HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Cyberattackers swipe data of 1.1M at CareFirst

It took a health insurance company almost a year to notify some 1.1 million of its members that their personal data had been swiped by hackers. What's more, the cyberattack wasn't even detected in-house.

The Baltimore, Md.-based CareFirst BlueCross BlueShield health plan announced the cyberattack May 20, despite the attack occurring back in June 2014.

According to a company news release, the cyberattack compromised the names, dates of birth, email addresses, member ID numbers and user names of 1.1 million members.

The cyberattack went undetected by the health plan itself. Rather, as CareFirst Chief Executive Officer Chet Burrell described in a statement, outside cybersecurity firm Mandiant "was the firm that actually discovered the attack."

Only after the health plan brought in Mandiant to conduct end-to-end IT security testing in the wake of the Anthem and Premera attacks did CareFirst discover that attackers had gained access to a single database that stores members' online services data.

CareFirst officials described the breach as a "sophisticated cyberattack," but some security professionals question that general wording, which was also used to describe the Anthem breach, a compromise of the data of as many as 80 million people.

As Kevin Johnson, founder of security consulting firm Secure Ideas, told Healthcare IT News this February following the Anthem breach, his experience working with insurance companies on their security, together with seven years working at Blue Cross in Florida, leads him to call "sophisticated" an inaccurate word choice for a cyberattack on an insurance company.

"I have never found an insurance company that required a sophisticated attacking incident," he said. "Period."

"They have tons of systems. They have tons of tests," he said. "It's a huge conglomeration of stuff."

As Ken Westin, security analyst at Tripwire, sees the CareFirst breach: "In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It's no surprise that several organizations have been targeted and compromised."

Attackers look for system vulnerabilities, Westin continued, "vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes."


Scope of HIPAA Compliance Remains Uneven

A recent survey of HIPAA compliance conducted by NueMD revealed a startling range of knowledge and compliance with HIPAA. Even though HIPAA has been around since 1996 and was updated to include the HITECH Act modifications in 2009, many medical practices revealed they were unaware of the full scope of HIPAA requirements, did not necessarily understand what they did know, or have not implemented full compliance programs.

From the compliance perspective, only 58% of respondents indicated that they had a compliance plan. Worse, given the number of high-profile violations and settlements to date, 23% responded that no plan was in place. The share of practices with a breach notification policy falls further still: only 45% have a formal policy in place for the event that a breach occurs.

The survey's questions about electronic devices and the use of social media are no more reassuring. For example, less than half of all staff or management associated with practices are confident that their electronic or mobile devices are HIPAA compliant. Confidence that electronic communications and social media are used in compliance with HIPAA is somewhat surprising, though. Social media is clearly a new and growing tool in healthcare, yet 30% of office staff and non-owner providers and 34% of management and owners were confident that social media is being used in a compliant manner.

The results of the survey should not be overly surprising. When the Office for Civil Rights (“OCR”) of the Department of Health and Human Services conducted its pilot round of HIPAA audits in 2012, the results were consistent with findings of the survey. HIPAA compliance was all over the place and did not present a rosy picture. Instead, the OCR found non-compliance with any number of issues, including basic misunderstandings of just what HIPAA actually does.

Given the constantly evolving nature of threats, the relatively low numbers of practices with robust compliance programs in place or even strong confidence that HIPAA is being properly followed raises a significant level of concern. The OCR has been very clear over the past couple of years that lack of preparedness is not well tolerated. When the settlements are examined, it becomes apparent that OCR is trying to teach lessons to all of those entities that are or may be subject to the requirements of HIPAA.

What can be done to address the widespread non-compliance with HIPAA and the general lack of knowledge or awareness of it? First, education on multiple fronts, and a better understanding of HIPAA's multiple goals, is a necessary step. Education must begin with a basic introduction to HIPAA and how it is designed to protect and secure information. Once a general awareness is established, it becomes possible to demonstrate why compliance is so important. From there, the next level is grasping how HIPAA applies to a particular entity (i.e. a healthcare provider, health plan, employer, business associate or other) and what policies and procedures are needed to fully comply with all of HIPAA's requirements. While this level of education may sound very basic and fundamental, the survey and audit results support the view that education at this level is a necessity. Education is also not a once-and-done proposition. It must be continual, because the healthcare world is always changing, and everyone should be reminded regularly of their HIPAA obligations and of how HIPAA is affected by new technology and practices.

