HIPAA Compliance for Medical Practices
76.9K views | +6 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

The HIPAA Password Requirements

The HIPAA Password Requirements | HIPAA Compliance for Medical Practices | Scoop.it

The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication.

 

The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”.

Experts Disagree on Best HIPAA Compliance Password Policy

Although all security experts agree the need for a strong password (the longest possible, including numbers, special characters, and a mixture of upper and lower case letters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of safeguarding them.

 

Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every sixty or ninety days, other experts say the effort is a waste of time. A competent hacker should be able to crack any user-generated password within ten minutes using a combination of technical, sociological, or subversive methods (i.e. social engineering).

 

There is more agreement between experts when it comes to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, a large majority recommend the use of password management tools. Although these tools can also be hacked, the software saves passwords in encrypted format, making them unusable by hackers.

The HIPAA Password Requirements are Addressable Requirements

One important point to mention when discussing the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be put off to another date. It means Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.”

In the context of the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if an alternative security measure can be implemented that accomplishes the same purpose as creating, changing and safeguarding passwords, the Covered Entity is in compliance with HIPAA.

 

Two-factor authentication fulfills this requirement perfectly. Whether by SMS notification or push notification, a person using a username and password to log into a database containing PHI also has to insert a PIN code to confirm their identity. As a unique PIN code is issued with each log in attempt, a compromised password alone will not give a hacker access to the secure database.

Two Factor Authentication is Already Used by Many Medical Facilities

Interestingly, two factor authentication is already used by many medical facilities, but not to safeguard the confidentiality, integrity and security of PHI. Instead it is used by medical facilities accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by others to comply with the DEA´s Electronic Prescription for Controlled Substances Rules.

 

Healthcare IT professionals will be quick to stress that two factor authentication can slow workflows, but recent advances in the software allow for LDAP integration and Single Sign-On between healthcare technologies. As two factor authentication software only transmits PIN codes (and not PHI) the software does not need to be HIPAA compliant, and it is a far easier solution for compliance with the HIPAA Password requirements than frequent changes of passwords and password management tools.

 

Effectively, Covered Entities never need change a password again.

The only thing Covered Entities have to remember before implementing two factor authentication to protect PHI is that, because the HIPAA Password requirements are addressable safeguards, the reasons for implementing the alternative solution have to be documented. This will satisfy the HIPAA requirements for conducting a risk analysis and also satisfy auditors if the Covered Entity is chosen to be investigated as part of HHS´ HIPAA Audit Program.

Why an Alternative to the HIPAA Password Requirements should be Considered

It was mentioned above that most user-generated passwords can be cracked within ten minutes. That may seem an outrageous claim to some IT professionals, but this tool on the ramdom-ize password generating website will give you an idea of how long it could take a determined hacker to crack any password by brute force alone. Social engineering and phishing will likely accelerate the speed at which the hacker succeeds.

 

Randomized passwords containing numbers, symbols and a mixture of upper and lower case letters obviously take a longer to crack – but they are still crackable. They are also much harder for users to remember; and although secure password management tools exist to store passwords securely, if a user wants to access a password-protected account from another device, password management tools are ineffective. The only way for the user to access the account is to have the password written down or saved on another device – such as an unsecured smartphone.

 

Accessing password-protected accounts from secondary devices increases the risk of a data breach due to keylogging malware. This type of malware runs undetected on computers and mobile devices, secretly recording every keystroke in a file for later retrieval by a hacker. As this is a foreseeable risk to the security of Protected Health Information, Covered Entities must either introduce policies to limit users to the devices from which they can access password-protected accounts, or find an alternative to the HIPAA password requirements.  

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Training is not HIPAA Compliance

HIPAA Training is not HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

We hear from so many doctors’ and dentists’ offices that they are “HIPAA-compliant” because they have completed the required annual HIPAA training for their staff.   FALSE! HIPAA Training is not HIPAA Compliance. HIPAA Training is only one of the components of HIPAA Compliance – thinking otherwise could lead to a false sense of security.

