HIPAA Compliance for Medical Practices
83.7K views | +16 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

The UCLA Health System Data Breach: How Bad Could It Be…?

The UCLA Health System Data Breach: How Bad Could It Be…? | HIPAA Compliance for Medical Practices | Scoop.it

Just hours ago, a Los Angeles Times report broke the news that hackers had broken into the UCLA Health System, creating a data breach that may affect 4.5 million people. This may turn out to be one of the biggest breaches of its kind in a single patient care organization to date, in the U.S. healthcare system. And it follows by only a few months the enormous data breach at Anthem, one of the nation’s largest commercial health insurers, a breach that has potentially compromised the data of 4.5 million Americans.


The L.A. Times report, by Chad Terhune, noted that “The university said there was no evidence yet that patient data were taken, but it can't rule out that possibility while the investigation continues. And it quoted Dr. James Atkinson, interim president of the UCLA Hospital System, as saying “We take this attack on our systems extremely seriously. For patients that entrust us with their care, their privacy is our highest priority we deeply regret this has happened.”


But Terhune also was able to report a truly damning  fact. He writes, “The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.” And he quotes Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas, as saying, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.”


What’s startling is that the breach at the Indianapolis-based Anthem, revealed on Feb. 5, and which compromised the data of up to 80 million health plan members, shared two very important characteristics with the UCLA Health breach, so far as we know at this moment, hours after the UCLA breach. Both were created by hackers; and both involved unencrypted data. That’s right—according to the L.A. Times report, UCLA Health’s data was also unencrypted.


Unencrypted? Yes, really. And the reality is that, even though the majority of patient care organizations do not yet encrypt their core, identifiable, protected health information (PHI) within their electronic health records (EHRs) when not being clinically exchanged, this breach speaks to a transition that patient care organizations should consider making soon. That is particularly so in light of the Anthem case. Indeed, as I noted in a Feb. 9 blog on the subject, “[A]s presented in one of the class action lawsuits just recently filed against it,” the language of that suit “contains the seeds of what could evolve into a functional legal standard on what will be required for health plans—and providers—to avoid being hit with multi-million-dollar judgments in breach cases.”


As I further stated in that blog, “I think one of the key causes in the above complaint [lawsuits were filed against Anthem within a few days of the breach] is this one: ‘the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others.’ In other words, simply by signing up, or being signed up by their employers, with Anthem, for health insurance, health plan members are relying on Anthem to fully safeguard their data, and a significant data breach is essentially what is known in the law as a tort.”


Now, I am not a torts or personal injury lawyer, and I don’t even play one on TV. But I can see where, soon, the failure to encrypt core PHI within EHRs may soon become a legal liability.


Per that, just consider a March 20 op-ed column in The Washington Post by Andrea Peterson, with the quite-compelling headline, “2015 is already the year of the health-care hack—and it’s going to get worse.” In it, Peterson,  who, according to her authoring information at the close of the column, “covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government,” notes that “Last year, the fallout from a string of breaches at major retailers like Target and Home Depot had consumers on edge. But 2015 is shaping up to be the year consumers should be taking a closer look at who is guarding their health information.” Indeed, she notes, “Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post.” Well, at this point, that figure would now be about 124.5 million, if the UCLA Health breach turns out to be as bad as one imagines it might be.


Indeed, Peterson writes, “Most breaches of data from health organizations are small and don't involve hackers breaking into a company's computer system. Some involve a stolen laptop or the inappropriate disposal of paper records, for example -- and not all necessarily involve medical information. But hacking-related incidents disclosed this year have dramatically driven up the number of people exposed by breaches in this sector. When Anthem, the nation's second-largest health insurer, announced in February that hackers broke into a database containing the personal information of nearly 80 million records related to consumers, that one incident more than doubled the number of people affected by breaches in the health industry since the agency started publicly reporting on the issue in 2009.”


And she quotes Rachel Seeger, a spokesperson for the Office for Civil Rights in the Department of Health and Human Services, as saying in a statement, following the Anthem breach, “These incidents have the potential to affect very large numbers of health care consumers, as evidenced by the recent Anthem and Premera breaches."


