’t good enough given their status as repeat offenders. Concentra’s resolution agreement, including the Corrective Action Plan, is available here and is worth reading.  Among other conditions, OCR requires that the company provide an update regarding its encryption status, including the percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted and an explanation for the percentage of devices and equipment that are not encrypted.

The company’s incomplete and inadequate implementation of compliance steps after known vulnerabilities had been identified may also have contributed to the severity of the penalty.  One of the worst things a covered entity or business associate can do is to engage in a half-hearted compliance effort that documents knowledge of uncorrected problems.

In the second case, Arkansas-based QCA Health Plan reported the theft of an unencrypted laptop containing records of 148 individuals. OCR noted that its investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to pay $250,000 and implement upgraded security procedures and employee training. QCA’s Resolution Agreement and Corrective Action Plan is here. This case marks only the second time OCR has fined an entity for a breach involving less than 500 individuals’ PHI, following the Hospice of North Idaho settlement.

One lesson is clear from both incidents: if these laptops had been encrypted in accordance with NIST standards, neither entity would have been subjected to fines and additional government oversight.  As enforcement continues to ramp up and target both Covered Entities and Business Associates, and as the use of mobile devices continues to increase, there is no excuse to delay full implementation of encryption.  Encryption isn’t a panacea, but it’s as close as you can get in the HIPAA compliance world.
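The status update OCR demanded from Concentra (the percentage of devices encrypted, with an explanation for every one that is not) is easier to produce when the answer comes from the machines rather than from a spreadsheet. The script below is an added example, not code from the original post or from either organization: it reads `lsblk --json` output on a Linux host and decides, for each mount point the asset inventory says holds ePHI, whether a dm-crypt (LUKS) layer sits beneath it. The lsblk output, the mount list and the assumption that encryption is done with dm-crypt are constructed for the example.

```python
"""Report full-disk-encryption coverage for the mount points that hold
ePHI, from `lsblk --json` output.

Added example, not code from the original post. Assumes Linux hosts
using dm-crypt/LUKS, which lsblk shows as a device of type "crypt".
The lsblk output and the mount list below are constructed.
"""
import json
import subprocess

# Constructed `lsblk --json -o NAME,TYPE,MOUNTPOINT` output for one host:
# LVM-on-LUKS for / and /srv/ehr, plus a plain USB disk mounted at /mnt/scans.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg0-data", "type": "lvm", "mountpoint": "/srv/ehr"}]}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/mnt/scans"}]}
]}
""")

# Constructed inventory: mount points the asset register says hold ePHI.
PHI_MOUNTS = ["/", "/srv/ehr", "/mnt/scans", "/mnt/archive"]


def _walk(devices, chain=()):
    """Yield (device, chain), where chain is the tuple of device types
    from the physical disk down to and including this device."""
    for dev in devices:
        here = chain + (dev.get("type"),)
        yield dev, here
        yield from _walk(dev.get("children", []), here)


def encryption_status(lsblk_json, phi_mounts):
    """Classify each ePHI mount point as 'encrypted' (a crypt layer is
    somewhere beneath it), 'PLAINTEXT' (no such layer) or 'missing' (not
    mounted on this host), so an absent disk is never counted as encrypted."""
    status = {m: "missing" for m in phi_mounts}
    for dev, chain in _walk(lsblk_json["blockdevices"]):
        # Newer lsblk builds can emit "mountpoints" (a list); older ones
        # and the explicit column list used below emit "mountpoint".
        mountpoints = dev.get("mountpoints") or [dev.get("mountpoint")]
        for mp in mountpoints:
            if mp in status:
                status[mp] = "encrypted" if "crypt" in chain else "PLAINTEXT"
    return status


def coverage(status):
    """The figures a CAP-style status update asks for: how many ePHI
    volumes are encrypted, the percentage, and the exceptions that need
    a written explanation."""
    encrypted = sum(1 for s in status.values() if s == "encrypted")
    exceptions = sorted(m for m, s in status.items() if s != "encrypted")
    return {
        "encrypted": encrypted,
        "total": len(status),
        "percent": round(100.0 * encrypted / len(status), 1) if status else 0.0,
        "exceptions": exceptions,
    }


def host_report(phi_mounts):
    """Run lsblk on the current host and return (status, coverage)."""
    out = subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    status = encryption_status(json.loads(out), phi_mounts)
    return status, coverage(status)


if __name__ == "__main__":
    status, summary = host_report(PHI_MOUNTS)
    for mount, state in status.items():
        print(f"{mount:20} {state}")
    print(f"{summary['encrypted']}/{summary['total']} encrypted ({summary['percent']}%);"
          f" exceptions: {summary['exceptions']}")
```

Run per host from the endpoint management tool and aggregate the `coverage` output by facility to get the per-site breakdown the Concentra CAP calls for. Note that a "missing" result is deliberately treated as an exception: a laptop whose data volume is not mounted at audit time proves nothing about encryption, and the easiest way to get a flattering percentage is to count only what happens to be present.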


http://www.govhealthit.com/news/fed-privacy-enforcers-sock-health-org-17m-penalty

The HHS Office for Civil Rights has announced settlements today with two healthcare organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen.
 
The biggest of the two fines, levied against Concentra Health Services, called for $1,725,220 to settle potential violations and required Concentra to "adopt a corrective action plan to evidence their remediation of these findings," according to HHS.
 
"Covered entities and business associates must understand that mobile device security is their obligation," OCR officials said in the settlement.
 
The mega-penalty is meant to drive home the point that unencrypted laptops and mobile devices pose significant risks to the security of patient information, said Susan McAndrew, OCR’s deputy director of health information privacy.
 
"Our message to these organizations is simple: Encryption is your best defense against these incidents," she said.
 
Concentra's OCR investigation followed a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.
 
The probe found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.
 
Steps were taken to begin encryption, but Concentra’s efforts were "incomplete and inconsistent over time," according to an HHS press release, leaving patient PHI vulnerable throughout the organization.
 
In addition, OCR’s investigation found that Concentra had not put in place sufficient security management processes to protect that information.
 
Meanwhile, OCR received a breach notice in February 2012 from Arkansas-based QCA Health Plan, reporting that an unencrypted laptop with the PHI of 148 individuals was stolen from an employee's car.
 
QCA encrypted its devices following discovery of the breach, but OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rule, beginning from the compliance date of the security rule in April 2005 and ending in June 2012.
 
To make amends, QCA has agreed to a $250,000 settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its PHI. It is also required to retrain its workforce and document its ongoing compliance efforts.
 
Speaking earlier this year at HIMSS14, McAndrew made it clear that "compliance and enforcement is really where the action is going to be," in 2014.
 
After recounting whopping OCR settlements from the past year, such as WellPoint's $1.7 million fine for leaving PHI viewable online, and Affinity Health Plan's $1.2 million fine for failing to properly dispose of a photocopier, she said she expected more big settlement numbers would be in the offing.
 
But McAndrew had little sympathy for HIPAA transgressors. "This is just common IT stuff," she said, adding that stiff penalties could be avoided by simply "(paying) attention to details."
 
To help other health organizations avoid these fines, OCR has set up six educational programs for providers on compliance with various aspects of the HIPAA Privacy and Security Rule. Each is available with free continuing medical education credits for physicians and continuing education credits for healthcare professionals. Learn more here.

Colleagues In Cuffs: When Employees Steal Patient Records - InformationWeek


The Queens County DA recently arrested two Jamaica Hospital employees for stealing patient data, a lucrative crime occurring at hospitals across the nation.

The Queens, N.Y., district attorney recently charged two employees of Jamaica Hospital Medical Center with illegally accessing emergency room patients' medical records and personal identification information, and selling that data to individuals who then solicited services such as outpatient care or legal assistance -- sometimes while patients were still in the ER.

“These defendants are accused of blatantly violating their HIPAA obligations and illegally trolling through confidential patient records. Their alleged actions led to patients who were seeking treatment for injuries unwittingly being victimized again with the illegal release of their personal information and medical records," said DA Richard Brown, in a statement.

Defendants Maritza Amador, 44, and Dache Prawl, 45, were registrars at the Queens, N.Y., hospital's ER. Allegedly the duo illegally accessed personal information, including Social Security numbers and medical data, and passed that information to people who falsely represented themselves as representatives of the hospital to patients. These individuals offered transportation to outpatient therapy, attorney services related to car accident injuries, and follow-up medical treatment, the DA charges. They were released without bail and their next court date is May 20, the Queens County DA's office told InformationWeek.


The Health Insurance Portability and Accountability Act (HIPAA) and the regulations that have grown up around it set high standards. Yet this is not the first -- and, no doubt, won't be the last -- time employees allegedly stole patient data.

In May 2013, a physician and office worker reportedly quit Pensacola, Fla.-based Sight and Sun Eyeworks without notice; they allegedly took with them 9,000 patient records and Social Security numbers, which they used to reschedule patients' appointments at their new practice, local media reported.  



In San Francisco, a city employee allegedly sent the confidential data of about 2,500 Medi-Cal recipients to her home computer in an effort to combat her dismissal for "poor performance." The worker's attorneys and union representatives also saw the data, which included patient information and Social Security numbers. In another case, a former benefits clerk for United Healthcare Workers West was sentenced to 12 years and four months in prison for stealing the data of about 30,000 union employees of Kaiser Permanente in California. Crooks used the data to buy merchandise valued at more than $1 million, according to a published report.

A Miami respiratory therapist reportedly sold patients' personal information for up to $150 per person; buyers then used the data to illegally file and claim patients' tax returns, Florida media said. Tallahassee Memorial Hospital offered identity protection services to more than 100 patients after discovering a hospital employee illegally accessed data for a fraudulent tax scheme.

Despite many instances of malicious breaches, 75% of healthcare organizations believe employee negligence is their biggest security concern, according to the Fourth Annual Ponemon Report on Patient Privacy and Data Security. In 2013, 12% of organizations reported a malicious insider breached patient security, compared with 14% in both 2012 and 2011, the research firm said. The average cost of a data breach last year? Almost $2 million, down slightly from the prior year, Ponemon estimated.

Healthcare organizations will spend about $70 billion on security in 2017, a whopping 75% increase from $40 billion in 2012, according to the Boyd Company. Yet protecting data from greedy, careless, or disgruntled employees is, in some ways, more challenging than safeguarding records from external threats.

IT departments must ensure users only access records necessary for their roles and responsibilities, promptly changing authorizations when an employee's job changes and cutting off all access when an employee leaves the organization.

In addition, managers, colleagues, and human resource departments -- as well as monitoring tools and alarms -- must put extra focus on unhappy employees. A mindboggling 85% of employees are not satisfied with their jobs and only 13% are actively engaged, according to Gallup's "State of the Global Workplace" report. Of those dissatisfied employees, 24% are "actively disengaged," meaning they proactively undermine colleagues' work and, perhaps, help themselves to patient data to pad their bank accounts or wreak havoc on their employer.

Installing firewalls and locking down databases doesn't work if thieves have the keys or designed the infrastructure. To secure patient data, IT must ensure information is safe from everyone, even colleagues in the department across the hall. 
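The controls the article describes (role-bound access, prompt deprovisioning, and monitoring that pays extra attention to misuse) can be turned into concrete detection logic over the EHR audit trail. The script below is an added example, not code from the original article or from any of the organizations named in it. It runs three checks over constructed audit log lines: access by an account HR lists as terminated or does not list at all, access to a patient outside the user's assigned unit, and a daily volume of distinct patient records far above what the role needs. The roster, the per-role limits, the field names and the log lines are all assumptions made for the example.

```python
"""Flag insider misuse in an EHR access audit log.

Added example, not code from the original article. The roster, role
limits, field names and log lines are constructed for the example.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed HR roster: user -> (role, unit, status).
ROSTER = {
    "registrar01": ("registrar", "ER", "active"),
    "registrar02": ("registrar", "ER", "active"),
    "nurse07": ("nurse", "ICU", "active"),
    "clerk33": ("clerk", "BILLING", "terminated"),
}

# Assumed ceiling on distinct patient records per user per day, by role.
# In production this would come from each role's historical baseline.
ROLE_LIMITS = {"registrar": 40, "nurse": 25, "clerk": 15}

# Constructed audit log. The first rows hold the hand-written cases; the
# generated tail gives registrar02 45 distinct lookups in one morning.
AUDIT_LOG = "\n".join(
    [
        "ts,user,action,patient_id,patient_unit",
        "2014-04-10T08:02:11,registrar01,view,P1001,ER",
        "2014-04-10T08:05:40,registrar01,view,P1002,ER",
        "2014-04-10T08:15:03,nurse07,view,P3001,ICU",
        "2014-04-10T08:20:19,nurse07,view,P1002,ER",
        "2014-04-10T09:41:00,clerk33,view,P1001,ER",
    ]
    + [
        f"2014-04-10T{9 + i // 12:02d}:{(i % 12) * 5:02d}:00,registrar02,view,P2{i:03d},ER"
        for i in range(45)
    ]
)


def parse_log(text):
    """Parse CSV audit lines into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def detect(rows, roster=ROSTER, limits=ROLE_LIMITS):
    """Return per-row findings in log order, then one volume finding per
    user and day whose distinct-patient count exceeds the role limit."""
    findings = []
    seen = defaultdict(set)  # (user, day) -> distinct patient ids
    for r in rows:
        user, entry = r["user"], roster.get(r["user"])
        if entry is None or entry[2] != "active":
            findings.append({
                "rule": "inactive_account", "user": user, "ts": r["ts"],
                "patient": r["patient_id"],
                "status": entry[2] if entry else "not in roster",
            })
            continue  # an account that should not exist needs no further checks
        role, unit, _ = entry
        if r["patient_unit"] != unit:
            findings.append({
                "rule": "cross_unit", "user": user, "ts": r["ts"],
                "patient": r["patient_id"], "unit": unit,
                "patient_unit": r["patient_unit"],
            })
        seen[(user, r["ts"][:10])].add(r["patient_id"])
    for (user, day), patients in seen.items():
        limit = limits.get(roster[user][0], 0)
        if len(patients) > limit:
            findings.append({
                "rule": "volume", "user": user, "day": day,
                "count": len(patients), "limit": limit,
            })
    return findings


def summarize(findings):
    """Count findings by rule and by user for a daily review report."""
    return {
        "by_rule": dict(Counter(f["rule"] for f in findings)),
        "by_user": dict(Counter(f["user"] for f in findings)),
    }


if __name__ == "__main__":
    findings = detect(parse_log(AUDIT_LOG))
    for f in findings:
        print(f)
    print(summarize(findings))
```

The unit rule is deliberately crude: in a real deployment it needs a break-the-glass path (a clinician covering another unit records a reason, and the access is reviewed rather than blocked) and the volume limit should be a per-role, per-shift baseline learned from history rather than a hand-set number. The inactive-account rule is the cheap one, and the most important: if it ever fires, the problem is not the user but a deprovisioning process that left the account alive.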





A Critique of the New HIPAA Audit Plans


As the Department of Health and Human Services' Office for Civil Rights gears up to begin its next round of HIPAA compliance audits, security and privacy experts are giving OCR's plans mixed reviews.

When OCR resumes its audit program in the coming months, the agency plans a limited number of narrowly focused "desk audits." Comprehensive on-site audits will be performed only "as resources allow," says an OCR spokeswoman. OCR plans to audit 350 covered entities beginning in the fall and 50 business associates in 2015 (see HIPAA Audits: Round 2 Details Revealed).

Some security and privacy experts say OCR's new approach to offsite, highly focused audits could help the agency become more efficient in reviewing the compliance of covered entities and business associates. But others believe the plans will come up short in driving compliance, compared with more in-depth, on-site audits, as were conducted during a pilot in 2012.

Audit Plans

OCR's audits of covered entities will focus on specific areas of HIPAA compliance, according to a recent presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy. That includes 100 audits focused on the HIPAA privacy rule, especially privacy notices and compliance with individuals' right to access their protected health information; 100 audits on compliance with the HIPAA Omnibus breach notification rule; and 150 focused on the security rule, especially risk analysis.

The business associates audits will focus on compliance with the risk analysis and breach notification requirements, according to Sanches' presentation.

The first round of pilot audits conducted in 2012 by OCR's contractor, consulting firm KPMG, involved on-site visits that all examined a broad list of HIPAA compliance issues at 115 covered entities. In contrast, the next phase of desk audits will be conducted by OCR's staff.

Selected covered entities will receive notification and data requests in fall 2014, while business associates will be notified in 2015, the OCR spokeswoman says.

Onsite vs. Offsite Audits

Privacy and security expert Rebecca Herold, a partner at consulting firm Compliance Helper and CEO of The Privacy Professor, says OCR's new focus on desk audits is a good idea.

"It is a very good move to improve efficiency and widen the numbers of CEs, and BAs, that are being audited," she says. "I've done over 250 HIPAA audits since 2000. After you've gotten a good methodology down for performing HIPAA audits, you can then learn from your experiences, know the areas of most common non-compliance and risk, and then refine your audit methodology accordingly."

Security expert Brian Evans, principal consultant at Tom Walsh Consulting, offers a similar perspective. "I'm not surprised with OCR's new audit approach because I can appreciate their limited staffing and financial resources in addition to the fact that this is their first year of the program," he says. "Offsite 'desk audits' can still be a cost-effective way of gathering compliance data and cover more of the population than onsite audit."

But Jennings Aske, CISO at speech recognition software vendor Nuance, which is a business associate under HIPAA, is not sold on the idea of OCR concentrating on mostly desk audits, rather than onsite assessments.

"It's too bad they can't do both," he says. "Onsite audits allow a dialogue between regulators and healthcare providers," says Aske, who joined Nuance in January after leaving his post as chief information security and privacy officer at Partners HealthCare, an integrated health delivery network in Boston. "Remote audits will miss that dynamic.

"I understand that budgets are tight, but I'm surprised OCR isn't getting more funding for this, or can use enforcement money that's been collected" to expand the audit program, Aske says.



Reviewing Concentra Health and QCA HIPAA breach CAPs | HealthITSecurity.com

We learned yesterday that two HIPAA covered entities, Concentra Health Services and QCA Health Plan, had come to individual monetary agreements with the Office for Civil Rights (OCR) to settle HIPAA violations. Those resolutions included corrective action plans (CAPs) as well, but how do they compare with other recent OCR breach agreements?

HealthITSecurity.com reviewed the critical points of the Concentra Health and QCA CAPs and compared them to the HHS agreement with Skagit County of Northwest Washington that was announced in March.

Concentra CAP

OCR found that Concentra (1) failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why it wasn’t appropriate; (2) Concentra failed to sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level.

As for Concentra’s CAP, OCR mandated that the organization update its risk analysis procedures, offer a detailed timeline of how it’s going to encrypt its devices, and explain how it will enhance security training. Concentra will offer:

A. A risk analysis to HHS which will include a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all Concentra ePHI.

B. A risk management plan that explains Concentra’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on Concentra’s circumstances. This shall include with it the following:

(i.) Material evidence of all implemented and all planned remediation actions associated with the risk management plan; (ii.) Specific timelines for their expected completion and identify the compensating controls that will be in place in the interim to safeguard Concentra ePHI.
Additionally, Concentra agreed to give documentation of any changes or updates to its organizational information technology (IT) infrastructure (security environment) that affect the risks and vulnerabilities to ePHI.

Seeing as the breach involved the theft of an unencrypted laptop, it follows that OCR also wanted encryption status updates from Concentra.

A. The percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted at that point in time.

B. Evidence that all new devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) have been encrypted.

C. An explanation for the percentage of devices and equipment that are not encrypted.

D. A breakdown of the percentage of encrypted devices and equipment for each specific Concentra facility and worksite.

Lastly, Concentra will have to boost its security awareness training requirements by offering OCR “documentation to indicate that all workforce members have completed security awareness training (to include training on Concentra’s Acceptable Use Policy), which shall also include all training materials used for the training, a summary of the topics covered, the length of the session(s), and a schedule of when the training session(s) were held.”

QCA CAP

When HHS investigated QCA Health’s unencrypted laptop breach, it found that (1) QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations; (2) QCA did not implement physical safeguards for all workstations that access ePHI to restrict access to authorized users on October 8, 2011; (3) QCA impermissibly disclosed the ePHI of 148 individuals on October 8, 2011.

QCA Health’s CAP includes improvements to security management process, security awareness and training and prompter responses to reportable events.

QCA shall provide HHS with a risk analysis and corresponding risk management plan that includes security measures to reduce the risks and vulnerabilities to the electronic protected health information (ePHI) maintained by QCA to a reasonable and appropriate level. QCA will submit it to HHS for review and approval within 60 days of the Effective Date; any required changes, including a revised risk analysis and risk management plan, must be sent to HHS within 30 days.

QCA will also provide HHS with its training materials relating to security awareness established to reduce the risks and vulnerabilities to ePHI as identified in its security management process. QCA shall provide the training materials to HHS for review and approval within 30 days of the date HHS has approved QCA’s risk analysis and risk management plan. After HHS approval, QCA shall provide documentation that all workforce members with access to ePHI have received such security awareness training within 60 days and will continue to receive such training on an ongoing basis.

Lastly, with regard to reportable events: upon receiving information that a workforce member may have failed to comply with its Privacy and Security policies and procedures, QCA shall promptly investigate the matter. If QCA determines, after review and investigation, that a member of its workforce has failed to comply with its Privacy and Security policies and procedures, QCA shall notify HHS in writing within thirty (30) days of its determination, providing a complete description of the event, the actions taken and any further steps needed.

CAP comparisons

While Concentra and QCA both have work to do in terms of their respective CAPs, Skagit County’s CAP was distinctive for a few reasons. First, seeing as this was the first time a county had been fined, HHS had no choice but to require a large CAP because of the sheer number of HIPAA violations the county experienced. Skagit’s CAP included submission of substitute breach notification, better accounting of disclosures, improved business associate (BA) documentation, improved security management, updated policies and procedures, training, and better response time to reportable events. Concentra and QCA had some of these elements in their CAPs, but they don’t have to essentially improve their privacy and security posture across the board like Skagit will have to do.

Second, in stipulating that Skagit provide substitute breach notification to affected individuals not previously notified, HHS made it clear that it’s going to hammer organizations that don’t notify patients of breaches. Check back with HealthITsecurity.com for more updates on OCR breach penalties.






UPMC data breach may affect as many as 27,000 employees


UPMC now says the personal information of as many as 27,000 of its employees may have been put at risk by a data breach that was first reported to the health care conglomerate in February.

“As of today, 788 employees have been the victims of tax fraud,” UPMC spokeswoman Gloria Kreps wrote in a statement. “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach. We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity.”

The new figure, provided Thursday, was the latest increase by UPMC since employees began reporting instances of identity theft about two months ago.

At first, UPMC said the issue affected only a few dozen employees, then about 322.

“That’s what we were saying all along ... is that there are thousands,” said Michael Kraemer, a Pittsburgh lawyer who has filed a lawsuit seeking class-action status against UPMC for the breach on behalf of employees who had fraudulent bank accounts opened in their name and tax returns stolen. “The message for this huge number of people is you need to keep track of any out-of-pocket expenses and any time you spend dealing with this.”

The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

In addition to the stolen tax refunds, Mr. Kraemer said he has heard from UPMC employees who say they have had bank accounts drained, though he has not yet been able to independently verify the claims.

He questioned why it has taken UPMC so long to identify the scope of the problem.

“It is extremely concerning that when this story broke in February, the response from UPMC was that ‘It’s OK, only 20 people were affected,’” Mr. Kraemer said. “This is something that arguably they should have known back in February. ... People are now exposed.”

Mr. Kraemer said UPMC sought and received a 30-day extension to respond to his suit, filed Feb. 27, and is still within that window.

The hospital group and its affiliates employ about 62,000 people, and Mr. Kraemer said he has heard from employees in every facet of UPMC’s operations.

“Just from the sheer number of people I’ve talked to, I don’t see any department that’s been excluded,” Mr. Kraemer said. “Why isn’t it every single employee?”

A UPMC spokesperson said all employees who could have been potentially affected by the breach have been notified.

After the potential data theft was reported, the company set up a hot line for employees to call about their case, created a “comprehensive employee intranet site with information and resources,” hired a tax firm to help employees file the required IRS identity theft affidavit form and offered reimbursement if the employees have hired someone to do it for them. UPMC also offered credit monitoring services for the affected employees and reimbursement for costs associated with filing a police report, it has said.

In a letter, UPMC urged employees to contact their banks and check with the IRS to ensure that tax returns have not been fraudulently filed in their names as well as to prevent the potential for future incidents. UPMC also said it is providing LifeLock identity protection free of charge to employees who enroll by April 28.

“We are putting our full resources behind efforts to investigate and secure our systems,” UPMC Vice President John P. Houston wrote in the letter. “We recognize a situation like this creates stress and anxiety about the safety of your personal information and we want to provide you with all the tools and resources we can to help you deal with this all-too-common crime.”




Report: Breaches Up 138 Percent in 2013


A new report reveals that in 2013 the number of protected health information (PHI) breaches was up 138 percent from 2012, with 199 breaches of PHI reported to the Department of Health and Human Services (HHS), impacting over 7 million patient records.

The report, the fourth annual from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act forced providers to notify HHS when they had a breach affecting 500 or more patients, there have been 804 large breaches of PHI.

Last year, in particular, was rough for providers. Over the course of four years, only one year has been higher in terms of total incidents and number of patients impacted.

"I think the 138 percent increase in patient records breached caught a lot of people by surprise," Daniel W. Berger, Redspin's President and CEO, said in a statement. "There was a sense that the government's 'carrot and stick' approach – requiring HIPAA security assessments to qualify for meaningful use incentives and increasing OCR enforcement initiatives – was driving real progress."

The five largest PHI breaches made up more than 85 percent of the total reported from the year. This includes the Advocate Health and Hospitals breach, where four desktop computers from an office were stolen, that affected more than four million patients. The second and third largest breaches were also caused by theft. In total, theft was the cause of nearly half of all breaches in 2013.

Laptops were the device on which the highest number of data breaches occurred, being involved in nearly 35 percent of all incidents. The lack of encryption on portable devices, the authors of the report say, is one of the highest risks to PHI.

"It's only going to get worse given the surge in the use of personally-owned mobile devices at work," Berger said. "We understand it can be painful to implement and enforce encryption but it's less painful than a large breach costing millions of dollars."

One positive area in the report was the impact of the HIPAA Omnibus Rule on covered entities and business associates (BAs). While the number of breach incidents involving BAs followed the norm in 2013, the number of patient records dropped dramatically from 2009-2012.

Technical Dr. Inc.'s insight:

Is your practice secure?  If you aren't sure, contact Technical Doctor today to schedule your Risk Assessment at inquiry@technicaldr.com or 877-910-0004 x3.


-The Technical Doctor Team


Fourth HIPAA breach for Kaiser | Healthcare IT News


Some 5,100 patients treated at Kaiser Permanente were sent HIPAA breach notification letters Friday after a KP research computer was found to have been infected with malicious software. Officials say the computer was infected with the malware for more than two and a half years before being discovered Feb. 12.

The computer was used by the Kaiser Permanente Northern California Division of Research to store research data. The breach, officials note, involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data.

"We have confirmed that the infection was limited to this one compromised server, and that all other DOR servers were and are appropriately protected with anti-virus security measures," said Tracy Lieu, MD, director of the division of research at Kaiser Permanente, in an emailed statement to Healthcare IT News. "It is important to note that the compromised server is used specifically for research purposes at the DOR and is not connected to Kaiser Permanente's electronic health records system."

Lieu said the antivirus software on the server was not updated "due to human error related to the configuration of the software."

Added Lieu, "We value our members and take protecting the privacy and security of their information very seriously. We apologize that this unfortunate incident occurred."

According to data from the Department of Health and Human Services, this is the fourth large HIPAA breach for Kaiser Permanente, which includes Kaiser Foundation Health Plan, Kaiser Foundation Hospitals -- consisting of 32 hospitals -- and Permanente Medical Group.

Last November, in its second reported fall data breach last year, KP notified 49,000 of its Anaheim Medical Center patients that their protected health information had been compromised after an unencrypted USB drive containing their data went missing.

Back in September, some 670 patients received breach notification letters after an emailed attachment containing the protected health information of patients was sent to a recipient outside the Kaiser network. According to KP officials, the attachment was accidentally emailed by a Kaiser employee to a member of a pilot wellness screening competition back in May.

The third incident occurred at KP's Medical Care Program back in 2009 when an unencrypted portable drive was stolen from an employee's car, compromising the health data of some 15,500 patients.

Theft accounts for the lion's share of HIPAA privacy and security breaches, as HHS' Office for Civil Rights Deputy Director for health information privacy Susan McAndrew pointed out at HIMSS14, representing some 48 percent of all breaches reported.

"Pay attention to encryption," said McAndrew, particularly for any devices that can leave the office. "We're interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses."

To date, more than 30.6 million individuals have had their PHI compromised in a large HIPAA privacy or security breach -- breaches involving more than 500 people -- according to data from the Department of Health and Human Services.

HIPAA-covered entities and, now, business associates, have handed over some $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that just from last year. And this isn't counting the state and private legal settlements.  

Big Brother Or Best Friend? | EMR and HIPAA


The premise of clinical decision support (CDS) is simple and powerful: humans can’t remember everything, so enter data into a computer and let the computer render judgement. So long as the data is accurate and the rules in the computer are valid, the computer will be correct the vast majority of the time.

CDS is commonly implemented in computerized provider order entry (CPOE) systems across most order types – labs, drugs, radiology, and more. A simple example: most pediatric drugs require weight-based dosing. When physicians order drugs for pediatric patients using CPOE, the computer should validate the dose of the drug against the patient’s weight to ensure the dose is in the acceptable range. Given that the computer has all of the information necessary to calculate acceptable dose ranges, and the fact that it’s easy to accidentally enter the wrong dose into the computer, CDS at the point of ordering delivers clear benefits.
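The weight-based dosing check described above, as an added example that is not code from the EMR and HIPAA post or from any CPOE product: a small validator that normalizes dose and weight units, refuses to pass an order it cannot evaluate (unknown drug, missing or implausible weight, bad unit), and compares the ordered dose against a per-kilogram window capped by an absolute per-dose ceiling. The drug names and rule values are constructed placeholders for the example, not clinical reference values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DoseRule:
    """Per-dose limits for one drug: a mg/kg window plus an absolute ceiling."""
    min_mg_per_kg: float
    max_mg_per_kg: float
    max_single_dose_mg: float


# Constructed rule table for the example: placeholder drugs, NOT clinical reference values.
RULES = {
    "DRUG_A": DoseRule(min_mg_per_kg=10.0, max_mg_per_kg=15.0, max_single_dose_mg=1000.0),
    "DRUG_B": DoseRule(min_mg_per_kg=0.1, max_mg_per_kg=0.5, max_single_dose_mg=20.0),
}

# Unit conversions so a dose typed in grams or a weight charted in pounds is compared correctly.
DOSE_UNIT_TO_MG = {"mg": 1.0, "g": 1000.0, "mcg": 0.001}
WEIGHT_UNIT_TO_KG = {"kg": 1.0, "lb": 0.45359237}


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str
    acceptable_range_mg: Optional[Tuple[float, float]] = None


def check_weight_based_dose(drug, dose, dose_unit, weight, weight_unit,
                            max_plausible_weight_kg=150.0):
    """Validate an ordered dose against the patient's weight.

    Anything the check cannot evaluate is returned as a failure so the order
    is held for review rather than silently accepted.
    """
    rule = RULES.get(drug)
    if rule is None:
        return Verdict(False, f"no dosing rule for {drug}; manual review required")
    if dose_unit not in DOSE_UNIT_TO_MG:
        return Verdict(False, f"unknown dose unit {dose_unit!r}")
    if weight_unit not in WEIGHT_UNIT_TO_KG:
        return Verdict(False, f"unknown weight unit {weight_unit!r}")
    if weight is None:
        return Verdict(False, "patient weight missing; weight-based dose cannot be validated")

    weight_kg = weight * WEIGHT_UNIT_TO_KG[weight_unit]
    if not 0 < weight_kg <= max_plausible_weight_kg:
        return Verdict(False, f"implausible weight {weight_kg:.1f} kg; re-check the chart")

    dose_mg = dose * DOSE_UNIT_TO_MG[dose_unit]
    if dose_mg <= 0:
        return Verdict(False, "dose must be positive")

    low = rule.min_mg_per_kg * weight_kg
    high = min(rule.max_mg_per_kg * weight_kg, rule.max_single_dose_mg)
    low = min(low, high)  # for heavy patients the absolute ceiling wins
    window = (round(low, 2), round(high, 2))
    if dose_mg < low:
        return Verdict(False, f"dose {dose_mg:g} mg is below the acceptable range", window)
    if dose_mg > high:
        return Verdict(False, f"dose {dose_mg:g} mg is above the acceptable range", window)
    return Verdict(True, "dose within acceptable range", window)


if __name__ == "__main__":
    # Constructed orders: a correct one, a g/mg slip (10x overdose), and a missing weight.
    for order in [("DRUG_A", 250, "mg", 20, "kg"),
                  ("DRUG_A", 2.5, "g", 20, "kg"),
                  ("DRUG_A", 250, "mg", None, "kg")]:
        verdict = check_weight_based_dose(*order)
        print(order, "->", "OK" if verdict.ok else "HOLD", verdict.reason)
```

The design choice worth noting is that every path the validator cannot reason about returns a hold, not a pass: a rules engine that accepts an order because the weight field was blank is exactly the silent failure the text says CPOE is supposed to catch.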

The general notion of CDS – checking to make sure things are being done correctly – is the same fundamental principle behind checklists. In The Checklist Manifesto, Dr. Atul Gawande successfully argues that the challenge in medicine today is not in ignorance, but in execution. Checklists (whether paper or digital) and CDS are realizations of that reality.

CDS in CPOE works because physicians need to enter orders to do their job. But checklists aren’t as fundamentally necessary for any given procedure or action. The checklist can be skipped, and the provider can perform the procedure at hand. Thus, the fundamental problem with checklists is that they insert a layer of friction into workflows: running through the checklist. If checklists could be implemented seamlessly without introducing any additional workflow friction, they would be more widely adopted and adhered to. The basic problem is that people don’t want to go back to the same repetitive formula for tasks they feel comfortable performing. Given the tradeoff between patient safety and efficiency, checklists have only been seriously discussed in high acuity, high risk settings such as surgery and ICUs. It’s simply not practical to implement checklists for low risk procedures. But even in high acuity environments, many organizations continue to struggle to implement checklists.

So… what if we could make checklists seamless? How could that even be done?

Looking at CPOE CDS as a foundation, there are two fundamental challenges: collecting data, and checking against rules.

Computers can already access EMRs to retrieve all sorts of information about the patient. But computers don’t yet have any ability to collect data about what providers are and aren’t physically doing at the point of care. Without knowing what’s physically happening, computers can’t present alerts based on skipped or incorrect steps of the checklist. The solution would likely be based on a Kinect-like system that can detect movements and actions. Once the computer knows what’s going on, it can cross-reference what’s happening against what’s supposed to happen given the context of care delivery and issue alerts accordingly.

What’s described above is an extremely ambitious technical undertaking. It will take many years to get there. There are already a number of companies trying to address this in primitive forms: SwipeSense detects if providers clean their hands before seeing patients, and the CHARM system uses Kinect to detect hand movements and ensure surgeries are performed correctly.

These early examples are a harbinger of what’s to come. If preventable mistakes are the biggest killer within hospitals, hospitals need to implement systems to identify and prevent errors before they happen.

Let’s assume that the tech evolves for an omniscient benevolent computer that detects errors and issues warnings. Although this is clearly desirable for patients, what does this mean for providers? Will they become slaves to the computer? Providers already face challenges with CPOE alert fatigue. Just imagine do-anything alert fatigue.

There is an art to telling people that they’re wrong. In order to successfully prevent errors, computers will need to learn that art. Additionally, there must be a cultural shift to support the fact that when the computer speaks up, providers should listen. Many hospitals still struggle today with implementing checklists because of cultural issues. There will need to be a similar cultural shift to enable passive omniscient computers to identify errors and warn providers.

I’m not aware of any omniscient computers that watch people all day and warn them that they’re about to make a mistake. There could be such software for workers in nuclear power plants or other critical jobs in which the cost of being wrong is devastating. If you know of any such software, please leave a comment.


HHS Spells Out Obama Budget's Impact


The Obama administration's proposed fiscal 2015 budget calls for a 22 percent increase in funding for the office that oversees policies and standards for the HITECH Act's electronic health record incentive program and a 5 percent increase for the agency responsible for enforcing HIPAA compliance.


Obama's budget is a statement of the administration's spending priorities for the federal government. Ultimately, Congress must approve appropriation bills to fund the government. Fiscal 2015 begins on Oct. 1.

ONC Funding

Under Obama's budget proposal unveiled this week, the Department of Health and Human Services' Office of the National Coordinator for Health IT, which oversees the HITECH program, would have a budget of $75 million, up $14 million from the current year. Six additional full-time employees would be added, bringing ONC's headcount to 191.


The proposed ONC budget includes $27.2 million, or $8.5 million more than the current fiscal year, to fund development of standards supporting interoperable and secure health IT infrastructure. In addition, ONC's proposed budget includes $2.9 million for other privacy and security related activities, "ensuring that electronic health information is private and secure wherever it is transmitted, maintained, or received," says an additional ONC budget document, the Justification of Estimates for Appropriations Committee, released by HHS on March 7.


The extra money sought by ONC in fiscal 2015 would also help support a number of other efforts, including the creation of a new Health IT Safety Center, which in fiscal 2015 "will begin a robust collection and analysis of health IT-related adverse events, which will facilitate benchmark data on the types and frequencies of events," says an HHS "budget in brief" document. ONC is seeking $5 million to fund the new safety center in fiscal 2015.


The new center "will monitor and analyze data on patient-safety events, potentially unsafe conditions associated with health IT, and patient-safety events that could be prevented by health IT," the HHS document notes. ONC will work closely with the Agency for Healthcare Research and Quality, the Joint Commission, Food and Drug Administration and patient safety organizations on this effort, the HHS document notes.


The HHS document notes that in fiscal 2015, the FDA will continue to implement key new responsibilities authorized in the FDA Safety and Innovation Act.


The FDA has been collaborating over the last year with ONC and the Federal Communication Commission in developing a "risk-based regulatory framework" to address patient safety concerns around health IT, including potentially those involving cybersecurity issues (see Health IT: A Cybersecurity Framework).


An ONC spokesman says the new Health IT Safety Center "is part of our Safety Surveillance and Action Plan based on recommendations in the Institute of Medicine report," which in 2011 suggested the government and private sector improve transparency in the reporting of health IT safety incidents and enhance monitoring of health IT products. The new safety center will be aligned with the report on the FDA framework, "which we intend to release for comment in March," the ONC spokesman says.


OCR Funding


Meanwhile, under the proposed budget, the HHS Office for Civil Rights, which is responsible for HIPAA enforcement, would have a budget of $41 million, up $2 million from fiscal 2014. OCR would add 11 full-time staff members, increasing its workforce to 218 employees.


The funding increase will help support OCR's centralized case management operations and online complaint system, HHS notes. "The budget supports continued enforcement of the HIPAA security rule and OCR's expanded HIPAA responsibilities," the HHS document says. "OCR evaluates and ensures HIPAA and civil rights compliance through complaint investigations, compliance reviews, audits, resolution agreements, enforcement actions and monitoring, public education and technical assistance."


Among OCR's enforcement activities slated for 2014 is the resumption of HIPAA compliance audits, which have been on hiatus since the agency's pilot audit program wrapped up in 2012 (see HIPAA Audits a Step Closer to Resuming).


Unlike the pilot audits, which were conducted by the consulting firm, KPMG, the next wave of HIPAA audits will be performed by OCR's internal staff.


OCR officials recently confirmed the agency is taking the first steps to resuming the program. In a Feb. 24 notice in the Federal Register, OCR said it will survey "up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program."


In fiscal 2013, OCR resolved more than 9,500 complaints of alleged HIPAA violations, and collected about $4 million in HIPAA settlements related to its enforcement activities, the HHS document notes. OCR projects that it will collect about $5.5 million from HIPAA settlements in fiscal 2014, which the agency will use to further fund its enforcement activities, according to the HHS document. Under HIPAA Omnibus, penalties for each HIPAA violation can range up to $1.5 million.


Nurse practitioners: Consider 5 things before friending patients on Facebook

The decision is up to you, but here’s what you need to think about.


With the social media boom, the lines between personal and professional lives have become blurred. What is posted online stays online.


Even if your Facebook profile is labeled "private", I am certain there is still a way anyone persistent enough can see your information and photos. This is why I recommend removing all of your boozing party pics from college before sending out resumes (you should also leave them off of your profile for the remainder of your professional life—you can put them back up when you retire).


With this blurring of the personal and professional and the wealth of personal information online, naturally this question arises: should you become Facebook friends with your patients?


Ultimately, the decision is up to you, but here are some things to consider:


1. Social media is culturally relevant.


Your patients are all using social media—probably even in your office while they wait for their appointments. Twitter, LinkedIn and Facebook are places your patients get their information. By forming an online relationship with your patients, you will be able to reach them more effectively.


Are you trying to help many of your patients lose weight? Develop a Twitter account for weight loss tips and daily reminders to assist your patients with weight loss even when you can't be with them. This will make your preventative healthcare far better than that of other nurse practitioners (NPs) and MDs.


I must also mention the use of email in relation to cultural relevance. I believe willingness to email your patients is a necessity. Calling a medical office can be frustrating. Your patients want to be able to reach you easily. Email will take less time than you think and your patients will appreciate your efforts. The ability to schedule appointments online on your clinic's website is also a must!


2. Privacy and legal concerns with social media


We are all well aware of the infamous Health Insurance Portability and Accountability Act (HIPAA). Patient information is private. You cannot share it in any way shape or form.


Beware of posting anything at all about your work on your personal Facebook or Twitter account. It is so easy to mistakenly reveal a patient's private information online; I believe it is best not to post anything at all. All patient stories posted through MidlevelU are not "real" patients.


Legally, posting anything about your work as a nurse practitioner also puts you at risk. I have been advised not to post if I have had a "good day" or "bad day" at work. If a malpractice case is presented, these statements will be scrutinized and could be used against you or a co-worker.


3. Setting boundaries


An online relationship with your patients can help you view your patients as a "whole" rather than simply a medical diagnosis. Taking into consideration your patients' lifestyles and how their health affects their lives can help you become a better provider.


There are some things about your life, however, that you should probably keep private. According to the Seattle Times, a recent survey found that 90 percent of state medical boards reported at least one online professional standards violation by a doctor. Nurse practitioners who "friend" their patients must keep their social media profiles clean and appropriate.


4. Building your practice


Social media is an excellent business building tool. Your patients have chosen you as their health care provider. Using social media, you can communicate with them outside of the usual office visit increasing their confidence in and relationship with you as a health care provider. Social media also allows you to encourage new patients to visit your clinic, further expanding your practice.


5. Becoming personable


Most patients want to see you as a person. Because you are providing them and their families health care, they need to trust you. By giving glimpses of your personality and life as a whole, your patients will trust you more allowing you to have a greater impact on their health.


Given the benefits and drawbacks of involvement in social media among health care providers, I think there is an easy solution. Create a social media presence for your practice or specialty. Rather than "friending" your patients using your personal Facebook page, create a page for your practice or a page for you personally that you use only for professional purposes. This will allow you to extend your health care knowledge and advice to patients at home and give your patients a glimpse of your personality without leaking any old sorority photos into your professional presence.


Financial Penalty in Small Breach Case


An investigation by the Department of Health and Human Services into a relatively small breach at a county health department in Washington state has resulted in a $215,000 monetary settlement.


Skagit County, located in Northwest Washington and home to approximately 118,000 residents, has agreed to pay a $215,000 settlement and to work closely with the HHS Office for Civil Rights to correct deficiencies in its HIPAA compliance program, which were discovered during an OCR investigation into a December 2011 breach.


The Skagit County Public Health Department provides services to many individuals who would otherwise not be able to afford healthcare, according to an HHS statement about the settlement.


OCR says it opened its investigation upon receiving a breach report from Skagit County in December 2011 that noted money receipts with electronic protected health information of seven individuals were accessed by unknown parties after the information had been inadvertently moved to a publicly accessible server maintained by the county.


However, OCR's investigation into the matter revealed a broader exposure of data. The breach actually involved the ePHI of 1,581 individuals, not seven. "Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases," HHS says.


OCR's investigation uncovered widespread non-compliance with the HIPAA privacy, security and breach notification rules, federal officials say.


"This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size," says Susan McAndrew, OCR deputy director of health information privacy. "These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients' information."


In the wake of the breach, an area of focus for the county is training health department workers to use only the minimum necessary personal information of patients, Ron Wesen, county board of commissioners chair, tells Information Security Media Group. He explains that the county's breach investigation determined that department workers had been mistakenly posting patient receipts containing personal information onto a public website.

Government Breaches

While the settlement is the first with a county government, one of the largest OCR HIPAA settlements to date was in June 2012 with a unit of state government, the Alaska Department of Health and Social Services. That $1.7 million settlement was the result of an OCR investigation triggered by a stolen unencrypted USB storage drive potentially containing data about 500 Medicaid beneficiaries.


"This latest settlement indicates to me that OCR is investigating cases large and small, which is exactly what the industry needs to take HIPAA security compliance more seriously," says security expert Brian Evans, a principal at Tom Walsh Consulting.


Organizations need to take steps to ensure they don't underestimate the size of a breach, Evans stresses. "Nobody wants or expects OCR to show up and do a better job than you in investigating your organization's breach," he says.


"Small organizations like Skagit County should decide in advance whether they're going to use existing staff to build an incident response team or outsource it," Evans says. "If they're going to build it in-house, then they need to formally designate and train its team members on how to properly conduct incident investigations. Otherwise, cross your fingers and hope for the best."

Corrective Actions

As part of its settlement with OCR, Skagit County agreed to a corrective action plan to ensure it has in place written policies and procedures, training and other measures to comply with the HIPAA rules. The corrective action plan also requires the county to provide regular status reports to OCR.


The plan notes that among Skagit County's HIPAA deficiencies were failure to provide notification as required by the breach notification rule to all those impacted by the incident; failure to implement sufficient policies and procedures to prevent, detect, contain and correct security violations; failure to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the security rule; and failure to provide security training to all workforce members.


Among the steps the county has agreed to take are:


  • Provide a new breach notification to HHS for review and approval, and then publish it in local media;
  • Provide to HHS a description of Skagit County's procedures that ensure the breach incident involving patient PHI is included in any accounting of disclosures provided to any individual impacted by the incident;
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;
  • Provide HIPAA training to members of the county's workforce who have access to ePHI.

HIPAA Privacy and Security Reminders – UT Physicians Laptop Goes Missing - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance


What Happened?

On August 28, 2013, UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston (UTHealth) Medical School, announced that an unencrypted laptop computer containing some patient information was discovered missing on Aug. 2 from a locked closet in a UT Physicians orthopedic clinic.

 

What Was the Nature of the Information and How Many Individuals Were Affected?

UT Physicians reported that 596 individuals’ information was stored on the laptop. The specialized laptop computer attached to an electromyography machine included hand and arm image data from February 2010 to July 13. Patient information stored on the computer included names, birth dates and medical record numbers. There were no addresses, social security numbers, or insurance or other financial information stored on the laptop.

What Was Done to Mitigate / Remediate?

  • On August 28th, UT Physicians began mailing letters to the 596 patients whose information was stored on the laptop.
  • Reportedly, encryption of all laptops has been the policy at UT Physicians and UTHealth for the last two years and all known laptops – more than 5,000 – have been encrypted. 
  • The medical group and UTHealth have taken steps to ensure that the missing laptop in the orthopedic clinic is an isolated incident.
  • UT Physicians and UTHealth officials continue to work with law enforcement in their investigation.
  • UT Physicians and UTHealth are conducting a physical search of all clinics and offices to ensure that there are no other unencrypted laptops or storage devices attached to medical equipment. 
  • They are tightening the processes for the purchase of medical equipment.
  • UT Physicians and UTHealth have initiated additional review processes and inventories and invested in hardware, software and personnel to ensure that all personal information on UT Physicians’ and UTHealth’s computers and hard drives is encrypted.

 

What Should Organizations Do Next?

  • Make sure all mobile devices containing PII and PHI (laptops, smartphones, portable USB drives, thumb drives, etc.) are encrypted
  • Ensure documented policies and procedures are in place, are being followed and reflect actual practices.
  • Implement a regular sampling audit of devices to ensure encryption is installed and operational.
  • Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities and controls have been considered.
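The sampling audit and the "are there any unencrypted devices attached to medical equipment" question above, as an added example that is not Clearwater Compliance's or UT Physicians' code: a Python script that spot-checks a constructed device inventory for encryption status and stale verification, escalates findings on devices attached to medical equipment, and reconciles the asset tags seen during a physical walk-through against the inventory so that a device nobody had on the list (the failure mode in the incident, where "all known laptops" were encrypted) surfaces as its own finding. The CSV columns, asset tags, dates and the 90-day verification window are constructed for the example.

```python
import csv
import io
import random
from datetime import date

# Constructed inventory export for the example (not real asset data).
INVENTORY_CSV = """asset_id,type,owner_unit,encrypted,last_verified,attached_to_equipment
LT-0001,laptop,orthopedics,yes,2014-03-01,no
LT-0002,laptop,radiology,yes,2013-09-15,no
LT-0003,laptop,orthopedics,no,2014-02-20,yes
USB-0104,usb_drive,research,yes,2014-02-28,no
PH-0210,smartphone,admin,yes,,no
"""

# Constructed result of a physical walk-through: asset tags actually seen in the clinics.
WALKTHROUGH_SEEN = ["LT-0001", "LT-0003", "LT-0099", "USB-0104"]


def load_inventory(text):
    """Parse the inventory export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_device(row, today, max_age_days=90):
    """Return the findings for one device (an empty list means compliant).

    "Encrypted" is what the inventory claims; "last_verified" is when someone
    confirmed it was actually operational. Both have to hold for a pass.
    """
    findings = []
    if row["encrypted"].strip().lower() != "yes":
        findings.append("not encrypted")
    last_verified = row["last_verified"].strip()
    if not last_verified:
        findings.append("encryption never verified")
    else:
        age_days = (today - date.fromisoformat(last_verified)).days
        if age_days > max_age_days:
            findings.append(f"verification stale ({age_days} days old)")
    # A non-compliant device wired to medical equipment is the UT Physicians case.
    if findings and row["attached_to_equipment"].strip().lower() == "yes":
        findings.append("attached to medical equipment: escalate")
    return findings


def sample_devices(inventory, fraction, seed):
    """Pick a reproducible random sample of devices to spot-check."""
    size = max(1, round(len(inventory) * fraction))
    return random.Random(seed).sample(inventory, size)


def unknown_devices(inventory, seen_ids):
    """Asset tags seen on site that the inventory does not know about."""
    known = {row["asset_id"] for row in inventory}
    return sorted(set(seen_ids) - known)


def run_audit(inventory_text, seen_ids, today, fraction=1.0, seed=0):
    """Audit a sample of the inventory and reconcile it with the walk-through."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    inventory = load_inventory(inventory_text)
    sample = sample_devices(inventory, fraction, seed)
    findings = {}
    for row in sample:
        device_findings = audit_device(row, today)
        if device_findings:
            findings[row["asset_id"]] = device_findings
    return {
        "sampled": len(sample),
        "compliant": len(sample) - len(findings),
        "findings": findings,
        "unknown_devices": unknown_devices(inventory, seen_ids),
    }


if __name__ == "__main__":
    report = run_audit(INVENTORY_CSV, WALKTHROUGH_SEEN, "2014-03-10")
    print(f"sampled {report['sampled']}, compliant {report['compliant']}")
    for asset_id, device_findings in sorted(report["findings"].items()):
        print(f"  {asset_id}: {'; '.join(device_findings)}")
    for asset_id in report["unknown_devices"]:
        print(f"  {asset_id}: seen on site but not in inventory")
```

Run against the constructed data with `fraction=1.0` it audits every row; lowering the fraction gives the periodic spot-check, and a fixed seed makes the sample reproducible for the audit record. The reconciliation step is the part a pure inventory query cannot give you: an inventory only answers questions about devices it already knows.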

If you’d like to keep up to date on HIPAA Security and Privacy reminders or HIPAA-HITECH in general, please also consider (all optional!):


Do Security and Privacy Concerns Drive Cloud Adoption? | EMR and HIPAA


In one of my recent conversations with Dr. Andy Litt, Chief Medical Officer at Dell, he made a really interesting but possibly counterintuitive observation. While maybe not a direct quote from him, I took away this observation from Dr. Litt:

Security and privacy drives people to the cloud.

Talk about an ironic statement. I imagine if I were to talk to a dozen CIOs, they would be more concerned about the security and privacy implications of the cloud. I don’t imagine most would look at the cloud as the solution to some of their security and privacy problems.

However, Dr. Litt is right. Many times a cloud based EHR or other software is much more secure than a server hosted in a doctor’s office. The reality is that many healthcare organizations, large or small, just can’t invest the same money in securing their data as a cloud provider can.

It’s not for lack of desire to make sure the data is secure and private. However, if you’re a small doctor’s office, you can only apply so many resources to the problem. Even a small EHR vendor with a few hundred doctors can invest more money in the security and privacy of their data than a solo practice. This is true even for very large practices and many hospitals.

One reason why I think many will disagree with this notion is that there’s a difference between a cloud provider who can be more secure and private and one who actually executes on that possibility. It’s a fair question that everyone should ask. This can be verified, though. You can audit your cloud provider and see that they’re indeed putting in security and privacy capabilities that are beyond what you’d be able to do on your own.


12 Tips to Prevent a Healthcare Data Breach


Privacy and security have always been priorities for healthcare CIOs, but changes to HIPAA under the HITECH Act of 2009 put the issues squarely in the spotlight. Providers that suffer data breaches affecting 500 or more individuals must notify the Department of Health and Human Services, which maintains a public list of all such breaches, and are subject to fines of up to $1.5 million per year for violations of the same provision (on top of mitigation costs). These 12 tips can help you avoid the costly, and embarrassing, consequences of suffering a healthcare data breach.

Conduct a Risk Assessment

The HIPAA Security Rule, finalized in 2003 with a 2005 compliance date, required health care organizations to conduct a risk analysis, but enforcement was minimal, so few providers did it. The HITECH Act changed that by making security risk analysis a core, or mandatory, requirement under Stage 1 of the meaningful use of electronic health record software. (Meaningful use provides financial incentives to organizations using EHR by 2014 and penalties to those who aren't.) The Office for Civil Rights' guidance on conducting a risk analysis says providers should identify vulnerabilities in information systems or security policies as well as natural, human and environmental threats to the confidentiality, integrity and availability of electronic protected health information (ePHI).

Educate Employees About HIPAA

Knowledge is power, after all. Make sure all employees know what protected health information (PHI) can and cannot be shared with patients, caregivers and outsiders, bearing in mind that, in addition to federal HIPAA regulations, individual states have their own rules. This training should happen on a regular basis, not just when an employee is hired. Use high-profile data breaches to illustrate worst practices and discuss what should have been done differently. Set a social media policy that clearly defines what is and is not appropriate, and share it with all employees, whether they see patients or not.

Tell Employees to Watch Their Stuff

Hackers are responsible for fewer than 10 percent of the healthcare data breaches that have been reported to date. Most, it turns out, are the result of lost or stolen laptops, backup tapes, CDs, thumb drives or other types of portable electronic devices, whether stolen from a physician's home, taken from a car or simply misplaced. Yes, it is IT's responsibility to secure the devices it issues employees (that will be covered later), but employees need to understand the repercussions of their forgetfulness.

Keep an Eye on Paper Records

Many providers are ditching paper charts for EHR technology, largely because of the HITECH Act's meaningful-use incentives. The HITECH Act says nothing about paper records, though (HIPAA's Privacy Rule and the breach notification rule, by contrast, cover PHI in any form, paper included). Paper records remain plentiful, and prone to loss, having been involved in one in four breaches. Medical records and X-rays have been left on trains 70 miles away. Whether paper records go offsite or stay onsite, visit their location regularly and make sure physical security passes muster. Or take the final step: scan all paper records, import them into your EHR and get rid of paper once and for all.

Encrypt Data at Rest and in Motion

HIPAA doesn't strictly require encryption (it is an "addressable" implementation specification in the Security Rule), but the HITECH breach notification rule provides a safe harbor: if the lost or stolen PHI was encrypted consistent with HHS guidance, which points to the NIST standards, and the decryption key was not also compromised, the incident is not a reportable breach. Centrally managed encryption using the Advanced Encryption Standard (AES) is the best starting point, since it's the data that's most important to thieves and malicious hackers. Encrypt data in transmission, too (TLS for anything that crosses a network); decrypt only for a user who has been authenticated and authorized, and make sure the data is encrypted again at rest wherever it lands. (Side note: When you're engaging in health information exchange, get patients' permission to send and receive data, and consider letting them opt out if they feel the process threatens their privacy.)

Encrypt Hardware, Too

Remember those lost laptops from the fourth slide? They're why you shouldn't settle for application-level data encryption alone. Use full-disk encryption on the servers your data sits on, the mobile devices employees use to move data around and the network endpoints through which data is exchanged. Store encryption keys for backup tapes separately from the tapes themselves (a tape shipped in the same box as its key is no better than plaintext), and don't lose the keys. The same goes for the transparent data encryption product you're using on your database: its master key belongs in a key manager or HSM, not in the database's own files. Consider "on-the-fly" server encryption, which encrypts and decrypts data as it is saved and loaded without the end user noticing. Finally, don't forget about medical devices that regularly collect and transmit data. If they're too old to be encrypted, either replace them or isolate them on their own network segment behind tight firewall rules.
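To make "store encryption keys separately from the tapes" concrete, here is an added example (not the article's code) of envelope encryption for a backup set using AES-256-GCM from the Python `cryptography` package: each backup is encrypted under its own data key, and that data key is wrapped under a key-encryption key held elsewhere, so the tape by itself is useless. The KEK is generated in memory only for the demo (in practice it comes from a key manager or HSM), and the backup label used as authenticated associated data is an assumed identifier.

```python
"""Envelope encryption for a backup set: a per-backup data key (DEK)
encrypts the payload, and a key-encryption key (KEK) held somewhere else
wraps the DEK. The tape carries only ciphertext and a wrapped DEK.

Added example for this page, not the original article's code. It uses
AES-256-GCM from the `cryptography` package; the KEK is generated in
memory here for the demo, whereas in practice it lives in a key manager
or HSM, never on the tape or in the backup catalogue. The backup label
is an assumed identifier used as authenticated associated data.
"""
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, fresh random value per encryption


def make_kek():
    """A 256-bit key-encryption key (in practice: fetched from the KMS/HSM)."""
    return AESGCM.generate_key(bit_length=256)


def wrap_dek(dek, kek, label):
    """Encrypt the DEK under the KEK; the label is bound as associated data."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(kek).encrypt(nonce, dek, label)


def unwrap_dek(wrapped, kek, label):
    """Recover the DEK; raises InvalidTag for a wrong KEK or wrong label."""
    return AESGCM(kek).decrypt(wrapped[:NONCE_LEN], wrapped[NONCE_LEN:], label)


def split_blob(blob):
    """Blob layout: u32 wrapped_len || wrapped DEK || nonce || AES-GCM(payload)."""
    (wlen,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + wlen], blob[4 + wlen:]


def encrypt_backup(plaintext, kek, label):
    """Encrypt one backup under a fresh DEK and attach the KEK-wrapped DEK."""
    dek = AESGCM.generate_key(bit_length=256)
    wrapped = wrap_dek(dek, kek, label)
    nonce = os.urandom(NONCE_LEN)
    payload = nonce + AESGCM(dek).encrypt(nonce, plaintext, label)
    return struct.pack(">I", len(wrapped)) + wrapped + payload


def decrypt_backup(blob, kek, label):
    """Unwrap the DEK with the KEK, then decrypt the payload with the DEK."""
    wrapped, payload = split_blob(blob)
    dek = unwrap_dek(wrapped, kek, label)
    return AESGCM(dek).decrypt(payload[:NONCE_LEN], payload[NONCE_LEN:], label)


def can_open(blob, kek, label):
    """Whether this KEK (and label) can restore the backup. A thief holding
    the tape but not the KEK gets an authentication failure, not plaintext."""
    try:
        decrypt_backup(blob, kek, label)
        return True
    except InvalidTag:
        return False


def rotate_kek(blob, old_kek, new_kek, label):
    """Re-wrap the DEK under a new KEK. The bulk payload is untouched, so
    rotating or revoking the KEK costs a few bytes per backup instead of
    re-encrypting every tape in the library."""
    wrapped, payload = split_blob(blob)
    dek = unwrap_dek(wrapped, old_kek, label)
    new_wrapped = wrap_dek(dek, new_kek, label)
    return struct.pack(">I", len(new_wrapped)) + new_wrapped + payload


if __name__ == "__main__":
    kek = make_kek()
    label = b"backup-set-2014-04"          # assumed tape/set identifier
    blob = encrypt_backup(b"constructed PHI export", kek, label)
    print("restore with KEK:", decrypt_backup(blob, kek, label))
    print("restore with wrong KEK:", can_open(blob, make_kek(), label))
```

`rotate_kek` is the payoff of the split: when a KEK is rotated or revoked only the 32-byte wrapped key is rewritten, not the tape. The same structure is what a database's transparent data encryption does with its master key, which is why that master key must not live alongside the database files.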

Subnet Wireless Networks

If patients can get free Wi-Fi at McDonald's, they'll expect it when they're at the hospital. The key, of course, is to give patients what they want without exposing PHI and other sensitive information. Subnetting, or creating subnetworks, is the best way to do this. Set aside part of your network for public use; limit guest activity to the browser. Use separate, more secure subnets for business applications, any app that touches PHI and any app that's involved with credit card transactions. Another subnet for those old medical devices may be a good idea, too. A subnet only isolates traffic if a firewall or router ACL actually denies traffic between it and the others, so write and test those rules; a guest VLAN that can still route to the EHR server protects nothing. Encrypt each wireless network in accordance with Wi-Fi Protected Access 2 (WPA2) protocols. For staff and clinical networks prefer WPA2-Enterprise (802.1X with per-user credentials) over a shared pre-shared key; where a PSK is unavoidable, change it on a regular schedule and whenever staff who knew it leave.

Take Identity and Access Management Seriously

Many people, with many different job titles, need access to patient data. What a physician needs to see will differ dramatically from what an attending nurse, bill collector or fundraising coordinator needs to see. Use IAM technology to give employees access to only the data that's relevant to their role within the healthcare organization. Automate this process, so all the new residents who start July 1 have individual accounts. Make it easy for one user to log off a shared machine and another user to log on, too. That way, employees actually use their own login credentials, which makes audit trails easier to follow, and applications aren't carelessly left unattended just because no one logs off when they walk away from a computer.

Create an Airtight BYOD Policy

Mobile devices such as the iPad will make their way into healthcare facilities whether you like it or not. It's only a matter of time before doctors want access to PHI on them. In your BYOD policy, prevent users from storing data locally, lest the device fall into the wrong hands, and insist upon two-factor authentication (a password plus a token) whenever access to PHI is requested. (An extra step, yes, but it ensures that the correct person is viewing the data.) Consider measures that prevent devices from connecting to healthcare apps beyond a certain distance from the medical campus or after a certain length of time. Finally, maintain remote wipe and autolock capabilities and forbid the use of cellphone cameras.

Examine Service-Level Agreements With a Fine-Toothed Comb

The cloud is an increasingly attractive option for healthcare organizations that need to archive years' worth of patient data but lack the space (or expertise) to do it onsite. If you go to the cloud, keep several things in mind. Your SLA should clearly state that you, not the cloud service provider (CSP), own your data. The SLA should also spell out how the CSP will comply with HIPAA, PCI DSS and relevant state data privacy laws and how you will be granted access to your data. Examine the provider's backup, disaster preparedness, disaster recovery and uptime guarantees carefully. This is especially true if you've decided to move mission- and life-critical data to the cloud, as this places a premium on application recovery.

Nag Business Associates

Under revised HIPAA rules, HIPAA business associates are held to the same standards as HIPAA covered entities when it comes to protecting patient data and being fined for failing to do so. Update your business associate agreements to reflect this, and do so regularly. Require business associates to create processes for discovering and reporting data breaches to you. Work with them to explicitly state who's responsible for what in the event of a data breach, and remember that state breach notification laws may differ from HIPAA. Make your BAs responsible for their subcontractors' actions (the Omnibus Rule already requires them to have agreements with those subcontractors), since a healthcare data breach caused by a subcontractor will eventually get back to you.

Hire a Good Lawyer

If you do suffer a breach, expect to hear from the Office for Civil Rights within the U.S. Department of Health and Human Services; the OCR investigates and hands out fines for HIPAA violations. Expect to hear from lawyers representing patients, too. Law firms see big money in healthcare breach cases, which isn't surprising since there have been more than 500 since 2009, many of them preventable. Proving negligence can be difficult, though, since even organizations in full compliance with the law have suffered a breach. Whatever happens, play nice. Cignet Health, recipient of the largest HIPAA civil money penalty to date ($4.3 million), was hit so hard because it withheld patient records and didn't cooperate with OCR.

 

Technical Dr. Inc.'s insight:

Have you had a Risk Assessment performed on your practice?  This is an annual requirement, so contact the experts to have your assessment scheduled today.  inquiry@technicaldr.com or 877-910-0004


-The Technical Doctor Team


Should you care about HIPAA compliance? | Healthcare IT News


The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general.

The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (CEs: healthcare providers or payers) or business associates (BAs: everyone else in the healthcare ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.

There are innumerable clinical, financial and compliance issues to be concerned about in this watershed era for the American healthcare system. However, do not forget about HIPAA.

Long before becoming covered entities under HIPAA, physician practices have been aware of their responsibilities regarding privacy and security of protected health information (PHI in HIPAA-speak). The HIPAA rules have added a layer of compliance requirements to a pre-existing landscape of patient records privacy laws. Some of the regulatory changes affect the ways in which physician practices may market to new and established patients, but many of the changes that took effect last year relate to the obligations of business associates – “downstream contractors” that deal in PHI on behalf of physician practices. BAs are now explicitly subject to the same compliance requirements applicable to CEs. And it is the responsibility of each CE to ensure that downstream contractors are doing what they are supposed to be doing in the realm of HIPAA compliance – or risk being held liable for the failings of their BAs. It is therefore a good time for physician practices to re-examine their HIPAA compliance plans, the scrutiny applied to their BAs’ HIPAA compliance programs, and their contractual agreements with BAs. The bottom line is, well, the bottom line; Covered Entities are now explicitly liable for the HIPAA compliance of their Business Associates.

What does this mean in practice?

1. Tailor-made compliance plans. Unlike other regulatory schemes, which envision compliance with specific rules and regulations, and allow for certification of compliance, HIPAA is a much looser construct. The Security Rule's standards are all mandatory, but many of their implementation specifications are “addressable” – which means that a regulated entity must assess whether the specification is reasonable and appropriate for its environment, implement it if so, and otherwise document why not and put an equivalent alternative measure in place. Addressable does not mean optional. The idea is that this is not a one-size-fits-all program; rather, HIPAA compliance programs need to be tailored to the privacy and security needs of an individual CE or BA.

2. Adoption of policies; review of policies and related documents. Privacy and security policies must be revised and updated on a regular basis, particularly in connection with a major regulatory overhaul such as the promulgation of the Omnibus Rule, but also on an annual basis. Grandfathered Business Associate Agreements (BAAs) should be reviewed for compliance with the new regulations as well. More and more CEs are looking for indemnification provisions in their BAAs. In the end, though, the indemnities are only as good as the BA’s HIPAA compliance program and insurance, both of which bear closer examination.

3. Workforce training. Once appropriate policies, agreements and insurance are in place, the workforce must be trained, and tested, on the HIPAA compliance material.

4. Risk assessments. Risk assessments – preferably handled by outside data security experts – must be conducted on an annual basis. A good risk assessment will uncover room for improvement even in an organization that is highly attuned to HIPAA compliance. Why? Because this is more of a continuous improvement exercise addressing evolving realities than it is check-the-box compliance with a static rule.

Are there things other than HIPAA compliance that demand investment of staff and other resources? Of course there are. But the costs associated with failing to invest appropriately in this realm can be significant. Multi-million-dollar fines and imposition of compliance monitoring agreements – to say nothing of the attendant negative publicity – may be devastating. It seems clear that the investment in HIPAA compliance is one that is likely to pay dividends over the years.

A well-developed, well-documented and well-implemented privacy and security policy, where training and testing of staff is documented, where key agreements are in place and easily producible for review when your friendly neighborhood government agent comes knocking, will go a long way towards minimizing potential sanctions when (not if) your organization experiences a breach of privacy or security of protected health information.


4 ways to ensure HIPAA compliance | Government Health IT


David Harlow is Principal of The Harlow Group LLC, a health care law and consulting firm based in Boston, MA. He blogs regularly at HealthBlawg, where this post originally appeared. Follow him on Twitter.

See also:

The future of health IT security

What health orgs need to know about Heartbleed




Life as a Healthcare CIO: HIPAA and Fundraising


I was recently asked about using patient identified data for fundraising.

The HIPAA Omnibus rule does permit the use of department of service, treating physician, and outcome information in fundraising activities, with the understanding that a patient can opt out and that their wishes must be respected.

* The Notice of Privacy Practices must disclose fundraising and the right to opt out.
* The covered entity or business associate must not send further communications to those individuals who have opted out, though an opt-out can be limited to a specific campaign.
* If PHI is not used (e.g., a purchased list), notice and opt-out do not apply.

Here’s an excellent overview of the regulation and best practices related to fundraising

How do I think about supporting healthcare fundraising activities with IT?

* Keep all data centrally managed so that no shadow databases of patient identified information are stored in departments or on mobile storage systems.

* Ensure that experts perform all queries and create “minimal need to know” views of patient information.

* Create audit trails of all lookups.

* Support the Development department with business intelligence tools that enable them to do their work but eliminate the need to access clinical systems.

* Ensure that opt out requirements are respected.

As with most things involving privacy and security, it is possible to balance business needs and regulatory compliance.   Centrally managing the process requires close collaboration between IT and the fundraising business owners.    Strong policies, communication and relationships are just as important as the technology.
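The points in the list above that are technical rather than organizational (minimum need-to-know views, an audit trail of every lookup, opt-outs enforced centrally) and the "Take Identity and Access Management Seriously" tip earlier on this page come down to the same server-side controls. The following added example (my code, not the author's) shows them in Python: a central store that returns only the fields a role is entitled to, runs any filter over the redacted view rather than the full record, drops opted-out patients from fundraising queries, and logs every request, including refused ones. Field names, roles, purposes and the three patient records are constructed assumptions.

```python
"""A central PHI store that serves role-scoped "minimum necessary" views,
enforces fundraising opt-outs at the data layer and records every lookup
(including refused ones) in an audit trail.

Added example for this page, not the author's code. The record fields,
role names and purposes are assumptions chosen to illustrate the controls
described above; the patient records are constructed samples.
"""
from datetime import datetime, timezone

# Constructed sample records (field names are an assumption).
PATIENTS = [
    {"mrn": "1001", "name": "Ana Rivera", "dept": "Orthopedics", "physician": "Dr. Lee",
     "outcome": "discharged", "diagnosis": "fractured tibia", "insurance_id": "INS-88"},
    {"mrn": "1002", "name": "Ben Okafor", "dept": "Oncology", "physician": "Dr. Shah",
     "outcome": "in treatment", "diagnosis": "lymphoma", "insurance_id": "INS-91"},
    {"mrn": "1003", "name": "Cora Lind", "dept": "Orthopedics", "physician": "Dr. Lee",
     "outcome": "discharged", "diagnosis": "rotator cuff tear", "insurance_id": "INS-17"},
]

# Minimum-necessary views per role. The fundraising view carries only the
# elements the Omnibus Rule allows for fundraising (department of service,
# treating physician, outcome) plus the name needed to address the mailing.
ROLE_FIELDS = {
    "physician":   {"mrn", "name", "dept", "physician", "outcome", "diagnosis", "insurance_id"},
    "nurse":       {"mrn", "name", "dept", "physician", "diagnosis"},
    "billing":     {"mrn", "name", "dept", "insurance_id"},
    "fundraising": {"name", "dept", "physician", "outcome"},
}

# Each role may query only for its own purpose of use.
ROLE_PURPOSES = {
    "physician": {"treatment"}, "nurse": {"treatment"},
    "billing": {"payment"}, "fundraising": {"fundraising"},
}


class PHIStore:
    def __init__(self, records):
        self._records = {r["mrn"]: dict(r) for r in records}
        self._fundraising_opt_outs = set()  # MRNs that declined fundraising contact
        self.audit_log = []                 # append-only record of every lookup

    def record_opt_out(self, mrn):
        """Honour an opt-out in the data layer, not in the mailing tool."""
        self._fundraising_opt_outs.add(mrn)

    def _log(self, user, role, purpose, outcome, mrns):
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "purpose": purpose,
            "outcome": outcome, "mrns": sorted(mrns),
        })

    def query(self, user, role, purpose, predicate=None):
        """Return the role's view of each record that satisfies `predicate`.

        The predicate runs over the redacted view, not the full record, so a
        caller cannot filter on a field (e.g. diagnosis) it may not see.
        """
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self._log(user, role, purpose, "denied", [])
            raise PermissionError(f"role {role!r} may not query for purpose {purpose!r}")
        allowed = ROLE_FIELDS[role]
        views, mrns = [], []
        for mrn, rec in self._records.items():
            if purpose == "fundraising" and mrn in self._fundraising_opt_outs:
                continue
            view = {k: v for k, v in rec.items() if k in allowed}
            if predicate is None or predicate(view):
                views.append(view)
                mrns.append(mrn)
        self._log(user, role, purpose, "ok", mrns)
        return views


if __name__ == "__main__":
    store = PHIStore(PATIENTS)
    store.record_opt_out("1002")
    for row in store.query("dev01", "fundraising", "fundraising",
                           predicate=lambda v: v["dept"] == "Orthopedics"):
        print(row)
    print(store.audit_log[-1])
```

Because the view is built before the filter runs, a fundraiser who passes a predicate on "diagnosis" simply gets no rows rather than an inference channel, and the audit entry still records who asked for what. The log is what makes the "experts perform all queries" rule enforceable after the fact.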


UPMC data breach may affect as many as 27,000 employees

April 17, 2014, 9:11 PM
By Robert Zullo / Pittsburgh Post-Gazette

UPMC now says the personal information of as many as 27,000 of its employees may have been put at risk by a data breach that was first reported to the health care conglomerate in February.

“As of today, 788 employees have been the victims of tax fraud,” UPMC spokeswoman Gloria Kreps wrote in a statement. “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach. We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity.”

The new figure, provided Thursday, was the latest increase by UPMC since employees began reporting instances of identity theft about two months ago.

At first, UPMC said the issue affected only a few dozen employees, then about 322.

“That’s what we were saying all along ... is that there are thousands,” said Michael Kraemer, a Pittsburgh lawyer who has filed a lawsuit seeking class-action status against UPMC for the breach on behalf of employees who had fraudulent bank accounts opened in their name and tax returns stolen. “The message for this huge number of people is you need to keep track of any out-of-pocket expenses and any time you spend dealing with this.”

The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

In addition to the stolen tax refunds, Mr. Kraemer said he has heard from UPMC employees who say they have had bank accounts drained, though he has not yet been able to independently verify the claims.

He questioned why it has taken UPMC so long to identify the scope of the problem.

“It is extremely concerning that when this story broke in February, the response from UPMC was that ‘It’s OK, only 20 people were affected,’” Mr. Kraemer said. “This is something that arguably they should have known back in February. ... People are now exposed.”

Mr. Kraemer said UPMC sought and received a 30-day extension to respond to his suit, filed Feb. 27, and is still within that window.

The hospital group and its affiliates employ about 62,000 people, and Mr. Kraemer said he has heard from employees in every facet of UPMC’s operations.

“Just from the sheer number of people I’ve talked to, I don’t see any department that’s been excluded,” Mr. Kraemer said. “Why isn’t it every single employee?”

A UPMC spokesperson said all employees who could have been potentially affected by the breach have been notified.

After the potential data theft was reported, the company set up a hot line for employees to call about their case, created a “comprehensive employee intranet site with information and resources,” hired a tax firm to help employees file the required IRS identity theft affidavit form and offered reimbursement if the employees have hired someone to do it for them. UPMC also offered credit monitoring services for the affected employees and reimbursement for costs associated with filing a police report, it has said.

In a letter, UPMC urged employees to contact their banks and check with the IRS to ensure that tax returns have not been fraudulently filed in their names as well as to prevent the potential for future incidents. UPMC also said it is providing LifeLock identity protection free of charge to employees who enroll by April 28.

“We are putting our full resources behind efforts to investigate and secure our systems,” UPMC Vice President John P. Houston wrote in the letter. “We recognize a situation like this creates stress and anxiety about the safety of your personal information and we want to provide you with all the tools and resources we can to help you deal with this all-too-common crime.”


Read more: http://www.post-gazette.com/business/finance/2014/04/17/UPMC-data-breach-may-affect-as-many-as-27-000-employees/stories/201404170277




Security Risk Assessment | Providers & Professionals | HealthIT.gov

What is Risk Assessment?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Watch the Security Risk Analysis video to learn more about the assessment process and how it benefits your organization or visit the Office for Civil Rights' official guidance.

Read the HHS Press Release.


Is Your Health Insurance Portability and Accountability Act (HIPAA) Compliance Program Going Out the Window with XP? | The National Law Review

April 8, 2014 marks the end of Microsoft’s support for the Windows XP operating system, which means the end of security updates from Microsoft: vulnerabilities discovered after that date will never be patched on systems still running it, and attackers know it. But does the end of Windows XP support mean that HIPAA covered entities and their business associates using Windows XP are automatically out of compliance with HIPAA as of April 8th? Not necessarily.



From AHIMA: Look Closer at Vendor HIPAA Compliance


With stronger HIPAA privacy and security requirements now in effect, health care providers need to ensure that their information technology vendors and their business associates understand and are compliant with the provisions.


5 things to remember about HIPAA in 2013


Make sure you know these basic facts.


 As competition between health care providers continues to surge, hospitals need to step up the pace when it comes to their marketing efforts.


But in the “world according to HIPAA,” many marketers feel like their hands are tied under stringent rules that define “marketing” as:


“A communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”


With limited exceptions, the privacy rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So how can marketers effectively market?


First and foremost, don’t let HIPAA become an excuse for tapering off on your marketing efforts. Knowledge is power. So take some time to familiarize (or re-familiarize) yourself with HIPAA’s marketing rules. Here are some general guidelines to keep in mind as you plan for the year ahead.


Testimonials:

Patient testimonials can add credibility to many marketing campaigns. Obviously, a patient must approve the use of a specific testimonial before it can be used. But don’t stop with a “standard” release form. HIPAA regulations and release forms also apply. And be sure to keep all signed copies on file. Same goes with using patient photos. Be sure to get—and retain—photo releases.


Truth in advertising:

There’s not much room for vague statements under HIPAA. So if you can’t back it up, don’t make the statement. Advertising claims must be factual—and verifiable.


Mailing lists:

When it comes to direct marketing to consumers, do not use lists that originate from personal records, such as private practice information. Note: there is an exception to the marketing definition which permits communications by a covered entity about its own products or services.


For example, under this exception, it is not “marketing” when:


  • A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.
  • A health plan sends a mailing to subscribers approaching Medicare-eligible age with materials describing its Medicare supplemental plan and an application form.

Authorization is a given—in most cases:

The HIPAA Privacy Rule requires an authorization for uses or disclosures of protected health information for all marketing communications, except in two circumstances:


  • When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
  • The communication involves a promotional gift of nominal value.

When in doubt, check it out:

If you have questions, refer them to a legal professional who’s familiar with your state’s laws. Also be sure to check out the Marketing section on HHS.gov to review details about marketing under HIPAA.


Doctors: Stop worrying about negative comments and HIPAA violations

Dr. Jeff Livingston takes a calm, relaxed approach to posting on social media.


You could call Dr. Jeff Livingston, OB/GYN, a social media pioneer.


As I explained in earlier blog posts here and here, the Irving, Texas, physician has been using social media to educate and connect with his patients since his teenage daughter suggested he start a MySpace page to reach out to high school students struggling with pregnancy and STDs.


I know that many doctors are reluctant to embrace social media for fear of HIPAA violations and negative comments, so I asked him how he responds to those concerns.


Avoiding HIPAA violations in social media is natural


“I don’t think it’s that hard (to avoid HIPAA violations),” Livingston says. “If you step out of technology and just think about how doctors communicate throughout the day, they do it very naturally and never think about it.


“When you’re in a doctor’s lounge there’s a certain way of talking,” Livingston says. “When you get into the lobby, you change. And when you get on an elevator, you completely change. And you do that very naturally. The same thing applies on the internet. It’s a very big elevator with a lot of people on it. What you are already doing naturally can flow to the technology itself.”


Never disclose any kind of private health information


Livingston says the concept is simple.


“You can never disclose any kind of private, personal health information,” Livingston says. “You can’t diagnose. You can’t treat. But you can answer general questions. You can be helpful. You can provide lots of health information. You can provide guidance. Just don’t diagnose and treat patients.”


A couple of years ago a patient posted a question on the practice Facebook page.


Is it okay to go swimming while you’re pregnant?


There is a safe way to respond: Unless instructed otherwise by your doctor, there’s no reason why a pregnant woman can’t enjoy a swimming pool. Water is relaxing, it will take pressure off your back, and it will cool you off in the hot Texas sun.


Or there is the illegal way: Because you have difficult labors and an abnormal placenta, it’s not a good idea for you to swim.


How do you respond to negative comments?


“To be honest, it doesn’t happen that much for us,” Livingston says. “I’m not going to engage in controversial discussions on Twitter or post controversial things on Facebook. We really haven’t had people put negative stuff on our Facebook page.”


He says patients know how to use social media.


“I have never had someone send me a tweet that said ‘I think I’m in labor,’” Livingston says. “I have never had someone put on our Facebook page, ‘I think my water broke.’ People who use these networks understand the public nature and act appropriately.”