 

HIPAA law consists of various requirements in the areas of security and privacy, use and disclosure of PHI (protected health information) and in breach notification rules.

Minimum steps needed for HIPAA Compliance:

At the very minimum, a doctor’s or dentist’s office must do the following for HIPAA Compliance:

  1. Exercise privacy in the office everywhere.   Be careful about accidental disclosure of patient information.
  2. Display the Notice of Privacy Practices prominently in your office lobby and on your website.
  3. Exercise caution in the use and disclosure of PHI (Protected Health Information).     Patients have the right to review and obtain their PHI.   The onus falls on the medical practice to secure and protect PHI from unauthorized disclosure of any kind.
  4. Conduct the mandatory annual risk assessment, or hire an expert to conduct it for you.   The assessor must take into consideration all the security and privacy-related criteria while conducting the assessment, including all your administrative, physical and technical safeguards.   A detailed list of recommendations and action items should follow as a result of the risk assessment.
  5. Prepare and follow security and privacy policies and procedures.   Your risk assessment should highlight the minimum required policies and procedures that you would need to prepare or obtain.   Physicians and staff members should be familiar with and should follow these policies and procedures on a daily basis.
  6. Provide annual HIPAA Training to your staff and physicians.

Breach notification:

Breaches have unfortunately become only too common these days in an environment where medical records are extremely valuable in the black market.   HIPAA law also specifies strict breach notification requirements in the event of a breach.   The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) requires the practice to inform all individuals whose data might have been lost or stolen.  

 

A breach of more than 500 records is considered a reportable breach, that is, the practice must notify HHS.   This could result in an audit of the practice by federal agencies, and the first thing they are going to ask you for is a copy of your last annual risk assessment.

Small practices may be targets of breaches too:

Many small practices think that they are too small to be targeted.   False again!   If you look at the HHS "Wall of Shame" which lists reported breaches of more than 500 patient records, you will see several small practices listed there who have undergone breaches.   The reality is that smaller practices are likely to be even more affected by a breach considering the high expenses and workload that follow.    The Ponemon Institute has calculated the average healthcare data breach cost to be $380 per record - for 500 records, that comes to approximately $190,000, which can be highly damaging for a small healthcare practice.

 

We often hear from dentists that they do not believe they need to comply.   Also False!  In fact, just recently, on January 2018, Steven Yang, DDS of California and Zachary Adkins, DDS of New Mexico had breaches of 3000+ patient records each due to the theft of a laptop and other portable electronic devices respectively.   

 

Robert Smith, DMD of Tennessee reported 1500 records breached after a hack.  Several other providers such as physicians, hospitals, pharmacies, health plans, and business associates have experienced breaches in the recent past.   It can and will happen to anyone regardless of size - please do not think that it won't happen to you!

Culture of Security and Privacy:

HIPAA Training is not HIPAA Compliance.   Practices should take these requirements seriously as they are here to protect patients and medical professionals.   Protect yourself and your patients by incorporating a culture of security and privacy compliance in your medical practice.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Audits of Covered Entities and Business Associates

HIPAA Audits of Covered Entities and Business Associates | HIPAA Compliance for Medical Practices | Scoop.it

In August, Advocate Health Care Network agreed to pay a $5.55 million settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), for multiple HIPAA violations. In addition, HHS also recently announced a $650,000 resolution settlement against the Catholic Health Care Services of the Archdiocese of Philadelphia.

 

These multi-million dollar penalties should be a warning for all covered entities or business associates.  Especially, with the next phase of audits now underway. During this phase, OCR is reviewing the policies and procedures utilized by covered entities and their business associates to ensure they meet the standards and specifications of the Privacy, Security, and Breach Notification Rules. These will mostly be desk audits. However, there will be some on-site audits conducted as well.

 

The audit process began in May 2016 when OCR audit sent emails to verify entity’s address and contact information. The next step was a pre-audit questionnaire that was used to gather information about the size, type, and operations of the facilities. Those who participate in the desk audits are required to provide a list of their business associates and their contact information. Emails will go out to the chosen business associates, who are expected to respond promptly. The audits are expected to focus heavily on breach responses. If a business associate does not respond within the timeframe, they will be scheduled in January 2017 for the comprehensive audits.

