HIPAA Compliance for Medical Practices
76.2K views | +31 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

The Benefits of Performing a HIPAA Risk Assessment

The Benefits of Performing a HIPAA Risk Assessment | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates that covered entities must conduct a risk assessment of their healthcare company.

 

 A wide range of organizations – from healthcare insurance providers to hospitals – fall into this covered entity group. While it may seem taxing and time-consuming to provide standardized training to your employees, there are many reasons doing so can behoove you. For one, it’s the law. Since 2009, Security Risk Assessments (SRAs) have been a required annual practice set forth by the HIPAA Security Rule.

 

Don’t wait to become a breach headline; nip breaches in bud by detecting security issues before they wreak havoc. You can’t be secure if you are not compliant; and a HIPAA Risk Assessment will safeguard your organization in more ways than one. Technology is a timesaver that has simplified the medical filing and billing processes, but it leaves the potential for leaks and hacking.

 

A risk analysis will identify and document potential threats and liabilities that can cause a breach of sensitive data. An IT security consulting company can check all portable media (laptops), desktops, and networks to ensure they’re ironclad. IT security measures, such as encryption and two-factor authentication2, will be addressed in order to make it challenging for unwanted eyes to get a glimpse of patient information.  

 

Employees are the greatest threat to HIPAA compliance, so it’s important to make sure they’re well informed on how to prevent breaches. Annual HIPAA Security Awareness Training Programs provide a thorough understanding of each person’s role in preventing breaches and protecting physical and electronic information.

 

HIPAA training is a regulatory requirement, many employee actions that go awry could easily be prevented. A consultant will offer tips and tricks for minimizing that risk; a few include never leaving work phones and laptops unattended, never sharing passwords or company credentials, choosing to shred files as opposed to trashing them, and overcoming the temptation to “snoop” on patient information without just cause.

 

While many of these suggestions seem like common sense, there are also many lesser known incidences that arise while working in the medical field. Did you know that you cannot access your own medical records using your login credentials? While it may seem innocent enough, everyone is required to submit a request to access medical materials. 

 

Don’t deter a Risk Assessment out of indolence. HIPAA Risk Assessments must be accurate and extremely thorough.  Questions about all the administrative, technical, and physical safeguards an organization has in place must be asked about.

 

If outsourcing your HIPAA Risk Assessment, choose a company that provides comprehensive training courses. No two companies are alike so cookie-cutter answers don’t exist for compliancy; a client-facing doctor’s office and corporate health insurance agency will require that different preventive measures be put into place.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

5 Breach Lawsuits Filed Against Premera

5 Breach Lawsuits Filed Against Premera | HIPAA Compliance for Medical Practices | Scoop.it

Five class action lawsuits have been filed in federal court against Premera Blue Cross in the wake of a data breach that affected 11 million individuals across the country. Meanwhile, its CEO has provided answers to questions from a U.S. senator regarding the hacker attack.

The five lawsuits filed last week in the U.S. District Court in Seattle make similar allegations - that the company failed to protect customers' confidential information, putting those affected at risk for identity theft. Among the complaints' allegations is that the data breach resulted from Premera's alleged "failures to follow HIPAA."


Two of the suits also note that Premera was warned in an April 2014 draft audit report by the U.S. Office of Personnel Management that its IT systems "were vulnerable to attack because of inadequate security precautions".

"That audit identified ... vulnerabilities related to Premera's failure to implement critical security patches and software updates, and warned that 'failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached,'" notes one lawsuit, Tennielle Cossey, et al vs. Premera.

That suit also states, "If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems." The complaint notes that Community Health Systems in August 2014 also revealed a hacker breach that affected 4.5 million patients. "This prompted a 'flash warning' by the FBI to entities in the healthcare industry that it had observed 'malicious actors targeting health care related systems,'" the suit says.

The suits are seeking unspecified damages, both "actual and statutory." Among the allegations in some of the suits are violations of the Washington Consumer Protection Act.

A Premera spokeswoman declined to comment about the suits. She noted, however, that Premera "expected there would be class action lawsuits filed" against the company in the wake of the breach "because that's typically what happens."

