HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.


For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.

"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."

That's not to say that texting PHI is never appropriate; it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association, says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.

If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted, such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.

Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is that a potential breach, such as the theft of a laptop containing e-mails with PHI, is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."
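As an added illustration (not code from the article or from any product it names), here is a small Python policy that applies the three encryption triggers described above: sensitive identifiers in the body, an attachment, or a keyword in the subject line. The message format, the SSN and card-number patterns, the Luhn check used to cut false positives, and the keyword list are all assumptions made for this example.

```python
"""Content-aware outbound e-mail encryption policy (illustrative).

Added example, not code from the article or any vendor it names. It models
the three triggers the article describes:
  1. the body contains a sensitive identifier (SSN or payment card number),
  2. the message carries an attachment,
  3. the sender put a keyword like "sensitive" or "encrypt" in the subject.
The message structure and detection patterns are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# US SSN shape ddd-dd-dddd, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SUBJECT_KEYWORDS = ("sensitive", "encrypt", "confidential")


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings in text that have card length and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def encryption_reasons(msg: Message) -> list:
    """List every policy trigger the message hits (empty list means none)."""
    reasons = []
    if SSN_RE.search(msg.body):
        reasons.append("ssn-in-body")
    if find_card_numbers(msg.body):
        reasons.append("card-number-in-body")
    if msg.attachments:
        reasons.append("has-attachment")
    subject = msg.subject.lower()
    if any(keyword in subject for keyword in SUBJECT_KEYWORDS):
        reasons.append("subject-keyword")
    return reasons


def should_encrypt(msg: Message) -> bool:
    """Gateway decision: encrypt when any trigger fires."""
    return bool(encryption_reasons(msg))
```

A real gateway would log the reasons alongside the decision so that the practice can tune the patterns against its own false-positive rate.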

If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.

Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).

Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:

• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.

In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.

If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.

The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak, or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.

While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.

To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."

Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.

She recommends practices take the following precautions:

• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.
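To show what "running EHR audits regularly" can look like in practice, here is an added Python example (not the article's code or any EHR vendor's) that reviews constructed audit-log rows against the roster and care-team data it assumes. It flags self access, access with no treatment, payment or operations basis, and access to a patient who shares the user's surname or street address, the family and neighbor cases the article mentions. The log format, staff roster, patient directory and care-team table are all constructed for the example.

```python
"""EHR access-audit review for "record snooping" (illustrative).

Added example, not the article's code nor that of any EHR vendor. Three
checks are applied to constructed audit records:
  - self-access: a staff member opened their own chart,
  - no-valid-relationship: the user is not on the patient's care team and
    the access was not tagged as payment or healthcare operations,
  - possible-family-or-neighbor: the patient shares the user's last name or
    street address (a heuristic; common surnames will produce false positives).
All data below is constructed for the example.
"""
import csv
import io
from collections import namedtuple

# Constructed audit log exported from the EHR: one row per chart access.
AUDIT_LOG = """\
user_id,patient_id,action,purpose
u101,p5001,view,treatment
u102,p5002,view,treatment
u102,p9002,view,
u103,p5003,view,payment
u104,p5004,view,
u101,p5005,view,
"""

# Constructed staff roster: user -> (patient id of their own chart, last name, address).
STAFF = {
    "u101": ("p5004", "Rivera", "12 Elm St"),
    "u102": ("p9002", "Chen", "8 Oak Ave"),
    "u103": (None, "Okafor", "3 Pine Rd"),
    "u104": ("p9004", "Rivera", "12 Elm St"),
}
# Constructed patient directory: patient -> (last name, address).
PATIENTS = {
    "p5001": ("Lopez", "40 Main St"),
    "p5002": ("Nguyen", "5 Lake Dr"),
    "p5003": ("Smith", "77 Hill Rd"),
    "p5004": ("Rivera", "12 Elm St"),
    "p5005": ("Brown", "9 Bay St"),
    "p9002": ("Chen", "8 Oak Ave"),
}
# Constructed care-team assignments: patient -> users with a treatment relationship.
CARE_TEAM = {
    "p5001": {"u101"}, "p5002": {"u102"}, "p5003": {"u103"},
    "p5004": {"u102"}, "p5005": {"u102"}, "p9002": {"u102"},
}
# Purposes that justify access without being on the care team.
NON_TREATMENT_PURPOSES = {"payment", "operations"}

Finding = namedtuple("Finding", "user_id patient_id rule")


def review_access(log_text: str = AUDIT_LOG) -> list:
    """Return one Finding per rule violated by each audit row, in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user_id"], row["patient_id"]
        purpose = (row["purpose"] or "").strip().lower()
        own_chart, user_last, user_addr = STAFF.get(user, (None, "", ""))

        if patient == own_chart:
            findings.append(Finding(user, patient, "self-access"))
            continue  # self access is reported on its own

        on_team = user in CARE_TEAM.get(patient, set())
        justified = (purpose == "treatment" and on_team) or purpose in NON_TREATMENT_PURPOSES
        if not justified:
            findings.append(Finding(user, patient, "no-valid-relationship"))

        pt_last, pt_addr = PATIENTS.get(patient, ("", ""))
        if (user_last and pt_last == user_last) or (user_addr and pt_addr == user_addr):
            findings.append(Finding(user, patient, "possible-family-or-neighbor"))
    return findings


def users_to_review(findings: list) -> dict:
    """Group findings by user so the privacy officer gets one entry per person."""
    summary = {}
    for f in findings:
        summary.setdefault(f.user_id, []).append((f.patient_id, f.rule))
    return summary


if __name__ == "__main__":
    for user, items in users_to_review(review_access()).items():
        print(user, items)
```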


Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.

"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


Criminal Attacks on Health Data Rising


Criminal attacks in the healthcare sector - including those involving hackers and malicious insiders - have more than doubled in the last five years, according to a new study.

The "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data" by the research firm Ponemon Institute concludes that criminal attacks in healthcare are up 125 percent since 2010. Cybercriminal incidents involving external and internal actors were the leading cause of data breaches over the past two years, the study shows. In previous studies, lost or stolen computing devices had consistently been the top breach culprit.

"The root cause for health data breaches had been mistakes and incompetency, but now criminal attacks are number one," Larry Ponemon, founder and chairman of the Ponemon Institute, tells Information Security Media Group. "Year to year, it's getting worse. We've seen it in large-scale incidents like Anthem," which in February revealed a hacker attack that compromised protected health information of 78.8 million individuals, he notes.

"A lot of organizations are easy targets," he says. "The combination of highly valuable information and easy access makes the sector a huge target."

Ponemon's research, conducted in February and March, generated responses from 90 healthcare organizations and, for the first time this year, 88 business associates. Under the HIPAA Omnibus Rule that went into effect in 2013, business associates and their subcontractors are directly liable for HIPAA compliance.

Hacking Trends

In recent months, the Department of Health and Human Services' "wall of shame" website tracking health data breaches affecting 500 or more individuals has shown a growing number of hacking incidents of various sizes - far more than in previous years. And the Anthem breach alone represents nearly 60 percent of the 133.2 million breach victims listed on the tally since September 2009, when the HIPAA breach notification rule went into effect.

Among the latest hacking breaches added to the wall of shame was an incident reported to HHS on May 1 by Partners HealthCare System, which operates several large hospitals in Boston.

"Unfortunately, the rise in both hacker attacks and criminal activities involving malicious insiders comes as no surprise," says Dan Berger, CEO of the consultancy Redspin, which was recently acquired by Auxilio. "A few years ago, I remember many people being surprised at how few hacker attacks there were in healthcare. We warned our clients of the 'risk of complacency' in this regard."

With more electronic health records than ever before, there's a growing awareness of their "exploitation value," Berger says. "At the same time, healthcare spending on IT security continues to lag almost all other industries. So with a greater amount of valuable data behind lower than average defenses, it should not be a surprise that PHI has become a favorite target of hackers. It is basic economics."

Hackers are the No. 1 "emerging" cyberthreat that healthcare entities are worried about this year, according to the 2015 Healthcare Information Security Today survey of 200 security and privacy leaders at healthcare organizations, which was conducted in December 2014 and January 2015 by ISMG. Coming in at a close second as the biggest "emerging threat" is business associates taking inadequate security precautions with PHI; that's also the top threat respondents are worried about "today." Complete results of that survey, and a webinar analyzing the results, will be available soon.

The Ponemon study found that nearly 45 percent of data breaches in healthcare are a result of criminal activity. However, the researchers found that criminal-based security incidents, such as malware or distributed denial-of-service attacks, don't necessarily result in breaches reportable under HIPAA. In fact, 78 percent of healthcare organizations and 82 percent of business associates had Web-borne malware attacks.

Breach Costs

Based on its study, the Ponemon Institute estimates that the average cost of a data breach for healthcare organizations is more than $2.1 million, while the average cost of a data breach to business associates is more than $1 million.

Rick Kam, U.S. president and co-founder of security software vendor ID Experts, which sponsored the Ponemon study, tells ISMG that stolen healthcare information is currently valued at about $60 to $70 per record by ID theft criminals, while the current value of credit card information is about 50 cents to $1 per record.

"We see recognition of medical ID theft being a problem, but we don't see many healthcare providers stepping up" in addressing the issue, he says. The Ponemon study found that nearly two-thirds of healthcare organizations and business associates do not offer any medical identity theft protection services for patients whose information has been breached.

The Ponemon study found that the information most often stolen in these targeted healthcare sector attacks includes medical files and billing and insurance records.

Privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, offers a dire prediction: "I believe we will continue to see the number of reported breaches rise, despite stronger efforts to protect data. Personally identifiable health data continues to have high street value, leading to more attacks."

Scopidea's curator insight, June 22, 2015 3:03 AM

Many great points in this well written article.


Why Understanding HIPAA Rules Will Help With ONC Certification


Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.

Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.

ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.

The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”

One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding of what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.

“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”

Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations purposes, he added.

“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”

That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.

However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.

“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”


Data Breaches Are Serious Exposures for Fitness Businesses


Technology is a huge advantage for the fitness industry today, but it has also brought with it serious exposures. A data breach can destroy a fitness business by damaging its reputation and relationship with its members, clients and employees. Small and mid-sized business owners need to be aware that they are just as vulnerable to data breaches and hacking as large businesses. The personal information of members, clients and employees can be lost, stolen or destroyed by computer hackers, thieves and even dishonest employees. Sensitive data can be improperly exposed through accidental or inadvertent release.

With recent publicity about large data breaches of prominent organizations, concerns about cyber liability have grown to a point in which most state legislatures have passed laws requiring business owners to notify affected persons. In most states, a business must be able to notify all parties whose personal information may have been released or exposed, communicate the scope of the potential data breach to them, and provide access to credit monitoring assistance and identity restoration to them. In addition, the business owners may face legal defense and settlement costs if claims are brought against them because of the breach.

The first step to addressing the exposure is to understand what a data breach is. To do so, it is necessary to define the "personal information" that would compose a data breach. Personal information that can uniquely identify an individual is called Personal Identifying Information (PII) and includes an individual's first name or first initial and last name, in combination with any one of the following data:

  • Social Security number;
  • driver's license number;
  • bank account number;
  • credit or debit card number with personal identification number such as an access code, security codes or password that would permit access to an individual's account;
  • home address or email address; and
  • medical or health information.

A data breach makes PII available to unauthorized individuals inside or outside of the organization.

All fitness businesses collect PII on members and employees, as well as many prospects and guests. Please note that Health Insurance Portability and Accountability Act (HIPAA) compliance relates to an organization's need to comply with the privacy rules set out by that act. This is not usually triggered unless a business receives direct insurance reimbursement for services. All fitness facilities have liability for data breach, but only those receiving insurance reimbursement will have the requirement to meet HIPAA guidelines for privacy as well.

The data breaches making media headlines right now are systems-related and have to do with computer hackers gaining unauthorized access to PII data electronically. It is important to remember that physical data breaches still occur as well and include misplaced backup files, paper files being lost or misplaced or a stolen laptop. Both types of data breach can result in an expensive variety of damages for a fitness business including:

  • interruption of ongoing operations;
  • destruction of hardware and software;
  • release of sensitive business information; or
  • the exposure of the PII of members, clients, employees, vendors or partners.

Beyond the legal requirements imposed by state laws and the costs associated with meeting them, how a business owner responds to a data breach can mean the difference between preserving members versus losing them. When confronted with a data breach, many business owners make short-sighted or panicked mistakes that can significantly increase their cost of responding and put their reputation at risk as well. It is imperative to develop a data breach action plan before an incident occurs that will assist the business to address the situation one step at a time if it does occur. Unfortunately, in our present technology-driven environment, it is not a matter of "if" a data breach will occur but "when" for many fitness businesses.

A thorough data breach action plan should start with preventive measures including training staff to properly handle PII data and maintaining appropriate protection software on all systems that store the data. Methods of containment to limit the scope of the data breach should be outlined in the data breach action plan. It will then address effective means of response, including immediate communication to those individuals affected and provide appropriate solutions for them, as well as restoring the safety of the systems going forward. The goal of the plan is to not only restore the systems so that data is once again safe, but to restore the reputation of the business by effectively addressing the well-being of the individuals affected. A well-communicated, timely and compassionate response will go a long way toward retaining the membership's confidence.

11 Paths's curator insight, April 8, 2015 4:31 AM

another great story


Breaking Down HIPAA: Health Data Encryption Requirements

Health data encryption is becoming an increasingly important issue, especially in the wake of large scale data breaches like Anthem, Inc. and Premera Blue Cross. The HIPAA Omnibus Rule improved patient privacy protections, gave individuals new rights to their health information, and strengthened the government’s ability to enforce the law. However, health data encryption is considered an “addressable” aspect rather than a “required” part of HIPAA.

With close to 90 million Americans potentially having their personally identifiable information exposed in the last few months alone, including PHI in some cases, more people are wondering if enough is being done to keep that data safe. Should health data encryption be required? What exactly determines if an entity incorporated encryption methods into its privacy and security measures?

We’ll take a closer look at what health data encryption is, why it’s beneficial, and how covered entities are currently required to use it.

What is health data encryption?

Health data encryption is when a covered entity converts the original form of the information into encoded text. Essentially, the health data is then unreadable unless an individual has the necessary key or code to decrypt it. This is a good way for electronic PHI (ePHI) to remain secure and ensure that unauthorized individuals are not able to “translate” the data for their own use.

In relation to the HIPAA Privacy Rule and the HIPAA Security Rule, data encryption is a method to protect PHI. In particular, the Security Rule was designed to protect all data that “a covered entity creates, receives, maintains or transmits in electronic form,” according to the Department of Health & Human Services’ (HHS) site.

Why would it be beneficial?

Theft continues to be one of the major causes of healthcare data breaches, including incidents that involve PHI. If a laptop or smartphone falls into the wrong hands, that individual could potentially cause major damage to patients if he or she had access to medical information or financial information. However, if that unauthorized user was unable to read the information on the devices, then some issues could potentially be avoided.

Health data encryption could be an important step in the privacy and security process. However, by itself, it will not be enough. For example, strong malware could break through a covered entity's database security. From there, cyber attackers could get access to sensitive information, including PHI. Or, if an employee's login credentials were stolen, an unauthorized user could gain access that way. In either of those examples, it would not necessarily matter if the health data was encrypted or not.

It is also important to consider if data is being encrypted at rest or in motion. For example, using a virtual private network (VPN) or a secure browser connection can be helpful for protecting data in motion. Or, using Transport Layer Security (TLS) could also work in this situation. This is a protocol ensuring there are mechanisms in place to protect and provide authentication, confidentiality and integrity of sensitive data during electronic communication.

Overall, a covered entity needs to ensure that it has comprehensive technical safeguards – that may include data encryption – along with strong administrative safeguards and physical safeguards. One of those measures by itself will not be enough. Health data encryption could be a beneficial addition to a security program, but it would need to be working with other protection measures.

Is data encryption required?

According to HIPAA, encrypting health data is "addressable" rather than "required." However, this does not mean that covered entities can simply ignore health data encryption. Instead, healthcare organizations must determine which privacy and security measures will benefit their workflows.

“…it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity,” according to HHS. “If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.”

There are many different encryption methods available as well, so it’s important for covered entities to review their systems and policies to determine if encryption is appropriate, and what kind of encryption to use.

For example, the HHS HIPAA Security Series suggests that covered entities ask themselves the following two questions to help determine if data encryption is appropriate:

• Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?

• What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?

To that same extent, covered entities should determine who is accessing the data, and how they might be doing so. For example, if a facility has a BYOD policy, and employees can access ePHI through their phone, mobile data encryption might be appropriate.

It remains to be seen if the government will make adjustments on its requirements for health data encryption. Until then, facilities need to be thorough in their risk assessments so they can properly determine if data encryption is a necessary measure and then how best to incorporate it into their security. If a covered entity decides that data encryption is not necessary, it is essential to document the reasons why and then provide an acceptable alternative. Data breaches are unlikely to stop happening, so it is important that healthcare organizations remain diligent in making the necessary adjustments to remain as secure as possible.

Should HIPAA require encryption of medical data?

Dive Brief:
  • Even more surprising to some than the fact that Anthem did not encrypt its medical records, which made it easier to hack, according to experts, was the fact that HIPAA's regulations do not currently require that personal health data be encrypted by providers who manage those records. A report in HealthIT Security revealed that lawmakers are starting to address this issue.
  • The US Senate Health, Education, Labor and Pensions committee is taking up the debate, while New Jersey Gov. Chris Christie has already enacted a law requiring medical record encryption and Connecticut Democrats are apparently also seeking similar legislation in their state.
  • At present, HIPAA regs do not specifically require data encryption. Instead, HIPAA-covered entities get to choose, based on their situation, whether encryption is necessary or another approach is more appropriate.
Dive Insight:

The Anthem hack has become the cue for every agency, governmental body, consumer group, healthcare advocacy organization and technology forum to start pushing tougher cybersecurity requirements. While the strong reaction was expected, the stampede could generate more problems than solutions, with lawmakers and federal agencies duplicating efforts with state legislatures around the country.

What would make the aftermath of the Anthem hack even worse is a resulting mish-mash of regulations and laws that vary from state to state, from agency to agency. Any additional HIPAA security regs should at least attempt to coordinate bills being drafted by Congress and work to advise individual states so there can be some parity across all the different bodies with multiple approaches to the same goal.

Maine man files $5 million class action suit over Anthem data breach

A Brunswick man on Thursday filed a $5 million class action suit against Anthem Health Plans of Maine, charging that the company failed to adequately protect the personal information of its clients before the data breach reported in February.

In a complaint filed Thursday in U.S. District Court in Portland, attorney Benjamin K. Grant of McTeague Higbee in Topsham wrote on behalf of his client, Brian Mason, that Anthem Inc. acted unreasonably by failing to encrypt clients’ confidential information, including Social Security numbers and medical and financial information.

On Feb. 4, Anthem disclosed the breach, announcing that it suspected hackers had stolen information belonging to tens of millions of current and former customers and employees, including at least 300,000 Maine residents, Reuters reported.

Social Security numbers, names, dates of birth, medical identification numbers, street and email addresses, and employment information including income data of approximately 80 million people was hacked between Dec. 10, 2014, and Jan. 27, 2015.

Although the breach was discovered on Dec. 10, Anthem did not announce it until Feb. 4, according to the suit, which notes, “The Maine Attorney General has joined attorneys general from other affected states in criticizing Anthem Inc.’s delay in notifying affected customers.”

Anthem is the second-largest health insurer in the country and conducts business in Maine as a wholly owned subsidiary, Anthem ME. According to the complaint, one in every nine Americans receives coverage through Anthem or an affiliated plan.

The suit alleges that Anthem also failed to maintain the information in an adequate computer system, failed to implement a process to detect a data breach in a timely way, failed to disclose the breach to consumers and failed to disclose that it could not adequately secure the personal information from theft or misuse.

In court documents, Grant refers to a 2014 FBI report in which the agency’s cyber division warned that health care companies were susceptible to cyberattacks.

According to Grant, had Anthem encrypted the data, “hackers would now possess electronic gibberish” instead of personal information that “is now freely readable by the hackers who acquired it and by whomever these hackers choose to sell the [information] to.”

Mason and other plaintiffs “now face a lifelong battle against identity theft,” Grant wrote, quoting from various publications that labeled the stolen personal information “a treasure trove for cybercriminals” that can “easily be sold on underground markets within hours and used for a wide variety of identity fraud schemes” such as filing fraudulent tax returns and stealing refunds.

The suit seeks “damages, restitution, injunctive relief, and any other appropriate relief” on behalf of the plaintiff “and millions of Anthem’s customers in Maine and throughout the United States” whose information was stolen.

Reached by email Friday, Grant declined to comment on the suit, although he confirmed that more than 60 similar lawsuits have been filed in other states.

A spokesman for Anthem also did not offer immediate comment Friday, saying that the company’s policy is not to comment on pending litigation.

Insider Threat: Mitigating the Risk

You've screened your candidate, hired them into the position, assigned them resources and granted them access...now what? Hope they don't rob you blind? Trust them completely? The real job has just begun, now you have to:

  • Translate risk levels into appropriate levels of scrutiny, the greater the access, the greater the need for review;
  • Implement an ethical and legal approach to people security and protective monitoring;

SpectorSoft will present a practical approach to mitigating employee risk from hires to fires. Attend this webinar if you answer 'No' to the following question: Do you believe that, once a position is filled, the company should simply trust that the person in the position will not exceed or misuse that access in a way that could harm the company?


Employees are an organization's greatest asset and greatest risk. With a single click an employee can devastate a business by transferring or damaging huge amounts of data. Finding the balance between trust and scrutiny/control represents a tremendous challenge and a huge opportunity if executed correctly. Most organizations use intense pre-hire screening and background checks to ensure they are bringing in valuable talent that will benefit the organization without the propensity to do harm. Once the employee is hired they are given the "keys to the castle" to do great things for their new employer...or they could cause great damage.

The Black Market For Stolen Health Care Data

President Obama is at Stanford University today, hosting a cybersecurity summit. He and about a thousand guests are trying to figure out how to protect consumers online from hacks and data breaches.

Meanwhile, in the cyber underworld, criminals are trying to figure out how to turn every piece of our digital life into cash. The newest frontier: health records.

I grab a chair and sit down with Greg Virgin, CEO of the security firm RedJack.

"There are a lot of sites that have this information, and it's tough to tell the health records from the financial records," he says.

We're visiting sites that you can't find in a Google search. They have names that end with .su and .so, instead of the more familiar .com and .org.

After poking around for about an hour, we come across an advertisement by someone selling Medicare IDs.

We're not revealing the site address or name because we don't want the dealer to know we're watching.

According to the online rating system — similar to Yelp, but for criminal sales — the dealer delivers what's promised and gets 5 out of 5 stars. "He definitely seems legit" — to the underworld, Virgin says.

The dealer is selling a value pack that includes 10 people's Medicare numbers – only it's not cheap. It costs 22 bitcoin — about $4,700 according to today's exchange rate.

Security experts say health data is showing up in the black market more and more. While prices vary, this data is more expensive than stolen credit card numbers which, they say, typically go for a few quarters or dollars.

Health fraud is more complex. Records that contain your Social Security number or mother's maiden name are used for identity theft. Virgin predicts hackers could be using them for corporate extortion.

"A breach happens at one of these companies. The hackers go direct to that company and say, 'I have your data.' The cost of keeping this a secret is X dollars and the companies make the problems go away that way," he says.

Health care companies saw a 72 percent increase in cyberattacks from 2013 to 2014, according to the security firm Symantec. Companies are required to publicly disclose big health data breaches. And there have been more than 270 such disclosures in the last two years.

Jeanie Larson, a health care security expert, says cyber-standards are too low for hospitals, labs and insurers. "They don't have the internal cybersecurity operations."

Companies subject to federal HIPAA rules, which were designed to protect privacy, choose to interpret them loosely — in a way that gets around the basics, like encryption.

"A lot of health care organizations that I've talked to do not encrypt data within their own networks, in their internal networks," she says.

They assume, incorrectly, that the walls around the network are safe.

Larson is part of the industry group National Health ISAC which is trying to raise the bar and make hospitals more like banks when it comes to investing in security.

"The financial sector has done a lot with automating and creating fraud detection type technologies, and the health care industry's just not there," she says.

Orion Hindawi with Tanium, a firm that monitors computer networks, says health care providers are far from there. They've been racing to grow, to digitize health records, to make mobile apps, to acquire other companies — all this without having a basic handle on how big their networks even are.

"I was working with a customer recently, and I asked them how many computers they had. And they told me between 300,000 and 500,000 computers," Hindawi says.

Meaning his client basically didn't know.

"We see that often when we walk into a customer [office]," Hindawi says.

He wasn't surprised to hear that the health care company Anthem suffered a major cyberattack. Anthem revealed last week that as many as 80 million people's records may have been stolen. Hindawi says he expects to see many more Anthems.

HIPAA Marketing Violation Affects 80,000

The unauthorized use and disclosure of patient information for marketing purposes by an insurer in Tennessee offers a reminder of the importance of complying with HIPAA's marketing-related provisions.

TRH Health Plan of Columbia, Tenn. discovered the HIPAA violation in November, when it began receiving inquiries from some of its members about a mailing promoting a Medicare Advantage program they had received from BlueCross BlueShield of Tennessee, an administrative partner of TRH, according to a TRH spokeswoman.

TRH immediately launched an investigation into the matter, the company says in a statement. As a result of the mailing, TRH is notifying 80,000 of its members that a "limited amount" of their protected health information, specifically names, addresses, and subscriber IDs, was inappropriately used and disclosed by BCBS Tennessee for marketing purposes, the TRH spokeswoman says.

The PHI was inappropriately shared with a third-party vendor that BCBS Tennessee hired to print the documents and assist in the mailings, TRH says.

"We made a mistake and included TRH members in a BlueCross Medicare Advantage mail marketing campaign," a BCBS Tennessee spokeswoman tells Information Security Media Group. The PHI has been subsequently destroyed by the printing vendor, she says. In addition, "we've ensured that our marketing teams will receive additional training in the use of HIPAA protected data as it relates to marketing purposes."

In a statement, TRH says that it believes "the potential harm to its members has been mitigated" based on the limited amount of PHI involved and the steps taken by BCBS Tennessee and its vendor in response to the incident.

Marketing Provision

Before the HIPAA Omnibus Rule went into effect in 2013, HIPAA regulations generally required a covered entity to obtain authorization from an individual for any use or disclosure of PHI for marketing purposes, says privacy expert Rebecca Herold, partner at HIPAA Compliance Tools and CEO of the consulting firm The Privacy Professor. The Omnibus Rule added even more restrictions on the use or disclosure of PHI for marketing, she notes. It also expanded all the HIPAA requirements to apply to business associates.

"Even prior to this, though, a BA agreement should have stipulated that a BA could not use PHI for any other purposes than those for which they were contracted," she says. "All CEs and BAs need to document policies, and supporting procedures and processes, detailing how patients, as well as insureds in the case of health insurance companies, will be given the choice to consent [for authorizing use of their PHI], and then how to opt-out of any other already agreed-to marketing and fundraising activities when they choose to."

Privacy expert Kate Borten, president of consulting firm The Marblehead Group, suspects there have been other marketing breaches that haven't come to light "because individuals don't know the regulations."

Nonetheless, she adds, "I believe there's a difference between a technical error and an organization's failure to consider the marketing requirements. In the case of BCBSTN, the cause may have [theoretically] been a software coding error due to incomplete specifications. It's unfortunate, but not a high crime."

Covered entities and business associates are too often ignoring the HIPAA marketing restrictions or choosing to interpret them in favor of their business processes, she adds. "Although [HIPAA Omnibus] helped clarify marketing, the privacy rule leaves room for interpretation. Writing regulations is not as easy as some would think."

Regulatory Actions

In 2010, the Department of Health and Human Services imposed a $35,000 penalty in its enforcement action against a covered entity, Management Services Organization Washington, or MSO, for violations of HIPAA marketing regulations.

An OCR resolution agreement with MSO indicates that the company provided PHI of "numerous individuals" to a sister company, Washington Practice Management, in 2009, for the marketing of Medicare Advantage plans.

In addition to alleged violations of the HIPAA marketing provisions, an OCR investigation of MSO also uncovered other HIPAA privacy and security rule non-compliance, including a lack of "appropriate and reasonable administrative, technical and physical safeguards to protect the privacy of PHI."

Under the resolution agreement with OCR, MSO agreed to a corrective action plan that included developing, maintaining and revising written policies and procedures to comply with the HIPAA privacy and security rules, as well as implementing workforce training.

Preventing Breaches

Borten recommends that covered entities carefully monitor all uses and disclosures of PHI to ensure HIPAA Privacy Rule compliance. "BAs should do the same, but their BA contracts further limit what uses and disclosures are permitted," she adds.

"Whenever a new or modified process involving PHI use or disclosure is planned, privacy rule requirements must be explicitly reviewed. This should be a required component of each organization's project management process, along with considering security implications."

As for future OCR enforcement actions against organizations that violate the HIPAA marketing provisions, Herold says she thinks those actions are necessary. "Otherwise the misuse of PHI for unwanted marketing activities will continue to increase," she says.

Under HIPAA Omnibus, covered entities, as well as business associates, can be fined up to $1.5 million per HIPAA violation.

Previous BCBS HIPAA Violation

In another HIPAA-related incident, Blue Cross Blue Shield Tennessee was the first covered entity to get slapped with a monetary penalty from OCR under the HIPAA breach notification rule, which went into effect in 2009.

In March 2012, the insurer agreed to pay a $1.5 million settlement and carry out a corrective action plan in the wake of a 2009 breach affecting more than 1 million individuals that involved the theft of 57 unencrypted computer hard drives.

$10 Million Fine in Improper Disposal Case

The grocery store chain Safeway has been ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.

The settlement resolves allegations that Safeway unlawfully disposed of customer pharmacy records containing private medical information in violation of California's Confidentiality of Medical Information Act.

Prosecutors in California also alleged Safeway unlawfully disposed of various hazardous materials over a period of longer than seven years. Those materials included over-the-counter medications, pharmaceuticals, aerosol products, ignitable liquids, batteries, electronic devices and other toxic, ignitable and corrosive materials, according to a statement from the Alameda County District Attorney's Office. That office took the lead on the civil enforcement lawsuit filed on Dec. 31 by a coalition of 43 California district attorneys and two city attorneys.

Safeway operates about 500 stores and distribution centers in California under a number of brand names, including Von's, Pavilions and Pak 'n Save, and is in the process of merging with another large grocery chain, Albertsons, which operates stores in several states under brands that include ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver.

The case against Safeway by the California district attorneys was based on a series of waste inspections of dumpsters belonging to Safeway facilities conducted by state environmental regulators and other inspectors during 2012 and 2013.

Kenneth Mifsud, Alameda County assistant district attorney, tells Information Security Media Group that the inspections were conducted at dozens of Safeway stores about once a month during an 18-month period. Investigators - who examined retail store waste taken to landfills - found violations in about 40 percent of the stores inspected. In some cases, pharmacy documents, such as store summaries listing medical and personal information on dozens of patients, were found among the waste, he says.

"The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers' confidential medical information," says the Alameda County district attorney's statement. "Upon being notified by prosecutors of the widespread issues, Safeway worked cooperatively to remedy the issue, enhance its environmental compliance program and train its employees to properly handle such waste."

The case against Safeway spotlights the importance of retail pharmacy chains, hospitals and other healthcare entities properly shredding or "making indecipherable" patient and other consumer personal information before disposing of it, Mifsud says.

"There's a risk of identity theft committed by dumpster divers, and unfortunately by some employees," he says.

Settlement Terms

According to settlement documents filed in the Superior Court in Alameda County on Dec. 31 - the same day the suit was filed by the district attorneys against Safeway - the $9.87 million in civil penalties and costs Safeway agreed to pay are mainly related to the environmental and unfair business claims against the company. The unfair business claims encompass the violations of California's medical confidentiality laws, Mifsud says.

Also as part of the settlement, the retailer must "maintain and enhance, as necessary" its customer record destruction program to ensure that confidential medical information is disposed of in a manner that protects individuals' privacy. Plus, it must take several steps related to environmental compliance, including ensuring that its workforce is trained in properly disposing of waste.

Court documents do not indicate how many customers' improperly dumped pharmacy records were found by inspectors. Mifsud says it's difficult to estimate the number of patients or pharmacy records that were affected by the improper disposal because the inspections only provided "a snapshot" of some stores' activities.

Approximately 500 Safeway retail stores and distribution centers in the state must abide by the corrective action terms of the settlement, Mifsud says.

State attorneys started negotiations with Safeway in 2012, when the violations were first discovered, he says. The suit and settlement documents were both filed in court the same day, Dec. 31, as a formality to those discussions, he explains.

In a statement to ISMG, Safeway says, "We have enhanced [our] programs and added new and supplementary training to ensure strict adherence to the law and to our policies. Safeway will continue to dedicate significant resources to these important programs."

Privacy and security attorney Kathryn Coburn, a partner at law firm Cooke Kobrick LLP, says that the Safeway case is a reminder to all organizations that having policies about protecting sensitive information of patients is not enough; they also need to have procedures for the workforce to follow and training to ensure those procedures are understood.

"Everyone I deal with has policies. But if there are no procedures, and no training, those policies aren't any good," she says.

Other Disposal Cases

The Safeway settlement is not the first time enforcement actions have been taken by regulators against a retailer charged with improper disposal of sensitive medical information.

In a 2010 settlement with the U.S. Department of Health and Human Services, Rite Aid Corp. agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters. Also, a $2.25 million HHS settlement was reached in a similar case against CVS Caremark in February 2009.

And retail pharmacies aren't the only organizations that have been cited by regulators for improper disposal of medical information. For example, HHS' Office for Civil Rights last June announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for 5,000 to 8,000 patients were dumped in the driveway of a physician's home.

Security and privacy attorney Stephen Wu of the law firm Silicon Valley Law Group says OCR could decide to open a HIPAA non-compliance case against Safeway based on the findings by state regulators in their suit against the retailer.

"If I were Safeway's counsel, I'd be advising the company to look for another shoe to drop," Wu says.

Mifsud says he's unaware if OCR is investigating the Safeway matter. OCR did not respond to ISMG's request for comment.

Congress must fix Obamacare if court guts it: U.S. official

The U.S. Congress and states would have to fix Obamacare if the Supreme Court disallows its tax subsidies that help people pay for insurance coverage, U.S. Health and Human Services Secretary Sylvia Burwell said on Wednesday.

Anti-Obamacare libertarian activists are fighting to strip the subsidies from 6.4 million Americans in 34 states who use the plan and a ruling in their favor would mark a significant setback for President Barack Obama's signature healthcare law.

"If the court makes that decision, we're going to do everything we can," Burwell told the House of Representatives Ways and Means Committee, after she was asked in a hearing how the Obama administration would react if the court rules against it later this month in the case known as King v. Burwell.

But she added, "The critical decisions will sit with the Congress and states and governors to determine if those subsidies are available."

Burwell added she had not seen a plan in the Republican-led Congress that would repair problems that might follow if the court decides to scrap the subsidies, while at the same time protecting the basic tenets of the Affordable Care Act.

She said Obama would not sign into law proposed legislation by Senator Ron Johnson to extend the subsidies until August 2017, which has attracted the most support among other Senate Republicans.

The Supreme Court is expected to rule by the end of this month in King v. Burwell.

The plaintiffs are challenging subsidies that are paid to low- and middle-income Americans to help them afford insurance coverage on federal healthcare exchanges.

Thirteen states and the District of Columbia would not be affected by the ruling because they have their own health care exchanges. Obama has said there is no legal basis for the court to dismantle the subsidies. The administration has produced no "Plan B" in case he is wrong.

"They refuse to acknowledge that they even are thinking about a backup plan," House Ways and Means Chairman Paul Ryan, a Republican, said after the hearing.

Republicans in Congress have opposed the law since its inception. They say they will unveil a proposed solution after the court rules.

Burwell said the Johnson measure would take away the subsidies over time and repeal key parts of Obamacare, such as guaranteed coverage for people with pre-existing conditions.

The New World of Healthcare Cybercrime

In healthcare, the number and volume of the breaches are ever increasing. For many of these breaches, phishing is the initial point of compromise. The human tends to be the weakest link and so hackers tend to exploit the low hanging fruit. Much of the information which is exfiltrated ends up on the black market (e.g., medical identity information, intellectual property, financial information, etc.).

We often hear about healthcare information being very valuable on the black market. But, for anyone who may dare to look at the dark web or even public dump sites, the black market can indeed be somewhat of a scary place—or at least, eye opening. The type of information which is traded on the black market includes healthcare and related identity information and bad actors may use the stolen information to commit medical identity theft and fraud. Indeed, the Medical Identity Fraud Alliance has a lot of information on this subject, including a survey on point.

And, now, law firms that support healthcare organizations and other entities are the target of hackers. Law firms have valuable information, such as data on mergers and acquisitions, intellectual property, protected health information, and other types of sensitive information which they are entrusted to safeguard on behalf of their clients. Indeed, several law firms have reportedly been considering standing up a law firm information sharing and analysis center “to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.”

All businesses, including healthcare organizations, need to make cybersecurity a business priority. Just like other kinds of risk management, cybersecurity needs to be part of the equation. Reacting to incidents, in the long run, will only prove to be very costly for your organization, in terms of expenditure, manpower, and damage to your organization’s goodwill. Instead, appropriate investment needs to be made in technology and skilled personnel to detect and remove hackers from systems and to make it more difficult for hackers to infiltrate into the systems.

In addition, avoid being low hanging fruit for the hackers. Practice good cyber hygiene, adopt and implement an appropriate security framework for your organization and best practices, have a culture which embraces information security, be vigilant, and call in the good guys when you are in need of help (or even before there is a problem). The importance of information security has increased as a priority for many organizations—it should have a high priority for yours as well. The cyber threat is real and we all need to stay ahead of it.

Doximity launching app for the Apple Watch

Doximity announced today that they are launching an app for the Apple Watch, which hits the shelves later this month.

Many physicians will be familiar with Doximity, now that more than half of us have become registered users. Designed as a social network for physicians, Doximity includes a number of features that physicians will find useful for a lot more than just staying in touch with colleagues. In the recent rush of registrations on Doximity related to their partnership with US News and World Report, we wrote a quick guide on those key features. Included was secure HIPAA compliant messaging as well as an e-fax number and a journal feed.

Doximity’s Apple Watch app will bring some of these key features to your wrist. In particular, you’ll be able to read messages sent to you and dictate messages to others – without taking out your phone or pager, jumping on a computer, or spending endless minutes on hold trying to reach a colleague. You can also get notifications when a new fax comes in – you can automatically view the fax on your iPhone using the Handoff functionality.

This hits on one the key functionalities we put on our wish list of apps for the Apple Watch – HIPAA compliant messaging. There are some limitations here worth noting. In particular, Doximity is limited to physicians so this won’t help with communication among a multi-disciplinary healthcare team, such as in a hospital or clinic. I wouldn’t be able to let a nurse know about a new medication or a social worker about an at-risk patient. Other platforms, like TigerText, will hopefully step in to bring that functionality to wearables like Apple Watch. That being said, the ability to send messages more easily to colleagues both inside and outside my own institution can be incredibly helpful.

We’re excited to see big players in the digital health space like Doximity embracing the Apple Watch. One natural question that frequently comes up is “what about Android devices?” Well, as Doximity points out, 85% of their mobile traffic is from iPhones & iPads. It's well recognized that physicians have largely embraced Apple devices, and so medical app developers are going to go there first. So while many solid options have been available for Android, we expect the Apple Watch to be a catalyst in the development of new tools for clinicians.

Doximity’s app is just the start.

Hattiesburg Clinic issues statement regarding HIPAA breach

A viewer reached out to WDAM with concerns of a possible security breach at Hattiesburg Clinic. The clinic responded to WDAM after we inquired about the breach.

The statement is as follows:

"In January 2015, Hattiesburg Clinic became aware of unauthorized access to medical records by an optometry provider who left clinic employment. The investigation revealed that he obtained patient demographic information. It was determined that he used the information to mail letters in order to inform patients of his new employer. All information obtained by the provider has been retrieved and Hattiesburg Clinic has not received any indication that the information accessed was for reasons other than sending the letters. Patients affected by the breach were notified and the matter has been addressed as the law requires. We are not aware of any damages caused.

Hattiesburg Clinic is committed to protecting your personal information and we want to assure you that we have policies in place to protect your privacy."

This incident stems from a letter sent from Scott Paladichuk, OD to patients. According to the letter, Paladichuk was reaching out to patients to introduce himself as a new doctor to the community.

On March 20, The Hattiesburg Clinic notified its patients that there was unauthorized access to medical records by Paladichuk. 

The Hattiesburg Clinic letter states that while Paladichuk was copying demographic information for his letter, he may have also viewed medical information.

The letter says that the clinic has not received any indication that the information accessed by Paladichuk was used for anything other than sending announcement letters. 

Paladichuk is no longer in possession of any medical information and also no longer works for Hattiesburg Clinic. 

Hattiesburg Clinic issued an apology to patients and stated that all necessary steps were taken to rectify the situation, including formally notifying the U.S. Department of Health and Human Services.


Advantage Dental reports data breach


Advantage Dental, a Redmond-based provider that serves low-income patients at more than 30 clinics in Oregon, announced Monday an intruder had breached its internal membership database in late February and accessed information on more than 151,000 patients.

Compromised data included names, Social Security numbers, birthdates, phone numbers and home addresses, but not treatment or financial information. So far, no patients have reported their information was used for criminal activity, but Advantage says it’s covering the cost of an identity theft monitoring service for those affected and is working with law enforcement to determine the scope of the incident.

Jeff Dover, Advantage’s compliance manager, said the theft occurred when malware gained access to an Advantage employee’s computer and obtained a username and password that allowed access to the membership database, which is separate from the database that contains financial and treatment information.

All Advantage computers are equipped with anti-virus software, but sometimes software does not detect new variations of a virus, he said.

“Unfortunately this happened,” he said. “What you can do is be as transparent as you can, take responsibility for it, learn from it and then move on.”

The intruder accessed the information between Feb. 23-26, when Advantage’s internal IT specialists detected the security breach. Dover said Advantage’s robust, in-house IT team allowed it to identify the breach quickly.

“In other situations, hackers are running around in these databases for months on end,” he said.

Advantage is working to notify the affected patients. According to its website, Advantage serves nearly 250,000 patients per year, but Dover said the database that was breached contains 1.5 million total records. It has also reported the incident to the Oregon Attorney General’s office, the Oregon State Police and the U.S. Secret Service, Dover said. There are no suspects at this time.

Among the changes Advantage has made to prevent future breaches is no longer allowing access to its internal patient database from computers that are not within Advantage clinics or its headquarters in Redmond. It also controls the Internet sites its employees are able to use, although there is no indication the employee whose computer had malware was “surfing nefarious websites,” Dover said. The company also requires employees change their passwords regularly and tracks all the traffic that comes into its database.
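Two of the controls Dover describes, refusing database access from any computer outside the clinics or headquarters and tracking all traffic that reaches the database, are straightforward to express as code. The block below is an added example written for this page, not Advantage Dental's own tooling: the tab-separated log format, the address blocks standing in for clinic and headquarters networks, the 1,000-row bulk-read threshold and the sample log lines are all constructed assumptions. It shows the same deny-by-default network predicate serving both as a connection gate and as an audit rule over the access log, which matters here because the stolen credentials were valid and would pass any password check on their own.

```python
# Added example (not Advantage Dental's tooling): enforce "clinic networks only" for the
# patient database and review its access log for connections that violate the rule.
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed assumption: address blocks standing in for clinic LANs and headquarters.
APPROVED_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),  # clinic sites (assumed)
    ipaddress.ip_network("10.20.0.0/24"),  # headquarters (assumed)
]
BULK_READ_THRESHOLD = 1000  # rows returned by one query before it counts as a bulk read (assumed)


def is_from_approved_network(src_ip: str) -> bool:
    """Deny by default: only sources inside an approved block may reach the database."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable address never passes
    return any(addr in net for net in APPROVED_NETWORKS)


@dataclass(frozen=True)
class DbAccess:
    timestamp: str
    user: str
    src_ip: str
    rows: int
    query: str


@dataclass(frozen=True)
class Alert:
    access: DbAccess
    reasons: List[str]


def parse_line(line: str) -> DbAccess:
    """Parse one tab-separated access-log line (constructed format, not a real product's)."""
    timestamp, user, src_ip, rows, query = line.rstrip("\n").split("\t", 4)
    return DbAccess(timestamp, user, src_ip, int(rows), query)


def audit_access(lines) -> List[Alert]:
    """Return an Alert for every access that breaks the network rule or reads in bulk."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        access = parse_line(line)
        reasons = []
        if not is_from_approved_network(access.src_ip):
            reasons.append("outside_network")
        if access.rows >= BULK_READ_THRESHOLD:
            reasons.append("bulk_read")
        if reasons:
            alerts.append(Alert(access, reasons))
    return alerts


# Constructed sample log: a normal lookup from a clinic, a mass read from an outside
# address using a valid employee account, a headquarters lookup, and a smaller outside read.
SAMPLE_LOG = "\n".join([
    "2015-02-23T09:14:02Z\tjdoe\t10.10.4.21\t1\tSELECT name, dob FROM members WHERE member_id = 48213",
    "2015-02-23T22:41:17Z\tjdoe\t203.0.113.45\t151000\tSELECT name, ssn, dob, phone, address FROM members",
    "2015-02-24T08:02:55Z\tmsmith\t10.20.0.7\t3\tSELECT name, phone FROM members WHERE last_name = 'Lee'",
    "2015-02-25T01:05:40Z\tjdoe\t203.0.113.45\t40\tSELECT name, address FROM members WHERE zip = '97756'",
])


if __name__ == "__main__":
    for alert in audit_access(SAMPLE_LOG.splitlines()):
        a = alert.access
        print(f"{a.timestamp} user={a.user} src={a.src_ip} rows={a.rows} -> {', '.join(alert.reasons)}")
```

Run against the constructed log, the two outside-address reads by the otherwise legitimate account `jdoe` are the only alerts; the first of them is also flagged as a bulk read. In practice `is_from_approved_network` belongs at the database firewall or connection broker, so that the audit rule only confirms the gate held rather than discovering after the fact that it did not.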

Mosaic Medical, a community health center that serves low-income patients in Central Oregon, reported a security breach Thursday. In that situation, the personal information — including insurance information, phone numbers and email addresses — of more than 2,200 patients may have been accessed during an overnight break-in at a temporary administrative office in Bend, where patient records are being stored.

Security breaches are new for Advantage, Dover said, but hackers are constantly trying to gain access to health care providers.

“Ninety-nine point nine percent of them are rebuffed, but you always have that one out of however-many that actually gets through,” he said.


69,000 Oregonians Hit by Health Data Breaches


Over 69,000 Oregonians have been affected by health data security breaches since 2010, according to data maintained by the U.S. Department of Health and Human Services' Office for Civil Rights.  

Fifteen businesses, including Oregon Health and Science University, Portland Veteran Affairs Medical Center, and Lower Umpqua Hospital, each compromised private information for over 500 of their clients. However, some breaches affected as many as 17,000 people.


Health data breaches can lead to medical identity theft, a growing problem with serious consequences for victims, according to Bob Gregg, CEO of ID Experts, a company specializing in data breach prevention and response. 

“It’s not an overstatement to say medical identity theft could kill you,” said Gregg. “It’s the fastest growing identity crime in the country.”  

When records gathered by health organizations are breached, information on medical history and insurance is compromised. Gregg said this information is used to purchase medical supplies and services, or harvested by health providers who use it to bill Medicare or Medicaid for services never rendered.

However, Gregg said the consequences for medical identity theft victims are more serious than having to cancel a credit card. 

“If you get to the ER and you’re unconscious, you can’t talk to the doctors when they pull up your record and your drug allergies or even blood type has been changed,” Gregg said.

In 2014, 2.3 million Americans were victims of some form of medical identity theft, a 23 percent increase from the previous year, according to a study by the Ponemon Institute.

The growth is driven by the monetary value of medical information, which is 10 to 50 times that of Social Security numbers, according to Gregg.

Protecting your information

If personal information is compromised in a data breach, it is important to act quickly. Paul Stephens is the Director of Policy and Advocacy at Privacy Rights Clearinghouse, a nonprofit consumer rights and privacy advocate.  

“If it involves your Social Security number, you need to look into a credit report freeze and Social Security freeze. If it’s medical information, you want to monitor the explanation of benefits from your insurance carrier,” Stephens said. 

Of the sixteen health data breaches in Oregon since 2010, 11 resulted from thefts of papers or laptops. Stephens said these cases generally reflect carelessness on the company’s or employer’s part.

“They’ll lose a laptop and it won’t be encrypted,” Stephens said.

The Government’s Role

Under the federal HITECH Act, health security breaches that affect 500 people or more must be reported to the Secretary of Health and Human Services. 

In Oregon, businesses are required to notify anyone whose information may have been compromised in a breach. However, they do not have to report it to any state regulators, such as the Oregon Attorney General.

Last December, Oregon Attorney General Ellen Rosenblum urged the Oregon Senate and House Judiciary Committee to expand the state's data breach law and require breaches be reported to her office, giving her enforcement power.

“As technology changes, so must the legal infrastructure which protects that technology. Oregonians want—and should—know who is collecting their personal information and data, how it is being used and protected, as well as to whom it is being sold,” Rosenblum said in her testimony.

Only fifteen states have laws that require data breaches be reported to state police. 

Gregg said he has been lobbying this year in Salem, urging legislators to require medical identity monitoring in the case of a breach, along with financial monitoring.  

“90 percent of the public has no clue what medical identity theft is,” Gregg said. “They have to start understanding the biggest risk for citizens of Oregon in breaches of this kind.”


Anthem Refuses Full IT Security Audit


A federal watchdog agency says Anthem Inc. has refused to allow it to conduct vulnerability scans of the health insurer's systems in the wake of its recent massive data breach affecting 78.8 million individuals. Anthem also refused to allow scans by the same agency in 2013.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem has refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency on its systems.

"What we had attempted to schedule for the summer of 2015 was a sort of 'partial audit' - what we call a 'limited scope audit' - that would have consisted only of the work we were prevented from conducting in 2013," an OIG spokeswoman explains. "So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests."

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Under the standard FEHBP contract that OPM has with insurers, however, insurers are not mandated to cooperate with security audits, the OIG spokeswoman tells ISMG. Sometimes, however, amendments are made to insurers' federal contracts to specifically require the full audits, she says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract, she adds.

The OIG says in a statement that after the recent breach was announced by Anthem, "we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is 'corporate policy.'"

In its statement, the OIG also notes: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

Anthem did not respond to ISMG's request for comment.

2013 Audit

In January 2013, when the OIG initiated an IT security audit, Anthem imposed restrictions that prevented auditors from adequately testing whether it appropriately secured its computer information systems, according to the agency's statement.

"One of our standard IT audit steps is to perform automated vulnerability scans and configuration compliance audits on a small sample of an organization's computer servers. These scans are designed to identify security vulnerabilities and misconfigurations that could be exploited in a malicious cyber-attack," the OIG says.

The agency says its objective in conducting scans "is not to identify every vulnerability that exists in a technical environment, but rather to form an opinion on the organization's overall process to securely configure its computers."

When the OIG requested to perform this test at Anthem in 2013, "we were informed that a corporate policy prohibited external entities from connecting to the Anthem network," the agency said.

"In an effort to meet our audit objective, we attempted to obtain additional information about Anthem's own internal practices for performing this type of work," the OIG says regarding the 2013 audit. "However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."

Earlier Findings

Although Anthem refused to allow OIG auditors to conduct the vulnerability testing, the insurer did allow the watchdog agency to conduct an information systems general and application control audit in 2013.

Among the findings of that more general 2013 audit, OIG found that Anthem, formerly known as Wellpoint, "has established a series of IT policies and procedures to create an awareness of IT security at the plan. We also verified that WellPoint has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees," according to the OIG audit report released in September 2013.

That more limited audit report also said in summary: "Nothing came to our attention to indicate that WellPoint does not have an adequate security management program."

However, the OIG says in its March 4 statement, "As a result of the scope limitation on our audit work and Anthem's inability to provide additional supporting documentation, our final audit report stated that we were unable to independently attest that Anthem's computer servers maintain a secure configuration."

After the 2013 partial audit, the OIG says it contacted OPM management about its concerns regarding auditors' limited access to Anthem systems. "After discussions with our office, OPM amended the FEHBP contract to allow a certain degree of auditor access. Since that time, this provision has proven to be insufficient, and we are currently working with OPM to further amend the contract."


Getting the balance right with privacy and e-health

Recent advances in data management and analysis, such as the introduction of Electronic Health Records (EHRs) have the potential to save lives – and on a huge scale. However, it is increasingly clear that such innovations will only be realised if we can overcome a significant hurdle: the public’s concern that private medical data could fall into the wrong hands. To do that, we must convince people to play a more active role in establishing which information they want to keep private and which they are willing to share.

EHRs and the transformation of patient outcomes

Before we look at privacy, it is worth discussing just how transformative EHRs promise to be for the prevention and treatment of illnesses.

EHRs are much more than just a digital version of the paper-based health records of the past. In fact, EHRs embody a totally new approach to healthcare in which the wider ecosystem expands the centre of gravity beyond hospital borders. In this ecosystem, care becomes more distributed, with the burden shared by an extended family of health providers – GPs; physiotherapists; pharmacists; home-carers; family members; private health clinics; gyms; etc.

The patient is at the centre of a network bound together by his or her data, which in turn is shared and managed across all members of the healthcare web through the EHR. The EHR therefore is the main source of a comprehensive view of patient information.


The advantages of this approach are compelling: primary care givers are provided with an unprecedented view of the patient, allowing them to come to more accurate decisions in shorter timeframes and improving patient outcomes.

The empowered patient

Importantly, however, the same data innovations that are driving connected healthcare are also empowering patients to play a much more direct role in managing their own health. This is due in great part to the proliferation of wireless health devices and apps as well as social media platforms.

In the IDC/EMC Whitepaper ‘Taking-On the Chronic Disease Burden in the Hyper-Connected Patient Era’ the analysts Massimiliano Claps and Nino Giguashvili discuss how through smartphones and tablets, patients can monitor their daily activities, such as exercise and diet, and share results with their healthcare network. They can also, if they choose to, share their results through social networks, using gamification to drive health benefits.

It is not just through smartphones that such data can be shared; today a wide range of wearable devices such as smart watches, wristbands and even clothing can track wearers’ physical activity, calorie intake and other vital statistics. These data sources can be used by the wearer to manage their lifestyle, helping to prevent illness. Through EHRs moreover, this data can be shared with the user’s healthcare web, enabling their healthcare providers to deliver the best possible treatments over the course of the patient’s life.

As IDC puts it: 'The vast amount, wide variety, and velocity of data that is pushed to and pulled from the hyper-connected patient ecosystem represents an unprecedented opportunity to generate insights that can enhance the appropriateness of prevention and care.'

This is, of course, only if the patient is willing to share such information.

Privacy – a stumbling block to integrated healthcare?

EMC’s recent Privacy Index revealed that when it comes to privacy in the healthcare sector people have some major worries. In fact, a full 72% of people around the world are concerned about the future of the privacy of their medical data. While this figure is less than for other sectors – such as finance or retail – it is still intolerably high.

People do not, it appears, trust healthcare organisations with their data. This is largely understandable. People have a natural anxiety about organisations collecting too much data about them – it has a whiff of ‘big brother’ about it. With a news agenda that is full of stories of privacy breaches, data loss and the misuse of data by businesses it is understandable why people may wish to keep their medical data private.

The digital world is still very new and it is evolving rapidly. The evolution of what we can do with data is moving so fast that many people have been caught unprepared. Fundamentally, allowing a select group of medical professionals to access data in order to help you is a very different proposition to businesses or governments accessing/using your data without your consent. Unfortunately at present the two things are often conflated.

As we grow used to our digital world however we will soon begin to understand that we can both ensure privacy while also enjoying the full benefits that a free flow of information promises. Technologies already exist to make digital records more secure than paper – it is now our behaviours that need to change.

Taking control of digital privacy

The change will come when people take more control of their online selves and take more steps to protect their own privacy.

People are already able to protect their privacy on social media sites through privacy settings, although far too few currently choose to do so. This needs to change.

When it comes to EHRs, privacy settings can easily be enabled. Patients need to select exactly who can access what portions of their health record. To that extent they will make decisions on how much of their privacy they are willing to trade off in order to receive better treatment. They will in short be empowered to use their own data as a discretionary tool.


This has implications beyond the health sector too. For example, if I am a fitness fanatic who exercises every day and only eats the healthiest of foods, I will be able to input this information into my EHR via my smart devices. Then, if I so chose, I could allow my life insurance company access to this data in order to help lower the premiums I pay each month. The key here is that it would be my choice to do so. I would have made a conscious and positive choice to trade a small portion of privacy for a clear benefit.

The future is in our hands

The promise of EHRs is not illusory. Already today innovative projects are improving the lives of people worldwide. Take Finland where its ePrescription service allows doctors to dispense with paper prescriptions and instead communicate electronically with pharmacies. Crucially, Finland has also implemented consent management and patients are therefore able to filter exactly what information is viewed by whom.

Implementations such as these will gather in pace and as they do so patients will better understand why the controlled sharing of private information benefits them – as long as the control rests firmly with them.

Secure EHRs really do have the power to transform healthcare, but it is important patients are aware and ready to make decisions about who has access to their data. Part of these decisions will be made on how secure the systems are that hold their data. Part will be based on what benefit they can receive from allowing access to this data. Through this process patients will be empowered to take greater ownership of their data and given the chance to improve their wellbeing through a more efficient approach to healthcare. While a new concept, we would argue that this is something patients should embrace rather than be concerned about.

Anthem health insurance hack exposes data of over 80 million


Hackers have accessed millions of customer and employee details from US-based health insurance firm Anthem, including names, addresses and Social Security numbers. The database that was accessed included details for roughly 80 million people, but Anthem, the second biggest insurer in the country, believes that the hack likely affected a fraction in the "tens of millions". Its Chief Information Officer said that they didn't yet know how hackers were able to pull off the attack. In a statement on Anthem's site, CEO Joseph Swedish said that the company was the target of "a very sophisticated external cyberattack" -- although medical and financial details were apparently not breached.

Notably, the company decided to reveal it had been attacked just days after discovering the intrusion, even as its internal investigation continues. It also managed to detect the breach itself, something that also does not happen often. The health insurer is the latest in a list of big companies targeted by a cyberattack, including the likes of Target, Sony, eBay and Home Depot. Anthem plans to reach out to everyone whose information was stored in the hacked database through letters and email.


Report Suggests Ways To Improve Clinical Documentation in EHRs


On Tuesday, the American College of Physicians released a report that details how to improve electronic health record clinical documentation and how to use technology to enhance patient care, EHR Intelligence reports (Reardon, EHR Intelligence, 1/13).

Details of Report

The authors compiled the report with input from ACP constituencies and non-member experts, as well as a literature review, according to Health Data Management.

In the report, the authors noted that "computers and EHRs can facilitate and even improve clinical documentation" (Slabodkin, Health Data Management, 1/13).

However, they also wrote that the use of technology could increase "inappropriate or even fraudulent documentation." In addition, they wrote that "many physicians and other health care professionals have argued that the quality of the systems being used for clinical documentation is inadequate" (Walsh, Clinical Innovation & Technology, 1/13).

To address such concerns, the authors outlined seven policy recommendations related to clinical documentation within EHRs:

  • Patient care support and improvement of clinical outcomes should be the primary focus of clinical documentation software;
  • Providers should define professional standards for clinical documentation practices within their organizations;
  • EHR systems should serve to improve care outcomes while contributing to data collection as value-based and accountable care models become more prevalent;
  • Structured data should be captured only where they are useful in care delivery or necessary for quality assessment and reporting;
  • Prior authorizations should no longer be unique in their data content and format requirements;
  • Giving patients access to their medical records, including progress notes, would improve patient engagement and care quality; and
  • Further research should be done to identify best practices for clinical documentation, develop automated tools, improve medical education related to EHR documentation and determine the most effective ways to disseminate professional standards for clinical documentation.

The authors also outlined five policy recommendations related to EHR design:

  • EHR developers should optimize systems for care delivery over time, as well as for care that involves teams of clinicians and patients;
  • Clinical documentation within EHR systems should be intuitive for clinicians;
  • EHRs should support a "write once, reuse many times" approach and use embedded tags to identify the original source of data;
  • EHR systems should not require clinicians to indicate whether an action has been taken if the data in the record already substantiate the action; and
  • EHR systems should enable the integration of patient-generated data (Kuhn et al., Annals of Internal Medicine, 1/13).


FTC's Edith Ramirez: Connected health devices create bevy of privacy risks


For much of 2014, the Federal Trade Commission made it a point to be a prominent voice regarding the protection of consumer health information. Last May, for instance, it published a report recommending that Congress force data brokers to be more transparent about how they use the personal information of consumers, including health information.

And in July, FTC Commissioner Julie Brill spoke about how consumers should be given more choices from developers when it comes to data sharing by smartphone apps gathering health information.

That trend continued Tuesday at the International Consumer Electronics Show in Las Vegas, where FTC Chairwoman Edith Ramirez spoke about privacy protection, including for health data. Ramirez noted, for instance, that while the Internet of Things has the potential to improve global health, the risks are massive.

"Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks," Ramirez said. "These risks to privacy and security undermine consumer trust."

Ramirez outlined three challenges to consumer privacy presented by the Internet of Things:

  • Ubiquitous data collection
  • Unexpected data use resulting in adverse consequences
  • Increased security risks

Additionally, she said that technology developers must take three steps to ensure consumer privacy:

  • Adopt "security by design"
  • Engage in data minimization
  • Boost transparency and offer consumers choices for data usage

"[T]he risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes," Ramirez said.

Members of the House Committee on Oversight and Government Reform questioned the FTC's health data and cybersecurity authority at a hearing last summer. Committee Chairman Darrell Issa (R-Calif.) said that safeguards are needed to guide the FTC's processes in determining entities subject to security enforcement.

Last January, the agency ruled that entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the FTC.