 

Some frequently asked questions regarding audits include:

Who Will Be Audited?

 

Every covered entity and business associate are eligible for an audit, including covered individual and organizational providers of health services; health plans, health care clearinghouses; and a range of business associates of these entities.

 

What is a Business Associate?

Business associates are considered any third-party contractor that performs work or activities on behalf of a healthcare organization or covered entity that involve the use or disclosure of protected health information.  A few examples may include:

  • Example of business associates: lawyer’s working on a case, a medical transcription or medical billing companies, document storage or disposal companies, answering services, software vendors, and consultants, patient safety and accreditation organizations, health information exchanges, etc.)
  • Examples NOT typically considered business associates: an employee, maintenance or repair personnel, a financial or banking institution that only performs payment activities or a janitorial service. 

 

What are Business Associate Agreements?

HIPAA and HITECH require practices to sign a business associate agreement (BA) with business associates that ensures they will protect all patient's PHI. The contract protects personal health information (PHI) by HIPAA guidelines. Business associates can be held accountable for any data breach and penalized for noncompliance.

 

Why are Business Associates Agreements important?

Business associate contracts are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI.  The following are HIPAA requirements for business associate agreements:

  1. Establish the permitted and required uses and disclosures of protected health information by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule about electronic protected health information.
  4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
  5. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.
  6. To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
  7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.
  8. At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
  9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.  Contracts between business associates and business associates that are subcontractors are subject to these same requirements. (1)

 

How Will Auditees Be Selected?

OCR is identifying groups of covered entities and business associates that represent a broad range of health care providers, health plans, health care clearinghouses and business associates.  According to HHS, the sampling criteria for selection will include the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

 

What If an Entity Doesn’t Respond to OCR’s Requests for Information?

If an entity does not respond to requests for information from OCR, they will utilize publicly available information about the entity to create its audit pool.  An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

No Exception to HIPAA Privacy Rules, Nurse Learns

No Exception to HIPAA Privacy Rules, Nurse Learns | HIPAA Compliance for Medical Practices | Scoop.it

Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentially policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Health insurer Reaches Settlements Over HIPAA Violations 

Health insurer Reaches Settlements Over HIPAA Violations  | HIPAA Compliance for Medical Practices | Scoop.it

Health insurer Aetna has reached settlements with a number of state attorney generals over HIPAA violations resulting from mailings to HIV/AIDS and cardiac patients, the New Jersey attorney general announced

 

The three states and district involved in the Aetna settlements are Connecticut, the District of Columbia (DC), New Jersey, and Washington. Aetna agreed to pay Connecticut around $100,000, DC around $175,000, and New Jersey $365,000. Washington has not yet disclosed how much it will receive from Aetna.

 

As part of the settlements, Aetna has agreed to implement policy, protocol, and training reforms designed to safeguard individuals’ PHI and ensure the confidentiality of mailings containing that information. The company has also agreed to hire an independent consultant to evaluate and report on its privacy protection practices and to monitor its compliance with the settlements’ terms.

 

 

“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” said NJ Attorney General Gurbir Grewal. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”

 

The investigation revealed that Aetna disclosed HIV/AIDS-related information on about 12,000 individuals through a third-party mailing on July 28, 2017. The envelopes used in the mailing had a transparent address window, which revealed recipients’ names, addresses, and text that included the words “HIV medications.”

 

The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals about a study of patients with atrial fibrilation (AFib). The envelopes for the mailing included the name and logo for the study, IMPACT AFib, which could have been interpreted as indicating that the addressee had an AFib diagnosis.

 

DC Attorney General Karl Racine said in a statement: “Aetna failed to protect the health information of District residents and illegally disclosed their HIV status. Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information.”

 

The three states and DC alleged that Aetna not only violated HIPAA but also state laws pertaining to the PHI of individuals in general and of persons with AIDS or HIV infection in particular.