Attorney John Yanchunis of the Tampa-based law firm Morgan & Morgan, which is representing plaintiffs in one of the Premera class action suits, says he expects that the cases eventually will be consolidated into one case in the federal court. The Premera breach "is more egregious than the Home Depot or Target breaches because those [credit] cards can be cancelled," he says. "Unlike those other breaches, the information involved in the Premera breach can be used to file fraudulent tax returns and fraudulently secure healthcare in someone else's name."

Congressional Scrutiny

In addition to the lawsuits, Premera is also dealing with Congressional scrutiny in the wake of the breach.

A March 20 letter to Premera CEO Jeffrey Roe, Sen. Patty Murray, D-Wash., on behalf of the Senate Committee on Health, Education, Labor and Pensions, asked the company to answer 15 questions related to the breach and the company's information security practices. Those questions range from why Premera waited six weeks to publicly announce the breach after its discovery, to whether the hacking incident is related to the Anthem Inc. hacking breach, to steps Premera is taking to bolster its information security in the wake of the incident.

In the March 27 response letter to Murray, which Premera provided to Information Security Media Group, Roe says the public announcement of the breach was delayed based on advice from Mandiant, a consulting firm it had hired to assist in the forensic investigation of the incident.

"Mandiant warned Premera about the dangers of making any public announcement about the attack until the following steps could be taken: 1) Mandiant completed scanning all servers and workstations for areas of infection to identify all attack vectors; 2) systems were remediated in a concentrated time to lock the attackers out of system; and, 3) remediation was followed by scanning to verify that the all backdoors were eliminated," the letter states.

Roe also describes in the letter some details about the breach: "Upon penetration of Premera's network, the attackers gained access to log-in credentials and then deployed other tools and tactics to gain broad access to Premera's network." He adds: "Mandiant's investigation to date has identified only intrusion but no exfiltration of information from Premera's systems. Mandiant has not conclusively determined the initial vector of compromise. That is, the [company doesn't] know if the malware came from a phishing email, a contaminated website, or another source of intrusion.

The letter also notes that Mandiant "found no evidence that the cyberattack on Premera was the result of, or was related to, any of the items identified in the [2014] OPM [audit] report." Plus, Roe notes: "Premera is not in a position to opine about whether the Premera and Anthem attacks were connected or which attack occurred first. Because these attacks are the subject of active FBI investigations, Premera encourages your office to contact the FBI for additional information."

Premera is implementing several Mandiant recommendations to bolster security moving forward, Roe says in the letter. In addition to removing all malware and backdoors from its IT systems in response to this cyberattack, Roe says Premera has implemented a number of system enhancements, including, among others:

  • Deploying multiple-factor authentication for remote access to Premera's network;
  • Scanning servers, desktops and laptops as a requirement for continued use of devices on the network;
  • Installing enhanced monitoring tools to provide reports of any new attacks on our computer networks;
  • Enhancing and expanding security and system event logging capabilities; and
  • Engaging a service provider for advanced monitoring services.
State Scrutiny

Besides the lawsuits and the Congressional scrutiny, Premera is also facing a probe from insurance officials in three states - Washington, Oregon and Alaska.

Washington Insurance Commissioner Michael Kreidler said that the states will conduct a "market conduct examination" of Premera related to the breach. The examination will include on-site reviews of the insurer's financial books, records, transactions and how they relate to its activities in the marketplace, Kreidler explained in a statement.


more...
Jan Vajda's curator insight, April 5, 2015 3:26 PM

Přidejte svůj pohled ...

Scoop.it!

IT Maintenance Crucial for HIPAA Compliance

The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) recently announced an agreement with a medical center to settle charges stemming from the center’s failure to prevent malware from infecting its computers. The malicious programming breached the electronic protected health information (ePHI) of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The medical center was fined $150,000 and agreed to implement a corrective action plan for violating the mandates of HIPAA’s Security Rule. Under the Security Rule, covered entities and business associates must implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and security of ePHI.

According to OCR, the medical center adopted policies to comply with the HIPAA Security Rule, but failed to follow them after putting them to paper. The medical center did not perform an accurate or thorough risk assessment for ePHI, nor did it implement the necessary policies, procedures or technical security measures to prevent unauthorized access to ePHI. Specifically, OCR maintains that the medical center’s failure to identify and address basic risks — e.g., not regularly updating firewalls and running outdated, unsupported software — was the direct cause of the introduction of malicious software into its systems.