So this latest breach is big, and it is scary. And it might be easy (and lazy blogging and journalism) to describe this UCLA Health data breach as a “wake-up call”; but honestly, we’ve already had a series of wake-up calls in the U.S. healthcare industry over the past year or so. How many “wake-up calls” do we need before hospitals and other patient care organizations move to impose strong encryption regimens on their core sensitive data? The mind boggles at the prospects for the next 12 months in healthcare—truly.

No comment yet.
Scoop.it!

CFO Gets Prison Time for HITECH Fraud

CFO Gets Prison Time for HITECH Fraud | HIPAA Compliance for Medical Practices | Scoop.it

A former Texas hospital CFO has been sentenced to 23 months in federal prison for submitting false documents so a medical center could receive payments under the HITECH Act electronic health records financial incentive program.


In addition to his prison sentence, Joe White, former CFO of the now-shuttered Shelby Regional Medical Center in East Texas, was ordered to pay restitution of nearly $4.5 million to the HITECH incentive payment program.


Court documents indicate that to help pay the restitution, White has been ordered to liquidate an IRA account and an annuity, which as of November 2014, had respective balances of about $115,000 and $2,500.


White, 68, of Cameron, Texas, pleaded guilty on Nov. 12, 2014, to making false statements in November 2012 to the Centers for Medicare and Medicaid Services that Shelby Regional Medical Center was a meaningful user of EHRs, when the hospital actually was primarily using paper records, according to the Department of Justice.


To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAAsecurity risk assessment.

Case Details

In a statement issued by the FBI on June 18, U.S. attorney John Bales said, "The EHR incentive program was designed to enhance the delivery of excellent medical care to all Americans and especially for those citizens who live in underserved, rural areas like Shelby County. There is no doubt that Mr. White understood that purpose and yet, he intentionally decided to steal taxpayer monies and in the process, undermine and abuse this important program."


According to information presented in court, White was CFO for Shelby Regional as well as other hospitals owned and operated by Tariq Mahmood, M.D., of Cedar Hill, Texas.


The 54-bed Shelby Regional closed last year amidst legal issues involving Mahmood, who was indicted by a federal grand jury on April 11, 2013. He was charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.


Court documents indicate that Mahmood was sentenced on April 14 to 135 months in federal prison, and also ordered to pay restitution totaling nearly $100,000 to CMS, the Texas Department of Health and Human Services and Blue Cross Blue Shield.


White oversaw the implementation of EHRs for Shelby Regional and was responsible for attesting to the meaningful use of the EHRs to qualify to receive HITECH incentive payments from Medicare, according to the FBI.


As a result of White's false attestation, Shelby Regional Medical Center received nearly $786,000 from Medicare, the FBI statement says. In total, hospitals owned by Mahmood were paid more than $16 million under the Medicare and Medicaid EHR incentive program, the FBI says.


A Justice Department spokeswoman tells Information Security Media Group that the $4.5 million restitution that White was ordered to pay represents the EHR incentive money Shelby Regional received from CMS under false attestation, as well as EHR incentive money that other hospitals owned by Mahmood, for which White was also CFO, received from CMS. While White did not personally receive the incentive money from CMS, "restitution is mandatory pursuant to the Mandatory Victim Restitution Act of 1996," she explains, citing 18 USC 3663A(a)(1), which says, "Notwithstanding any other provision of law, when sentencing a defendant convicted of an offense described in subsection (c), the court shall order, in addition to...any other penalty authorized by law, that the defendant make restitution to the victim of the offense. ..."

More Cases to Come?

Healthcare attorney Brad Rostolsky of the law firm Reed Smith says that although most healthcare professionals and organizations participating in the HITECH meaningful use incentive program are trying to play by the rules, federal regulators must be on the look-out for potential fraudsters, considering the billions of dollars in incentives being paid.


