HIPAA Compliance for Medical Practices
82.5K views | +13 today
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...

Seven Tips for Avoiding HIPAA Penalties in 2015

Seven Tips for Avoiding HIPAA Penalties in 2015 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA violations may result in penalties of $100 to $50,000 per violation, depending on the conduct at issue.  If the violation results from “willful neglect” the party is subject to mandatory fines of $10,000 to $50,000 per violation. 

A single data breach may result in numerous violations.  For example, the loss of a laptop containing PHI of 2,000 patients may constitute 2,000 violations.  Additional penalties may be assessed if the breach resulted from failure to implement required policies or practices.  To make matters worse, covered entities must self-report breaches of unsecured protected health information (PHI) to the affected individual and HHS. 

The good news is that a covered entity may avoid HIPAA penalties if it does not act with “willful neglect” and corrects the violation within 30 days. 

Here are seven tips for avoiding “willful neglect” penalties, especially those arising from breaches of electronic PHI:

1. Conduct or update your security risk assessment required by the security rules.  This is a first step in identifying and preventing potential security breaches.  In 2014, HHS made available a risk assessment tool to help providers conduct and document their own risk analysis. 

2. Implement the administrative, technical, and physical safeguards required by the HIPAA security rule.  Most physician practices have polices required by the privacy rule, but comparatively few have properly addressed the safeguards required by the security rule.  Implementing the required safeguards is necessary not only for regulatory compliance; it is also simply a good business practice given the potentially disastrous consequences of system failures or cybercrimes.  Again, the government’s HealthIT website, HealthIT.gov, contains helpful tools and guides that practices may use to achieve compliance. 

3. Execute business associate agreements (BAAs) with business associates.  A good BAA is not only required by HIPAA; it will also help insulate the practice from HIPAA liability if its business associate violates HIPAA.  Ensure the BAA confirms that the business associate is acting as an independent contractor, not an agent of the practice.

4. Train your employees and monitor their performance.  According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.  Unfortunately, there is no similar guarantee that policies and training will protect a provider from liability for state privacy claims:  An Indiana jury recently returned a $1.44 million verdict against Walgreens based on an employed pharmacist’s privacy violations despite Walgreens’ policies and training.  Thus, physician groups need to ensure their training is effective.

5. Respond immediately to any suspected breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA.  Second, an entity may be able to prevent the data from being compromised by taking swift action, thereby avoiding the obligation to self-report HIPAA violations.  Third, a covered entity or business associate may avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.  Corrective action may include modifying policies, implementing additional safeguards, disciplining employees, and providing additional training.

6. Report breaches in a timely manner. While the initial action resulting in the breach may not have been willful, the failure to timely report a reportable breach as required by the rules may constitute willful neglect. Under HIPAA, the unauthorized access, use, or disclosure of unsecured PHI is presumed to be reportable to the individual and HHS unless the covered entity can demonstrate there is a low probability that the data has been compromised based on factors such as the type of PHI disclosed; the recipient of the PHI; whether the PHI was actually accessed or disclosed; and steps taken to mitigate any breach. 

7. Document your actions. Documenting proper actions will help providers defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

Although there is no guarantee that these steps will protect against breaches, they will help physician groups mitigate resulting liability under the HIPAA rules.

No comment yet.

Hospitals likely to be cyberattack targets in 2015

Hospitals likely to be cyberattack targets in 2015 | HIPAA Compliance for Medical Practices | Scoop.it

As hospitals and health care providers continue to use more electronic records, they're increasingly becoming the targets of cybercriminals.

That's according to Carl Leonard, a principal security analyst for Websense, who said hackers are breaking into the computer networks of health care facilities with increasing frequency and taking valuable personal information that is often secured improperly.

In 2015, Websense projects the health care industry will see a substantial increase in cyberattacks.

St. Louis is home to a large health care community, with more than 25 regional hospitals accounting for more than $7.6 billion in annual revenue, according to St. Louis Business Journal research.

The Websense report said medical records hold a trove of data that is more valuable than other records and can be used for various types of fraud.

"The healthcare industry is a prime target for cybercriminals," Leonard said in a statement. "With millions of patient records now in digital form, healthcare's biggest security challenge in 2015 will be keeping personally identifiable information from falling through the cracks and into the hands of hackers."

In Missouri, a majority of health records make their way through the Missouri Health Connection, a nonprofit organization that operates Missouri's statewide health information exchange. The MHC was established in 2009 and includes the records of St. Louis' three largest health-care providers, SSM Health Care, BJC HealthCare and Mercy.