In addition to the monetary fine, the medical center agreed to implement a two-year corrective action plan requiring it to —

  • Revise, adopt and distribute updated Security Rule policies and procedures approved by OCR;
  • Develop and provide updated security awareness training — based on training materials approved by OCR — to employees, and update and repeat such training annually;
  • Conduct annual assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in its possession and document the security measures implemented to address those risks and vulnerabilities;
  • Investigate and report to OCR any violations of its Security Rule policies and procedures by employees; and
  • Submit annual reports to OCR describing its compliance with the corrective action plan.
  • OCR used its announcement to highlight the fact that HIPAA compliance is a continuous process and requires more than establishing initial policies, procedures and systems. Rather, covered entities and business associates will only be able to avoid expensive HIPAA fines and penalties by conducting regular ePHI risk assessments, addressing identified security vulnerabilities and regularly updating HIPAA policies and procedures.

Although technological safeguards are vital to keeping ePHI secure, human error is also a significant threat to patient data security and privacy, making a knowledgeable workforce crucial to HIPAA compliance. Covered entities and business associates can ensure HIPAA compliance with Thomson Reuters’ online training courses on HIPAA Privacy and Security and U.S. Data Privacy and Security. Our online compliance training courses explain the essential principles of HIPAA requirements and of safeguarding individuals’ personal information.


more...
No comment yet.
Scoop.it!

Employees could leave health systems vulnerable to hacks

Employees could leave health systems vulnerable to hacks | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are vulnerable to cyberattacks in many ways, with a big threat being a company or hospital's own employees, according to Ari Baranoff, assistant special agent in charge for the U.S. Secret Service's Criminal Investigative Division.

"Your workforce is a potential vulnerability to your network," Baranoff tells Healthcare IT Security. "Constantly educating your workforce and testing your workforce on their cyberhygiene is very important."

Even if employees mean no harm, just by browsing the Internet or checking their email they can put networks at risk, Baranoff says. It's especially dangerous if these activities are done using the same system that houses electronic health records or other hospital information.

In addition, employee information is also something that often is at risk and can raise problems for hospitals. The Secret Service has seen growing interest in extortion and ransomware campaigns in the healthcare industry, according to Baranoff.

However, a great deal of the threats to health systems come from the outside world, he adds.

For instance, recent breach at Sony Pictures, the health information of employees was hacked, including a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs.

Data breaches are expected to increase in 2015, with healthcare "a vulnerable and attractive target for cybercriminals," according to Experian's 2015 Data Breach Industry Forecast.

Electronic medical records and consumer-generated data from wearables and other devices will continue to add to the vulnerability and complexity in securing personal health information, according to the report.

more...
No comment yet.
Scoop.it!

Tips For Reducing HIPAA Violation Risks

Tips For Reducing HIPAA Violation Risks | HIPAA Compliance for Medical Practices | Scoop.it

The need to attend to data security in increasing exponentially as enforcement tightens and the risk of significant financial penalties for HIPAA violations looms. To that end, a new white paper by Core Security provides some guidance for keeping data safe and avoiding risks of compromised patient information.

As Health IT Outcomes earlier noted, PwC report investigating the state of healthcare compliance found there is still much progress to be made in healthcare compliance across the board, and HIPAA privacy and security remain the top compliance concerns. Penalties for violations are increasing and reputations can be damaged, not to mention the imminent start of privacy audits from the HHS Office for Civil Rights. Compliance officers are challenged to fill gaps in their policies and procedures and be ready to demonstrate compliance with HIPAA requirements.

The cost of breaches can be crippling for healthcare organizations. For example, the OCR fined two health organizations almost $2 million in the wake of the theft of laptops, while Parkview Health paid out $800,000 in HIPAA fines and agreed to institute a corrective plan of action after it was alleged that the institution was dumping sensitive records.

These types of violations aren’t going away, either. A Redspin Breach Report found there was a 138 percent rise in the number of healthcare records breached in 2013, affecting some eight million records.

The Core Security whitepaper, Attack Intelligence: The Key To Reducing Risk in Healthcare, is designed to help healthcare institutions avoid these costly incidents. As the study asserts, “HIPAA-covered entities need to both identify their risks and take steps to mitigate that risk once they become aware of it.”