"My sense is that the large majority of institutional and small/solo practice providers appreciate the context in which these meaningful use attestations are being made, and they focus on ensuring that the attestations are true and accurate," he says. "That said, in situations where the facts are as they are [in the Joe White case], it would not surprise me if the government continues to be aggressive in its enforcement."


Attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he expects federal authorities will file more HITECH criminal cases. "The sense we have gotten from public statements by OIG and others involved in prosecuting healthcare fraud violations is that there are a number of investigations ongoing to determine if there has been fraud in obtaining funds through the EHR incentive payment program," he says.


Holtzman suggests that those organizations that have received HITECH incentives must keep thorough documentation to prove they met all the requirements.


"The key is to keep detailed documentation of the information that was used to support the representations in the attestation for seven years," he says. "An individual or organization can avoid criminal culpability through showing that a reasonable effort was made to support a belief that the provider or hospital had met the meaningful use requirements and was therefore eligible for receiving EHR incentive payments."

HITECH Audits

While criminal cases related to the HITECH Act EHR incentive program have been rare, federal regulators have been ratcheting up their audits of healthcare entities attesting to "meaningful use" of EHRs.


Among those selected was Temple University Health System in Philadelphia, which recently passed an audit for meaningful use compliance at one of its hospitals, says CISO Mitch Parker. The area of attestation most closely scrutinized by CMS auditors was Temple's HIPAA security risk assessment, he says.


"You can't skimp on the risk assessment. That's the first and foremost item that they look for," he says. "And it can't be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours."

No comment yet.
Scoop.it!

Think Your Practice is HIPAA Compliant? Think Again.

Think Your Practice is HIPAA Compliant? Think Again. | HIPAA Compliance for Medical Practices | Scoop.it

You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI


For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI


Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted; such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is if a potential breach occurs, like the theft of a laptop containing e-mails with PHI, that is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS


If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP


If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:


• Information regarding uses and disclosures that require authorization;


• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and


• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMMENDMENT REQUESTS


Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING


The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARING FOR RECORD COPIES


With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS


If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:

• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.


9. RELEASING TOO MUCH INFORMATION


Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."

No comment yet.
Scoop.it!

The New World of Healthcare Cybercrime

The New World of Healthcare Cybercrime | HIPAA Compliance for Medical Practices | Scoop.it

In healthcare, the number and volume of the breaches are ever increasing. For many of these breaches, phishing is the initial point of compromise. The human tends to be the weakest link and so hackers tend to exploit the low hanging fruit. Much of the information which is exfiltrated ends up on the black market (e.g., medical identity information, intellectual property, financial information, etc.).


We often hear about healthcare information being very valuable on the black market. But, for anyone who may dare to look at the dark web or even public dump sites, the black market can indeed be somewhat of a scary place—or at least, eye opening. The type of information which is traded on the black market includes healthcare and related identity information and bad actors may use the stolen information to commit medical identity theft and fraud. Indeed, the Medical Identity Fraud Alliance has a lot of information on this subject, including a survey on point.


And, now, law firms that support healthcare organizations and other entities are the target of hackers. Law firms have valuable information, such as data on mergers and acquisitions, intellectual property, protected health information, and other types of sensitive information which they are entrusted to safeguard on behalf of their clients. Indeed, several law firms have reportedly been considering standing up a law firm information sharing and analysis center “to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.”


All businesses, including healthcare organizations, need to make cybersecurity a business priority. Just like other kinds of risk management, cybersecurity needs to be part of the equation. Reacting to incidents, in the long run, will only prove to be very costly for your organization, in terms of expenditure, manpower, and damage to your organization’s goodwill. Instead, appropriate investment needs to be made in technology and skilled personnel to detect and remove hackers from systems and to make it more difficult for hackers to infiltrate into the systems.


In addition, avoid being low hanging fruit for the hackers. Practice good cyber hygiene, adopt and implement an appropriate security framework for your organization and best practices, have a culture which embraces information security, be vigilant, and call in the good guys when you are in need of help (or even before there is a problem). The importance of information security has increased as a priority for many organizations—it should have a high priority for yours as well. The cyber threat is real and we all need to stay ahead of it.