The MHC uses an application suite called HealthShare from InterSystems, a Cambridge, Massachusetts-based software technology company that specializes in data management, to serve as the backbone for its health information exchange.

Mercy, in a previous statement to the Business Journal, said "protecting the personal health information of our patients is one of Mercy's highest priorities. We have information security policies and procedures in place as well as technical controls such as digital security measures. We consistently evaluate risks associated with security and continue to make investments to remediate those risks to maintain and improve Mercy's information security system."

Hard hit recently, U.S. retail stores saw the average cost of cybercrime reach $8.6 million in 2014, according to the Ponemon Institute— more than double the average cost in 2013.

St. Louis trails only Tampa and Orlando among the most-hacked cities in America.

No comment yet.

BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say

BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say | HIPAA Compliance for Medical Practices | Scoop.it

The $150,000 fine that U.S. Department of Health and Human Services' Office for Civil Rights levied against an Alaska mental health organization last month could be a sign that OCR is settling in after a wave of leadership changes in 2014 and gearing up to aggressively investigate HIPAA compliance complaints, according to a former federal attorney.

Ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation in an article at HealthcareInfoSecurity. He predicts more high-profile enforcement actions in 2015.

Holtzman echoes a warning from Jerome B. Meites, OCR chief regional counsel for the Chicago area, who told an American Bar Association conference last summer that the whopping fines levied over the past year will "pale in comparison" to those expected to come.

Meanwhile, privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson, in an interview with HealthcareInfoSecurity, urge healthcare organizations to conduct their own mock audits to determine any exposures and to do their best to fix those problems.

They also recommend keeping all such documentation in one place--including all records of HIPAA education programs conducted with staff, and evidence that they've reviewed all business associate agreements--and ensuring that it's up to date. Chestler and Fraiche foresee BA agreements being a bigger target of OCR enforcement actions in 2015.

In particular, Chestler and Fraiche say, organizations need to re-examine all bring-your-own-device policies and make sure they address any issues that have arisen since those policies were last reviewed.

In September, OCR announced it was delaying the start of the second round of audits in order get a web portal up an running through which entities could submit information. A specific start date has not been announced, only that the new audits will begin in early 2015.

Brett Short, chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, spoke with FierceHealthIT about receiving a call from an auditor when the organization had never received a letter saying it had 10 days to submit required documents.

No comment yet.

Will 2015 be worst year yet for data breaches? | Government Health IT

Will 2015 be worst year yet for data breaches? | Government Health IT | HIPAA Compliance for Medical Practices | Scoop.it

This past year the FBI warned the entire healthcare realm that security practices are not keeping pace with other industries. And a new report is suggesting that healthcare organizations should expect even more data breaches in the New Year.

Indeed, that means bigger and more costly violations. Global information services firm Experian, in its second annual data breach forecast, cites the growing potential entry points to protected health information, wearables and other mobile devices as among the new technologies making healthcare vulnerable — while other studies in 2014 pointed to healthcare organizations’ widespread lack of confidence in securing PHI. 

Experian is not the only firm saying data privacy and security will get worse in healthcare.

Consultancy IDC’s Health Insights unit, in fact, included two interesting points in its yearly top 10 predictions for healthcare: First, healthcare entities will have experienced at least one and as many as five cyber attacks in the previous 12 months, with one-third of those considered successful, and, second, by 2020 approximately half of all digital health data will be unprotected.

At the same time, attacks will not only grow more sophisticated but, in some ways, be easier to pull off moving forward.

“From 2015 onward, we will see attackers use social media to hunt for high-value targets. They will no longer limit themselves to instigating watering-hole attacks and using spear-phishing emails,” security specialist Trend Micro wrote in its predictions. “They will dramatically expand the attack surface to include Wi-Fi-enabled wearable devices running vulnerable firmware.”

Such vulnerable firmware, it’s worth pointing out, resides in many medical devices of all sorts, not just wearables. 

Symantec, meanwhile, explained the growth in popularity of “crimeware-as-a-service,” on the black market.

“Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams,” Symantec wrote in a December blog post. “This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.” 

Security vendor Websense, which focuses on a range of industries, laid down its own prognostications for 2015. The first one: “Call the IT doctor. My hospital is under attack – again!”