And yet, recent research demonstrates few healthcare industry professionals have a solid understanding of their own risks. A survey conducted by Healthcare Information Security found OCR audits have resulted in an increase in risk assessments, but that those assessments are often not complete. The data revealed 63 percent of respondents reported a data breach in 2014, and almost 50 percent acknowledged a data breach affecting a business partner. One contributing factor to these figures was that fewer than half of the 200 healthcare organizations surveyed had a documented risk assessment and risk management strategy in place and only 40 percent said they had one in the works.

While most healthcare organizations are cognizant of the need for basic security tools in assessing risk, the whitepaper asserts they do not provide the critical type of information necessary to manage risk – “actionable attack intelligence about sensitive IT assets like the medical record application servers or the backend databases that hold ePHI.”

“Healthcare organizations are familiar with risk management,” said Eric Cowperthwaite of Core Security, “But they aren’t necessarily thinking about how they’re going to be attacked. You may have a vulnerability management program. But the question is ‘How do you know which vulnerabilities matter? How do you know which possible attacks are likely – or not?’”


more...
No comment yet.
Scoop.it!

Electronic data breach planning: 4 tips for reducing liability risk | Lexology

Electronic data breach planning: 4 tips for reducing liability risk | Lexology | HIPAA Compliance for Medical Practices | Scoop.it

There is no doubt that electronic data breaches are a hot topic. The recent breach of Morgan Stanley’s customer data is a prime example and chilling reminder that businesses, no matter the amount of security measures, are at risk of an electronic data breach. Indeed, as nearly every state has passed its own set of unique electronic data breach laws, electronic data breaches are becoming a much larger liability concern for companies, in terms of both financial and reputational harm.

In 2014, Kentucky passed KRS 365.732 and joined 46 other states in quantifying and qualifying what constitutes a data breach and the obligations that arise from a breach. Like most states, Kentucky’s law does not include breaches of financial or health information which are covered under federal law in the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

Because of this increased liability, businesses should be proactive in trying to manage risk in the event a data breach occurs.

Is My Company at Risk for an Electronic Data Breach?

While the news has focused on large electronic data breaches of major retailers, electronic data breaches of a smaller scale are much more common. Even more problematic may be the reputational loss of consumer trust and confidence resulting from an electronic data breach. Any business or organization that electronically collects and/or stores personal information is susceptible to a breach. Consider the following five questions:

  1. Do you have customers’ or potential customers’ information stored electronically?
  2. Do you store or transmit electronic files with customers’ information?
  3. Do you have client information stored on a cloud or with a third party vendor?
  4. Do you process credit card transactions?
  5. Do you have wireless networks in your office?

If you answered yes to the first question, you are at risk of an electronic data breach. Answering yes to any of the questions that follow greatly increase your risk for a data breach.

What is a Data Breach?

In general, a data breach occurs when there is an unauthorized disclosure of personal information. There is no model rule for what constitutes a breach of someone’s personal information and each state can define what constitutes personal information.

In Kentucky, personal information is defined as a person’s name coupled with a social security number, driver’s license number, or credit/debit card or account number and passcode. However, some states define personal information much more broadly. For example, Texas defines personal information as any “sensitive” information.

A data breach is commonly thought of in context of computer hacking, however, data breaches can occur in a number of more innocuous ways. In fact, most statutes are defined so broadly that a data breach occurs if an employee loses his/her cellphone containing personal information of a customer. As such, most companies today, no matter size, are at risk.

Decreasing Your Company’s Electronic Data Breach Liability

Planning for and proactively adopting preventative measures in the event of an electronic data breach is the most important thing you can do to protect against potential liability. Being prepared can save you time, likely a significant amount of money, and any reputational harm associated with the data breach.

Most state laws require actual damages to bring a claim for a breach of data. Not surprisingly, in reviewing cases in which customers brought a claim for a breach of data, damages were less or non-existent when companies reacted and notified their customers quickly of the breach. (See generally Giordano v. Wachovia Sec., 2006 U.S. Dist. LEXIS 52266, Civ. No. 06-476JBS, 2006 WL 2177036 (D.N.J. July 31, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).