No comment yet.
Scoop.it!

Protect Your Practice Data Against a Breach

Protect Your Practice Data Against a Breach | HIPAA Compliance for Medical Practices | Scoop.it

Technology has changed the face of patient care. But it has also opened a Pandora's Box of lurid and potentially expensive data breaches. Don't be lulled into a false sense of security because you may think your practice is too small to be a target for hackers. The lessons for large health systems are as relevant as those for small, independent practices. Data security can't be left to chance.

Ike Devji an Arizona-based asset protection and risk-management attorney works with physicians to help them develop policies to protect their practice data and minimize liability risk. He says most doctors suffer from what he calls "risk myopia," meaning that they are focused too intently on mitigating malpractice risk. But what about identity theft or HIPAA violations or securing patient financial data? "If [data breaches] could happen to the most sophisticated companies in the world, who have entire dedicated teams of IT security professionals, believe me, it can happen to your medical practice," cautions Devji.

So what should you do? There are many ways that your practice can protect itself against data breaches, even if your technology budget is slim. Here's how our experts say you should start.


TAKE DATA SECURITY SERIOUSLY


Even before you invest in software and support services to protect your patient data, you need to be clear about how your practice will approach data security. Too often, practice policies are absent or left up to individuals to haphazardly carry out. According to Devji, that is asking for trouble.

Devji's experience has taught him that practices often don't take cybersecurity seriously enough. He says that crimes happen most often when there is opportunity — it is easier for hackers to target a small practice and steal patient credit card numbers, than it is to, say, break into American Express.

Another concern for practices is making sure they are compliant with HIPAA regulations. In 2013, HHS released the HIPAA Omnibus Rule that strengthened the original provisions in HIPAA, bringing the total number of regulations up to 49, says Marion Jenkins, chief strategy officer at 3t Systems, a healthcare consulting company. He says the regulatory landscape is complex, and even a small practice could be looking at hundreds of thousands of dollars in fines for an unintentional HIPAA violation.

Devji says his firm makes sure that clients have an appropriate data security plan in place that includes HIPAA protections, limits staff access to protected health information (PHI), and also identifies the individual(s) who will be responsible for implementing and monitoring the plan. Here are five other key provisions that should be part of any data security plan.


FIND QUALIFIED IT SUPPORT


Because smaller practices don't generally have an IT support budget, they tend to gravitate to free tools and solutions, which can be problematic, says Boatner Blankenstein, senior director of solutions engineering for Bomgar, an enterprise technology solutions company. "Without having IT resources, there's just a lot of opportunity for misuse of technology. Scams and things — people calling and saying they're here to help you and they are really not," he says.

Jenkins says that the strongest leg of your risk-prevention strategy should be finding professional IT support that you can trust. "I have a three-question quiz that [practices] can give to an IT provider … The quiz has to be given orally, because the first question is 'How do you spell HIPAA?' The second question is 'What does it stand for?' and the third question is 'What is the difference between HIPAA security and HIPAA privacy?' If they can't answer those three questions, then you probably have a HIPAA problem waiting to happen," he says.

PROVIDE STAFF TRAINING AND EDUCATION

Your staff members are not able to learn your data security policies through osmosis. So, you must make data security a priority and teach them how to approach it. Devji says many times HIPAA violations occur through simple mistakes, like failing to lock computers and mobile devices with passwords, and copying sensitive data to an unencrypted USB drive.

Your staff training should cover at a minimum:

• The use of practice computers for personal e-mails and Internet surfing;

• Transporting data offsite using mobile devices;

• Protocols for departing staff members, e.g. changing passwords and network access;

• Educating staff on HIPAA requirements;

• The use of mobile devices at home and work; and

• Encrypting all patient data, regardless of the device.

INSTALL AND UPDATE ANTI-VIRUS SOFTWARE

In the course of a normal business day, practices are communicating electronically with multiple websites and healthcare networks, like CMS, third-party payers, and the CDC, for example. It is vital to have adequate virus and malware protection programs installed on all desk-top computers and mobile devices, especially if they are used to access the practice's EHR system.