“The healthcare industry is a prime target for cybercriminals,” Carl Leonard, principal analyst of Websense Security Labs, said in a report. “With millions of patient records now in digital form, healthcare’s biggest security challenge in 2015 will be keeping personally identifiable information from falling through security cracks and into the hands of hackers.”

No comment yet.

What Can You Expect in 2015 Regarding HIPAA Enforcement? | The National Law Review

What Can You Expect in 2015 Regarding HIPAA Enforcement? | The National Law Review | HIPAA Compliance for Medical Practices | Scoop.it

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009.  An increase in the number of breaches isn’t the only statistic on the rise.  Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463).  It doesn’t take a crystal ball to predict that these numbers in 2015 will continue to rise.  We haven’t reached the apex yet.

The newly approved 2015 federal budget does not include an increase in funding for the federal agencies responsible for enforcing HIPAA, including the HHS Office of Civil Rights (OCR), but HHS isn’t viewing it as a setback.  Per an OCR spokeswoman “OCR’s strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track…”  Just a few weeks ago, HHS settled with the Alaska Department of Health and Humans Services for $1.7 million for potential HIPAA violations.

If enforcement efforts remain on track in 2015, so should compliance efforts next year.  Keep your HIPAA policies and procedures up to date and conduct regular risk assessments.  If your organization has not addressed security on mobile devices do so now.  Especially if you are contemplating a transaction in 2015, it’s time to take a deep dive regarding HIPAA compliance.

No comment yet.

Obama Unveils Cyberthreat Info Sharing Plan

Obama Unveils Cyberthreat Info Sharing Plan | HIPAA Compliance for Medical Practices | Scoop.it

It looks like 2015 is beginning where 2014 left off regarding cyberthreat information-sharing legislation.

President Obama on Jan. 13 unveiled his legislative proposal to promote cybersecurity information sharing between business and government, a proposal Congress has debated for years, but has been unable to enact.

Obama's proposal, according to a summary released by the White House, would provide stronger privacy protections than did the Cyber Intelligence Sharing and Protection Act, the bill passed in the last Congress by the Republican-controlled House of Representatives and which the administration threatened to veto . Cyberthreat information-sharing legislation never came up for a vote in the then-Democratic-controlled Senate.

A senior administration official, speaking on background, says the White House's position on CISPA that led to the veto threat has not changed. The administration says its proposal would safeguard Americans' personal privacy by requiring businesses to comply with certain privacy restrictions, such as removing unnecessary personal information and taking measures to protect any personal information that must be shared, in order to qualify for liability protection. CISPA didn't do that, and that's one reason the White House threatened a veto. The White House also said CISPA provided too broad of liability protections for businesses. The new proposal offers targeted liability protection to businesses that share cyberthreat information.

Acting in Good Faith

That liability protection is important to businesses because they don't want to face lawsuits from disgruntled shareholders and others because the information they share might disclose vulnerabilities in their IT systems. "The president's proposal to grant targeted liability protections will foster greater industry participation, while helping to progress what has traditionally initiated the barriers to sound and meaningful threat-sharing policy," says Elizabeth Hyman, executive vice president of public advocacy at the high-tech industry group TechAmerica. "Organizations acting in good faith should be incentivized to partner with the federal government."

Obama's proposal also would require the Department of Homeland Security and the attorney general to develop guidelines governing the receipt, retention, use and disclosure of cyberthreat information received from businesses.

In addition, the administration plan would encourage businesses to share appropriate cyberthreat information with the National Cybersecurity and Communications Integration Center, the Homeland Security agency responsible for information sharing and analysis to protect the federal government and critical infrastructure. NCCIC (pronounced n-kick), as the center is known, would then share the information in as close to real time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Centers.

More ISACs

The White House proposal would encourage industries that do not have ISACs to form them. But to be most effective, the respective industries running the ISACs need to make sure they don't cede too much authority to the federal government, says Chris Blask, who chairs the Industrial Control System ISAC.

Too often, he says, ISACs are more about what the federal government wants rather than what industry needs. "This is not at all bad, but it does not intrinsically speak to the needs and interests of various private-sector demographics," Blask says.

Reaction to Obama's plan from business and privacy groups was generally cautious. The Financial Services Roundtable, in a statement, says it applauds Obama for raising "this important discussion on information sharing and looks forward to reviewing the details of the proposal."