4 Tips for Reducing Liability Risk

While the type and amount of data a company collects or has access to will lead to varying plans, the following are some general tips that all businesses should know:

#1: Know what type of information is electronically stored. If a breach occurs, the information compromised may not be considered “personal information” under certain state laws. In addition, many state laws do not require action or impose liability if data is compromised that is encrypted. Further, take a hard look at the personal information you are collecting and determine whether such information is necessary to serve and know your customer. If the answer is no, not collecting that data would reduce your liability, as well as save valuable server or cloud space.

#2: Know where that information is stored. Most businesses use “clouds” to store their data on a remote server. Clouds offer different types of data storage, services and security levels. Many cloud vendors actually rely on subcontractors to hold their customers’ information. In many cases, these subcontractors are located overseas making any attempt to seek indemnification for a breach very difficult and expensive.

#3: Be ready to react. Have your notification template in place to communicate and know who is making that communication if a data breach occurs. Figuring out what should be done and communicated and who should lead this charge should occur before a breach occurs. Not having a plan of action will delay a reaction and likely lead to increased liability and reputational harm.

#4: Test your systems and your plan. A data breach does not have to mean that you breached the duty of care to your customers. Showing that you are using the best in class systems to prevent a breach and that you test your systems for a breach in a consistent manner, will assist in showing that you are meeting your duty of care owed to your customers.

Not only will the steps above help in limiting any liability your company may face if a data breach occurs, but it will also likely allow you to identify potential gaps in your data security, therefore, preventing a breach from occurring. Data breaches are inevitable these days, which is why having a well-defined incident response plan and team in place is important.

If you do believe customer data has been compromised, you should contact an attorney immediately to help you understand what duties you may have to notify and further protect your customers’ information. As stated above, reacting quickly can help reduce any liability that may be caused by the breach.

more...
No comment yet.
Scoop.it!

FTC's Edith Ramirez: Connected health devices create bevy of privacy risks

FTC's Edith Ramirez: Connected health devices create bevy of privacy risks | HIPAA Compliance for Medical Practices | Scoop.it

For much of 2014, the Federal Trade Commission made it a point to be a prominent voice regarding the protection of consumer health information. Last May, for instance, it published a report recommending that Congress force data brokers to be more transparent about how they use the personal information of consumers, including health information.

And in July, FTC Commissioner Julie Brill spoke about how consumers should be given more choices from developers when it comes to data sharing by smartphone apps gathering health information.

That trend continued Tuesday at the International Consumer Electronics Show in Las Vegas, where FTC Chairwoman Edith Ramirez spoke about privacy protection, including for health data. Ramirez noted, for instance, that while the Internet of Things has the potential to improve global health, the risks are massive.

"Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks," Ramirez said. "These risks to privacy and security undermine consumer trust."

Ramirez outlined three challenges to consumer privacy presented by the Internet of Things:

  • Ubiquitous data collection
  • Unexpected data use resulting in adverse consequences
  • Increased security risks

Additionally, she said that technology developers must take three steps to ensure consumer privacy:

  • Adopt "security by design"
  • Engage in data minimization
  • Boost transparency and offer consumers choices for data usage

"[T]he risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes," Ramirez said.

Members of the House Committee on Oversight and Government Reform questioned the FTC's health data and cybersecurity authority at a hearing last summer. Committee Chairman Darrell Issa (R-Calif.) said that safeguards are needed to guide the FTC's processes in determining entities subject to security enforcement.

Last January, the agency ruled that entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the FTC.


more...
No comment yet.
Scoop.it!

BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say

BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say | HIPAA Compliance for Medical Practices | Scoop.it

The $150,000 fine that U.S. Department of Health and Human Services' Office for Civil Rights levied against an Alaska mental health organization last month could be a sign that OCR is settling in after a wave of leadership changes in 2014 and gearing up to aggressively investigate HIPAA compliance complaints, according to a former federal attorney.

Ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation in an article at HealthcareInfoSecurity. He predicts more high-profile enforcement actions in 2015.

Holtzman echoes a warning from Jerome B. Meites, OCR chief regional counsel for the Chicago area, who told an American Bar Association conference last summer that the whopping fines levied over the past year will "pale in comparison" to those expected to come.

Meanwhile, privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson, in an interview with HealthcareInfoSecurity, urge healthcare organizations to conduct their own mock audits to determine any exposures and to do their best to fix those problems.