"[Anti-malware, anti-virus protection, anti-spam] are absolutely required by HIPAA. One of the 49 requirements is you have to protect your systems from malicious software," says Jenkins.

But don't stop there. Your software must be updated on a continuous basis. How many times have you skipped over software updates for your computer because you are too busy to stop what you are doing? Unfortunately, when you do that, you are missing out on critical security patches. Devji says "many of those updates are security specific and are continually patching vulnerabilities that are found in those programs." Skipping updates just makes it that much easier for hackers to access your computer system.


ADOPT DATA ENCRYPTION


Protecting your patient data doesn't always require a sophisticated security solution. The safest thing a practice can do is guard against the loss or theft of mobile devices and make sure that all data is encrypted — both at rest and in motion. The Verizon 2014 Data Breach Investigations Report found that together, insider misuse, miscellaneous errors, and physical theft and loss accounted for 73 percent of security breaches in the healthcare industry.

The report recommends:

• Encrypting mobile devices, like laptops and USB drives;

• Backing up sensitive data; and

• Securing mobile devices with locks to immovable fixtures, like cabinets, when not in use.


CONDUCT SECURITY AUDITS


Many practices are not aware that conducting an internal risk assessment is required by HIPAA, says Jenkins. He says he has conducted over 100 HIPAA security assessments, and the number of practices that have passed is "less than 5 percent." He says that while there are templates available through the HHS Office of the National Coordinator for Health Information Technology's website, practices should consider soliciting professional help, as "some of [the assessment] is pretty technical."

Some key action points here are:

• Engage an IT security expert or EHR vendor to audit your networks, equipment, and processes.

• Make sure that software upgrades are current on all equipment and devices.

• Review your anti-virus software to make sure it provides adequate protection.

IN SUMMARY

Medical practice data security can't be left to chance; the stakes are just too high. Fortunately, after securing professional advice, there are simple things you can do to secure your information.

Take these steps to ward off loss of data and equipment:

• Create a practice data security plan

• Provide staff training on data security

• Install anti-virus and anti-malpractice software

• Adopt data encryption

• Conduct security audits


No comment yet.
Scoop.it!

Six Potential HIPAA Threats for PHOs and Super Groups

Six Potential HIPAA Threats for PHOs and Super Groups | HIPAA Compliance for Medical Practices | Scoop.it

Physician Hospital Organizations (PHOs) and super groups are on the rise. About 40 percent of physicians either work for a hospital or a practice group owned by a hospital, or they ban together to form a super group. Individual practices share operations, billing, and other administrative functions, gain leverage with insurance companies, add specialist resources and increase referrals, improve patient outcomes with a cohesive care plan, and more. The benefits are plentiful.

But just like a negative restaurant review on Yelp can hurt customer patronage and the restaurant's reputation, one practice that commits a HIPAA violation can affect the entire group, and result in an expensive fine, cause distrust among patients, and in extreme cases, the data breach can lead to medical identity theft.


For PHOs and super groups, adherence to HIPAA rules becomes more complicated when compliance isn't consistent among the group's practices, and a compliance officer isn't on board to manage risks and respond to violations.


At a minimum, the group should identify the potential sources for exposure of electronic protected health information (ePHI) and take measures to avert them. For example:


Super groups include smaller practices that struggle with HIPAA compliance and associated time and costs. Although PHOs or super groups may be abundant in physicians, employees, and offices, these assets could come from a majority of smaller organizations. Historically smaller practices struggle with resources to comply with HIPAA and hiring expensive compliance consultants could be prohibitive at the individual practice level.


Each practice uses a different EHR, or the EHR is centralized but the ePHI is stored on different devices. It becomes difficult to assess HIPAA compliance as well as how patient data is being protected when there are various EHRs implemented across multiple practices. Some EHRs may be cloud based while other systems reside in an individual practice's office. Getting an accurate inventory of where ePHI is stored or accessed can be challenging.