Once the initial education process is complete, it should be easier to adopt and follow a comprehensive compliance program. A compliance program, meaning policies and procedures, is the means by which a covered entity or business associate satisfies its HIPAA obligations. A compliance program should not be feared. On the contrary, it may be viewed as an opportunity for an organization to put best practices into place and help its operations flow more smoothly. While HIPAA can be seen as a barrier, it may be more appropriate to view it as a means of guiding a practice and offering a common set of expectations, both to organizations within the healthcare field and to the individuals and patients who interact with those entities.

While there seems to be a lot to do, the present state of affairs offers an opportunity to change how the future plays out. Now that HIPAA is becoming the center of attention, organizations that have not taken all of the necessary steps have the chance to chart a course that takes HIPAA into account and positions them for compliance going forward. Organizations have received an inadvertent grace period through the delay of the newest round of OCR audits. That opportunity should not be lost. Surveys such as the one conducted by NueMD present yet another learning opportunity and can start the dialogue on crafting and implementing a sound HIPAA compliance program.


No Pre-Existing Condition Exclusions Means HIPAA Certificates No Longer Required | JD Supra

Earlier this year, the Departments of Health and Human Services, Labor and the Treasury issued a final rule implementing the Affordable Care Act (ACA) and revising the requirements of other healthcare laws and regulations affected by the ACA. One of the most significant changes made was to prohibit group health plans and issuers from imposing pre-existing condition exclusions on any enrollees in plans beginning on or after January 1, 2014. Consequently, as of December 31, 2014, health plans and issuers will no longer be required to issue the Certificates of Creditable Coverage previously required under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA guarantees continuous healthcare coverage for employees who change policies or jobs, or who retire and take advantage of the Consolidated Omnibus Budget Reconciliation Act (COBRA). These portability provisions required health plan and COBRA administrators to ease the burden of transitioning between healthcare policies by providing a Certificate of Continuous Coverage 30 days before the expiration of the plan's coverage or before the insured leaves employment, to help offset a pre-existing condition exclusion period under a new health plan.

The ACA’s prohibition on pre-existing condition exclusions for plan years beginning on or after January 1, 2014 makes these HIPAA Certificates unnecessary — and are therefore no longer required — for plans beginning in 2015 and later. For plans beginning before January 1, 2014, plans and issuers may place limited exclusions on pre-existing conditions and must still automatically provide HIPAA Certificates to individuals when they lose coverage or upon request for a period of 24 months following termination of coverage.

This is only one of many obligations imposed on employers and health care organizations under a law aimed at protecting individual health information. HIPAA violations can have serious consequences, from employment discipline or termination for employees to criminal prosecution and civil penalties up to $250,000 for healthcare professionals. The most effective way to prevent such violations is to provide employees with HIPAA training to keep protected health information confidential and follow proper security practices when handling such information.


Don't Make the Same HIPAA Mistakes as Other Practices

All practices should be working hard to ensure they are HIPAA compliant. But with so much to focus on, it can be difficult to determine what compliance areas deserve the most attention. 

One way to craft an effective, targeted compliance strategy is by identifying what's getting other practices into trouble most often, and taking steps to prevent similar mistakes at your practice.

At the Healthcare Information and Management Systems Society (HIMSS) conference in Chicago, Adam Greene, a partner at Davis Wright Tremaine LLP, a national business and litigation law firm, identified some of these common problem areas during his session, "Preparing for a New Level of HIPAA Enforcement."

Common Sources of HIPAA Breaches

To illustrate what's leading to breaches most often at practices and health systems, Greene shared top sources of HIPAA breaches involving 500 or more individuals by number of individuals affected.

He compiled the information in February 2015 from the HHS and its Office for Civil Rights (OCR) Breach Portal, which features information on breaches that occurred from the start of the breach reporting period in September 2009.