They also recommend keeping all such documentation in one place--including all records of HIPAA education programs conducted with staff, and evidence that they've reviewed all business associate agreements--and ensuring that it's up to date. Chestler and Fraiche foresee BA agreements being a bigger target of OCR enforcement actions in 2015.

In particular, Chestler and Fraiche say, organizations need to re-examine all bring-your-own-device policies and make sure they address any issues that have arisen since those policies were last reviewed.

In September, OCR announced it was delaying the start of the second round of audits in order get a web portal up an running through which entities could submit information. A specific start date has not been announced, only that the new audits will begin in early 2015.

Brett Short, chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, spoke with FierceHealthIT about receiving a call from an auditor when the organization had never received a letter saying it had 10 days to submit required documents.


more...
No comment yet.
Scoop.it!

HIPAA audits to resume soon

HIPAA audits to resume soon | HIPAA Compliance for Medical Practices | Scoop.it

Long-term care providers should get ready for the second round of HIPAA compliance audits this year, but the agency in charge of them is keeping mum about the exact date.

And while Health & Human Services' Office for Civil Rights (OCR) expects to single out only around 110 providers, long-term care facilities are being urged to begin preparations as soon as possible, Kelly McLendon, managing director of CompliancePro Solutions, said during a recent Health Care Compliance Association webinar. That includes performing security and risk analyses, updating privacy and security incident response plans and automating privacy and security investigation, tracking and management protocols, according to published reports.

The agency has not announced specifics yet, but the coming round of audits could focus heavily on HIPAA security and privacy risk management, breach notification and Notice of Privacy practices.

OCR was scheduled to do the audits last year but went idle because of funding problems. Providers are advised not to rely on audit protocols issued in 2012, the last time OCR performed audits, and watch for phase two protocols to be posted on the OCR website. Audits will likely begin about 90 days after posting, McLendon said.

The news will do little to help a Denver-area pharmacy that specializes in compounded medications for area hospice agencies, according to published reports. The business will have to pay $125,000 and take corrective measures after local media notified the OCR it allegedly disposed of unsecured documents in an unlocked, open container. The documents reportedly contained private health data on more than 1,600 patients.


more...
No comment yet.
Scoop.it!

HIPAA Audits Are Still on Hold

HIPAA Audits Are Still on Hold | HIPAA Compliance for Medical Practices | Scoop.it

`The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.

The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.


Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.

Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.

In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.

"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."

In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.

Rules In the Works

In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:

  • A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health;
  • An advanced notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
  • A possible request for additional public input on OCR's proposed accounting of disclosures rule making. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.

In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.

Other Enforcement Activities

OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."

OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.

"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.


more...
No comment yet.
Scoop.it!

HIPAA privacy and public health emergency situations

HIPAA privacy and public health emergency situations | HIPAA Compliance for Medical Practices | Scoop.it

In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) has issued a bulletin reminding health care providers that the protections under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are not set aside during an emergency.  OCR reminds covered entities that “the protections of the Privacy Rule are not set aside during an emergency.”  OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures.  Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, as well as provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization.  OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient.  HIPAA also allows covered entities to release patient information without authorization for certain public health activities.  A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability.  Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority.   In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law.  Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information.  A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons who the patient identifies as being involved in the patient’s care and disaster relief organizations.  Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies.  For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies.  Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient.  If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, if the patient has not objected or restricted the release of this information, but information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences.   General information about a patient’s condition includes critical or stable, deceased, or treated and released.  OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or  specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin is applicable.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act.  The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency.  The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol.  Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.


more...
No comment yet.
Scoop.it!

CHIME chairman calls for mixed approach to security

CHIME chairman calls for mixed approach to security | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations need a variety of strategies to address security threats, according to Charles Christian, CIO at Columbus, Georgia-based St. Francis Hospital and new chairman of the College of Healthcare Information Management Executives (CHIME).

That includes technology, education, policy and best practices, he says, in an interview with HealthcareInfoSecurity.

"We have to be diligent and constantly learn about what might occur so we can prepare for that," Christian says. "It's not just one or two things, it's a variety of things that we must do."

Beyond policy, it involves ensuring that employees are education about security, and auditing "to make sure the education is sticking," he says. On the technology side, it includes network access controls, firewalls and encryption.

CHIME is working with the Office of the National Coordinator for Health IT on interoperability, security and other issues.