Harley Greiger, senior counsel at the Center for Democracy and Technology, an online advocacy group, is taking a wait-and-see approach on the Obama plan. "The White House proposal relies heavily on privacy guidelines that are currently unwritten," he says. "What these guidelines say and when they are applied will be critical to protecting Internet users. Privacy protections and use restrictions must be in effect before information sharing occurs."

Partisan Rhetoric

In the Capitol, the partisan rhetoric of the 113th Congress reverberated in the new 114th Congress as some lawmakers responded to the president's plan with a bit of mockery. "While it took an attack on Hollywood for the president to re-engage Congress on cybersecurity, I welcome him to the conversation," says House Homeland Security Committee Chairman Mike McCaul, R-Texas, referring to the Sony Pictures Entertainment breach.

A more straightforward response came from Rep. David Nunes, the California Republican who's the new chairman of the House Intelligence Committee.

"I am glad to see President Obama putting forth his ideas to address this critical issue," he says. "They will receive close consideration as the House Intelligence Committee crafts a cyber-bill."

The senior administration official sounded more optimistic about prospects for passage of cyberthreat sharing legislation. "Everybody has indicated a willingness to talk and to move things forward and move beyond that straight-up piece of legislation," the official says. "The administration is serious about working on this issue and has clearly articulated its position going into those discussions with the Hill. And I look forward to some good, productive discussions with the folks up on various committees this spring."

Prosecuting Botnet Sales

Another legislative initiative proposed by Obama would strengthen law enforcement to combat cybercrime. If enacted, the legislation would:

  • Allow the prosecution of those who sell botnets;
  • Expand federal law enforcement authority to deter the sale of spyware used to stalk or commit identity theft;
  • Give courts the authority to shut down botnets engaged in distributed denial-of-service attacks and other criminal activity.

"Much like possession of robbery tools is a criminal offense for those who are arrested trying to break and enter into a house, this proposal focuses on the tools - botnets, spyware, etc. - that are used in furtherance of breaches, IP theft and identity theft," says Christopher Pierson, former president of the Phoenix chapter of InfraGard, an FBI-private sector partnership that shares threat information. "This is a step in the right direction, but, of course, the application depends on the ability to capture and prosecute the persons involved in the crime."

Obama's proposal also would apply to cybercriminals the Racketeering Influenced and Corrupt Organizations Act, the statute known as RICO that government lawyers use to prosecute those involved in organized crime. It also would clarify the penalties for computer crimes, and ensures these penalties are in line with other similar non-cybercrimes.

The cybercrime legislative proposal would criminalize the overseas sale of stolen U.S. financial information, such as credit card and bank account numbers. But some security experts question the effectiveness of such a law. "For it to be effective, we need to have cooperation of the law enforcement authorities in the countries where the data is being sold and purchased," says cybersecurity expert Gene Spafford of Purdue University. "We do not have authority to shut down sites or arrest people in other countries, even if what they are doing is illegal here. We need international cooperation."

No comment yet.

Obama's data-breach initiative has privacy advocates optimistic, cautious

Obama's data-breach initiative has privacy advocates optimistic, cautious | HIPAA Compliance for Medical Practices | Scoop.it

There may finally be a standard set of rules for how US companies protect customer's data in the aftermath of a breach, if new proposed rules from the president become law.

For years, companies in America have contended with a patchwork of laws regarding how they treat customer information. Some states have strict rules, designed to ensure consumer protection. Others have none.

President Barack Obama wants that to change, and so do consumers. A Pew Research study conducted last year found 18 percent of consumers have seen their credit card, bank account, or Social Security number stolen, up from 11 percent only six months earlier.

They have reason to be concerned. The Identity Theft Resource Center said data breaches in the US were up 27.5 percent in 2014 over the year before. The past couple of years have been filled with headlines about catastrophic data breaches from Target and Home Depot, as well as arts and crafts chain Michaels and restaurant chain P.F. Chang's. In November, Sony Pictures suffered one of the worst hacks in corporate history.

Now, the government may step in, at least to ensure consumers are protected. President Obama on Monday proposed a new law called the Personal Data Notification and Protection Act, which would create a basic set of rules for how companies handle their customer information. It also would criminalize international trade in stolen personal identity information.

Aside from one specific rule that would require companies to notify customers within 30 days of the discovery of a data breach, there aren't many other details available yet about Obama's proposal. The president is expected to outline more specifics in his State of the Union speech next week.

In the mean time, tech industry executives and privacy advocates are excited at the prospect of a renewed effort to create a national standard. They say the bills that succeed are typically aimed at the government and how it handles information, rather than corporations.

