HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Making The Most Out Of HIPAA/HITECH Compliance Consulting


Times are changing, and as new laws affect the health care sector, you can’t afford any future issues due to non-compliance. Planning is essential to avoid unnecessary costs and save time.

 

Though HIPAA compliance is a federal mandate, at iHealthOne we believe that treating it as a proactive measure, rather than a box to tick, is what actually enhances the privacy and security of your electronic health records.

 

If patients discover that you are HIPAA/HITECH non-compliant, they may become unwilling to disclose the essential health information you need to treat them.

 

A HIPAA/HITECH compliance consultancy can take much of that burden off your practice. In this article, we walk you through this essential regulatory process.

 

IS HIPAA/HITECH COMPLIANCE CONSULTANCY ESSENTIAL?

 

Whether a seasoned or new practice, it helps to accept guidance from a consultancy on all phases of compliance.

 

A consultancy does extra research on the necessary and up-to-date information your staff require for implementation. It can provide further training for stress-free self-administration and subsequent compliance.

 

Consultants conduct a risk analysis and advise on setting up safeguards to avoid HIPAA/HITECH violations. They provide detailed reports on your risk exposure, as well as checklists and customized forms that suit your practice.

 

This includes breach notifications, disaster recovery, and risk management solutions. Consequently, this can play an important role in improving your health strategy plans for smooth operation.

 

WHO SHOULD CONSIDER HIPAA/HITECH COMPLIANCE CONSULTING?

 

If you are a covered entity, that is, a health plan, healthcare clearinghouse, or healthcare provider that handles patient information, HIPAA/HITECH compliance consultancy is vital. The same applies to business associates and their subcontractors, who are directly liable for HIPAA compliance.

 

EXTRA TIPS ON COMPLIANCE

 

Ensure you always comply on time. This paves the way for effective management of patient data security and assessment services, and it spares you avoidable lawsuits or hefty fines for non-compliance.

 

EHR1 has a compliance department that can help you recognize potential gaps and strengthen the security and confidentiality of client data.

 

You gain the most out of our quality technical safeguards. With the EHR1 certified cloud-based dental software, we counsel you on corrective measures to adopt before a compliance review or OCR audit. You also have access to our:

• Vulnerability scans
• Network penetration testing
• Electronic health records software upgrades
• Effective incident response planning
• Implementation of an information security program
• Improved customer trust and organizational reputation services, among others.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA Privacy Rules, Mental Health, and Addiction: When can PHI be shared without consent?


HIPAA is designed to protect patient confidentiality.

What happens when patient confidentiality conflicts with a patient being able to receive the best care possible? 

 

In cases of mental health and addiction, such as the current opioid overdose crisis, there are situations in which a covered healthcare provider may share protected health information (PHI) to help the patient. 

 

In this post, we’ll share guidance on sharing protected information to prevent harm in both mental health and opioid overdose situations.

 

While HIPAA may permit disclosure of patient information, there may be other overlapping privacy laws related to individual states or other regulations that need to be taken into consideration before the information is shared.

Mental Health and Privacy

When addressing mental health issues, HIPAA rules provide guidance on sharing patient information to ensure that the patient receives the best treatment and care possible. Disclosure of information is also acceptable when the health and safety of the patient and others are at risk. 

 

Communicating with a patient’s family members, friends, and others involved in the patient’s care. If a patient is present, has the capacity to make decisions, and does not object, a healthcare professional can discuss treatment or payment issues with them.

 

If the patient is not present or is incapacitated (intoxicated or experiencing temporary psychosis, for example), the patient’s information can be shared if the provider, in his or her professional judgment, determines that doing so is in the patient’s best interests. Section 164.510(b)(3) of the HIPAA Privacy Rule sets out this permission.

 

Patient with mental illness not taking medication. If a patient doesn’t object, a provider can share patient information with family members.

 

If a patient does object, but the provider believes that the unmedicated patient poses a serious and imminent danger to herself or others, then the provider can share pertinent information, if consistent with applicable law and standards of ethical conduct. 

 

Communications with law enforcement. The Privacy Rule permits a doctor to contact family or law enforcement if the doctor believes that such a warning is needed to prevent or at least lessen an imminent threat to the health or safety of the patient or others.

 

For instance, if a patient makes a credible threat to do harm to someone, a mental health professional can alert police, school administrators, family, and others who may be able to intervene.

HIPAA Privacy and Opioid Overdose

Sadly, opioid addiction continues to hold sway across much of the United States. Despite HIPAA regulations that allow healthcare providers to share PHI with family members, confusion remains. 

 

Healthcare providers can share information related to the care and treatment of a patient in a crisis situation, such as a drug overdose.

 

If the provider determines that the best interests of an incapacitated or unconscious patient involve sharing information with family or close friends, they can do so. 

 

However, while they can share information about the overdose, a healthcare provider cannot share medical information unrelated to the ongoing care and treatment of the patient. 

HIPAA and Changes to Decision-Making Capacity

Regardless of whether a patient can or cannot make a decision due to mental health or an overdose issue, the situation can change. 

 

Because the inability to make a decision can be temporary, a healthcare provider must give the patient a chance to decide whether to continue to share information or not when the patient is once again able to make a decision.

 

For instance, someone intoxicated to the point of unconsciousness or incoherence will eventually become sober. The patient can then object to future information sharing. However, as already described, the provider can still share PHI if, in their professional judgment, the patient poses a serious and imminent threat to himself or others. 

Healthcare Power of Attorney

A patient’s “personal representative” has authority, under applicable law, to make healthcare decisions for a patient.

 

They have the same rights of access to health information as the patient. A provider may refuse to share information if they believe that the personal representative has subjected the patient to violence, abuse, or neglect. 

Patient Care Outweighs Patient Privacy

Simply stated, the rules around HIPAA privacy are designed to ensure the best possible healthcare outcome for the patient. For patients who are unable to make decisions for themselves, their PHI can be shared with loved ones to ensure care.

 

There is also a “duty to warn” in situations where the patient is a danger to him/herself or others. 

 


HIPAA Social Media Rules


HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations.

 

There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules?

HIPAA and Social Media

The first rule of using social media in healthcare is to never disclose protected health information on social media channels. The second rule is to never disclose protected health information on social media. (see the definition of protected health information for further information).

 

The HIPAA Privacy Rule prohibits the use or disclosure of PHI on social media networks without the patient’s authorization. That includes any text about specific patients as well as images or videos that could result in a patient being identified. PHI can only be included in social media posts if the patient has signed a valid HIPAA authorization, and then only for the purpose specifically stated in that authorization.

Social media channels can be used for posting health tips, details of events, new medical research, bios of staff, and for marketing messages, provided no PHI is included in the posts.

Employees Must be Trained on HIPAA Social Media Rules

In 2017, 71% of all Internet users visited social media websites. The popularity of social media networks combined with the ease of sharing information means HIPAA training should include the use of social media. If employees are not specifically trained on HIPAA social media rules it is highly likely that violations will occur.

Training on HIPAA should be provided before an employee starts working for the company or as soon as is possible following appointment. Refresher training should also be provided at least once a year to ensure HIPAA social media rules are not forgotten.

HIPAA Violations on Social Media

In 2015, ProPublica published the results of an investigation into HIPAA social media violations by nurses and care home workers. The investigation primarily centered on photographs and videos of patients in compromising positions and patients being abused.

 

In some cases, images and videos were widely shared, in others photographs and videos were shared in private groups. ProPublica uncovered 47 HIPAA violations on social media since 2012, although there were undoubtedly many more that were not discovered and were never reported.

 

In most cases, the HIPAA violations on social media resulted in disciplinary action against the employees concerned, there were several terminations for violations of patient privacy, and in some cases, the violations resulted in criminal charges. A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in jail.

 

It is not only employees that can be punished for violating HIPAA Rules. There are also severe penalties for HIPAA violations for healthcare providers.

Common Social Media HIPAA Violations

  • Posting of images and videos of patients without written consent
  • Posting of gossip about patients
  • Posting of any information that could allow an individual to be identified
  • Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
  • Sharing of photos, videos, or text containing PHI within a private group (restricting the audience does not make the disclosure permissible)

HIPAA Social Media Guidelines

Listed below are some basic HIPAA social media guidelines to follow in your organization, together with links to further information to help ensure compliance with HIPAA Rules.

  • Develop clear policies covering social media use and ensure all employees are aware of how HIPAA relates to social media platforms
  • Train all staff on acceptable social media use as part of HIPAA training and conduct refresher training sessions annually
  • Provide examples to staff on what is acceptable – and what is not – to improve understanding
  • Communicate the possible penalties for social media HIPAA violations – termination, loss of license, and criminal penalties
  • Ensure all new uses of social media sites are approved by your compliance department
  • Review and update your policies on social media annually
  • Develop policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media accounts
  • Develop a policy that requires personal and corporate accounts to be totally separated
  • Create a policy that requires all social media posts to be approved by your legal or compliance department prior to posting
  • Monitor your organization’s social media accounts and communications and implement controls that can flag potential HIPAA violations
  • Maintain a record of social media posts using your organization’s official accounts that preserves posts, edits, and the format of social media messages
  • Do not enter into social media discussions with patients who have disclosed PHI on social media.
  • Encourage staff to report any potential HIPAA violations
  • Ensure social media accounts are included in your organization’s risk assessments
  • Ensure appropriate access controls are in place to prevent unauthorized use of corporate social media accounts
  • Moderate all comments on social media platforms
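The guideline above about monitoring your organization's accounts and implementing controls that can flag potential violations is the one item on this list that a security engineer would actually build. The following is an added example, not code from the original article or from any vendor named on this page: a small scanner that runs over a constructed sample feed and flags posts containing identifier-like fragments (dates, phone numbers, SSNs, record numbers, e-mail addresses, ages over 89) or the name of a current patient. The regular expressions, the `SAMPLE_POSTS` feed and the `SAMPLE_ROSTER` are all this example's own assumptions. Note that a finding means "a human must review this before it stays up", not "this is PHI": the clinic's own phone number and a staff member's start date both trip the patterns, which is exactly why the guideline says "flag" rather than "block".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Regular expressions for a handful of the HIPAA identifier classes that turn up
# in careless posts. These patterns are this example's own choices, not a list
# published by OCR, and they err on the side of flagging too much.
PATTERNS = {
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # HIPAA treats any age over 89 as an identifier: 90-199 followed by year/yr/y/o.
    "age_over_89": re.compile(r"\b(?:9\d|1\d{2})[- ]?(?:year|yr|y/o)", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    post_id: str
    category: str
    matched: str


def scan_post(post_id: str, text: str, patient_names: set[str]) -> list[Finding]:
    """Return every identifier-like fragment found in one post (for human review)."""
    findings = [
        Finding(post_id, category, m.group(0))
        for category, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    # Roster match: the name of a current patient is PHI on its own, even with
    # no number attached to it. Plain case-insensitive substring match.
    lowered = text.lower()
    findings += [
        Finding(post_id, "patient_name", name)
        for name in sorted(patient_names)
        if name.lower() in lowered
    ]
    return findings


def scan_feed(posts: list[tuple[str, str]], patient_names: set[str]) -> dict[str, list[Finding]]:
    """Map post_id -> findings for every post that needs review; clean posts are omitted."""
    flagged = {}
    for post_id, text in posts:
        found = scan_post(post_id, text, patient_names)
        if found:
            flagged[post_id] = found
    return flagged


# Constructed sample feed (not real posts). p3 and p5 are false positives a
# reviewer would clear; p2 and p4 are the kind of post that gets people fired.
SAMPLE_POSTS = [
    ("p1", "Flu shots are available at the clinic all week. Walk-ins welcome!"),
    ("p2", "Crazy shift today, Jane Doe came in with an overdose again. Smh"),
    ("p3", "Our new hygienist Ana joined us on 03/14/2023, say hi!"),
    ("p4", "Pt in room 4 (MRN 0048213) is 92-year-old and keeps singing, love him"),
    ("p5", "Call us at (555) 867-5309 to book an appointment."),
]
SAMPLE_ROSTER = {"Jane Doe", "Robert Roe"}  # constructed patient names


if __name__ == "__main__":
    for post_id, found in scan_feed(SAMPLE_POSTS, SAMPLE_ROSTER).items():
        for f in found:
            print(f"{post_id}: {f.category:12} {f.matched!r}")
```

In a real deployment the feed would come from the platform's API for your official accounts, the roster lookup would hit a hashed or tokenized patient index rather than a plain set of names, and every finding would be routed to the compliance reviewer named in your policy rather than printed.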

 

The Department of Health and Human Services’ Office for Civil Rights has issued guidance on HIPAA social media regulations, detailing the specific aspects of HIPAA that apply to social media networks. A HIPAA compliance checklist for social media can be viewed on the HHS website.


HIPAA Police –Are They Coming For You?


As reported by Health and Human Services (HHS), HIPAA fines and audits are significantly on the rise, and a sample of practices is being audited against the HITECH Act and Omnibus Rule. Are you compliant?

 

“How do all these regulations affect me as a Healthcare Covered Entity or Business Associate?”

To answer that question, let’s first look at what the regulations are and get a brief description. Once we read and understand what we are facing, the steps to complying with the rules should be attainable. I would love to say attaining compliance is easy, but with anything in life, if you want success you will have to work for it.

 

HITECH ACT

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created to motivate the implementation of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

 

The HITECH act specified that by the beginning of 2011, healthcare providers would be given monetary incentives for being able to demonstrate Meaningful Use (MU) of electronic health records (EHR). These monetary incentives, up to $44,000 per doctor, will be offered until 2016, after which time penalties will be levied for failing to demonstrate such use.

 

FYI, the main failure that the Centers for Medicare & Medicaid Services (CMS) has found when auditing providers who implemented an EHR system is a failure to perform a proper Risk Analysis.

 

OMNIBUS RULE

The federal push to implement electronic medical records and health IT compliance prompted HHS to adopt the long-awaited HIPAA Omnibus Rule: http://compliancy-group.com/hipaa-omnibus-rule

The Omnibus Rule was finalized by the Office for Civil Rights (OCR). The Office of Management and Budget (OMB) approved the final rule and subsequently published it in the Federal Register.

 

The rule effectively merges four separate rulemakings:

  • Amendments to the HIPAA Privacy and Security Rule requirements;
  • HIPAA and the HITECH Act brought together under one rule;
  • Further requirements for data breach notification and penalty enforcement;
  • Adoption of final regulations for the HITECH Act’s breach notification rule.

 

It is apparent for this new rule that the health care industry will need to educate patients with regards to their privacy and disclosure rights. Patients will need to know how their information is used and disclosed, and how to submit complaints pertaining to privacy violations. Health Care providers should also try to better understand HIPAA requirements so that they are aware of their risks and responsibilities towards their patients.

 

In addition, the Omnibus Rule governs the use of patient information in marketing; replaces the “harm threshold” provision that previously allowed healthcare providers to refrain from reporting data breaches they deemed not harmful; makes business associates and subcontractors directly liable for their own breaches; and, for the first time since HIPAA was introduced, requires business associates and subcontractors to comply with the HIPAA Privacy and Security requirements themselves.

 

So, what does compliance with these rules look like? Is it a 3-ring binder on a shelf with some policies, is it an online training course, or is it my IT person telling me I am protected? Actually, it is a little of all three.

  1. RISK ANALYSIS– A true risk analysis covers administrative safeguards (policies and procedures), technical safeguards (how your network, computers, and routers are protected), and physical safeguards (what you have put in place at your location: alarms, shredding, screen protectors).
  2. RISK MANAGEMENT– The risk analysis will identify deficiencies. Risk management is then put in place to track how your remediation plan will fix the deficiencies found during the risk analysis.
  3. VENDOR MANAGEMENT– Vendor management tracks the companies and people that access your site where PHI or ePHI is stored and keeps track of who you share PHI or ePHI with. Depending on the relationship, you will want either a Business Associate Agreement (if they meet the requirements for being labeled a Business Associate) or a Confidentiality Agreement. Remember, for Business Associates, an agreement alone is not enough; you also need assurances that they are complying with the HIPAA Security Rule before you share, or continue to share, PHI or ePHI with them.
  4. DOCUMENT MANAGEMENT– It is hard to imagine compliance without a place to store policies, procedures, business associate agreements, and other compliance documents. Why? Because the rule specifically states that you must retain all compliance documents for a minimum of 6 years (depending on the state your business is in, these rules may be more stringent).
  5. TRAINING OF YOUR STAFF– One of the most important aspects of compliance is the tracking of not only HIPAA 101 training for your staff but also of your staff’s acknowledgment that they understand the HIPAA Privacy and Security Policies that you

 
 

HIPAA audits to resume soon


Long-term care providers should get ready for the second round of HIPAA compliance audits this year, but the agency in charge of them is keeping mum about the exact date.

And while Health & Human Services' Office for Civil Rights (OCR) expects to single out only around 110 providers, long-term care facilities are being urged to begin preparations as soon as possible, Kelly McLendon, managing director of CompliancePro Solutions, said during a recent Health Care Compliance Association webinar. That includes performing security and risk analyses, updating privacy and security incident response plans and automating privacy and security investigation, tracking and management protocols, according to published reports.

The agency has not announced specifics yet, but the coming round of audits could focus heavily on HIPAA security and privacy risk management, breach notification and Notice of Privacy practices.

OCR was scheduled to do the audits last year but went idle because of funding problems. Providers are advised not to rely on audit protocols issued in 2012, the last time OCR performed audits, and watch for phase two protocols to be posted on the OCR website. Audits will likely begin about 90 days after posting, McLendon said.

The news will do little to help a Denver-area pharmacy that specializes in compounded medications for area hospice agencies, according to published reports. The business will have to pay $125,000 and take corrective measures after local media notified the OCR it allegedly disposed of unsecured documents in an unlocked, open container. The documents reportedly contained private health data on more than 1,600 patients.



HIPAA Audits Are Still on Hold


The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.

The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.


Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.

Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.

In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.

"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."

In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.

Rules In the Works

In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:

  • A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health;
  • An advance notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
  • A possible request for additional public input on OCR's proposed accounting of disclosures rule making. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.

In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.
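The proposed access report is, in practice, a query over the EHR's audit trail: for one patient, every access in the look-back window, with when it happened, who did it, what information was touched and what was done with it. The following is an added example, not OCR's or any EHR vendor's code, showing how such a report could be assembled. The JSON-lines log format, the field names (`ts`, `user`, `patient`, `action`, `object`) and the `SAMPLE_AUDIT_LOG` contents are all constructed for this example; line 6 of the sample is deliberately garbled so the code shows a broken record being surfaced to the auditor rather than silently dropped.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed EHR audit log in JSON-lines form (this example's own layout,
# not any product's). Line 6 is intentionally truncated.
SAMPLE_AUDIT_LOG = """\
{"ts": "2013-06-01T09:12:03Z", "user": "dr.smith", "patient": "P-1001", "action": "read", "object": "progress_note"}
{"ts": "2014-11-20T14:45:10Z", "user": "nurse.jones", "patient": "P-1001", "action": "modify", "object": "medication_list"}
{"ts": "2014-11-21T08:00:00Z", "user": "billing-vendor", "patient": "P-1001", "action": "read", "object": "claim"}
{"ts": "2015-01-05T10:30:00Z", "user": "dr.smith", "patient": "P-2002", "action": "read", "object": "lab_result"}
{"ts": "2011-02-14T11:00:00Z", "user": "dr.smith", "patient": "P-1001", "action": "create", "object": "encounter"}
{"ts": "2014-11-22T09:00:00Z", "user": "dr.smith", "patient": "P-1001"
"""


def _parse_ts(value: str) -> datetime:
    """Audit timestamps in this sample are UTC in ISO 8601 form with a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def access_report(log_text: str, patient_id: str, request_date: str, years: int = 3) -> dict:
    """Build the access report for one patient.

    request_date is an ISO date (YYYY-MM-DD). The window runs `years` back from
    it, matching the three-year look-back in the 2011 proposal. Each entry keeps
    the four proposed elements: when, who, what information, and what was done.
    Records that cannot be parsed are reported by line number, not discarded.
    """
    end = datetime.strptime(request_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    start = end - timedelta(days=365 * years)
    entries, skipped = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ts = _parse_ts(rec["ts"])
            patient = rec["patient"]
            entry = {
                "when": rec["ts"],
                "who": rec["user"],
                "what": rec["object"],
                "action": rec["action"],
            }
        except (ValueError, KeyError, TypeError):
            # A record the auditor cannot read is itself a finding.
            skipped.append(lineno)
            continue
        if patient == patient_id and start <= ts <= end:
            entries.append(entry)
    # Same fixed-width UTC format on every record, so string order is time order.
    entries.sort(key=lambda e: e["when"])
    return {
        "patient": patient_id,
        "window": (start.date().isoformat(), end.date().isoformat()),
        "entries": entries,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = access_report(SAMPLE_AUDIT_LOG, "P-1001", "2015-01-15")
    print(f"Access report for {report['patient']}, window {report['window']}")
    for e in report["entries"]:
        print(f"  {e['when']}  {e['who']:15} {e['action']:7} {e['what']}")
    if report["skipped_lines"]:
        print(f"  unreadable audit records at lines: {report['skipped_lines']}")
```

The design point worth taking from this is that the report is only as good as the audit trail underneath it: the Security Rule's audit-control requirement is what makes the "who" and "what was done" columns answerable at all, and unreadable or missing records have to be visible in the output rather than quietly narrowing it.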

Other Enforcement Activities

OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."

OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.

"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.



HIPAA privacy and public health emergency situations


In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a bulletin reminding health care providers that “the protections of the Privacy Rule are not set aside during an emergency.”  OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures.  Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, and should provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization.  OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient.  HIPAA also allows covered entities to release patient information without authorization for certain public health activities.  A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability.  Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority.   In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law.  Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information.  A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons who the patient identifies as being involved in the patient’s care and disaster relief organizations.  Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies.  For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies.  Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient.  If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, if the patient has not objected or restricted the release of this information, but information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences.   General information about a patient’s condition includes critical or stable, deceased, or treated and released.  OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or  specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin is applicable.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act.  The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency.  The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol.  Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.



CHIME chairman calls for mixed approach to security


Healthcare organizations need a variety of strategies to address security threats, according to Charles Christian, CIO at Columbus, Georgia-based St. Francis Hospital and new chairman of the College of Healthcare Information Management Executives (CHIME).

That includes technology, education, policy and best practices, he says, in an interview with HealthcareInfoSecurity.

"We have to be diligent and constantly learn about what might occur so we can prepare for that," Christian says. "It's not just one or two things, it's a variety of things that we must do."

Beyond policy, it involves ensuring that employees are educated about security, and auditing "to make sure the education is sticking," he says. On the technology side, it includes network access controls, firewalls and encryption.

CHIME is working with the Office of the National Coordinator for Health IT on interoperability, security and other issues.

"I'm really glad the ONC is looking at this," Christian says. "With their office's attention on this, it really raises the level of importance of cybersecurity up where it needs to be."

To close a gap its members found in organizations focused on cybersecurity, CHIME created its own organization last summer--the Association for Executives in Healthcare Information Security, he explains.

The new organization will be focused on "supporting the professional development and peer-to-peer needs of CSOs," according to CHIME.

Small organizations, in particular, often can't afford to have a dedicated security person. To that end, the new organization is trying to provide needed security education so that such organizations don't have to rely on system or application vendors for this knowledge, Christian says.

Security experts foresee even more cyberattacks on healthcare organizations in 2015, especially increases in phishing and ransomware attacks.

Jeff Bell, HIMSS privacy and security committee chair, urges organizations to heed the cyberthreat intelligence provided by the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and others.



Survey: Charging patients for EHR access may violate HIPAA

Dive Brief:
  • A survey of healthcare providers has revealed that as much as 25% of those who charge patients for EHRs may be violating HIPAA rules by doing so, according to a report released by the American Health Information Management Association.
  • While it is permitted to charge patients a "reasonable, cost-based fee" to access their electronic medical records, the survey revealed that many providers simply mimic their individual state's photocopy policy for public records requests, charging around $1 per page. Because the fee being charged to the patient is not related to the cost of providing the record, it constitutes a violation of HIPAA policy, the report stated.
  • "Regarding charges for electronic and paper copies of records, more than half (52.6%) of respondents indicated that they charge patients for electronic copies of their medical records, and nearly two-thirds (64.7%) reported that they charge patients for paper copies of their medical records," the report stated. "Charges for electronic copies varied from a flat fee for a device to per-page fees or some combination of the two, and charges for paper copies were generally by page, with 65% reporting that they charged less than $1.00 per page. Nearly one in four respondents (23.6%) commented that they follow their state's rates for copies. Following the state rates would suggest that the fees are not uniquely based on the cost to the facility. This finding would appear to be inconsistent with HIPAA and HITECH requirements that patients may only be charged a 'reasonable cost-based fee' for copies of their medical records."
Dive Insight:

There is no doubt that the implementation of EHRs is one of the most expensive projects to hit the healthcare industry since its inception, and it's obvious that the cost of implementation is going to eventually be picked up by the consumer. Taxpayers are already footing the bill for the $28 billion already appropriated by Congress to facilitate EHR implementation through its meaningful use program, but that still doesn't cover all of their EHR expenses.

All that being said, what's at issue here is a patient's right to obtain his or her medical records. The whole point of the paperless revolution is to streamline health information and reduce costs associated with paper-only records. By that logic, HIPAA requirements are reasonable. They simply state that providers don't have the right to charge patients unreasonably to get electronic copies of their records.

Now, $1 a page (or even less) may not sound unreasonable on the surface, but with medical advances transforming many fatal conditions into chronic conditions, patients are living longer with proper treatment. It's not uncommon for a cancer patient in remission to have hundreds of pages in their medical records. And in the age of the ACA, many patients are changing doctors and plans, necessitating transfer of the EHRs. Is it fair to charge several hundred dollars for a process that is equivalent in many cases to pointing, clicking and sending an email?



HIPAA Security Evaluation – HIPAA Risk Analysis – Explained


Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh?

Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation and a HIPAA Security Risk Analysis. No wonder: the terms are often used interchangeably.

Let’s end the confusion…


Technically, one might argue when it comes to regulatory compliance of any type, three types of assessments can be completed:

1. Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”

2. Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”

3. Readiness Assessments answer questions like: “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and “Are we ready for an audit?”

We focus on the first two in this post because these are the ones you must complete. Both are required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law, including all 18 Standards and 42 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (45 CFR 164.308, 164.310, 164.312) in the HIPAA Security Final Rule. Additionally, this evaluation must cover 45 CFR 164.314 and 164.316, which relate to Organizational Requirements, Policies and Procedures, and Documentation.

As indicated above, every Covered Entity and Business Associate is required to complete this HIPAA Security Compliance Evaluation. The language of the law is in 45 C.F.R. § 164.308(a)(8):

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program or maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:

A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is also required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives. Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by the HITECH Act, the Office for Civil Rights (OCR), within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. This guidance was published on July 8, 2010. No specific methodology was mandated. However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. We have designed a Risk Analysis methodology and ToolKit around these elements while using industry best practices.

As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of risk, along with mitigation actions involving new safeguards or controls:

Upon completion of the Risk Analysis for all information assets, an overall Risk Analysis Project Tracking tool would be used to ensure ongoing project management of the implementation of safeguards:

So, when it comes to HIPAA Security Compliance Evaluation, think:

  • Forest-level view
  • Overall compliance with the HIPAA Security Final Rule
  • Establishing baseline evaluation score for measuring progress
  • Asking: Have we documented appropriate policies and procedures, etc?
  • Asking: Are we performing against our policies and procedures?

When it comes to HIPAA Security Risk Analysis, think:

  • Trees/Weeds-level view of each information asset with PHI
  • Meeting a specific step in the overall compliance process
  • Understanding current safeguards and controls in place
  • Asking: What are our specific risks and exposures to information assets?
  • Asking: What do we need to do to mitigate these risks?

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are required by law, and both are important and necessary steps on your HIPAA/HITECH Security compliance journey.



What Constitutes a HIPAA Violation? | HealthITSecurity.com


No individual wants his or her protected health information (PHI) to be unnecessarily made public. Not only is the information personal, but if it fell into the wrong hands, it could lead to many issues – personal and even medical – for the patient in question.

As technology continues to evolve, it also seems that the number of healthcare data breaches is on the rise. Rightfully so, more people are becoming aware of how their information is shared electronically. But are all concerns over electronic data sharing warranted? Is everything considered a HIPAA violation?

That concern is one reason why some hospitals are reportedly abandoning a long-held tradition: announcing the first birth of the new year. Community Health Systems recently ordered its facilities nationwide to stop publicizing the first baby born in the year, according to the Associated Press.

“We know the birth of the new year baby is a joyous and exciting event, but protecting patient safety and privacy is our most important responsibility,” Community Health spokeswoman Tomi Galin told the news source.

Galin added that the move was a preventive measure, not a response to specific threats or abduction attempts. Moreover, the National Center for Missing & Exploited Children cautions healthcare providers about how much information they give to the media, Galin said. For example, home addresses and other personally identifiable information do not need to be released.

Community Health made headlines last year when it reported that Chinese cyber criminals hacked into its database, compromising the information of 4.5 million patients. The data included names, addresses, birth dates, telephone numbers and Social Security numbers. However, no credit card or medical data were involved.

Another surprising area where a HIPAA violation concern arose was in Major League Baseball. Matt Kemp played for the Los Angeles Dodgers, and was involved in a trade deal that would send him to the San Diego Padres. However, there were concerns over Kemp’s physical condition, according to a Yahoo Sports story. Specifically, a USA Today article reported that Kemp’s physical showed severe arthritis in his hips.

Yahoo Sports quoted a tweet from Ken Rosenthal, which said it would not be good if the Padres had leaked the medical information.

“Information damages Kemp in public realm. Gives appearance of #Padres trying to leverage medical information. And is a violation of HIPAA,” read the tweet.

But what exactly constitutes a HIPAA violation? According to the Department of Health and Human Services (HHS), organizations defined as a HIPAA covered entity need to comply with the rule’s requirements to protect patients’ privacy and security.

“If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information,” according to HHS.

Something that is seemingly innocent, such as announcing the first baby born in a new year, will not always lead to things such as identity theft. However, too much personal information, or information that is given without written parental consent, might be enough for a criminal to take advantage of the situation.

In terms of professional athletes, their information is often in the public eye. But covered entities must remain diligent in keeping PHI safe, regardless of who the data belongs to. Neither of these situations is necessarily a HIPAA violation, but it is important for healthcare organizations – and their patients – to remain current on all regulations to best protect sensitive information.



HIPAA Security Rule: Risk Analysis Review and Updating


The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA-related transaction), and business associates, implement security safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.

Performing a security risk analysis is the first step in identifying and implementing these safeguards.

A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Once the analysis has been completed, organizations should periodically conduct a risk analysis review.

What is the Scope of a Security Risk Analysis?

According to guidance issued by the Department of Health and Human Services (HHS), the scope of security risk analysis includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:

  • Creates;
  • Receives;
  • Maintains; and
  • Transmits

Security risk analysis includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk

What is a Security Rule Risk Analysis Review?

Once all of the above six elements have been addressed, all documentation should be finalized. In addition, the security risk assessment should be periodically reviewed and updated as needed.

Continuous risk analysis review allows an organization to identify when updates to risk assessment policies and procedures are needed.

The Security Rule does not specify how frequently to perform risk analysis review. According to risk analysis guidance provided by the Department of Health and Human Services (HHS), some covered entities may perform risk analysis review annually or as needed (e.g., twice a year, every 3 years), depending on the circumstances of their environment.

What Factors Influence Whether Risk Analysis Review Should be Performed?

Factors to consider include:

  • Changes in technology and business operations. When an entity implements new technologies and plans new business operations, the entity should consider performing a security risk analysis assessment. Adopting new technologies and new business operations may pose potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; a risk analysis review can identify these risks and vulnerabilities.

  • An organization has experienced a recent security incident. If a covered entity has recently experienced a security incident, such as a data breach, a risk analysis review should be conducted to determine whether, and what, additional security measures are needed.

  • An organization has experienced a change in ownership or turnover in key staff or management. An organization that undergoes a change in ownership, or that experiences key staff turnover, should evaluate, in light of the expertise of the departed and incoming individuals, whether existing security measures are sufficient to protect against risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. In addition, part of risk analysis consists of an assessment of current security measures. Important security measures include policies and procedures, contained in an employee handbook or similar document, that address data security and define staff obligations to protect ePHI. Before incoming workforce members begin their jobs, the policies and procedures contained in the handbook should be evaluated for sufficiency and accuracy, so that when they are distributed, new employees have the most up-to-date information required for them to protect ePHI.

  • Regulatory and legislative changes. New legislation and regulations may impose additional or modified obligations under the Security Rule. If your risk assessment references a law or regulation, you should review that assessment to make sure it still complies with any changes made to the regulation. When new legislation is passed, or when new regulations become effective, the risk assessment should be reviewed and updated to incorporate the requirements of the new legislation or regulations.

Performing risk analysis review, and then making necessary updates to the risk analysis assessment, allows your organization to reduce identified risks to reasonable and appropriate levels.

Technical Dr. Inc.’s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Why You Should Follow HIPAA Compliance For The Success Of Your Dental Practice


In 2018, ten companies paid $28.7 Million in HIPAA fines. United States law requires all covered entities to comply with HIPAA. Covered entities, in this case, refers to health care providers, such as hospitals, dental clinics, and pharmacies.

The American Dental Association conducted research which indicated a significant increase in dental practices, both in terms of size and number.

Statistics show that the number of US citizens who had access to dental care rose to 248 Million in 2016, from 170 Million in 2006.

The increase in dental practices across the States makes them prone to cyber hacking.

This is where HIPAA comes in. For dentists, the HIPAA rule consists of:

• A Security Rule
• A Privacy Rule
• A Breach Notification Rule

WHAT IS HIPAA?

HIPAA compliance refers to the process through which covered entities and business associates adhere to set rules which seek to protect Protected Health Information (PHI).

In simple terms, it seeks to ensure a patient’s healthcare data remains private. Protected Health Information is anyone’s healthcare data. The Privacy and Security Rules control what healthcare professionals such as dentists can, or cannot, do with your PHI.

THE IMPORTANCE OF HIPAA

HIPAA was initially introduced in 1996 to address insurance coverage for people working two jobs. It also sought to prevent health care fraud and protect patients’ health information.

FOR YOUR DENTAL PRACTICE, FOLLOWING HIPAA WILL:

• Immensely help you transition from manual to electronic health records.
• Streamline your administrative healthcare functions.
• Protect your clients’ health information.
• Set boundaries regarding the use and release of health records.
• Boost the efficiency of your clinic.
• Hold violators answerable if they violate a patient’s rights, through both criminal and civil penalties.

FOR YOUR PATIENTS, FOLLOWING HIPAA WILL:

• Safeguard their personal and sensitive health information.
• Give them control over who gets access to their information.
• Give them the right to obtain and review their health records, and to request corrections when necessary.



Protecting PHI: Managing HIPAA Risk with Outside Consultants 


The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, though IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with Privacy Rule requirements designed to protect PHI.

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.


FTE Mentality

During the contract period, the expectation is that consultants act as if they were an employee of the hospital or provider organization and therefore treat PHI in this manner. It is important to know that consultant business associates could be held liable or equally responsible for a PHI data breach in the same way a full-time employee could be.


Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.


Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it is preferable that the hospital provide the consultant with a computer or device with appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall, and require multi-factor authentication at log-in. Avoid inappropriate access to PHI by way of shared or public data access points. Don’t access PHI in settings where others could observe it.

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.


Paper-based reports also pose a risk of PHI leakage. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal and image-based PHI should all be properly secured; the regulations also cover visual and verbal protections. When accessing PHI, avoid allowing others to view your screen over your shoulder. When discussing PHI, make sure only those who need to know and have appropriate authority can hear the conversation.

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.



The Benefits of Performing a HIPAA Risk Assessment


The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates that covered entities must conduct a risk assessment of their healthcare company.

A wide range of organizations – from healthcare insurance providers to hospitals – fall into this covered entity group. While it may seem taxing and time-consuming to provide standardized training to your employees, there are many reasons doing so can benefit you. For one, it’s the law. Since 2009, Security Risk Assessments (SRAs) have been a required annual practice set forth by the HIPAA Security Rule.

Don’t wait to become a breach headline; nip breaches in the bud by detecting security issues before they wreak havoc. You can’t be secure if you are not compliant, and a HIPAA Risk Assessment will safeguard your organization in more ways than one. Technology is a timesaver that has simplified the medical filing and billing processes, but it leaves the potential for leaks and hacking.

A risk analysis will identify and document potential threats and liabilities that can cause a breach of sensitive data. An IT security consulting company can check all portable media (laptops), desktops, and networks to ensure they’re ironclad. IT security measures, such as encryption and two-factor authentication, will be addressed in order to make it challenging for unwanted eyes to get a glimpse of patient information.

Employees are the greatest threat to HIPAA compliance, so it’s important to make sure they’re well informed on how to prevent breaches. Annual HIPAA Security Awareness Training Programs provide a thorough understanding of each person’s role in preventing breaches and protecting physical and electronic information.

HIPAA training is a regulatory requirement, and many employee actions that go awry could easily be prevented by it. A consultant will offer tips for minimizing that risk; a few include never leaving work phones and laptops unattended, never sharing passwords or company credentials, shredding files rather than throwing them in the trash, and resisting the temptation to “snoop” on patient information without just cause.

While many of these suggestions seem like common sense, there are also many lesser-known situations that arise while working in the medical field. Did you know that you cannot access your own medical records using your login credentials? While it may seem innocent enough, everyone is required to submit a request to access medical materials.

Don’t put off a Risk Assessment out of indolence. HIPAA Risk Assessments must be accurate and extremely thorough. Questions about all the administrative, technical, and physical safeguards an organization has in place must be asked.

If outsourcing your HIPAA Risk Assessment, choose a company that provides comprehensive training courses. No two companies are alike, so cookie-cutter answers for compliance don’t exist; a client-facing doctor’s office and a corporate health insurance agency will require that different preventive measures be put into place.



5 Breach Lawsuits Filed Against Premera


Five class action lawsuits have been filed in federal court against Premera Blue Cross in the wake of a data breach that affected 11 million individuals across the country. Meanwhile, its CEO has provided answers to questions from a U.S. senator regarding the hacker attack.

The five lawsuits filed last week in the U.S. District Court in Seattle make similar allegations - that the company failed to protect customers' confidential information, putting those affected at risk for identity theft. Among the complaints' allegations is that the data breach resulted from Premera's alleged "failures to follow HIPAA."


Two of the suits also note that Premera was warned in an April 2014 draft audit report by the U.S. Office of Personnel Management that its IT systems "were vulnerable to attack because of inadequate security precautions".

"That audit identified ... vulnerabilities related to Premera's failure to implement critical security patches and software updates, and warned that 'failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached,'" notes one lawsuit, Tennielle Cossey, et al vs. Premera.

That suit also states, "If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems." The complaint notes that Community Health Systems in August 2014 also revealed a hacker breach that affected 4.5 million patients. "This prompted a 'flash warning' by the FBI to entities in the healthcare industry that it had observed 'malicious actors targeting health care related systems,'" the suit says.

The suits are seeking unspecified damages, both "actual and statutory." Among the allegations in some of the suits are violations of the Washington Consumer Protection Act.

A Premera spokeswoman declined to comment about the suits. She noted, however, that Premera "expected there would be class action lawsuits filed" against the company in the wake of the breach "because that's typically what happens."

Attorney John Yanchunis of the Tampa-based law firm Morgan & Morgan, which is representing plaintiffs in one of the Premera class action suits, says he expects that the cases eventually will be consolidated into one case in the federal court. The Premera breach "is more egregious than the Home Depot or Target breaches because those [credit] cards can be cancelled," he says. "Unlike those other breaches, the information involved in the Premera breach can be used to file fraudulent tax returns and fraudulently secure healthcare in someone else's name."

Congressional Scrutiny

In addition to the lawsuits, Premera is also dealing with Congressional scrutiny in the wake of the breach.

In a March 20 letter to Premera CEO Jeffrey Roe, Sen. Patty Murray, D-Wash., on behalf of the Senate Committee on Health, Education, Labor and Pensions, asked the company to answer 15 questions related to the breach and the company's information security practices. Those questions range from why Premera waited six weeks to publicly announce the breach after its discovery, to whether the hacking incident is related to the Anthem Inc. hacking breach, to steps Premera is taking to bolster its information security in the wake of the incident.

In the March 27 response letter to Murray, which Premera provided to Information Security Media Group, Roe says the public announcement of the breach was delayed based on advice from Mandiant, a consulting firm it had hired to assist in the forensic investigation of the incident.

"Mandiant warned Premera about the dangers of making any public announcement about the attack until the following steps could be taken: 1) Mandiant completed scanning all servers and workstations for areas of infection to identify all attack vectors; 2) systems were remediated in a concentrated time to lock the attackers out of the system; and, 3) remediation was followed by scanning to verify that all backdoors were eliminated," the letter states.

Roe also describes in the letter some details about the breach: "Upon penetration of Premera's network, the attackers gained access to log-in credentials and then deployed other tools and tactics to gain broad access to Premera's network." He adds: "Mandiant's investigation to date has identified only intrusion but no exfiltration of information from Premera's systems. Mandiant has not conclusively determined the initial vector of compromise. That is, the [company doesn't] know if the malware came from a phishing email, a contaminated website, or another source of intrusion."

The letter also notes that Mandiant "found no evidence that the cyberattack on Premera was the result of, or was related to, any of the items identified in the [2014] OPM [audit] report." Plus, Roe notes: "Premera is not in a position to opine about whether the Premera and Anthem attacks were connected or which attack occurred first. Because these attacks are the subject of active FBI investigations, Premera encourages your office to contact the FBI for additional information."

Premera is implementing several Mandiant recommendations to bolster security moving forward, Roe says in the letter. In addition to removing all malware and backdoors from its IT systems in response to this cyberattack, Roe says Premera has implemented a number of system enhancements, including, among others:

  • Deploying multiple-factor authentication for remote access to Premera's network;
  • Scanning servers, desktops and laptops as a requirement for continued use of devices on the network;
  • Installing enhanced monitoring tools to provide reports of any new attacks on our computer networks;
  • Enhancing and expanding security and system event logging capabilities; and
  • Engaging a service provider for advanced monitoring services.

State Scrutiny

Besides the lawsuits and the Congressional scrutiny, Premera is also facing a probe from insurance officials in three states - Washington, Oregon and Alaska.

Washington Insurance Commissioner Michael Kreidler said that the states will conduct a "market conduct examination" of Premera related to the breach. The examination will include on-site reviews of the insurer's financial books, records, transactions and how they relate to its activities in the marketplace, Kreidler explained in a statement.


IT Maintenance Crucial for HIPAA Compliance

The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) recently announced an agreement with a medical center to settle charges stemming from the center’s failure to prevent malware from infecting its computers. The malicious programming breached the electronic protected health information (ePHI) of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The medical center was fined $150,000 and agreed to implement a corrective action plan for violating the mandates of HIPAA’s Security Rule. Under the Security Rule, covered entities and business associates must implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and security of ePHI.

According to OCR, the medical center adopted policies to comply with the HIPAA Security Rule, but failed to follow them after putting them to paper. The medical center did not perform an accurate or thorough risk assessment for ePHI, nor did it implement the necessary policies, procedures or technical security measures to prevent unauthorized access to ePHI. Specifically, OCR maintains that the medical center’s failure to identify and address basic risks — e.g., not regularly updating firewalls and running outdated, unsupported software — was the direct cause of the introduction of malicious software into its systems.

In addition to the monetary fine, the medical center agreed to implement a two-year corrective action plan requiring it to —

  • Revise, adopt and distribute updated Security Rule policies and procedures approved by OCR;
  • Develop and provide updated security awareness training — based on training materials approved by OCR — to employees, and update and repeat such training annually;
  • Conduct annual assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in its possession and document the security measures implemented to address those risks and vulnerabilities;
  • Investigate and report to OCR any violations of its Security Rule policies and procedures by employees; and
  • Submit annual reports to OCR describing its compliance with the corrective action plan.

OCR used its announcement to highlight the fact that HIPAA compliance is a continuous process and requires more than establishing initial policies, procedures and systems. Rather, covered entities and business associates will only be able to avoid expensive HIPAA fines and penalties by conducting regular ePHI risk assessments, addressing identified security vulnerabilities and regularly updating HIPAA policies and procedures.

Although technological safeguards are vital to keeping ePHI secure, human error is also a significant threat to patient data security and privacy, making a knowledgeable workforce crucial to HIPAA compliance. Covered entities and business associates can ensure HIPAA compliance with Thomson Reuters’ online training courses on HIPAA Privacy and Security and U.S. Data Privacy and Security. Our online compliance training courses explain the essential principles of HIPAA requirements and of safeguarding individuals’ personal information.


Employees could leave health systems vulnerable to hacks

Healthcare organizations are vulnerable to cyberattacks in many ways, with a big threat being a company or hospital's own employees, according to Ari Baranoff, assistant special agent in charge for the U.S. Secret Service's Criminal Investigative Division.

"Your workforce is a potential vulnerability to your network," Baranoff tells Healthcare IT Security. "Constantly educating your workforce and testing your workforce on their cyberhygiene is very important."

Even if employees mean no harm, just by browsing the Internet or checking their email they can put networks at risk, Baranoff says. It's especially dangerous if these activities are done using the same system that houses electronic health records or other hospital information.

In addition, employee information is also something that often is at risk and can raise problems for hospitals. The Secret Service has seen growing interest in extortion and ransomware campaigns in the healthcare industry, according to Baranoff.

However, a great deal of the threats to health systems come from the outside world, he adds.

For instance, in the recent breach at Sony Pictures, employees' health information was exposed, including a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs.

Data breaches are expected to increase in 2015, with healthcare "a vulnerable and attractive target for cybercriminals," according to Experian's 2015 Data Breach Industry Forecast.

Electronic medical records and consumer-generated data from wearables and other devices will continue to add to the vulnerability and complexity in securing personal health information, according to the report.


Tips For Reducing HIPAA Violation Risks

The need to attend to data security is increasing exponentially as enforcement tightens and the risk of significant financial penalties for HIPAA violations looms. To that end, a new white paper by Core Security provides some guidance for keeping data safe and avoiding risks of compromised patient information.

As Health IT Outcomes earlier noted, a PwC report investigating the state of healthcare compliance found there is still much progress to be made in healthcare compliance across the board, and HIPAA privacy and security remain the top compliance concerns. Penalties for violations are increasing and reputations can be damaged, not to mention the imminent start of privacy audits from the HHS Office for Civil Rights. Compliance officers are challenged to fill gaps in their policies and procedures and be ready to demonstrate compliance with HIPAA requirements.

The cost of breaches can be crippling for healthcare organizations. For example, the OCR fined two health organizations almost $2 million in the wake of the theft of laptops, while Parkview Health paid out $800,000 in HIPAA fines and agreed to institute a corrective plan of action after it was alleged that the institution was dumping sensitive records.

These types of violations aren’t going away, either. A Redspin Breach Report found there was a 138 percent rise in the number of healthcare records breached in 2013, affecting some eight million records.

The Core Security whitepaper, Attack Intelligence: The Key To Reducing Risk in Healthcare, is designed to help healthcare institutions avoid these costly incidents. As the study asserts, “HIPAA-covered entities need to both identify their risks and take steps to mitigate that risk once they become aware of it.”

And yet, recent research demonstrates few healthcare industry professionals have a solid understanding of their own risks. A survey conducted by Healthcare Information Security found OCR audits have resulted in an increase in risk assessments, but that those assessments are often not complete. The data revealed 63 percent of respondents reported a data breach in 2014, and almost 50 percent acknowledged a data breach affecting a business partner. One contributing factor to these figures was that fewer than half of the 200 healthcare organizations surveyed had a documented risk assessment and risk management strategy in place and only 40 percent said they had one in the works.

While most healthcare organizations are cognizant of the need for basic security tools in assessing risk, the whitepaper asserts they do not provide the critical type of information necessary to manage risk – “actionable attack intelligence about sensitive IT assets like the medical record application servers or the backend databases that hold ePHI.”

“Healthcare organizations are familiar with risk management,” said Eric Cowperthwaite of Core Security, “But they aren’t necessarily thinking about how they’re going to be attacked. You may have a vulnerability management program. But the question is ‘How do you know which vulnerabilities matter? How do you know which possible attacks are likely – or not?’”


Electronic data breach planning: 4 tips for reducing liability risk | Lexology

There is no doubt that electronic data breaches are a hot topic. The recent breach of Morgan Stanley’s customer data is a prime example and chilling reminder that businesses, no matter the amount of security measures, are at risk of an electronic data breach. Indeed, as nearly every state has passed its own set of unique electronic data breach laws, electronic data breaches are becoming a much larger liability concern for companies, in terms of both financial and reputational harm.

In 2014, Kentucky passed KRS 365.732 and joined 46 other states in quantifying and qualifying what constitutes a data breach and the obligations that arise from a breach. Like most states, Kentucky’s law does not include breaches of financial or health information which are covered under federal law in the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

Because of this increased liability, businesses should be proactive in trying to manage risk in the event a data breach occurs.

Is My Company at Risk for an Electronic Data Breach?

While the news has focused on large electronic data breaches of major retailers, electronic data breaches of a smaller scale are much more common. Even more problematic may be the reputational loss of consumer trust and confidence resulting from an electronic data breach. Any business or organization that electronically collects and/or stores personal information is susceptible to a breach. Consider the following five questions:

  1. Do you have customers’ or potential customers’ information stored electronically?
  2. Do you store or transmit electronic files with customers’ information?
  3. Do you have client information stored on a cloud or with a third party vendor?
  4. Do you process credit card transactions?
  5. Do you have wireless networks in your office?

If you answered yes to the first question, you are at risk of an electronic data breach. Answering yes to any of the questions that follow greatly increases your risk of a data breach.

What is a Data Breach?

In general, a data breach occurs when there is an unauthorized disclosure of personal information. There is no model rule for what constitutes a breach of someone’s personal information and each state can define what constitutes personal information.

In Kentucky, personal information is defined as a person’s name coupled with a social security number, driver’s license number, or credit/debit card or account number and passcode. However, some states define personal information much more broadly. For example, Texas defines personal information as any “sensitive” information.

A data breach is commonly thought of in the context of computer hacking; however, data breaches can occur in a number of more innocuous ways. In fact, most statutes are defined so broadly that a data breach occurs if an employee loses his/her cellphone containing the personal information of a customer. As such, most companies today, no matter their size, are at risk.

Decreasing Your Company’s Electronic Data Breach Liability

Planning for and proactively adopting preventative measures in the event of an electronic data breach is the most important thing you can do to protect against potential liability. Being prepared can save you time, likely a significant amount of money, and any reputational harm associated with the data breach.

Most state laws require actual damages to bring a claim for a breach of data. Not surprisingly, in reviewing cases in which customers brought a claim for a breach of data, damages were less or non-existent when companies reacted and notified their customers quickly of the breach. (See generally Giordano v. Wachovia Sec., 2006 U.S. Dist. LEXIS 52266, Civ. No. 06-476JBS, 2006 WL 2177036 (D.N.J. July 31, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).)

4 Tips for Reducing Liability Risk

While the type and amount of data a company collects or has access to will lead to varying plans, the following are some general tips that all businesses should know:

#1: Know what type of information is electronically stored. If a breach occurs, the information compromised may not be considered “personal information” under certain state laws. In addition, many state laws do not require action or impose liability if data is compromised that is encrypted. Further, take a hard look at the personal information you are collecting and determine whether such information is necessary to serve and know your customer. If the answer is no, not collecting that data would reduce your liability, as well as save valuable server or cloud space.

#2: Know where that information is stored. Most businesses use “clouds” to store their data on a remote server. Clouds offer different types of data storage, services and security levels. Many cloud vendors actually rely on subcontractors to hold their customers’ information. In many cases, these subcontractors are located overseas making any attempt to seek indemnification for a breach very difficult and expensive.

#3: Be ready to react. Have your notification template in place to communicate and know who is making that communication if a data breach occurs. Figuring out what should be done and communicated and who should lead this charge should occur before a breach occurs. Not having a plan of action will delay a reaction and likely lead to increased liability and reputational harm.

#4: Test your systems and your plan. A data breach does not have to mean that you breached the duty of care to your customers. Showing that you are using the best in class systems to prevent a breach and that you test your systems for a breach in a consistent manner, will assist in showing that you are meeting your duty of care owed to your customers.

Not only will the steps above help in limiting any liability your company may face if a data breach occurs, but they will also likely allow you to identify potential gaps in your data security, thereby preventing a breach from occurring. Data breaches are inevitable these days, which is why having a well-defined incident response plan and team in place is important.

If you do believe customer data has been compromised, you should contact an attorney immediately to help you understand what duties you may have to notify and further protect your customers’ information. As stated above, reacting quickly can help reduce any liability that may be caused by the breach.


FTC's Edith Ramirez: Connected health devices create bevy of privacy risks

For much of 2014, the Federal Trade Commission made it a point to be a prominent voice regarding the protection of consumer health information. Last May, for instance, it published a report recommending that Congress force data brokers to be more transparent about how they use the personal information of consumers, including health information.

And in July, FTC Commissioner Julie Brill spoke about how consumers should be given more choices from developers when it comes to data sharing by smartphone apps gathering health information.

That trend continued Tuesday at the International Consumer Electronics Show in Las Vegas, where FTC Chairwoman Edith Ramirez spoke about privacy protection, including for health data. Ramirez noted, for instance, that while the Internet of Things has the potential to improve global health, the risks are massive.

"Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks," Ramirez said. "These risks to privacy and security undermine consumer trust."

Ramirez outlined three challenges to consumer privacy presented by the Internet of Things:

  • Ubiquitous data collection
  • Unexpected data use resulting in adverse consequences
  • Increased security risks

Additionally, she said that technology developers must take three steps to ensure consumer privacy:

  • Adopt "security by design"
  • Engage in data minimization
  • Boost transparency and offer consumers choices for data usage

"[T]he risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes," Ramirez said.

Members of the House Committee on Oversight and Government Reform questioned the FTC's health data and cybersecurity authority at a hearing last summer. Committee Chairman Darrell Issa (R-Calif.) said that safeguards are needed to guide the FTC's processes in determining entities subject to security enforcement.

Last January, the agency ruled that entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the FTC.


BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say

The $150,000 fine that U.S. Department of Health and Human Services' Office for Civil Rights levied against an Alaska mental health organization last month could be a sign that OCR is settling in after a wave of leadership changes in 2014 and gearing up to aggressively investigate HIPAA compliance complaints, according to a former federal attorney.

Ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation in an article at HealthcareInfoSecurity. He predicts more high-profile enforcement actions in 2015.

Holtzman echoes a warning from Jerome B. Meites, OCR chief regional counsel for the Chicago area, who told an American Bar Association conference last summer that the whopping fines levied over the past year will "pale in comparison" to those expected to come.

Meanwhile, privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson, in an interview with HealthcareInfoSecurity, urge healthcare organizations to conduct their own mock audits to determine any exposures and to do their best to fix those problems.

They also recommend keeping all such documentation in one place--including all records of HIPAA education programs conducted with staff, and evidence that they've reviewed all business associate agreements--and ensuring that it's up to date. Chestler and Fraiche foresee BA agreements being a bigger target of OCR enforcement actions in 2015.

In particular, Chestler and Fraiche say, organizations need to re-examine all bring-your-own-device policies and make sure they address any issues that have arisen since those policies were last reviewed.

In September, OCR announced it was delaying the start of the second round of audits in order to get a web portal up and running through which entities could submit information. A specific start date has not been announced, only that the new audits will begin in early 2015.

Brett Short, chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, spoke with FierceHealthIT about receiving a call from an auditor when the organization had never received a letter saying it had 10 days to submit required documents.