"I'm really glad the ONC is looking at this," Christian says. "With their office's attention on this, it really raises the level of importance of cybersecurity up where it needs to be."

In an attempt to close a gap its members found in organizations focused on cybersecurity, CHIME created its own last summer--the Association for Executives in Healthcare Information Security, he explains.

The new organization will be focused on "supporting the professional development and peer-to-peer needs of CSOs," according to CHIME.

Small organizations, in particular, often can't afford to have a dedicated security person. To that end, the new organization is trying to provide needed security education so that such organizations don't have to rely on system or application vendors for this knowledge, Christian says.

Security experts foresee even more cyberattacks on healthcare organizations in 2015, especially increases in phishing and ransomware attacks.

Jeff Bell, HIMSS privacy and security committee chair, urges organizations to heed the cyberthreat intelligence provided by the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and others.


more...
No comment yet.
Scoop.it!

Survey: Charging patients for EHR access may violate HIPAA

Survey: Charging patients for EHR access may violate HIPAA | HIPAA Compliance for Medical Practices | Scoop.it
Dive Brief:
  • A survey of healthcare providers has revealed that as much as 25% of those who charge patients for EHRs may be violating HIPAA rules by doing so, according to a report released by the American Health Information Management Association.
  • While it is permitted to charge patients a "reasonable, cost-based fee" to access their electronic medical records, the survey revealed that many providers simply mimic their individual state's photocopy policy for public records requests, charging around $1 per page. Because the fee being charged to the patient is not related to the cost of providing the record, it constitutes a violation of HIPAA policy, the report stated.
  • "Regarding charges for electronic and paper copies of records, more than half (52.6%) of respondents indicated that they charge patients for electronic copies of their medical records, and nearly two-thirds (64.7%) reported that they charge patients for paper copies of their medical records," the report stated. "Charges for electronic copies varied from a flat fee for a device to per-page fees or some combination of the two, and charges for paper copies were generally by page, with 65% reporting that they charged less than $1.00 per page. Nearly one in four respondents (23.6%) commented that they follow their state's rates for copies. Following the state rates would suggest that the fees are not uniquely based on the cost to the facility. This finding would appear to be inconsistent with HIPAA and HITECH requirements that patients may only be charged a 'reasonable cost-based fee' for copies of their medical records."
Dive Insight:

There is no doubt that the implementation of EHRs is one of the most expensive projects to hit the healthcare industry since its inception, and it's obvious that the cost of implementation is going to eventually be picked up by the consumer. Taxpayers are already footing the bill for the $28 billion already appropriated by Congress to facilitate EHR implementation through its meaningful use program, but that still doesn't cover all of their EHR expenses.

All that being said, what's at issue here is a patient's right to obtain his or her medical records. The whole point of the paperless revolution is to streamline health information and reduce costs associated with paper-only records. By that logic, HIPAA requirements are reasonable. They simply state that providers don't have the right to charge patients unreasonably to get electronic copies of their records.

Now, $1 a page (or even less) may not sound unreasonable on the surface, but with medical advances transforming many fatal conditions into chronic conditions, patients are living longer with proper treatment. It's not uncommon for a cancer patient in remission to have hundreds of pages in their medical records. And in the age of the ACA, many patients are changing doctors and plans, necessitating transfer of the EHRs. Is it fair to charge several hundred dollars for a process that is equivalent in many cases to pointing, clicking and sending an email?


more...
No comment yet.
Scoop.it!

HIPAA Security Evaluation – HIPAA Risk Analysis – Explained -

HIPAA Security Evaluation – HIPAA Risk Analysis – Explained - | HIPAA Compliance for Medical Practices | Scoop.it

Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh?

Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation versus HIPAA Security Risk Analysis.No wonder, the terms are often used interchangeably.

Let’s end the confusion…


Technically, one might argue when it comes to regulatory compliance of any type, three types of assessments can be completed:

1.Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”

2.Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”

3.Readiness Assessments answer questions like “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and are we ready for audit.

We focus on the first two in this post because these are the ones you must complete.Both are Required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law including all 18 Standards and 42 Implementation specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) in the HIPAA Security Final Rule.Additionally, this evaluation must cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures and Documentation.