Now that could change.

"This is a huge shot in the arm to a much-needed advancement for our legislative protections," said Scott Talbott, who heads up government relations for the trade group Electronic Transactions Association.

Some, like Alvaro Bedoya, the executive director of the Center on Privacy and Technology at Georgetown University, are cautiously optimistic. "Some states tend to have very strong data breach laws," he said. "We're going to need to put the Obama proposal side-by-side with those states' laws and see how they stack up."

Many questions still remain

While 47 states have laws requiring companies to at least notify consumers of security breaches involving their personal information, according to the National Conference of State Legislatures, the similarities often end there.

The toughest state laws, said Bedoya, have strong provisions for credit monitoring, requiring companies give affected consumers at least a year of free credit protection. Companies must notify consumers that their information has been compromised within 30 days. California, for example, lets its residents attempt to recover damages, making it one of most aggressive.

But South Dakota, Alabama and New Mexico have no data breach protections at all for consumers, according to Heidi Shey, a security and risk analyst at research firm Forrester.

The Electronic Privacy Information Center, a research group that tracks privacy and civil liberties issues, said the proposal would greatly impact consumers in those places, while also creating a minimum set of rules that all companies would have to follow.

President Obama isn't the first to propose such nationwide measures. In the previous session of Congress alone, which lasted from 2013 to 2015, there were four similar bills in the House of Representatives and two in the Senate. All of them went nowhere.

But that was before the latest string of privacy breaches. "It's important to have this in place from a consumer perspective," said Forrester's Shey. "If we have 50 separate laws, it makes it so much harder for a company to respond. It gets easy to drop the ball."

No comment yet.

What Will HIPAA Enforcer Do in 2015?

What Will HIPAA Enforcer Do in 2015? | HIPAA Compliance for Medical Practices | Scoop.it

Time to rub the dust off my crystal ball to predict what we might see from the Office for Civil Rights' in 2015 when it comes to regulatory activities and enforcement of the HIPAA privacy, security and breach notification rules.

But first, note that 2014 represented a year of significant changes in leadership and approach for OCR, the unit of the Department of Health and Human Services that's responsible for HIPAA enforcement. Jocelyn Samuels joined OCR as its director in July. She was tapped to lead the agency by HHS Secretary Sylvia Mathews Burwell when Leon Rodriquez was confirmed as director of the U.S. Citizenship and Immigration Services.

 I expect the agency will launch more high-profile enforcement actions in 2015. 

Additionally, OCR's health information privacy division is being led by an acting deputy director following the retirement of Susan McAndrew.

The OCR division responsible for overseeing the work of its regional offices, including enforcement efforts, is also being led by an acting deputy director. In addition to the leadership changes in Washington, three of the 10 managers leading OCR's regional offices were newly appointed this year. That's a lot of leadership change in a short period.

Enforcement Actions

The recent OCR settlement in which an Alaska mental health organization paid a $150,000 fine and agreed to a corrective action plan over shortcomings in their security rule compliance program is the first since director Samuels took over the agency.

This resolution agreement could signal that OCR is regaining its footing after the transition to a new leadership team and will be moving ahead more aggressively to reach settlement agreements in cases where the agency finds serious violations of the privacy and security rules. According to OCR's website, there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews being investigated. I expect the agency will announce more high-profile enforcement actions in 2015.

Through the 2009 HITECH Act, Congress mandated HHS to make a number of significant changes to the privacy regulations, expanding the jurisdiction oversight to business associates, and encouraging the development of new tools for enhanced regulatory enforcement.

The tools include self-funding HIPAA enforcement authority from fines and penalties collected by OCR and an audit program to measure industry compliance. However, significant provisions of the HITECH Act have not been adopted or are in some stage of development. What are the prospects for the remaining provisions of HITECH to be enacted in 2015?

Accounting of Disclosures

The HITECH Act mandated an expansion of the HIPAA Privacy Rule's current standard for covered entities to provide individuals an accounting of unauthorized disclosures, which exempts disclosures made for purposes of treatment, payment or healthcare operations, or TPO. Congress called on HHS to revamp the standard by requiring accounting for disclosures to include TPO disclosures by covered entities and businesses using electronic health records.

In its 2011 proposed rulemaking, HHS sought to give individuals an accounting of uses in addition to expanding the disclosures to be reported. Under intense pressure to scale back the scope of the proposed rule, HHS had its panel of outside experts, the Privacy and Security Tiger Team, made recommendations in December 2013. The team has since disbanded with HHS taking no action on their recommendations. Nor does publication of a final rule appear to be in the offing anytime soon.