• 53 percent of breaches occurred due to theft of protected health information (PHI). "We're not talking about mission impossible hanging from a wire kind of theft," said Greene. Instead, he said, most of the thefts appear to be "crimes of opportunity," such as a thief breaking into a window or car and stealing a laptop.
• 18 percent of breaches occurred due to unauthorized access or disclosure of PHI.
• 8 percent of breaches occurred due to loss of PHI.
• 4 percent of breaches occurred due to improper disposal of PHI.
• 13 percent of breaches occurred due to unknown causes.

Common Types of Media Involved in HIPAA Breaches

Greene also shared the most common types of media involved in HIPAA breaches. Again, the information is based on data he pulled from the HHS and OCR Breach Portal involving 500 or more individuals by number of individuals affected.

• 23 percent of breaches related to PHI stored on paper/films. Of this statistic, Greene said it's clear that amidst the push for electronic information, paper-based media should not be overlooked when it comes to HIPAA compliance. "We really need to be more focused on paper," he said.
• 21 percent of breaches related to PHI stored on laptops.
• 12 percent of breaches related to PHI on a network or server.
• 11 percent of breaches related to information stored on a desktop computer.
• 9 percent of breaches related to information stored on other electronic devices.
• 6 percent of breaches related to information included in e-mails.
• 4 percent of breaches related to information in EHRs.
• 14 percent of breaches related to other types of media.

Common HIPAA Compliance Problem Areas

For more insight into the HIPAA compliance areas that practices are most struggling with, Greene shared some of the top issues identified during the HIPAA Pilot Audit Program, which took place between 2011 and 2012.

• In relation to the HIPAA Security Rule, the program found that 80 percent of providers did not have a complete or accurate risk analysis. Other issues found in audits included lack of access management (such as failure to put appropriate role-based access safeguards in place); failure to have appropriate security incident procedures in place (such as those related to workstation security); and failure to encrypt PHI.

• In relation to the HIPAA Privacy Rule, common problems identified in the audit program included: inadequate procedures related to the Notice of Privacy Practices (such as not giving the notice out appropriately or failing to post it appropriately); and failure to have appropriate procedures related to patients' right to request privacy protections.

• In relation to the HIPAA Breach Notification Rule, common problems identified in the audit program included failing to provide breach notification appropriately (such as failing to include the proper content in the notification); and failure to comply with timelines regarding notification.


NYC businesses need to focus on HIPAA training in 2015

As more people get health insurance in accordance with the current requirements, there will be an increased volume of medical records to process. Accuracy and timeliness are essential when dealing with patients' medical records. As a result of updated regulations, NYC businesses will need to focus on updated HIPAA training in 2015.

Facts About HIPAA

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). The act is meant to streamline procedures and ensure optimum protection for patient records. HIPAA makes it possible for American workers and their families to transfer and continue health insurance coverage when they lose or change their employment.

HIPAA also establishes standards for health care information in electronic billing and other processes, and works to minimize fraud and abuse. Finally, it requires confidential handling of protected health information to protect patients' privacy. Health care providers, medical billing agencies and other health-related industries must be in compliance with HIPAA.

In 2010, President Obama signed the Affordable Care Act (ACA). In 2013, the U.S. Department of Health and Human Services' Office for Civil Rights released its final regulations pertaining to privacy rights for patients. As a result, there have been major changes required of health care providers under two federal laws, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted in 2009.

Changes include direct regulation of subcontractors as well as a prohibition on health plans using genetic information for underwriting, among many others. People have new rights to their health information and the government has a greater ability to enforce the law. As a result, NYC businesses need to ensure their staff is properly trained to fully understand the ramifications of these regulations.

Updated HIPAA Training

There are options when it comes to HIPAA training for employees. The U.S. Department of Health and Human Services Office for Civil Rights offers six educational programs for health care providers that cover various compliance aspects of the HIPAA rules. Private providers, such as Global Learning Systems, offer updated HIPAA training to satisfy the mandatory HIPAA and HITECH training components for a business's staff. Learners are updated on the security and privacy requirements mandated in Title II of HIPAA, the HITECH amendments and the Final Omnibus Rule, which together provide enhanced privacy protection to patients.

Recently Renal & Urology News stated training is a cost-effective and easy HIPAA safeguard. As the workload increases in 2015, it creates a greater likelihood of errors being made. Organizations in NYC must consider staff training to ensure compliance, reduce the risk of costly mistakes and ensure the proper level of privacy for each patient.