As indicated above, completing this HIPAA Security Compliance Evaluation is required by every Covered Entity and Business Associate. The language of the law is in 45 C.F.R. § 164.308(a)(8):

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program and maintaining an existing program.The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board.Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:

A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is also required by law to be performed by every Covered Entity and Business Associate.Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives.Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by The HITECH Act, the Office of Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.This guidance was published on July 8, 2010.No specific methodology was indicated.However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed.We have designed a Risk Analysis methodology and ToolKit around these elements while using industry best practices.

As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of risk, along with mitigation actions involving new safeguards or controls:

Upon completion of the Risk Analysis for all information assets, an overall Risk Analysis Project Tracking tool would be used to ensure ongoing project management of the implementation of safeguards:

So, when it comes to HIPAA Security Compliance Evaluation, think:

  • Forest-level view
  • Overall compliance with the HIPAA Security Final Rule
  • Establishing baseline evaluation score for measuring progress
  • Asking: Have we documented appropriate policies and procedures, etc?
  • Asking: Are we performing against our policies and procedures?

When it comes to HIPAA Security Risk Analysis, think:

  • Trees/Weeds-level view of each information asset with PHI
  • Meeting a specific step in the overall compliance process
  • Understanding current safeguards and controls in place
  • Asking: What are our specific risks and exposures to information assets?
  • Asking: What do we need to do to mitigate these risks?

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are, required by law and important and necessary steps on your HIPAA HITECH Security compliance journey.


more...
No comment yet.
Scoop.it!

What Constitutes a HIPAA Violation? | HealthITSecurity.com

What Constitutes a HIPAA Violation? | HealthITSecurity.com | HIPAA Compliance for Medical Practices | Scoop.it

No individual wants his or her protected health information (PHI) to be unnecessarily made public. Not only is the information personal, but if it fell into the wrong hands, it could lead to many issues – personal and even medical – for the patient in question.

As technology continues to evolve, it also seems that the number of healthcare data breaches is on the rise. Rightfully so, more people are becoming aware of how their information is shared electronically. But are all concerns over electronic data sharing warranted? Is everything considered a HIPAA violation?

That concern is one reason why some hospitals are reportedly abandoning a long-held tradition: announcing the first birth of the new year. Community Health Systems recently ordered its facilities nationwide to stop publicizing the first baby born in the year, according to the Associated Press.

“We know the birth of the new year baby is a joyous and exciting event, but protecting patient safety and privacy is our most important responsibility,” Community Health spokeswoman Tomi Galin told the news source.

Galin added that the move was a preventative measure, and not because of specific threats or abduction attempts. Moreover, the National Center for Missing & Exploited Children cautions healthcare providers how much information they give to the media, Galin said. For example, home addresses or other personally identifiable information does not need to be released.

Community Health made headlines last year when it reported that Chinese cyber criminals hacked into its database, compromising the information of 4.5 million patients. The data included names, addresses, birth dates, telephone numbers and Social Security numbers. However, no credit card or medical data were involved.

Another surprising area where a HIPAA violation concern arose was in Major League Baseball. Matt Kemp played for the Los Angeles Dodgers, and was involved in a trade deal that would send him to the San Diego Padres. However, there were concerns over Kemp’s physical condition, according to a Yahoo Sports story. Specifically, a USA Today article reported that Kemp’s physical showed severe arthritis in his hips.

Yahoo Sports quoted a tweet from Ken Rosenthal, which said it would not be good if the Padres had leaked the medical information.

“Information damages Kemp in public realm. Gives appearance of #Padres trying to leverage medical information. And is a violation of HIPAA,” read the tweet.

But what exactly constitutes a HIPAA violation? According to the Department of Health and Human Services (HHS), organizations defined as a HIPAA covered entity need to comply with the rule’s requirements to protect patients’ privacy and security.

“If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information,” according to HHS.

Something that is seemingly innocent, such as announcing the first baby born in a new year, will not always lead to things such as identity theft. However, too much personal information, or information that is given without written parental consent, might be enough for a criminal to take advantage of the situation.

In terms of professional athletes, their information is often in the public eye. But covered entities must remain diligent in keeping PHI safe, regardless of who the data belongs to. Neither of these situations is necessarily a HIPAA violation, but it is important for healthcare organizations – and their patients – to remain current on all regulations to best protect sensitive information.


more...
No comment yet.