Monetary Settlements

Under HITECH, Congress called for HHS to develop a methodology to distribute a percentage of monetary settlements collected by OCR to individuals affected by breaches.

The first step was for the Government Accountability Office to make recommendations to HHS on a methodology to share a percentage of the proceeds from fines and penalties with consumers harmed by the unlawful uses or disclosures resolved through OCR's investigation. Although the GAO apparently has delivered its recommendations, the HHS regulatory agenda does not include a proposal under development or being reviewed.

With continuing pressures on federal spending restricting the growth of agency budgets and resources to support OCR's expansive mission, it seems unlikely that the office will aggressively pursue an initiative that would result in the sharing with consumers the proceeds from its monetary settlements from HIPAA enforcement actions.

HIPAA Audits

The HITECH Act also called on OCR to perform periodic audits of covered entities and business associates' compliance with the HIPAA rules. With funding provided through HITECH, OCR developed and implemented a pilot audit program through which 115 audits of covered entities were conducted.

Beginning in early 2015, OCR plans to audit 200 covered entities, including healthcare providers and group health plans, to measure their compliance with the HIPAA privacy, security and breach notification rules requirements. These audits of covered entities will be followed by up to 400 audits of business associates to measure their compliance with the security rule and how they intend to approach their obligations under the privacy and breach notification rules.

In comments at the the September 2014 HIPAA security conference hosted by OCR and the National Institute of Standards and Technology, OCR's Iliana Peters said it was the agency's intention to use the audit findings as a tool in the enforcement arsenal. Covered entities found to have significant gaps in their HIPAA compliance will be ripe for follow-up compliance reviews and could face penalties.

With millions of dollars of monetary penalties collected from covered entities since adoption of the HITECH Act changes, this is the one OCR initiative that seems on track. Don't wait for your notice from OCR to prepare for your HIPAA compliance audit. Take action now by going through the steps to ready your organization if it were to be randomly selected for one of those audits.

No comment yet.

Data Breach Cost Of $5.6 Billion Predicted For Healthcare In 2015

Data Breach Cost Of $5.6 Billion Predicted For Healthcare In 2015 | HIPAA Compliance for Medical Practices | Scoop.it

Experian has released its 2015 Second Annual Data Breach Industry Forecast, a report that provides insight into the changing state of healthcare data security as the industry faces a new year. Reports like this one will be of increasing interest to your clients, as organizational leaders begin to realize the impact that data security and breaches have on their overall organizational health. The report states: “Board members and the C-suite can no longer ignore the drastic impact a data breach has on company reputation. Meanwhile, consumers are demanding more communication and remedies from businesses after a data breach occurs. As a result, the topic is one of the highest priorities facing businesses and regulators in 2015.”

The Threat To Healthcare

Healthcare, as an industry, is opening its doors to more attacks, just as information is becoming more valuable on the criminal circuit. The advent of EHRs (electronic health records) and increase in use of wearable technology has meant amazing new uses of data in regard to health, but it’s also meant more access points for cybercriminals.

The report indicates that it fully expects breaches to increase in 2015, and that many organizations (doctors’ offices, hospitals, and clinics) simply may not have enough resources to properly protect PHI (protected health information) — and they know it. According to a survey by the Ponemon institute, 72 percent of healthcare organizations indicated they are only “somewhat confident” or “not confident” in the security and privacy of patient data that travels via HIE. It’s expected that the cost of breaches next year could reach $5.6 billion.

Experian recommends that healthcare organizations “step up their security posture and data breach preparedness,” or face the risk of not only breaches, but increased attention and scrutiny from federal regulators who are beginning to turn an eye the costly danger of an unprotected healthcare system.

Medical Identity Theft

The report makes a special call-out to the dangers of medical identity theft on page seven. Experian is working with organizations like the Medical Identity Fraud Alliance (MIFA) to start making headway in addressing this issue.

Ann Patterson, senior vice president of the alliance, weighs in: “Medical identity theft is a serious threat that needs to be prioritized by healthcare organizations, regulatory groups and consumers. There is no single solution for fraud prevention, meaning we must take a collaborative approach to solving the issue. Industry and government must work together to develop holistic strategies pertinent to the fight against fraud, and consumers should take an active role in advocating for system-wide reform.”

No comment yet.