HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy


By now, most people have felt the effects of the HIPAA Privacy Rule (from the Health Insurance Portability and Accountability Act). HIPAA has set the primary standard for the privacy of healthcare information in the United States since the rule went into effect in 2003. It’s an important rule that creates significant baseline privacy protections for healthcare information across the country.


Yet, from the beginning, important gaps have existed in HIPAA – the most significant involving its “scope.” The rule was driven by congressional decisions having little to do with privacy, but focused more on the portability of health insurance coverage and the transmission of standardized electronic transactions.


Because of the way the HIPAA law was crafted, the U.S. Department of Health and Human Services (HHS) could only write a privacy rule focused on HIPAA “covered entities” like healthcare providers and health insurers. This left certain segments of related industries that regularly use or create healthcare information—such as life insurers or workers compensation carriers—beyond the reach of the HIPAA rules. Therefore, HIPAA has always had a limited scope that did not provide full protection for all medical privacy.


So why do we care about this now?


While the initial gaps in HIPAA were modest, in the past decade, we’ve seen a dramatic increase in the range of entities that create, use, and disclose healthcare information and an explosion in the creation of healthcare data that falls outside HIPAA.


For example, commercial websites like WebMD and patient support groups regularly gather and distribute healthcare information. We’ve also seen a significant expansion in mobile applications directed to healthcare data or offered in connection with health information. There’s a new range of “wearable” products that gather your health data. Virtually none of this information is covered by HIPAA.


At the same time, the growing popularity of Big Data is also spreading the potential impact from this unprotected healthcare data. A recent White House report found that Big Data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in many areas including healthcare. The report also stated that the privacy frameworks that currently cover healthcare information may not be well suited to address these developments. There is no indication that this explosion is slowing down.


We’ve reached (and passed) a tipping point on this issue, creating enormous concern over how the privacy interests of individuals are being protected (if at all) for this “non-HIPAA” healthcare data. So, what can be done to address this problem?


Debating the solutions


Healthcare leaders have called for broader controls to afford some level of privacy to all health information, regardless of its source. For example, FTC commissioner Julie Brill asks whether we should be “breaking down the legal silos to better protect that same health information when it is generated elsewhere.”


These risks also intersect with the goal of “patient engagement,” which has become an important theme of healthcare reform. There’s increased concern about how patients view this use of data, and whether there are meaningful ways for patients to understand how their data is being used. The complexity of the regulatory structure (where protections depend on the source of data rather than the “kind” of data), together with the difficulty of determining data sources (often impossible in practice), has led to an increased call for broader but simplified regulation of healthcare data overall. This likely will call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.


Three options are being discussed on how to address non-HIPAA healthcare data:


  • Establishing a specific set of principles applicable only to “non-HIPAA healthcare data” (with an obvious ambiguity about what “healthcare data” would mean)
  • Developing a set of principles (through an amendment to the scope of HIPAA or otherwise) that would apply to all healthcare data
  • Creating a broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA rules).


Conclusions


It’s clear that the debate and policymaking “noise” on this issue will be ongoing and extensive. Affected groups will make proposals, regulators will opine, and legislative hearings will be held. Industry groups may develop guidelines or standards to forestall federal legislation. We’re a long way from any agreement on defining new rules, despite the growing consensus that something must be done.

Therefore, companies that create, gather, use, or disclose any kind of healthcare data should evaluate how this debate might affect them and how their behavior might need to change in the future. The challenge for your company is to understand these issues, think carefully and strategically about your role in the debate, and anticipate how they could affect your business going forward.


Hospital with repeat security failures hit with $218K HIPAA fine


Does your hospital permit employees to use a file-sharing app to store patients' protected health information? Better think again. A Massachusetts hospital is paying up and reevaluating its privacy and security policies after a file-sharing complaint and a subsequent HIPAA breach.


St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations. The settlement resulted from a 2012 complaint filed by hospital employees, stating that the medical center was using a Web-based document-sharing application to store data containing protected health information. By failing to adequately analyze the security risks of this application, the medical center put the PHI of nearly 500 patients at risk.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


It wasn't just the complaint that got St. Elizabeth's in hot water, however. A HIPAA breach reported by the medical center in 2014 also called attention to the lack of adequate security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. The breach ultimately impacted 595 patients, according to a July 10 OCR bulletin.


As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of its employees' awareness and compliance with hospital privacy and security policies. Part of this assessment will involve "unannounced visits" to various hospital departments to assess policy implementations. Officials will also interview a total of 15 "randomly selected" employees with access to PHI. Additionally, at least three portable devices across each department with access to PHI will be inspected.


Then there's the policies and training part of the settlement. Based on the results of the assessment, St. Elizabeth's will submit revised policies and training to HHS for approval.


In addition to the filed complaint and the 2014 breach, the medical center also reported an earlier HIPAA breach in 2012, when paper records containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found blowing in a field nearby.


To date, OCR has levied nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.


The largest settlement to date was the whopping $4.8 million fine paid by New York Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being posted on Internet search engines. 

Gerard Dab's curator insight, July 16, 2015 8:05 PM

Security! Security! Security!

#medicoolhc #medicoollifeprotector


Six Potential HIPAA Threats for PHOs and Super Groups


Physician Hospital Organizations (PHOs) and super groups are on the rise. About 40 percent of physicians either work for a hospital or a practice group owned by a hospital, or they band together to form a super group. Individual practices share operations, billing, and other administrative functions, gain leverage with insurance companies, add specialist resources and increase referrals, improve patient outcomes with a cohesive care plan, and more. The benefits are plentiful.

But just as a negative restaurant review on Yelp can hurt customer patronage and the restaurant's reputation, one practice that commits a HIPAA violation can affect the entire group: it can result in an expensive fine, cause distrust among patients, and, in extreme cases, the data breach can lead to medical identity theft.


For PHOs and super groups, adherence to HIPAA rules becomes more complicated when compliance isn't consistent among the group's practices, and a compliance officer isn't on board to manage risks and respond to violations.


At a minimum, the group should identify the potential sources for exposure of electronic protected health information (ePHI) and take measures to avert them. For example:


Super groups include smaller practices that struggle with HIPAA compliance and its associated time and costs. Although PHOs or super groups may be abundant in physicians, employees, and offices, these assets may largely come from smaller organizations. Historically, smaller practices have struggled to find the resources to comply with HIPAA, and hiring expensive compliance consultants can be prohibitive at the individual practice level.


Each practice uses a different EHR, or the EHR is centralized but the ePHI is stored on different devices. It becomes difficult to assess HIPAA compliance as well as how patient data is being protected when there are various EHRs implemented across multiple practices. Some EHRs may be cloud based while other systems reside in an individual practice's office. Getting an accurate inventory of where ePHI is stored or accessed can be challenging.


Hospitals can't conduct thorough security risk assessments for each practice in the group. A PHO could have 20 or more individual practices and the time required to perform individual security risk assessments could be daunting. These risk assessments are labor intensive and could strain the resources of hospital compliance staff.


Meaningful use drives HIPAA compliance and grants from HHS could be significant, especially with a large number of providers. Along with these funds comes responsibility to comply with meaningful use objectives. One of the most frequent causes of failing a meaningful use audit is ignoring a HIPAA security risk assessment. If one practice fails an audit, it could open the door to other practices in the group being audited, which could result in a domino effect and a significant portion of EHR incentive funds having to be returned.


For physician groups that share patient information the security is only as strong as the weakest link — one practice or even one employee. A breach at one practice could expose patient information for many or all other practices. Security is then defined by the weakest link or the practice that has the weakest security implemented.


Untrained employees in the front office unwittingly violate HIPAA and a patient's right to privacy. An employee could fall for a phishing scam that gives criminals access to a practice's network, and compromises the security of many or all practices within the PHO or super group.


The best way to avoid a HIPAA violation and a patient data breach is to create a group policy that requires each practice to:


• Perform regular HIPAA security risk assessments;

• Inventory the location of patient information;

• Assess common threats;

• Identify additional security needs;

• Set up policies and procedures;

• Stay up to date on patient privacy rules and requisite patient forms; and

• Properly train employees in protecting both the privacy and security of ePHI.


Make sure every practice in the group treats HIPAA compliance with the same care as a patient's medical condition.

Roger Steven's comment, July 10, 2015 6:34 AM
nice article www.mentorhealth.com

243 Charged in Medicare Fraud Schemes


Federal authorities announced their largest national Medicare fraud takedown to date, involving criminal charges against 243 individuals allegedly responsible for false billing totaling approximately $712 million.


In a June 18 joint announcement, officials at the Department of Health and Human Services, Department of Justice and FBI said a "nationwide sweep" led by the Medicare Fraud Strike Force in 17 districts has resulted in charging 243 individuals, including 46 physicians, nurses and other licensed medical professionals, for their alleged participation in Medicare fraud schemes. As of June 18, 184 defendants had been taken into custody, a DOJ spokesman says.


Officials called "the coordinated takedown" the largest in strike force history, both in terms of the number of defendants charged and the loss amount.


The sweep also resulted in the Centers for Medicare and Medicaid Services using its authority under the Affordable Care Act to suspend a number of healthcare providers from participating in the Medicare program.

Variety of Charges

The defendants in the takedown are charged with various healthcare fraud-related crimes, including conspiracy to commit healthcare fraud, violations of the anti-kickback statutes, money laundering and aggravated identity theft. The charges are based on a variety of alleged fraud schemes involving various medical treatments and services, including home healthcare, psychotherapy, physical and occupational therapy, durable medical equipment and pharmacy fraud.

More than 44 of the defendants are charged with fraud related to the Medicare prescription drug benefit program known as Part D, which regulators say is the fastest-growing component of the Medicare program.


"This takedown adds to the hundreds of millions we have saved through fraud prevention since the Affordable Care Act was passed," said HHS Secretary Sylvia Mathews Burwell. "With increased resources that have allowed the Strike Force to expand and new tools, like enhanced screening and enrollment requirements, tough new rules and sentences for criminals, and advanced predictive modeling technology, we have managed to better find and fight fraud as well as stop it before it starts."


The Medicare Fraud Strike Force, a multi-agency team of federal, state and local investigators and prosecutors designed to combat Medicare fraud through the use of Medicare data analysis techniques, coordinated the investigation. Since the program's inception in March 2007, Strike Force operations in nine locations have charged more than 2,300 defendants who collectively are alleged to have falsely billed the Medicare program for more than $7 billion, according to federal authorities.


Among the large Medicare busts was the May 2014 arrest of 90 individuals in six states who were allegedly tied to Medicare fraud schemes responsible for $260 million worth of false billings. Also, in October 2012, federal authorities announced a Medicare fraud crackdown that involved charges against 91 individuals in fraud schemes allegedly involving approximately $492 million in false billing.

A Wake-Up Call

Security expert Mac McMillan, CEO of the consultancy CynergisTek, says the magnitude of the most recent Medicare takedown is significant. "This should be a wake-up call to those healthcare professionals who think it is OK to fudge around the edges, or in some cases just outright steal from the system, that their days are numbered and the feds are serious about curbing this very important problem," he says. "Hopefully it will have some impact, but frankly, right now, it seems like someone declared open season on healthcare between this [type of fraud] and the hacks we've seen lately."


Healthcare entities can help in the battle against fraud by monitoring for criminal behavior within their own organizations, he says. "One of the simplest ways is to perform periodic audits of what workforce members involved in preparing or handling claims are doing, as well as audits of patients receiving discharge summaries and bills."


Additionally, more commercial health insurers should follow CMS's lead and implement analytical tools that can help detect suspicious activities, he says. "They are the only really effective tools for proactive monitoring and detection," he says. "Those committing fraud may not cause a compliance trigger to be activated, but generally fraud requires an abnormal event to occur. Monitor for those, and you have a better chance of detecting inappropriate behavior."

Fraud Scams Busted

Among those charged in the latest Medicare fraud takedown were individuals in six states:


  • Seventy-three defendants in Miami were charged with offenses relating to their alleged participation in various fraud schemes involving approximately $263 million in false billings for home healthcare, mental health services and pharmacy fraud. In one case, administrators in a mental health center billed close to $64 million between 2006 and 2012 for purported intensive mental health treatment to beneficiaries and allegedly paid kickbacks to patient recruiters and assisted living facility owners. Medicare paid approximately half of the claimed amount.
  • Twenty-two individuals in Houston and McAllen, Texas, were charged in cases involving more than $38 million in alleged fraud. One of these defendants allegedly coached beneficiaries on what to tell doctors to make them appear eligible for Medicare services and treatments and then received payment for those who qualified. The company that paid the defendant for recruiting patients to bill for medically unnecessary services submitted close to $16 million in claims to Medicare, more than $4 million of which was paid.
  • Seven people in Dallas were charged in connection with home healthcare schemes. In one scheme, six owners and operators of a physician house call company allegedly submitted nearly $43 million in billings under the name of a single doctor, regardless of who actually provided the service. The company also allegedly significantly exaggerated the length of physician visits, often billing for 90 minutes or more for an appointment that lasted only 15 or 20 minutes.
  • Eight individuals in Los Angeles were charged for their alleged roles in schemes to defraud Medicare of approximately $66 million. For example, a physician is charged with causing almost $23 million in losses to Medicare through his own fraudulent billing and referrals for durable medical equipment, including more than 1,000 power wheelchairs and home health services that were not medically necessary and often not provided.
  • Sixteen defendants in Detroit were charged for their alleged roles in fraud, kickback and money laundering schemes involving approximately $122 million in false claims for services that were medically unnecessary or never rendered, including home healthcare, physician visits and psychotherapy, as well as pharmaceuticals that were billed but not dispensed. Among those charged are three owners of a hospice service who allegedly paid kickbacks for referrals made by two doctors who defrauded Medicare Part D by issuing medically unnecessary prescriptions.
  • Five individuals in Tampa were charged with participating in a variety of alleged scams, ranging from fraudulent physical therapy billings to a scheme involving millions of dollars worth of claims for physician services and tests that never were provided. In one case, a licensed pain management physician sought reimbursement for nerve conduction studies and other services that he allegedly never performed. Medicare paid the defendant more than $1 million for these purported services.
  • Nine individuals in Brooklyn, N.Y., were charged in two separate criminal schemes allegedly involving physical and occupational therapy. Three of those defendants face charges for their roles in a previously charged $50 million physical therapy scheme.
  • Eleven people in New Orleans were charged in connection with $110 million worth of alleged home healthcare and psychotherapy schemes. In one case, four individuals who operated two companies - one in Louisiana and one in California - that mass-marketed talking glucose monitors across the country allegedly sent the devices to Medicare beneficiaries regardless of whether they were needed or requested. The companies billed Medicare approximately $38 million for the devices, and Medicare paid the companies more than $22 million.
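McMillan's advice above is to monitor for the abnormal events that fraud usually requires, and several of the schemes listed here are exactly such anomalies: one doctor billing more visit time than fits in a day, visit lengths far above what peers bill, and the same service billed twice for one patient. The following Python script is an added example written for this page, not code from the article, the Strike Force or CMS. It runs three simple audit rules over a constructed set of claim records; the 16-hour daily ceiling and the "twice the peer median" outlier factor are assumptions chosen for illustration, not regulatory thresholds.

```python
from collections import defaultdict
from statistics import median

# Assumption: more than 16 hours of billed visit time in one day is implausible for one provider.
MAX_MINUTES_PER_DAY = 16 * 60
# Assumption: a mean visit length above twice the peer median marks the provider as an outlier.
OUTLIER_FACTOR = 2.0


def build_sample_claims():
    """Constructed claims, not real data: one provider (DR-A) bills twelve 90-minute
    house calls in a day, two ordinary providers bill 15-20 minute visits, and one
    patient (P0) has the same HOUSECALL service billed by two providers on one day."""
    claims = []
    for i in range(12):
        claims.append({"provider": "DR-A", "patient": f"P{i}", "date": "2015-06-01",
                       "service": "HOUSECALL", "minutes": 90})
    for i in range(6):
        claims.append({"provider": "DR-B", "patient": f"P{i}", "date": "2015-06-01",
                       "service": "OFFICE", "minutes": 15})
        claims.append({"provider": "DR-C", "patient": f"P{i + 6}", "date": "2015-06-02",
                       "service": "OFFICE", "minutes": 20})
    claims.append({"provider": "DR-B", "patient": "P0", "date": "2015-06-01",
                   "service": "HOUSECALL", "minutes": 15})
    return claims


def flag_overbooked_days(claims, limit=MAX_MINUTES_PER_DAY):
    """(provider, date) pairs whose billed minutes exceed what fits in a working day."""
    totals = defaultdict(int)
    for c in claims:
        totals[(c["provider"], c["date"])] += c["minutes"]
    return sorted(key for key, minutes in totals.items() if minutes > limit)


def flag_duplicate_services(claims):
    """(patient, date, service) triples billed by more than one provider on the same day."""
    providers = defaultdict(set)
    for c in claims:
        providers[(c["patient"], c["date"], c["service"])].add(c["provider"])
    return sorted(key for key, provs in providers.items() if len(provs) > 1)


def flag_long_visits(claims, factor=OUTLIER_FACTOR):
    """Providers whose mean visit length is far above the median of all providers' means."""
    minutes = defaultdict(list)
    for c in claims:
        minutes[c["provider"]].append(c["minutes"])
    means = {p: sum(m) / len(m) for p, m in minutes.items()}
    peer_median = median(means.values())
    return sorted(p for p, mean in means.items() if mean > factor * peer_median)


if __name__ == "__main__":
    sample = build_sample_claims()
    print("overbooked provider-days:", flag_overbooked_days(sample))
    print("services billed by more than one provider:", flag_duplicate_services(sample))
    print("visit-length outliers:", flag_long_visits(sample))
```

Each rule is deliberately explainable: an auditor can show a flagged provider the arithmetic behind the flag, which matters when the output feeds a compliance review rather than an automated block. In a real deployment the rules would run over a claims export on a schedule, and the thresholds would be tuned per specialty, since a surgeon and a primary-care physician have very different normal visit lengths.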

Physicians: Protect Your Data from Hackers in 5 Steps


According to a recent CNBC report, hackers may have stolen personnel data and Social Security numbers for every single federal employee last December. If true, the cyberattack on federal employee data is far worse than the Obama administration has acknowledged.

J. David Cox, president of the American Federation of Government Employees, believes "hackers stole military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; [as well as] age, gender, race data," according to the report. This would be all that is needed for cybercriminals to steal the identities of the employees, divert funds from one account to another, submit fake healthcare claims, and create fake accounts for everything from credit cards to in-store credit card purchases.


Although physicians maintain personal and professional data which is especially valuable to thieves, you are not the federal government. Make it hard enough on cybercriminals, and they will move on to lower-hanging fruit. Reader's Digest offers good advice in five simple steps in its article, "Internet Security, How not to Get Hacked":


1. Be aware of what you share.


On Facebook, Twitter, or social media, avoid posting birth dates, graduation years, or your mother's maiden name — info often used to answer security questions to access your accounts online or over the phone.


2. Pick a strong password.


Hackers guess passwords using a computer. The longer your password and the more nonsensical characters it contains, the longer it takes the computer. The idea here is that longer, more complicated passwords could take a computer 1,000 years to guess. Give 'em a challenge.


3. Use a two-step password if offered.


Facebook and Gmail have an optional security feature that, once activated, requires you to enter two passwords to access your account: your normal password plus a code that the companies text to your phone. "The added step is a slight inconvenience that's worth the trouble when the alternative can be getting hacked," CNET tech writer Matt Elliot told Reader's Digest. To set up the verification on Gmail, click on Account, then Security. On Facebook, log in, click on the down icon next to Home, and then click on Account Setting, Security, and finally Login Approvals.


4. Use Wi-Fi hot spots sparingly.


By now, you probably know that Internet cafés and free hotspots are not secure. You shouldn't be doing your online banking from these spots. However, the little button that turns off your laptop's Wi-Fi so that your laptop cannot be accessed remotely is also handy. In Windows, right click on the wireless icon in the taskbar to turn it off. On a Mac, click the Wi-Fi icon in the menu bar to turn off Wi-Fi.


5. Back up your data.


Hackers can delete years' worth of e-mails, photos, documents, and music from your computer in minutes. Protect your digital files by using a simple and free backup system available on websites such as Crashplan and Dropbox.


Take this basic instruction and build on it yourself. Google, for example, offers advice expanding on the concept of "strong passwords." The worst thing you can do is use "dictionary words," the word "password," and sequential keystrokes, such as "1234" or "qwerty," because the hackers' computers will try these first. For e-mail, pick a phrase, such as "[m]y friends Tom and Jasmine send me a funny e-mail once a day" and then use numbers and letters to recreate it as a cryptic password: "MfT&Jsmafe1ad."
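Step 2 and the closing paragraph describe what a strong password avoids (dictionary words, the word "password," sequential keystrokes) and why length matters (the time a guessing computer needs). The Python checker below is an added example for this page, not code from the article, Reader's Digest or Google; it turns those rules into a policy check and adds a back-of-the-envelope guess-time estimate. The 12-character minimum, the tiny word list and the 10 billion guesses-per-second rate are all assumptions for illustration; a real deployment would use a large breached-password list and a rate chosen for the hash in use.

```python
import math
import re

# Constructed sample of dictionary words and well-known weak passwords (assumption:
# a real checker loads a large wordlist such as a breached-password corpus).
WEAK_WORDS = {"password", "letmein", "welcome", "admin", "iloveyou", "monkey", "dragon"}

# Keyboard rows and natural sequences, used to catch runs such as "1234" or "qwerty".
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz"]

MIN_LENGTH = 12            # assumption: policy minimum, not a figure from the article
GUESSES_PER_SECOND = 1e10  # assumption: offline guessing rate used for the time estimate


def has_sequential_run(password, run_length=4):
    """True if the password contains a keyboard or alphabetic run, forwards or backwards."""
    low = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run_length + 1):
            chunk = seq[i:i + run_length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def charset_size(password):
    """Size of the alphabet an attacker must assume, based on which classes appear."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(password):
    """Upper-bound entropy, treating the password as uniform over its character classes."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_guess(password, guesses_per_second=GUESSES_PER_SECOND):
    """Expected years for a brute-force search that covers half the keyspace on average."""
    keyspace = 2 ** entropy_bits(password)
    return keyspace / 2 / guesses_per_second / (365 * 24 * 3600)


def check_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in low for word in WEAK_WORDS):
        problems.append("contains a dictionary word or well-known weak password")
    if has_sequential_run(password):
        problems.append("contains sequential keystrokes such as 1234 or qwerty")
    if charset_size(password) < 62:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ["password123", "qwerty1234", "MfT&Jsmafe1ad."]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {verdict}; ~{years_to_guess(candidate):.3g} years to brute-force")
```

The entropy figure is an upper bound: it assumes the attacker knows nothing about how the password was built, so a passphrase-derived password like the article's "MfT&Jsmafe1ad." scores well only because nothing in it matches a word list or keyboard run. The practical lesson the numbers make visible is that each extra character multiplies the search space, while the dictionary and sequence checks are what stop the attacker's "try these first" list from succeeding instantly.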


Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI

For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate; it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI

Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association, says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application, for instance one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted, such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or to encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is that if a potential breach occurs, like the theft of a laptop containing e-mails with PHI, it is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."
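The two paragraphs above describe the decision logic of such a content-aware mail filter: encrypt when the body carries a Social Security number or a credit card number, when the subject contains a trigger word, or when the message has attachments. The Python below is an added example written for this page, not code from the article or from any secure e-mail product; it implements only the classification step (deciding that a message must be encrypted), and the SSN pattern, the Luhn check for card numbers and the sample messages are constructed for illustration.

```python
import re

# Social Security number pattern; excludes area numbers that are never issued
# (000, 666, 900-999) and all-zero groups, which cuts false positives on random IDs.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Subject-line trigger words, following the "sensitive" / "encrypt" convention in the article.
TRIGGER_WORDS = ("sensitive", "encrypt")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid card numbers found in text, with separators removed."""
    found = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def encryption_reasons(subject, body, attachments=()):
    """List every filter rule that fires; an empty list means the message may go in the clear."""
    reasons = []
    if SSN_RE.search(body):
        reasons.append("body contains a Social Security number pattern")
    if find_card_numbers(body):
        reasons.append("body contains a Luhn-valid payment card number")
    subject_lower = subject.lower()
    for word in TRIGGER_WORDS:
        if word in subject_lower:
            reasons.append(f"subject contains trigger word '{word}'")
    if attachments:
        reasons.append("message carries attachments")
    return reasons


def must_encrypt(subject, body, attachments=()):
    """Policy decision the mail gateway would act on before handing the message to transport."""
    return bool(encryption_reasons(subject, body, attachments))


if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    samples = [
        ("Lab results", "Patient SSN 123-45-6789, see attached.", ["results.pdf"]),
        ("Copay receipt", "Charged card 4111 1111 1111 1111 for $20.", []),
        ("[sensitive] schedule change", "Clinic closed Friday.", []),
        ("Lunch", "Meet at noon, call 555-0100 if late.", []),
    ]
    for subject, body, attachments in samples:
        print(f"{subject!r}: encrypt={must_encrypt(subject, body, attachments)} "
              f"{encryption_reasons(subject, body, attachments)}")
```

Pattern matching alone is a coarse tool: the SSN regex still fires on any correctly shaped number, and a diagnosis written in plain prose matches nothing, which is why the article also recommends the trigger-word and attachment rules and, for practices that want certainty, a patient portal instead of e-mail. Keeping the rules as a list of named reasons also gives the compliance officer an audit trail for why a given message was encrypted.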


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS

If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP

If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:


• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMENDMENT REQUESTS

Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING

The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARGING FOR RECORD COPIES

With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS

If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:


• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.
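As an added illustration of the third precaution (not code from the article or from any EHR vendor), the following Python script runs a "record snooping" check over a few constructed EHR access-log lines. It assumes a simple log format (timestamp, user, patient, action) and small constructed lookup tables for who has a treatment or payment relationship with each patient, which staff are also patients, and which charts belong to a staff member's declared relatives; a real practice would pull those relationships from its scheduling and billing systems. An access is flagged when it is to the user's own chart, to a relative's chart, or has no documented treatment, payment or operations basis.

```python
"""Added example: a minimal EHR access-audit check for "record snooping".

All data below is constructed for illustration and does not come from any
real system. Accesses are flagged when they have no documented treatment,
payment or operations (TPO) basis, target the user's own chart, or target the
chart of a relative the user has declared.
"""
from collections import namedtuple
from datetime import datetime

AccessEvent = namedtuple("AccessEvent", "ts user patient action")

# Constructed audit log lines (assumed format: ISO timestamp, user, patient, action).
SAMPLE_LOG = """\
2015-05-04T09:12:00 nurse_ann P1001 VIEW_CHART
2015-05-04T09:40:00 nurse_ann P1002 VIEW_CHART
2015-05-04T10:05:00 nurse_ann P2000 VIEW_CHART
2015-05-04T11:30:00 dr_lee P1001 VIEW_CHART
2015-05-04T12:15:00 billing_bob P1002 VIEW_CLAIMS
2015-05-04T13:00:00 billing_bob P1001 VIEW_CHART
2015-05-04T14:20:00 nurse_ann P3000 VIEW_CHART
"""

# Constructed relationship data; a practice would derive this from scheduling/billing.
ENCOUNTERS = {  # patient -> users on that patient's care team (treatment basis)
    "P1001": {"nurse_ann", "dr_lee"},
    "P1002": {"nurse_ann", "dr_lee"},
}
CLAIMS_IN_PROGRESS = {"P1002": {"billing_bob"}}  # patient -> users working a claim (payment basis)
STAFF_OWN_CHART = {"nurse_ann": "P2000"}         # staff members who are also patients here
STAFF_RELATIVES = {"nurse_ann": {"P3000"}}       # charts of a staff member's declared relatives


def parse_log(text):
    """Parse whitespace-separated log lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def has_tpo_basis(user, patient, action):
    """True if the user has a documented treatment or payment reason for this access."""
    if user in ENCOUNTERS.get(patient, set()):
        return True
    if action == "VIEW_CLAIMS" and user in CLAIMS_IN_PROGRESS.get(patient, set()):
        return True
    return False


def classify(event):
    """Return a finding label for one access event, or None if it looks legitimate."""
    if STAFF_OWN_CHART.get(event.user) == event.patient:
        return "self-access"
    if event.patient in STAFF_RELATIVES.get(event.user, set()):
        return "relative-access"
    if not has_tpo_basis(event.user, event.patient, event.action):
        return "no-documented-basis"
    return None


def audit(text):
    """Run the check over a log and return (user, patient, label) for every flagged access."""
    findings = []
    for ev in parse_log(text):
        label = classify(ev)
        if label:
            findings.append((ev.user, ev.patient, label))
    return findings


if __name__ == "__main__":
    for user, patient, label in audit(SAMPLE_LOG):
        print(f"{label:<20} user={user} patient={patient}")
```

Run as written, the script flags three of the seven accesses: the nurse viewing her own chart, the billing clerk opening a chart for a patient with no claim in progress, and the nurse viewing a declared relative's chart. The two checks that matter most operationally are the "no documented basis" test, which is only as good as the encounter and claims data it is joined against, and the self/relative lookups, which depend on staff actually declaring those relationships in the HR system.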


9. RELEASING TOO MUCH INFORMATION

Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


HITECH Act Stage 3: Security Concerns


Some healthcare associations, including those representing IT and security leaders, are seeking more clarity from federal regulators about proposed security and privacy requirements for Stage 3 of the HITECH Act "meaningful use" incentive program for electronic health records. Among the concerns raised were issues related to EHR risk assessments and patients' electronic access to their health information.


Stage 3 of the HITECH Act incentive program is slated to begin in 2017 or 2018. Beginning in January 2018, healthcare providers lacking a certified EHR system will begin to face financial penalties.

The concerns cited by the various healthcare associations echoed some of the worries expressed by security and privacy experts shortly after the proposed rules were issued in March.


May 29 was the deadline for public comment on proposed rulemaking by the Department of Health and Human Services. On March 20, HHS' Centers for Medicare and Medicaid Services issued a notice of proposed rulemaking for Stage 3 of the Medicare and Medicaid EHR incentive program. Meanwhile, HHS' Office of the National Coordinator for Health IT issued a proposed rule spelling out updated requirements for EHR software that qualifies for the incentive program: 2015 Edition Health Information Technology Certification Criteria.

Security Assessment Concerns

Under Stage 3 of the HITECH incentive program, which already has provided nearly $30 billion in incentives to eligible hospitals and healthcare professionals for "meaningfully" using EHRs, these healthcare providers can qualify to receive additional incentives by achieving a proposed new list of objectives. One of those proposed requirements deals with risk assessments.


While healthcare providers are still expected to conduct a broader HIPAA security risk analysis, the Stage 3 proposal states that healthcare providers must conduct an assessment that specifically looks at risks to information maintained by the certified EHR technology.


Here's the language in the HHS proposal, which some commenters found confusing, or even unnecessary, in light of existing HIPAA requirements: "The requirement of this proposed measure is limited to annually conducting or reviewing a security risk analysis to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability and integrity of ePHI created by or maintained in [the certified EHR technology]."


The College of Healthcare Information Management Executives, an association of healthcare CIOs and other IT leaders, in its comments to HHS called the risk assessment proposal "superfluous, given the fact that the HIPAA privacy and security requirements already apply to providers and we see no need to impose any additional requirements through the EHR meaningful use program."


But CHIME added in its comments to HHS: "We understand and agree with the need to protect electronic personal health information. As such, our concern is that providers may be confused over the timing of required assessments or reviews."


To clarify and simplify the objective, CHIME suggested HHS rework the proposal to state that eligible healthcare providers must conduct the security risk analysis upon initial installation of certified EHR technology or upon upgrade to a new edition of certified EHR technology.


CHIME contends that this clarification "will help providers understand their responsibilities vis-à-vis this objective and avoid any possible misunderstanding that reviews be required every time a provider receives a patch or other update to their EHR from a vendor."

Guidance Sought

Meanwhile, another association of health IT professionals, the Healthcare Information and Management Systems Society, said it generally supports the government's risk assessment proposal, but that more guidance is still needed by many healthcare sector organizations on how to conduct a risk analysis.


"HIMSS observes that providers today likely need to increase the frequency of their security risk analysis," the organization says in its feedback. "However, merely doing the security risk analysis without addressing the risks may not lead to adequate safeguarding of the ePHI. Accordingly, risk management should be done as well, and providers need to be educated on how to manage risk in today's electronic environment."


HIMSS recommends the proposed requirement for Stage 3 be modified "so that providers not only do the security risk analysis, but also address the risks themselves." HIMSS also recommends that providers receive guidance on where to obtain security updates and how to correct deficiencies. "HIMSS recommends that providers need guidance on what an acceptable baseline is for a security risk analysis - without such guidance, some providers may conduct [minimal] security risk analysis, expending only a handful of hours to do such a task."

Other Concerns

Some healthcare associations also wrote in their feedback that they were concerned about a Stage 3 proposal regarding providing patients with electronic access to their records.


Under the HHS proposal, patients may either be provided access to view online, download, and transmit their health information through a patient Web portal or provided access to an application program interface certified by ONC. Those APIs can be used by third-party applications or devices.


In its comments, CHIME says it opposes the API provision. "There is tremendous uncertainty regarding APIs, including potential security and authentication issues, and even whether they will be readily available in [technology] vendor products by 2018."


Similarly, the American Hospital Association wrote in its comments: "Stage 3 proposals, such as relying on third-party applications to access sensitive patient data in EHRs, may be a successful mechanism for the exchange of patient data information, but they raise important questions about patient privacy and information security that must be carefully considered."


An HHS spokesman tells Information Security Media Group that ONC and CMS "are now reconciling and beginning to review all of the comments. We don't yet have a total count of the number of comments, nor have we had time to separate them by issue. We are now beginning the process to get us to the issuance of the final rules, which we expect to be later this summer."


Your Cyber-Risk Policy: What it Covers and What it Doesn't


In healthcare, we deal with highly sensitive and very private electronic information, so of course our ears perk up every time we see headlines about the latest cyber threat or breach. The natural question is whether this could happen to us. This is constructive if it leads to cyber risk-prevention. But all too often, folks are responding with, "it could not happen to me," or "my insurance policy covers this so I'm prepared." These folks are ignoring the growing cyber threat around all of us. They are whistling past the "cyber" graveyard.

We live in a digital age where almost everything is accessible — even more now with the evolution of EHRs — so we have to run our businesses as though we are all at risk. To be prepared, we must first understand the common sources of cyber risk. Second, we must understand the basics of cyber insurance policies we may or may not have in place.


There are several ways breaches at small healthcare organizations may occur:


1. Disgruntled employees are one of the leading reasons for cyber attacks. They know your systems — likely better than you do — so keep a close watch on them and what type of data they have access to. Really pay close attention to new staff and those that may be on their way out. Also make sure they know they are monitored.

2. Cyber criminals are looking for remote Internet access services with weak passwords. Require and enforce more complex passwords and require employees to change their passwords regularly.


A smart form of cyber protection is a cyber-risk insurance policy. These provide bundled services designed to help you quickly respond to a data breach. However, there are many cyber insurance product options to consider. These range from standalone policies with high limits and comprehensive services to policy add-on coverages typically offering less coverage.


Rather than stumbling through a maze of complicated cyber-related insurance rhetoric, do yourself a favor and review your options with an experienced broker:


• Carefully scrutinize "free" cyber coverage or riders added onto your base coverage. While not totally worthless, the majority come nowhere near covering the exposure of a potential cyber breach (which explains why they are typically thrown in at no additional cost). In reviewing your insurance coverages with your broker, it's easy to brush by this one and mentally check off the fact that you have cyber coverage. Drill into the details of what's covered, as outlined below.

• Find out how much you are covered for and what out-of-pocket expenses you could expect. A data breach at a small physician practice could run into the hundreds of thousands of dollars or even higher. This type of uncovered damage could put a small practice out of business. Some expenses physicians can expect to incur when a breach occurs include legal fees, IT forensic costs, notification costs, credit monitoring costs, and public relations and advertising expenses to reclaim patient goodwill as well as making the public aware of the steps taken to address the breach.


Cyber risk is not just a technology issue. It affects all elements of the healthcare business and needs to be well-planned and mitigated through ongoing education and risk-management programs.


Hacker Attacks: Not Just Insurers at Risk


The recently revealed breach of a database at CareFirst BlueCross BlueShield containing information on more than 1.1 million individuals is the latest evidence that hackers are targeting health insurers, and especially Blue Cross and Blue Shield organizations, for the vast amount of protected health information they hold. Security experts warn, however, that other types of organizations, including health information exchanges and large integrated delivery systems, as well as hospitals with electronic health records systems, could be the next targets.


Health insurers "are known to have very large databases of rich personal data that can be sold for identity theft purposes and fraud," says privacy and security expert Kate Borten, founder of The Marblehead Group consultancy. "Midsize and large healthcare provider organizations should also be on high alert for the same reason."


Baltimore-based CareFirst BlueCross BlueShield disclosed on May 20 that an "unauthorized intrusion" into a database dating back to June 2014 resulted in a breach affecting 1.1 million individuals. Other Blues plans that have recently reported cyber-attacks are Anthem Inc., which says its breach impacted 78.8 million individuals, and Premera Blue Cross, which says 11 million were affected by its hacking incident.

Other Targets

Katherine Keefe, who heads breach response at the cyber-insurance company Beazley plc, predicts that health information exchange organizations, due to the large volume of data they handle, as well as electronic health record systems at hospitals - which are often configured to provide easy access to harried clinicians in healthcare settings, could be the next targets for hackers.


"The goal of EHRs in a hospital setting is to help make clinical decision-making more efficient and effective, and provide access to clinicians who need this information quickly," she says. Also, role-based access controls, advanced authentication, and encryption aren't typically part of the equation for many of these systems, she says. "That technology is perceived to slow down access for clinicians, who'd rather err on the side of good clinical decisions," rather than worry about data breaches, she adds.

M&A Risks?

One reason why health insurers have proven to be prime targets for hackers, Keefe says, is that many of these companies have grown rapidly through mergers and acquisition, with a patchwork of systems and security practices and "treasure troves" of data.


That's also true for many large integrated healthcare delivery systems, she adds. "There's been a lot of consolidation in the healthcare industry," she notes. For instance, Community Health System, a provider organization that last August revealed a hacker breach affecting 4.5 million individuals, has also grown in recent years through mergers and acquisitions, she says.


Meanwhile, some health insurers also boast about the tens of millions of enrollees they cover, which also catches the attention of cybercriminals, Keefe says. "It's like saying, 'come and get us'," she says. Data security needs to be "more front and center" at many healthcare organizations, she stresses.


While Blue Cross and Blue Shield affiliates, such as Anthem and Premera Blue Cross, are independent companies, they are linked together through the Blue Card program, in which these plans process each other's members' insurance claims, Keefe says.


"The Blue Cross Blue Shield [network] is simply so large that they are a 'rich' environment filled with some of the most valuable data when it comes to identity theft," says Brad Cyprus, chief of security and compliance at Netsurion, a provider of cloud-based services. "It is also possible that by being one of their affiliates, there is some common technology that has an issue that has not been identified or fixed.

"However, hackers are very much like sharks smelling blood. When one successful attack happens and sensitive data is exposed, every other hacker starts focusing on those systems in an effort to reap some rewards before things are fixed while potential vulnerabilities are still exposed. In BCBS's case, that leads to a perfect storm for continued attention from the hacker community."

Data Segmentation

In the CareFirst breach, it appears that segmentation of information helped minimize the amount of data the hackers were able to access. And that's an important lesson for others to learn, security specialists say.


"Segmentation of information is the name of the game in our modern threat landscape," says Marcin Kleczynski, CEO of Malwarebytes, a provider of anti-malware solutions. "Attackers are constantly increasing their ability to compromise secure networks, be it through new technologies or old-fashioned social engineering. To that end, treating a breach less like an 'it won't happen to me' scenario in favor of a stance that expects it can help those who are charged with securing the information make a more effective battle plan."


CareFirst, in a statement on its breach information website, says the attackers gained "limited, unauthorized access to a single CareFirst database." It notes: "Evidence suggests the attackers could have potentially acquired member-created user names created by individuals to access CareFirst's website, as well as members' names, birth dates, email addresses and subscriber identification number. However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst's website.


"The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card or financial information."

Delayed Discovery

CareFirst said the intrusion occurred in June 2014, but wasn't discovered until April 2015 after the insurer commissioned forensics vendor Mandiant to do a security review of the health plan's systems. Keefe of Beazley notes, however, that delayed breach discovery is common.


"Security technology is trying valiantly to keep up with hackers. Malware has the ability to cover its tracks, and often morphs into something that's hard to detect," she says. Nonetheless, many healthcare sector entities, "need to re-order their priorities" and allocate more resources to breach prevention and detection, she adds.

Security and privacy expert Rebecca Herold, CEO of The Privacy Professor, notes: "I believe it is almost a certainty that many covered entities and business associates are hacked and don't know it. From what I've seen in the largest of hospital systems down to the one-doctor healthcare clinic, and in many healthcare insurance companies, there are often large numbers of PHI repositories that do not have access logs established."


Too many organizations have little to no network monitoring, a lack of comprehensive risk management practices, and too few security tools, including those for detecting security problems and logging access for everywhere PHI is stored, she says.


"Also, a lack of proper funding for security, and lack of ongoing training for information security staff," contribute to the problem, she notes. "Health insurance executives need to realize that it is significantly less expensive to invest more in information security than it is to continually clean up after privacy breaches; information security cost is a fraction of the costs of breaches."





Kareo Announces Apple Watch App To Improve Medical Practice Efficiency


Kareo, the leading provider of cloud-based medical office software for independent medical practices, today announced the launch of its Apple Watch App. Kareo’s most recent innovation extends the functionality of the company’s EHR to Apple Watch, streamlining care delivery and enhancing the patient experience by improving communications, reducing patient wait times, and increasing practice efficiency.


Kareo is launching this new Apple Watch App in response to the growing demands on physicians to increase their focus on all aspects of patient engagement. “Physicians are on their feet attending to the needs of patients for the majority of the day, leaving little time to check their schedules and prepare for the next appointment,” said Dr. Tom Giannulli, CMIO of Kareo. “Recognizing this demanding care delivery environment, Kareo’s Apple Watch App will help doctors better manage their schedule while enabling enhanced communication throughout the day, improving their ability to deliver a great patient experience.”

Kareo’s Apple Watch App provides the most relevant, practice-oriented information necessary to improve care and increase practice efficiency. Key functionalities of the App include:


  • Secure messaging that allows the user to send, reply, and read messages via dictation. Messages can be sent to staff or patients using Kareo’s secure messaging system, improving overall patient engagement and practice communication.
  • An agenda that allows the provider to quickly reference their schedule and see the status of appointments checked-in, no show, late, checked out, etc., helping reduce wait times and improve practice efficiency.
  • Appointment reminders that can be sent five minutes before the next scheduled appointment. The notification subtly vibrates the watch, indicating that the doctor has an impending appointment.
  • Appointment information that is accessible within a notification or through the agenda, allowing the provider to review details such as the patient’s name, time of appointment, visit type, and reason for the visit.
  • “I’m Running Late” pre-set messages that allow the doctor to inform other staff members when they are running behind and how much longer they expect to be. This improves practice communication and enables the front desk to give patients a more accurate wait time estimate.
  • Apple “Glances” that provide a quick overview of key practice metrics, including how many patients are scheduled throughout the day, how many patients are waiting to be seen, and which patients are currently waiting in an exam room.


All features of Kareo’s Apple Watch App are HIPAA compliant and secure, ensuring all data are private, yet easily accessible.

“Independent physicians need new tools to grow strong, patient-centered practices, and Kareo’s Apple Watch App is another example of Kareo’s focus on helping physicians leverage innovative technology to drive their success,” said Dan Rodrigues, founder and CEO of Kareo. “With key practice and patient information accessible on their wrists, physicians are able to discreetly and efficiently provide updates to staff while staying focused on what matters most – the patient.”



Athena & Epocrates launch app for HIPAA-compliant messaging, includes Apple Watch support


Athena Health, which counts among its holdings the popular Epocrates app, announced the launch of athenaText for iPhone and Android smartphones. The app will provide physicians with yet another option for HIPAA compliant messaging. And it includes support for the Apple Watch.

The app lets you send secure, HIPAA compliant messages, including images, to colleagues who are registered. For physicians and healthcare providers, athenaText verifies your identity through a series of questions when signing up. That allows you to “claim” your profile in their physician directory, similar to what Doximity does.


Contacts can be added by searching their physician directory. Right now, most of the colleagues I searched would need to be “invited” to athenaText (and presumably verified) before they can be messaged.

One key difference between athenaText and Doximity is that the former includes non-physicians. athenaText lets you invite others to join by email, phone number, and from your contact list entry.

So you could include social workers, case managers, and other members of the care team. That could make this platform more practical for, say, a small to medium size outpatient practice where you want to simplify communication among a multidisciplinary care team. In that way, it’s more like TigerText.


There are also a couple of particularly interesting features worth noting. First, it’s linked to Epocrates. So if I suggest starting atorvastatin in a message, tapping on the drug name in the message will automatically pull up the entry in Epocrates. You can also form groups within the app, another feature that could make the app useful for small to medium size clinics. It could also be useful if you have a group of colleagues that tend to curbside each other.

The app will include Apple Watch support, delivering notifications and message previews. It doesn’t appear to include the ability to dictate responses.


Right now, the app almost certainly doesn’t have enough users on board to make it useful if you’re trying to reach a colleague. And its user interface isn’t quite as friendly as TigerText. That said, the integration with Epocrates is an interesting, unique feature and this is an early version. Depending on where Athena and Epocrates take it from here, athenaText certainly has potential to become a really useful tool for improving communication in healthcare.


Kristin Waldby's curator insight, May 13, 2015 9:12 PM

With the popularity and convenience of the Internet, most major industries in the United States have adapted to integrating the Internet into their fields. In many cases it has increased productivity, simplified procedures, enhanced communication, and broken down geographical barriers. These are all true of how the healthcare industry has adapted to the Internet. Now, more than ever before, most healthcare practices keep protected health information (PHI) in an online medical record system, making it easier to look up and access. Doctors and other healthcare providers can communicate with one another through e-mail or video chat, enhancing communication. And now, with new technology, through an instant messaging application for smartphones and even the Apple Watch, called athenaText.

 

Potentially the most important part of the healthcare industry adopting the Internet as a communication tool is the need to keep protected health information safe, secure, and confidential. AthenaText is compliant with HIPAA regulations and is safe for health care providers to send protected health information, verbal and visual, to one another. The app remains a safe tool to use because it requires health care providers, social workers, and other case managers to register with the app and be approved before sending messages. They can only send messages to other approved individuals as well. Even with these precautions some may be concerned that a doctor's phone could be stolen, broken into, and that patient information could be vulnerable to exposure to the public. Another precaution athenaText takes is to require users to answer a series of questions when signing in to prove their identity to grant access to the application. These precautions along with HIPAA compliance are essential when using the Internet to communicate protected health information.

 

So what are the benefits of communicating through athenaText as opposed to email? How does this new technology enhance the work of healthcare providers? One feature of this application is that it allows users to create groups to communicate with. This may be particularly helpful for those working with patients with complicated or multiple illnesses and ailments. It provides for more collaborative care for patients and may prevent one doctor from contradicting another in a patient's care. It also allows for social workers, case workers, psychologists, and others who work in the care of patients to collaborate with doctors. This is particularly helpful in cases in which patients do not comply with all of a doctor's orders and social workers, case workers, and psychologists can explain why that may be from their experience with the patient, and help the doctor to come up with harm reduction strategies or alternative treatments.

 

A unique feature of athenaText is that it works with the Apple Watch. When healthcare providers are away from their smartphones, but are wearing the watch, they can receive notifications and see previews of the messages they are receiving. If there is a time-sensitive case this may be helpful in alerting doctors of new information that they can check on through their phone. Currently the app does not allow for healthcare providers to give a response through the Apple Watch, but as this new app is updated, I'm confident it will allow for response through the Apple Watch in the future, allowing healthcare providers yet another way to make their work more efficient and to benefit patients.

 


Health system sees 7th HIPAA data breach

Health system sees 7th HIPAA data breach | HIPAA Compliance for Medical Practices | Scoop.it

How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinical data were compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in less than five years.

It wasn't until March 12, 2015, that officials said they discovered which patients were impacted by the breach, which involved the compromise of an employee's network username and password.

"St. Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter.

According to data from the Office for Civil Rights, which keeps track of HIPAA breaches involving 500 people or more, St. Vincent health system has been a repeat HIPAA offender. Its most recent breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patient letters to the wrong patients.

The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients.


Why Understanding HIPAA Rules Will Help With ONC Certification

Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.


Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.


ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.


The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”


One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.


“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”


Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations options, he added.


“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”


That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.


However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.


“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”


Avoid this little-known but costly HIPAA trap

Healthcare providers who call patients or send automated calls or text messages may be running afoul of federal law.


The law in question, the Telephone Consumer Protection Act (TCPA), was enacted in the 1990s to protect consumers against unwanted automated calls sent to residences or cellphones. The Federal Communications Commission recently established an exemption for healthcare messages that are regulated through HIPAA.


The problem? According to Christine Reilly, co-chair of the TCPA Compliance and Class Action Defense group at the law firm of Manatt, Phelps & Phillips, HIPAA doesn't specifically define a "healthcare message."


"There really is not a lot there about those requirements," she told mHealth News. "It is not exactly a model of clarity."


The TCPA, Reilly says, was designed primarily to eliminate unwanted solicitations, and gave birth to the more-well-known Do Not Call Registry in 2003. But how does that translate to a healthcare message that may or may not be selling the provider's services – such as reminders for screenings or appointments, prescription refills and general health and wellness information?


"Those are a little bit more hybrid," Reilly said. "TCPA might consider it marketing, but with a healthcare message it likely falls under HIPAA."

Healthcare providers risk falling into the "TCPA trap," Reilly says, if they enable these types of messages without examining the legal implications. And those are costly – fines of between $500 and $1,500 per message.


Reilly, who will be presenting a webinar on July 30 on the TCPA, suggests healthcare providers check with legal counsel on whether their messaging protocols conform to TCPA or fall under HIPAA.

"Providers want to know what, in fact, qualifies as a healthcare message and what qualifies as an exemption," Reilly says. "A lot of the questions we're getting are about how this works in practical terms."

Gerard Dab's curator insight, July 16, 2015 8:03 PM

Technology still meets resistance!

Hospital Slammed With $218,000 HIPAA Fine

Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.


Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.


The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."
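As an added illustration of the kind of technical safeguard Greene describes (keeping PHI off unauthorized file-sharing services) and of Holtzman's point that a vendor handling PHI should be covered by a business associate agreement, the script below is example code written for this page; it is not from OCR, the medical center, or the quoted experts. It scans constructed web-proxy log lines and flags large uploads to external hosts that are not on the list of vendors with a signed BAA. The log format, the host names, the internal domain suffix, and the size threshold are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Vendors that hold a signed business associate agreement (BAA).
# Constructed placeholder host; a real deployment would load this list
# from the organization's vendor-management inventory.
APPROVED_SHARING_HOSTS = {"share.approved-vendor.example"}

# Consumer document-sharing services the policy does not permit for PHI.
# Constructed placeholder hosts, not real services.
UNSANCTIONED_SHARING_HOSTS = {
    "files.consumer-share.example",
    "upload.freedrop.example",
}

# Hosts under the organization's own domain are internal systems, not egress.
INTERNAL_SUFFIX = ".hospital.example"  # assumed internal domain

# Request bodies at or above this size are treated as uploads rather than
# ordinary browsing or small form posts (assumed threshold).
UPLOAD_BYTES_THRESHOLD = 100_000

# Assumed proxy log format:
#   "<ts> <user> <method> <host> <path> <req_bytes> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<req_bytes>\d+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    req_bytes: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    rec["host"] = rec["host"].lower()
    return rec


def classify(rec: dict) -> Optional[str]:
    """Return a policy-violation reason for an upload, or None if allowed."""
    if rec["method"] not in ("POST", "PUT"):
        return None  # downloads and browsing are out of scope here
    if rec["req_bytes"] < UPLOAD_BYTES_THRESHOLD:
        return None  # small requests are not treated as document uploads
    host = rec["host"]
    if host.endswith(INTERNAL_SUFFIX) or host in APPROVED_SHARING_HOSTS:
        return None  # internal system or BAA-covered vendor
    if host in UNSANCTIONED_SHARING_HOSTS:
        return "upload to unsanctioned file-sharing service"
    return "large upload to external host with no BAA on record"


def scan(lines: List[str]) -> List[Finding]:
    """Run the policy over log lines and collect findings for review."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["user"], rec["host"],
                                    rec["req_bytes"], reason))
    return findings


# Constructed sample log lines covering each branch of the policy.
SAMPLE_LOG = [
    "2015-06-01T09:12:03Z jdoe GET files.consumer-share.example /home 512 200",
    "2015-06-01T09:13:41Z jdoe POST files.consumer-share.example /upload 2457600 201",
    "2015-06-01T09:20:00Z asmith PUT share.approved-vendor.example /docs/x 3000000 200",
    "2015-06-01T09:25:10Z asmith POST ehr.hospital.example /api/notes 400000 200",
    "2015-06-01T09:30:55Z bwong POST upload.freedrop.example /api/put 90000 200",
    "2015-06-01T09:45:00Z cli POST unknown-host.example /submit 500000 200",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user} -> {f.host} ({f.req_bytes} bytes): {f.reason}")
```

Run against the constructed sample, the scan produces two findings: the large POST to the unsanctioned consumer service and the large POST to a host with no BAA on record; the GET, the upload to the approved vendor, the internal EHR post, and the small request are all left alone. The point of the two separate reasons is that a known-bad host can be blocked outright, while an unknown external host is a prompt for the vendor-management review Holtzman describes.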

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacy for an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.

243 arrested in 10 states for healthcare fraud, false claims, kickbacks, medical ID theft
The Medicare Fraud Strike Force swept through 10 states and arrested 243 people—46 of them physicians, nurses, and other licensed medical professionals—for allegedly defrauding the government out of $712 million in false Medicare and Medicaid billings, federal officials announced June 18. In addition to targeting instances of false claims and kickbacks, the strike force also uncovered evidence of medical identity theft.
Among the defendants is Mariamma Viju of Garland, Texas, an RN and the co-owner and nursing director for Dallas Home Health, Inc. A federal indictment accuses Viju and a co-conspirator of stealing patient information from Dallas-area hospitals in order to then solicit those patients for her business, as well as submitting false Medicare and Medicaid claims, and paying out cash kickbacks to beneficiaries.
In total, the scheme netted Viju $2.5 million in fraudulently obtained payments between 2008 and 2013. She was arrested June 16 and charged with one count of conspiracy to commit healthcare fraud, five counts of healthcare fraud, and one count of wrongful disclosure of individually identifiable health information.
The indictment says Viju allegedly took patient information from Baylor University Medical Center at Dallas, where she worked as a nurse until she was fired in 2012. Dallas Home Health then billed Medicare and Texas Medicaid for home health services on behalf of beneficiaries who were not homebound or otherwise eligible for covered home health services.
Viju also allegedly falsified and exaggerated patients’ health conditions to increase the amounts billed to Medicare and Medicaid, and thereby boost payments to Dallas Home Health. The indictment says she paid kickbacks to Medicare beneficiaries as well to recruit and retain them as patients of Dallas Home Health.
Viju’s co-conspirator—a co-owner of Dallas Home Health—wasn’t named in the indictment, but in a news release from the U.S. Attorney’s Office for the Northern District of Texas, that person was identified as her husband Viju Mathew. He’s a former registration specialist at Parkland Hospital in Dallas and pleaded guilty in November 2014 to one count of fraud and related activity in connection with identity theft.
Prosecutors say he used his position to obtain PHI, including names, phone numbers, birthdates, Medicare information, and government-issued health insurance claim numbers, so he could use it to contact prospective patients for his home health care business. He is due to be sentenced in August 2015.
In another case in Maryland, Harry Crawford—owner of RX Resources and Solutions—and two of his employees—Elma Myles and Matthew Hightower—are all charged with aggravated identity theft in addition to healthcare fraud and conspiracy to commit healthcare fraud.
An indictment from a federal grand jury accuses Crawford, Myles, and Hightower of fraudulently using actual names, addresses, and unique insurance identification numbers of numerous Medicaid beneficiaries to submit fraudulent claims totaling approximately $900,000 between 2010 and 2014.
The alleged scheme used Crawford’s durable medical equipment and disposable medical supply company to bill insurers for equipment and supplies that were never provided to beneficiaries, bill for amounts far in excess of the services delivered, and bill for supplies that weren’t needed and were never prescribed by a physician.
These are just two examples of the criminal fraud uncovered by the strike force.
In other cases, defendants face similar fraud and conspiracy charges for fraudulent billing schemes as well as charges for cash kickbacks, and money laundering, according to the Department of Justice (DOJ). The DOJ says more than 40 defendants are accused of defrauding the Medicare prescription drug program.
This was the largest coordinated takedown, in terms of defendants and money, in the history of the Medicare Fraud Strike Force, according to the DOJ. CMS also suspended licenses for several healthcare providers with authority granted to the agency under the Affordable Care Act.
Four Common HIPAA Misconceptions

While practices must work hard to comply with HIPAA, some are taking HIPAA compliance efforts a bit too far. That's according to risk management experts, who say there are some common compliance misconceptions that are costing practices unnecessary time and resources.

Here's what they say many practices are avoiding that they don't necessarily need to avoid, and some extra steps they say practices are taking that they don't necessarily need to take.


1. Avoiding leaving phone messages


While it's true that a phone message from your practice to a patient could be overheard by the wrong party, phone messages that contain protected health information (PHI) don't need to be strictly off limits at your practice, says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "Many offices adopt a blanket policy of, well, 'We can't leave you any phone messages because HIPAA says we can't,' and, that's really not true," he says. "You can always get consent from a patient on how they want to be communicated with."


Hook recommends asking all of your patients to sign a form indicating in what manner you are permitted to communicate with them, such as by mail, e-mail, text, and phone message. "If the patient says, 'Yes, you can call and leave me phone messages at this phone number I'm giving you,' then it's not a HIPAA violation to use that method of communication," he says.


2. Avoiding discussing PHI


It's important to safeguard PHI as much as possible, but some practices are taking unnecessary precautions, says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC.


"I think there's still a fear among small providers ... that they can't discuss protected health information anywhere in the [practice]," she says. "They feel that they have to almost build soundproof walls and put up bulletproof glass or soundproof glass to prevent any sort of disclosure of protected health information, and that's not what HIPAA requires at all. HIPAA allows for incidental disclosures, [which] are disclosures that happen [incidentally] around your job. So if you've got a nurse and a doctor talking, maybe at the nurses' station, and someone overhears that Mr. Smith has blood work today, that probably wouldn't be a violation because it's incidental to the job. Where else are the doctors and nurses going to talk?"


As long as you are applying "reasonable and appropriate" safeguards, Caswell says you should be in the clear.


3. Requiring unnecessary business associate agreements


HIPAA requires practices to have written agreements, often referred to as business associate agreements (BAAs), with other entities that receive or work with their PHI. Essentially, the agreements state that the business associates will appropriately safeguard the PHI they receive or create on behalf of the practice.


Still, some practices take unnecessary precautions when it comes to BAAs, says Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association. "A lot of practices are very concerned about people like janitorial services [and] plant maintenance folks, and they have them sign business associate agreements, but those folks are not business associates for the most part," says Tennant. "You may want to have them sign confidentiality agreements basically saying, 'If you do come across any information of a medical nature, protected health information, you are not permitted to look at it, copy it, keep it ...,' But, you do not need to sign a business associate agreement with anybody other than those folks that you actually give PHI to for a specific reason, like if you've got a law office or accounting office or a shredding company that is coming in to pick up PHI to destroy it."


4. Requiring unnecessary patient authorizations


While it's critical to comply with HIPAA's requirement that only those who have a valid reason to access a patient's medical record, such as treatment purposes, payment purposes, or healthcare operations, have access to it — some practices are misconstruing that rule, says Tennant. "They demand patient authorization before they transfer data to another provider for treatment purposes," he says. "I understand why they do it, but it's one of those things that … can cause delays and confusion, and even some acrimony between the patient and the provider. If it's for treatment purposes specifically, you do not need a patient authorization."

Unencrypted Laptop Leads To US HealthWorks Data Breach

U.S. HealthWorks, a California-based health care service provider specializing in urgent care and occupational medicine, recently alerted employees to a data breach after a password protected (but unencrypted) laptop was stolen in April.


According to its website, the company operates over 200 locations in 20 states and has 3,600 employees, but it was unclear in the notification of the breach exactly how many people may be affected.


The letter explains how an internal investigation began shortly after the company was notified on April 22, 2015, that a laptop issued to an employee was stolen from their vehicle overnight.


“On May 5, 2015, we determined that the employee’s laptop was password protected, but it was not encrypted. After conducting a thorough review, we determined that the laptop may have contained files that included your name, address, date of birth, job title, and Social Security number. Although we continue to work with law enforcement, at this time, the computer has not been located,” U.S. HealthWorks said in its notice letter to employees.


The company did not confirm whether any personal information has been accessed or used inappropriately, but it said it will offer employees free enrollment in identity protection services for one year as a precautionary measure. U.S. HealthWorks reported efforts to ensure compliance to its laptop encryption policy going forward, including an enhancement to deployment procedures for laptops and full disk encryption.


With the number of security breaches on the rise, the importance of organizations controlling and protecting data is critical.

“If you have laptops in your enterprise environment, and let’s face it who doesn’t, you need to address this issue. In this day and age there really isn’t a good reason to not encrypt the hard drives on your laptops,” wrote Forbes contributor Dave Lewis in a post Monday (June 1).


While the scope and effects of this particular breach are unclear, U.S. HealthWorks does not need to look far to see that data breaches can wreak havoc. Anthem Inc., Target, Home Depot and many others have learned the hard way about the ongoing financial impacts associated with data breaches. A recent study by Ponemon Institute found that the average cost of a data breach is now more than $3.8 million, a 23 percent increase from the levels seen two years ago.

Beacon Health Is Latest Hacker Victim

Yet another large hacker attack has been revealed in the healthcare sector. But unlike three recent cyber-attacks, which targeted health insurers, this latest breach, which affected nearly a quarter-million individuals, involved a healthcare provider organization.


South Bend, Ind.-based Beacon Health System recently began notifying 220,000 patients that their protected health information was exposed as a result of phishing attacks on some employees that started in November 2013, leading to hackers accessing "email boxes" that contained patient data.


The Beacon Health incident is a reminder that healthcare organizations should step up staff training about phishing threats as well as consider adopting multi-factor authentication, shifting to encrypted email and avoiding the use of email to share PHI.

"Email - or at least any confidential email - going outside the organization's local network should be encrypted. And increasingly, healthcare organizations are doing just that," says security and privacy expert Kate Borten.


Unfortunately, in cases where phishing attacks fool employees into giving up their email logon credentials, encryption is moot, she says. "Although encryption is an essential protection when PHI is sent over public networks, and stored somewhere other than within IT control, it is only one of many, many security controls. There's no silver bullet."

At the University of Vermont Medical Center, which has seen an uptick in phishing scams in recent months, the organization has taken a number of steps to bolster security, including implementing two-factor authentication "for anything facing the Web, because that can pretty much render phishing attacks that are designed to steal credentials useless," says CISO Heather Roszkowski.

The Latest Hacker Attack

On March 26, Beacon Health's forensic team discovered the unauthorized access to the employees' email accounts while investigating a cyber-attack. On May 1, the team determined that the affected email accounts contained PHI. The last unauthorized access to any employee email account was on Jan. 26, the health system says.


"While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes," Beacon Health says in a statement posted on its website. "The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information."


The provider organization says it has reported the incident to the U.S. Department of Health and Human Services, various state regulators, and the FBI.

Hospital Patients Affected

A Beacon Health spokeswoman tells Information Security Media Group that the majority of those affected by the breach were patients of Memorial Hospital of South Bend or Elkhart General Hospital, which combined have more than 1,000 beds. The two facilities merged in 2012 to form the health system. Individuals who became patients of Beacon Health after Jan. 26 were not affected by the breach, she says.


The breach investigation is being conducted by the organization's own forensics team, the spokeswoman says.

Affected individuals are being offered one year of identity and credit monitoring.


The news about similar hacker attacks earlier this year that targeted health insurers Anthem Inc. and Premera Blue Cross prompted Beacon's forensics investigation team to "closely review" the organization's systems after discovering it was the target of a cyber-attack, the Beacon spokeswoman says.


In the wake of the incident, the organization has been bolstering its security, including making employees better aware of "the sophisticated tactics that are used by attackers," she says. That includes instructing employees to change passwords and warning staff to be careful about the websites and email attachments they click on.

The Phishing Threat

Security experts say other healthcare entities are also vulnerable to phishing.


"The important takeaway is that criminals are using fake email messages - phishing - to trick recipients into clicking links taking them to fake websites where they are prompted to provide their computer account information," says Keith Fricke, principal consultant at consulting firm tw-Security. "Consequently, the fake website captures those credentials for intended unauthorized use. Or they are tricked into opening attachments of these fake emails and the attachment infects their computer with a virus that steals their login credentials."

As for having PHI in email, that's something that, while common, is not recommended, Fricke notes. "Generally speaking, most employees of healthcare organizations do not have PHI in email. In fact, many healthcare organizations do not provide an email account to all of their clinical staff; usually managers and directors of clinical departments have email," he says. "However, for those workers that have a company-issued email account, some may choose to send and receive PHI depending on business process and business need."
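To make the mechanism Fricke describes concrete, here is an added example, written for this page and not taken from the article or from tw-Security: a small scanner that pulls every link out of an HTML message and flags the tricks a credential lure relies on, such as visible text naming the real webmail host while the href goes elsewhere, brand words inside an untrusted domain, IP-literal or user@host URLs, and homoglyph hostnames. The trusted domains, brand words and sample message are constructed for the example.

```python
"""
Flag credential-phishing links in an HTML email body.

Added example; not code from the article or from tw-Security. Implements the
checks a mail gateway or an analyst triaging a reported message applies to a
link whose visible text promises one site while its href leads to another.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical: the organization's own domains and words a lure would borrow.
TRUSTED_DOMAINS = {"beaconhealthsystem.org", "example-hospital.org"}
BRAND_WORDS = ("beacon", "webmail", "outlook", "office365", "login")


def registrable_domain(host: str) -> str:
    """Last two labels. Sufficient for .org/.com; a real deployment would use the
    Public Suffix List so that e.g. example.co.uk is handled (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def analyze_link(href: str, text: str) -> list:
    """Return the reasons a link looks like a credential lure (empty list = clean)."""
    reasons = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ["non-web or malformed URL"]
    if parts.username is not None:
        reasons.append("userinfo before host (user@host trick)")
    if is_ip_literal(host):
        reasons.append("IP-literal host")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII or punycode host (possible homoglyph of a brand)")
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        if any(w in host for w in BRAND_WORDS):
            reasons.append(f"brand word in untrusted host {host}")
        # Visible text that names a domain while the href goes somewhere else.
        m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != reg:
            reasons.append(f"text shows {m.group(1)} but href goes to {host}")
    if parts.scheme == "http" and re.search(r"login|signin|password|verify", href, re.I):
        reasons.append("credential-related page served over plain HTTP")
    return reasons


def scan_email_html(body: str) -> list:
    parser = _LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        reasons = analyze_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed lure in the style the article describes (mailbox quota / sign-in).
SAMPLE_EMAIL = """
<p>Your mailbox is over quota. <a href="https://webmail.beaconhealthsystem.org/owa">Sign in</a> to keep service.</p>
<p>Or use <a href="http://beaconhealthsystem.org.login-verify.example.net/owa">https://webmail.beaconhealthsystem.org/owa</a></p>
<p><a href="https://secure-login@192.0.2.10/reset">Reset password</a></p>
<p><a href="https://b\u0435acon-health.org/portal">Beacon portal</a></p>
"""

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The first link in the sample is legitimate and produces no findings; the other three are flagged for different reasons, which is the point: a lure rarely fails only one test, so stacking cheap checks catches it even when any single one could be evaded.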

Recent Hacker Attacks

As of May 28, the Beacon Health incident was not yet posted on the HHS Office for Civil Rights' "wall of shame" of health data breaches affecting 500 or more individuals.


OCR did not immediately respond to an ISMG request to comment on the recent string of hacker attacks in the healthcare sector.

Other recent hacker attacks, which targeted health insurers, include:


  • An attack on Anthem Inc., which affected 78.8 million individuals, and is the largest breach listed on OCR's tally.
  • A cyber-assault on Premera Blue Cross announced on March 17, that resulted in a breach affecting 11 million individuals.
  • An "unauthorized intrusion" on a CareFirst BlueCross BlueShield database disclosed on May 20. The Baltimore-based insurer says the attack dated back to June 2014, but wasn't discovered until April 2015. The incident resulted in a breach affecting 1.1 million individuals.


But the recent attack on Beacon Health is yet another important reminder to healthcare provider organizations that it's not just insurers that are targets. Last year, a hacking assault on healthcare provider Community Health Systems affected 4.5 million individuals.

Smaller hacker attacks have also been disclosed recently by other healthcare providers, including Partners HealthCare. And a number of other healthcare organizations in recent months have also reported breaches involving phishing attacks. That includes a breach affecting nearly 760 patients at St. Vincent Medical Group.


"Healthcare provider organizations are also big targets - [they have] more complex environments, and so have more vulnerabilities that the hackers can exploit," says security and privacy expert Rebecca Herold, CEO of The Privacy Professor. "Another contributing factor is insufficient funding for security within most healthcare organizations, resulting in insufficient safeguards for PHI in all locations where it can be stored and accessed."

Delayed Detection

A delay in detecting hacker attacks seems to be a common theme in the healthcare sector. Security experts say several factors contribute to the delayed detection.


"Attacks that compromise an organization's network and systems are harder to detect these days for a few reasons," says Fricke, the consultant. "Criminals wait longer periods of time before taking action once they successfully penetrate an organization's security defenses. In addition, the attack trend is to compromise the accounts of legitimate users rather than gaining unauthorized access to a system via a brute force attack."


When criminals access a system with an authorized account, it's more difficult to detect the intrusion, Fricke notes. "Network security devices and computer systems generate huge volumes of audit log events daily. Proactively searching for indicators of compromise in that volume of log information challenges all organizations today."
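Fricke's point about valid credentials and log volume suggests what a hunt has to look for instead of failed logins. The following is an added example for this page, not code from the article or from tw-Security: it reads constructed mailbox sign-in and audit lines, learns which source networks each account normally uses, and reports successful logins from a never-seen network, two logins from different countries within a few hours, and a mailbox-rule change shortly after such a login. The log format, addresses and geo tags are invented for the example; real logs need their own parser and a geo/ASN enrichment step.

```python
"""
Hunt for compromised mailbox accounts in sign-in and mailbox audit logs.

Added example; not code from the article or from tw-Security. Because the
attackers described log in with valid stolen credentials, counting failed
logins finds nothing. These rules look at what a successful login does and
where it comes from. Log format, addresses and geo tags are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)\s+src=(?P<src>\S+)"
    r"\s+geo=(?P<geo>\S+)\s+op=(?P<op>\S+)$"
)


def parse(lines):
    """Parse lines into dicts, drop unparseable ones, and sort by time."""
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # a malformed line should not abort the whole hunt
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        # Bucket by /24 so a DHCP lease change does not look like a new network.
        e["net"] = str(ipaddress.ip_network(e["src"] + "/24", strict=False))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def baseline_networks(events, until):
    """Networks each user logged in from successfully before `until` (learning period)."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < until and e["result"] == "success" and e["op"] == "MailboxLogin":
            seen[e["user"]].add(e["net"])
    return seen


def hunt(lines, baseline_until, travel_window=timedelta(hours=6),
         rule_window=timedelta(hours=24)):
    """Return (time, user, reason) findings for events at or after baseline_until."""
    events = parse(lines)
    seen = baseline_networks(events, baseline_until)
    last_login, suspicious_since, findings = {}, {}, []
    for e in events:
        if e["ts"] < baseline_until:
            continue
        u = e["user"]
        if e["op"] == "MailboxLogin" and e["result"] == "success":
            if e["net"] not in seen[u]:
                findings.append((e["ts"], u, f"login from new network {e['net']} ({e['geo']})"))
                suspicious_since[u] = e["ts"]
                seen[u].add(e["net"])  # report each new network once, not per login
            prev = last_login.get(u)
            if (prev and prev["geo"] != e["geo"] and prev["net"] != e["net"]
                    and e["ts"] - prev["ts"] <= travel_window):
                findings.append((e["ts"], u, f"{prev['geo']} then {e['geo']} within {e['ts'] - prev['ts']}"))
                suspicious_since[u] = e["ts"]
            last_login[u] = e
        elif (e["op"] in ("New-InboxRule", "Set-InboxRule") and u in suspicious_since
                and e["ts"] - suspicious_since[u] <= rule_window):
            findings.append((e["ts"], u, f"{e['op']} {e['ts'] - suspicious_since[u]} after suspicious login"))
    return findings


# Constructed sample: two weeks of normal use, then one account used from abroad.
SAMPLE_LOG = """
2015-01-10T08:02:11Z user=jdoe result=success src=198.51.100.23 geo=US op=MailboxLogin
2015-01-12T08:05:40Z user=jdoe result=success src=198.51.100.31 geo=US op=MailboxLogin
2015-01-13T17:45:02Z user=asmith result=success src=198.51.100.77 geo=US op=MailboxLogin
2015-01-20T08:01:09Z user=jdoe result=success src=198.51.100.40 geo=US op=MailboxLogin
2015-01-20T03:14:52Z user=jdoe result=success src=203.0.113.45 geo=RU op=MailboxLogin
2015-01-20T03:16:10Z user=jdoe result=success src=203.0.113.45 geo=RU op=New-InboxRule
2015-01-21T09:00:00Z user=asmith result=success src=198.51.100.77 geo=US op=MailboxLogin
2015-01-21T09:30:00Z user=bogus this line is malformed
2015-01-22T11:00:00Z user=asmith result=failure src=192.0.2.9 geo=BR op=MailboxLogin
"""
BASELINE_UNTIL = datetime(2015, 1, 15)  # everything before this trains the baseline


def demo():
    return hunt(SAMPLE_LOG.strip().splitlines(), BASELINE_UNTIL)


if __name__ == "__main__":
    for ts, user, reason in demo():
        print(ts.isoformat(), user, reason)
```

Every event in the sample is a successful authentication, so a failed-login alert never fires; the three findings all concern one account and come from where the session originated and what it did next. The failed attempt against asmith from Brazil is deliberately ignored to show that the rules do not depend on failures.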

As organizations step up their security efforts in the wake of other healthcare breaches, it's likely more incidents will be discovered and revealed, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"The challenge that many healthcare entities face is that oftentimes, the better they do at information security, the more likely it is they find potential problems. Implementing new information security tools sometimes can detect problems that may be years old," he says. "But the alternative - keeping your head in the sand - can lead to far worse results for patients and the organization."


However, as more of these delayed-detection incidents are discovered, "regulators and plaintiffs may question why any particular security issue was not identified and corrected earlier," he warns.

Accordingly, organizations should consider if there were reasonable issues that led to any delays in identifying or correcting any security lapses and maintain any related documentation supporting the cause of any delays, he suggests.


"Hindsight is 20-20, and it is always easy for regulators to question why more wasn't done sooner, and it could be challenging for the organization if it is asked to justify why it spent resources on other projects," Greene says.


Doctors Going the Distance (In Education)

We need more doctors.


Between older care providers retiring and the aging of the Baby Boomers, we are running into a massive demographic of more, older patients, living longer and managing more chronic conditions. This puts incredible pressure not just on the remaining doctors and nurses to make up the gap, but also strains the capacity of schools to recruit, train, and produce competent medical professionals.


So how can schools do more to reach students and empower them to enter the healthcare field?


The increasing popularity of online programs (particularly at the master's level, among working professionals looking for a boost to their career advancement) has called forth a litany of studies and commentaries questioning everything from their technology to their academics, compared to traditional, on-campus programs. More productive would be questioning the structure and measuring the outcomes of degree programs in general, rather than judging the value of a new delivery mechanism against an alternative more rooted in tradition than science.


In terms of sheer practicality, though, a distance education—yes, even for doctors and surgeons—makes a certain amount of sense. One of the hottest topics in the medical community right now is Electronic Health Records (EHRs) and the ongoing struggle to fully implement and realize the utility of such technology.


Rolling out in October 2015 is the sidecar to the EHR vehicle: ICD-10, the international medical coding standard that the U.S. has long postponed adopting. While the digital nature of modern records platforms at least makes ICD-10 viable, it still represents a steep learning curve for current care providers.


Then there is the intriguing promise of pharmacogenetics, whereby medication is developed, tested, and prescribed, all on the basis of a patient’s individual genetic profile. Combined with an EHR and a personal genetic profile, a patient could be observed, screened, diagnosed, referred to a pharmacist, and able to order and receive a prescription, all without leaving home. Taking into consideration the growing need for medication therapy management—driven by the Baby Boomers living longer with more conditions under care—the value of such a high-tech system is clear.


This draws on what is perhaps the most lucrative (in terms of health outcomes and large-scale care delivery) set of possibilities enabled by the shift to digital: telemedicine. From consultations to check-ups, telehealth in the digital age no longer necessitates sacrificing face-to-face interaction; streaming video chat means patients and doctors can still look one another in the eye, albeit through the aid of cameras.


Proponents of the technology take it further, predicting that world-class surgeons will no longer be anchored to a single facility: human-guided robotic surgery (telesurgery) will bring expertise to even the most remote locations.


If industry leaders anticipate so much being done remotely, why then are others squeamish about delivering an education online? It would seem that the medical skillset of the future requires greater comfort and competence in dealing with virtual settings, online interaction, and digital record-keeping.


The problem many have is not with online med school in particular so much as online degree programs in general. How can a virtual setting possibly hope to compete with the unique, collaborative, community-oriented environment of the college campus—whatever the area of study?


Forward-thinking professors like Sharon Stoerger at Rutgers have pioneered at least one possible answer to this question. Adopting the online immersive social platform known as Second Life, Stoerger and her like-minded peers have constructed virtual classrooms with accompanying courses, and successfully guided several cohorts (of students as well as instructors) through the experience.


For the aspects of learning that simply require hands-on practice, of course, there are limits to the promise of such virtual environments. Then again, synthetic patient models, known as Human Patient Simulators (HPS), are already proving their merits as an efficient, effective way to let students gain practical experience in a controlled environment. While Ohio University instructors have pioneered the use of HPS in the school's nursing programs, advancing technology continues to push the functional limits of such systems.


In order to realize the potential of modern delivery of patient care, we first need to realize the potential of modern instructional delivery. The technology is already showing that the real limits of online learning are not practical considerations; they are attitudes and assumptions about what learning ought to look like.



Shocks and surprises in new breach trend studies

Since 2010, HHS has documented more than 1,000 major data breaches (each involving the protected health information of 500 or more individuals, the threshold for public posting). Now we’re starting to see some in-depth analyses of those breaches.


In the new issue of the Journal of the American Medical Association (JAMA), there’s a study that concludes that 29 million medical records were compromised between 2010 and 2013.

The JAMA study also found that six of the breaches involved at least one million records each – and more than one third of all breaches occurred in just five states: California, Texas, Florida, New York and Illinois.


The study was accompanied by an earnest editorial subtitled “The Importance of Good Data Hygiene.” The authors called for a total overhaul of HIPAA, which they described as “antiquated and inadequate.” They noted that HIPAA doesn’t adequately regulate the use of Protected Health Information (PHI) by “digital behemoths” like Apple, Google, Facebook and Twitter.


In addition to the JAMA report, our company did an extensive analysis of 2014 data breach trends. We thoroughly documented 89 of those breaches, excluding the huge Community Health Systems breach so it wouldn’t skew the other data. Here are the most important trends we spotted:

Non-digital breaches still a problem

In the 89 incidents, paper breaches accounted for 9 percent of compromised records in the first half of 2014 – and 31 percent in the second half. Nearly 200,000 paper records were compromised, plus about 60,000 pieces of individually identifiable health information ranging from lab specimens to x-rays. Obviously, it’s still vitally important to safeguard the confidentiality of non-digital health records. Organizations must clarify and enforce policies and procedures to achieve that goal.

Theft of portables still a concern

We confirmed the loss or theft of 12 portable computing devices last year – and the lack of appropriate physical safeguards was a major contributing factor. In addition to taking greater common-sense precautions, organizations should use whole-disk encryption and other technical safeguards to render PHI unusable, unreadable or indecipherable to unauthorized people. Policies and procedures for portable device security need to be clearly communicated to all employees – and workforce training needs to involve much more than a dry online tutorial.

Watch out for rogue employees and business associates

We uncovered 45 incidents involving company insiders that resulted in the compromise of nearly half a million records. In other words, about half of all the data breaches were the result of mistakes or malice by an organization’s own people. It’s impossible to prevent every workforce-related breach, but everyone in the organization needs to be on the lookout for unusual activities that could spell trouble. All employees and BAs need to know that the hammer will come down – swiftly and consistently – on insiders who intentionally compromise patient data.

No organization should shout “hooray” simply for avoiding an Anthem-scale breach. There are many other incidents – improper disposal of paper records, misplaced x-rays, employee snooping, and more – that can still do a lot of financial and reputational damage. Those are the types of breaches that even a HIPAA tech-fix can’t solve.

These breach trend summaries agree on one main point: healthcare organizations need to constantly assess the maturity of their information risk management programs – and not view them as a narrowly defined “HIPAA compliance” duty.



Criminal Attacks on Health Data Rising

Criminal attacks in the healthcare sector - including those involving hackers and malicious insiders - have more than doubled in the last five years, according to a new study.


The "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data" by the research firm Ponemon Institute concludes that criminal attacks in healthcare are up 125 percent since 2010. Cybercriminal incidents involving external and internal actors were the leading cause of data breaches over the past two years, the study shows. In previous studies, lost or stolen computing devices had consistently been the top breach culprit.


"The root cause for health data breaches had been mistakes and incompetency, but now criminal attacks are number one," Larry Ponemon, founder and chairman of the Ponemon Institute, tells Information Security Media Group. "Year to year, it's getting worse. We've seen it in large-scale incidents like Anthem," which in February revealed a hacker attack that compromised protected health information of 78.8 million individuals, he notes.


"A lot of organizations are easy targets," he says. "The combination of highly valuable information and easy access makes the sector a huge target."


Ponemon's research, conducted in February and March, generated responses from 90 healthcare organizations and, for the first time this year, 88 business associates. Under the HIPAA Omnibus Rule that went into effect in 2013, business associates and their subcontractors are directly liable for HIPAA compliance.

Hacking Trends

In recent months, the Department of Health and Human Services' "wall of shame" website tracking health data breaches affecting 500 or more individuals has shown a growing number of hacking incidents of various sizes - far more than in previous years. And the Anthem breach alone represents nearly 60 percent of the 133.2 million breach victims listed on the tally since September 2009, when the HIPAA breach notification rule went into effect.


Among the latest hacking breaches added to the wall of shame was an incident reported to HHS on May 1 by Partners HealthCare System, which operates several large hospitals in Boston.


"Unfortunately, the rise in both hacker attacks and criminal activities involving malicious insiders comes as no surprise," says Dan Berger, CEO of the consultancy Redspin, which was recently acquired by Auxilio. "A few years ago, I remember many people being surprised at how few hacker attacks there were in healthcare. We warned our clients of the 'risk of complacency' in this regard."


With more electronic health records than ever before, there's a growing awareness of their "exploitation value," Berger says. "At the same time, healthcare spending on IT security continues to lag almost all other industries. So with a greater amount of valuable data behind lower than average defenses, it should not be a surprise that PHI has become a favorite target of hackers. It is basic economics."


Hackers are the No. 1 "emerging" cyberthreat that healthcare entities are worried about this year, according to the 2015 Healthcare Information Security Today survey of 200 security and privacy leaders at healthcare organizations, which was conducted in December 2014 and January 2015 by ISMG. Coming in at a close second as the biggest "emerging threat" is business associates taking inadequate security precautions with PHI; that's also the top threat respondents are worried about "today." Complete results of that survey, and a webinar analyzing the results, will be available soon.


The Ponemon study found that nearly 45 percent of data breaches in healthcare are a result of criminal activity. However, the researchers found that criminal-based security incidents, such as malware or distributed denial-of-service attacks, don't necessarily result in breaches reportable under HIPAA. In fact, 78 percent of healthcare organizations and 82 percent of business associates had Web-borne malware attacks.

Breach Costs

Based on its study, the Ponemon Institute estimates that the average cost of a data breach for healthcare organizations is more than $2.1 million, while the average cost of a data breach to business associates is more than $1 million.


Rick Kam, U.S. president and co-founder of security software vendor ID Experts, which sponsored the Ponemon study, tells ISMG that stolen healthcare information is currently valued at about $60 to $70 per record by ID theft criminals, while the current value of credit card information is about 50 cents to $1 per record.


"We see recognition of medical ID theft being a problem, but we don't see many healthcare providers stepping up" in addressing the issue, he says. The Ponemon study found that nearly two-thirds of healthcare organizations and business associates do not offer any medical identity theft protection services for patients whose information has been breached.


The Ponemon study found that the information most often stolen in these targeted healthcare sector attacks includes medical files and billing and insurance records.


Privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, offers a dire prediction: "I believe we will continue to see the number of reported breaches rise, despite stronger efforts to protect data. Personally identifiable health data continues to have high street value, leading to more attacks."


Scopidea's curator insight, June 22, 2015 3:03 AM

Many great points in this well-written article.


HIPAA audits to resume soon

Long-term care providers should get ready for the second round of HIPAA compliance audits this year, but the agency in charge of them is keeping mum about the exact date.

And while Health & Human Services' Office for Civil Rights (OCR) expects to single out only around 110 providers, long-term care facilities are being urged to begin preparations as soon as possible, Kelly McLendon, managing director of CompliancePro Solutions, said during a recent Health Care Compliance Association webinar. That includes performing security and risk analyses, updating privacy and security incident response plans and automating privacy and security investigation, tracking and management protocols, according to published reports.

The agency has not announced specifics yet, but the coming round of audits could focus heavily on HIPAA security and privacy risk management, breach notification and Notice of Privacy practices.

OCR was scheduled to do the audits last year but went idle because of funding problems. Providers are advised not to rely on audit protocols issued in 2012, the last time OCR performed audits, and watch for phase two protocols to be posted on the OCR website. Audits will likely begin about 90 days after posting, McLendon said.

The news will do little to help a Denver-area pharmacy that specializes in compounded medications for area hospice agencies, according to published reports. The business will have to pay $125,000 and take corrective measures after local media notified the OCR it allegedly disposed of unsecured documents in an unlocked, open container. The documents reportedly contained private health data on more than 1,600 patients.



Misplaced USB drive leads to county health department breach

The Denton County (Texas) Health Department began notifying tuberculosis (TB) clinic patients of a breach that occurred in February when a health department employee left a USB drive containing PHI at a printing store, according to a press release.


The USB drive contained the names, dates of birth, addresses, and test results of 874 patients seen at a TB clinic associated with the county health department. The employee left the USB drive unattended at the printing store for approximately one hour, according to the press release.


The department launched an internal investigation after the employee voluntarily reported the potential breach. The press release states that the department does not believe the records were accessed during the time the USB drive was left unattended. However, it is notifying affected patients by mail and recommending that they obtain a credit report and monitor financial statements.