Hospitals can't conduct thorough security risk assessments for each practice in the group. A PHO could have 20 or more individual practices and the time required to perform individual security risk assessments could be daunting. These risk assessments are labor intensive and could strain the resources of hospital compliance staff.


Meaningful use drives HIPAA compliance and grants from HHS could be significant, especially with a large number of providers. Along with these funds comes responsibility to comply with meaningful use objectives. One of the most frequent causes of failing a meaningful use audit is ignoring a HIPAA security risk assessment. If one practice fails an audit, it could open the door to other practices in the group being audited, which could result in a domino effect and a significant portion of EHR incentive funds having to be returned.


For physician groups that share patient information the security is only as strong as the weakest link — one practice or even one employee. A breach at one practice could expose patient information for many or all other practices. Security is then defined by the weakest link or the practice that has the weakest security implemented.


Untrained employees in the front office unwittingly violate HIPAA and a patient's right to privacy. An employee could fall for a phishing scam that gives criminals access to a practice's network, and compromises the security of many or all practices within the PHO or super group.


The best way to avoid a HIPAA violation and a patient data breach is to create a group policy that requires each practice to:


• Perform regular HIPAA security risk assessments;

 •Inventory location of patient information;

• Assess common threats;

• Identify additional security needs;

• Set up policies and procedures;

• Stay up to date on patient privacy rules and requisite patient forms; and

• Properly train employees in protecting both the privacy and security of ePHI.


Make sure every practice in the group treats HIPAA compliance with the same care as a patient's medical condition.

Roger Steven's comment, July 10, 2015 6:34 AM
nice article www.mentorhealth.com
Scoop.it!

Chip-powered credit cards to challenge providers this fall

Chip-powered credit cards to challenge providers this fall | HIPAA Compliance for Medical Practices | Scoop.it

In an effort to improve security, America's banks and credit-card issuers will switch in the next few months from strip-based to microchip-based cards. That means healthcare providers will face another significant financial-systems conversion, in addition to the looming ICD-10 switchover

More than half a billion of these “EMV” cards, so-named for the initials of the major card issuers that developed them—Europay, MasterCard and Visa—are expected to be issued and in use by the end of 2015.

The cards already are in use in Europe and Canada. Canada started a slow rollout of EMV cards in 2006, and now about 95% of Canadian merchants have converted to chip card readers, said Karen Cox, vice president of payments and retail solutions for Moneris Solutions, a Toronto-based provider of financial processing systems, owned by Canada's two largest banks, Royal Bank of Canada and Bank of Montreal. 

According to research estimates, by October, 63% of U.S. cards and 47% of terminals used across all industries to process transactions will be converted to EMV technology, she said.

Unlike the planned, industry-wide and federally mandated Oct. 1 upgrade to ICD-10 diagnostic and procedural codes, which is creating a big lift for everyone in the healthcare claims stream, there is no federal requirement that any U.S. business, including hospitals and office-based physician practices, switch to EMV cards. 

But efforts to reduce fraud will drive the conversion to chip cards, Cox said. 

In the U.S., a shift in financial liability for fraudulent charges will drive merchant adoption of chip-card technology, or at least that's the intention, Cox said. The change in liability will be enforceable by the credit-card issuers through their agreements with businesses that accept credit card payments, Cox said. 

“After October, if someone (a fraudster) with a chip card would hit a chip terminal, the merchant is protected from charge back,” by the card issuer, Cox said. But if the merchant, hospital or medical practice is still using an older magnetic strip reader, the liability for charge-backs falls on the business still using the older technology. 

Cox says providers shouldn't worry about the expense of new card readers.

“Your typical countertop terminal is $200 to $300 for one that does everything,” Cox said. The rub more likely will come with software conversions for hospital financial and office-practice management systems, she said.

Cox says not all vendors are ready for the conversion and no one should take on the task of writing EMV interface themselves.

The Electronic Health Records Association, a trade group for EHR developers, many of which also have financial systems, declined to comment. 

The linchpin for chip-card technology adoption going forward—as it has been in the past—remains with the banks, not the vendors, said Robert Tennant, senior policy advisor with the Medical Group Management Association, who recently received a smart-chipped American Express card in the mail. “The vendor's argument is, 'Why should we build in the technology when the financial vendors haven't switched over?' ” he said.

According to Tennant, the switch to chip-based technology will be “an enormous change” for the retail sector, and a somewhat of a lift for medical groups, who will have to buy and reconfigure their credit-card processing equipment and software at their pay windows. But there could be long-term benefits, too. 

“Nothing is ever foolproof, but as far as it goes, I think it's significantly more security than what we have now,” Tennant said.

The MGMA also is part of a 40-member industry collaboration formed last year, and led by the Workgroup for Electronic Data Interchange, to automate the patient registration and intake process. The group is hoping to hammer out an industry consensus around the component parts of a so-called “digital clipboard”containing basic patient demographic and payer or payment information used at registration. 

“On the healthcare side, it opens up a lot more opportunities for data movement,” Tennant said. “If we're going to be moving to this technology, it's a very short step toward using that technology for other purposes.”

Hopes for using smart-card technology in healthcare have risen and fallen several times over the past decade. Last month, the Government Accountability Office recommended that Medicare ought to consider issuing smart cards to beneficiaries to speed patient identification and eligibility verification.

No comment yet.
Scoop.it!

EHR Vendor Target of Latest Hack

EHR Vendor Target of Latest Hack | HIPAA Compliance for Medical Practices | Scoop.it

Web-based electronic health record vendor Medical Informatics Engineering, and its personal health records subsidiary, NoMoreClipBoard, say a cyber-attack has resulted in a data breach affecting some healthcare clients and an undisclosed number of patients.


In a statement, Medical Informatics Engineering says that on May 26, it discovered suspicious activity on one of its servers.


A forensics investigation by the company's internal team and an independent forensics expert determined that a "sophisticated cyber-attack" involving unauthorized access to its network began on May 7. The breach resulted in the compromise of protected health information relating to certain patients affiliated with certain clients, the company says.


"We emphasize that the patients of only certain clients of Medical Informatics Engineering were affected by this compromise and those clients have all been notified," the company says. Clients include: Concentra, a nationwide chain of healthcare clinics; Fort Wayne (Ind.) Neurological Center; Franciscan St. Francis Health Indianapolis; Gynecology Center, Inc. Fort Wayne; and Rochester Medical Group, Rochester Hills, Mich.


Information exposed in the breach affecting the Web-basedEHR system includes patient's name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports and medical conditions. "No financial or credit card information has been compromised, as we do not collect or store this information," the company says.

PHR Also Breached

Medical Informatics Engineering says it also determined that the cyber-attack compromised PHI of its NoMoreClipboard subsidiary, which serves patients who assemble personal health records. A separate notice was issued for affected clients and patients. Information exposed for individuals who use a NoMoreClipboard portal/personal health record, includes name, home address, username, hashed password, security question and answer, email address, date of birth, health information and Social Security number.


"We strongly encourage all NoMoreClipboard users to change their passwords," the company says in its statement. "We also strongly encourage everyone to use different passwords for each of their various accounts. Do not use the same password twice. The next time a NoMoreClipboard user logs in, we will prompt a password change."

As part of the password change process, the company says it will send a five-digit PIN code to a cell phone, via an automated phone call, or to an email address already associated with the NoMoreClipboard account. "Users will have to enter this five-digit code to reset their password," the company says. "We are also emailing NoMoreClipboard users to encourage this password change."


Medical Informatics Engineering says the breach has been reported to law enforcement, including the FBI, and the company is cooperating with the investigation. Upon discovering the breach, the company says it "immediately began an investigation to identify and remediate any identified security vulnerability."


Medical Informatics Engineering and its NoMoreClipBoard subsidary are offering affected individuals free credit monitoring and identity protection services for the next 24 months.


The company did not immediately reply to a request for comment.

Going After Patient Data

This incident shows that any healthcare-related company or business associate is a target for attackers, says security and privacy expert Kate Borten, founder and CEO of The Marblehead Group consultancy.

"Assuming the attack was targeted, this is just another example of going after a big chunk of patient data," she says. "I don't think it matters to an attacker whether the company is a health plan/insurer or a health information exchange, or a provider. It's just an organization with a significant volume of PHI."

No comment yet.
Scoop.it!

ONC releases updated privacy and security guide

ONC releases updated privacy and security guide | HIPAA Compliance for Medical Practices | Scoop.it

The Office of the National Coordinator (ONC) released the revised “Guide to Privacy and Security of Electronic Health Information”April 13 to help organizations integrate federal health information privacy and security requirements.

The guide is geared toward HIPAA covered entities and Medicare eligible professionals from smaller organizations. The updated version features information about compliance with the privacy and security requirements of CMS’ Electronic Health Record (EHR) Incentive Programs as well as compliance with HIPAA Privacy, Security, and Breach Notification Rules.

The guide covers such topics as:

  • Increasing patient trust through privacy and security
  • Provider responsibilities under HIPAA
  • Health information rights of patients
  • Security patient information in EHRs
  • Meaningful Use core objectives that address privacy and security
  • A seven-step approach for implementing a security management process
  • Breach notification and HIPAA enforcement



No comment yet.
Scoop.it!

Why health IT companies may not take HIPAA seriously until 2016 | mHealthNews

Why health IT companies may not take HIPAA seriously until 2016 | mHealthNews | HIPAA Compliance for Medical Practices | Scoop.it

When the Final Omnibus Rule came into effect on March 23, 2013, the intent was to make business associates (BAs) more accountable for the protection of the data they were managing on behalf of covered entities (CEs) such as hospitals or health plans. Prior to this, BAs were only liable for whatever was put into a Business Associates Agreement (BAA) by the CE, and even then that liability was restricted to any civil action that may be taken by the CE. 

However, the Final Omnibus Rule extended the same federal provisions to BAs that had previously been restricted to CEs, meaning that whether a business associate signed a BA or not, they were federally required to operate in accordance with the Security, Privacy and Breach Notification rules. Failure to do so could result in federal penalties of up to $1.5 million per breach type, and even criminal prosecution.

This change was driven by the fact that an increasing percentage of heathcare data is being managed by BAs such as health IT vendors. While covered entities still account for the majority of breach incidents, BAs are responsible for most of the records breached.

However, after an initial flurry of activity before and after this date, most business associates have responded to this change with general apathy. Being in a position to talk to companies every day who operate as business associates, I am repeatedly underwhelmed by their efforts to take security and compliance seriously, despite this change in the law. Indeed, even when offered the chance to enhance their security posture and, by extension, their compliance to HIPAA regulations in a simple an affordable manner, many decline to do so, stating a conflict of priorities. It's not that they are necessarily unaware of the potential consequences – rather, they simply do not see it as a sufficient priority. They often see themselves as being too small, or that they first need to build a business before worrying about protecting it. And the reality is they see no immediate consequence to their procrastination.

It's like the speed limit being reduced from 65 mph to 55 mph. While notices are posted, after initial caution by drivers, they see no police cars on the side of the road or any evidence that anyone is being pulled over, so they don’t reduce their speed. Indeed, as more cars come onto the freeway some start to go faster, which encourages others to follow suit. Everyone knows they are speeding, but then everyone else is doing it and no one seems to be getting penalized for it.

The challenge for companies is that while there may not be visible enforcement right now, that is because it takes a while for breaches to be discovered, investigated and adjudicated – on average about three years. Most HIPAA judgments being pronounced today relate to breaches that occurred in 2011.

So to extend the previous analogy, while there may not be police visible on the side of the road, there are speed cameras. The violators will not receive their speeding ticket until a considerable time after the offence was committed, meaning they continue to speed long after their first offence.

In terms of HIPAA enforcement that means most judgments will not become public until 2016, at which time I would hope most BAs will already have realized that it can happen to them, and will have started making adequate protections an imperative.  But until they do, they will need to hope they do not drive past an OCR speed camera.



No comment yet.