 

In January 2018, Aetna settled a class action lawsuit that required it to pay $17 million in relief to the 12,000 individuals regarding the HIV mailing.

 

Lead plaintiff Andrew Beckett, which is a pseudonym, alleged in his original complaint that PHI and confidential HIV-related information “was disclosed improperly by Aetna and/or Aetna-related or affiliated entities, or on their behalf, to third parties, including, without limitation, Aetna’s legal counsel and a settlement administrator, and through a subsequent mailing of written notices that were required to be sent as part of a settlement of legal claims that had been filed against certain Aetna-related entities or affiliates.”

 

The letters from Aetna had originally been sent in response to a settlement over previous data privacy violation worry. The healthcare company had been sued in two separate class-action lawsuits in 2014 and 2015.

 

“Those lawsuits alleged that Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through mail and not allowing them to pick up their medications in person at the pharmacy,” according to the 2017 lawsuit.

 

In response to the January 2018 lawsuit settlement, Aetna said that it is “implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

 

“Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident,” Aetna said in a statement.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

OCR Releases New HIPAA Breach Reporting Tool for “Wall of Shame”

OCR Releases New HIPAA Breach Reporting Tool for “Wall of Shame” | HIPAA Compliance for Medical Practices | Scoop.it

Earlier this week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a redesigned HIPAA Breach Reporting Tool on their site.

The HIPAA Breach Reporting Tool is commonly called the “Wall of Shame” because it lists all organizations that have had health care data breaches affecting more than 500 individuals that have occurred since enforcement began. The Wall of Shame is a searchable, permanent database of HIPAA violations maintained by OCR.

The new Breach Reporting Tool allows you to search the full archive of breaches, and gives access to an “Under Investigation” tab. The tool has been redesigned to make it easier than ever before to look through OCR’s investigation history. This makes the consequences of a data breach or HIPAA violation a permanent reputational issue for your organization–especially now that prospective patients are doing more and more research into behavioral health specialists they’re looking to work with.

Protecting your practice with a HIPAA compliance program is an essential way to keep your name off the Wall of Shame. Below, we take a look at exactly what the regulation requires so you know what to look for in a HIPAA compliance program for your practice.

The HIPAA Breach Notification Rule

HIPAA breach reporting and breach notification are essential parts of any organization’s HIPAA compliance. HIPAA breach reporting is regulated by the HIPAA Breach Notification Rule, which was first enacted in 2009 along with the HITECH Act.

The HIPAA Breach Notification Rule categorizes data breaches into two categories with specific requirements for follow-through on each. The two kinds of breaches that the Breach Notification Rule identifies are:

  • Minor Breach: any breach of protected health information that affects fewer than 500 individuals. Individuals must be notified of the breach within 60 days of discovery of the breach. ALL minor breaches that have occurred over the course of the year must be reported to OCR NO LATER than 60 days after the end of the calendar year. This date usually falls on March 1st or February 29th.
  • Meaningful Breach: any breach of protected health information that affects more than 500 individuals. Individuals must be notified within 30 days of the discovery of the breach, and local media must also be notified of the breach. Meaningful breaches must be reported to OCR immediately, within 60 days of the discovery of the breach itself.

Trends in HIPAA Enforcement

In January of 2017, OCR levied its first fine for a violation of the HIPAA Breach Notification Rule in the history of HIPAA enforcement.

The fine was levied against Presence Health, one of the largest health care networks in Illinois. The organization was fined $475,000 after more than 500 individuals were implicated in a meaningful breach. Over the course of its investigation, OCR found that Presence failed to notify the individuals within the 60 days mandated by the Breach Notification Rule.

This is just one example of the recent trend in unconventional HIPAA enforcement efforts that have been targeting health care professionals of all kind across the country.

The best way to mitigate your risk of being targeted by these breaches is to adopt a total HIPAA compliance program in your organization that addresses the full extent of the law. Don’t get caught unprepared!

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Survey Reveals A Reportable Benchmarking Breaches

HIPAA Survey Reveals A Reportable Benchmarking Breaches | HIPAA Compliance for Medical Practices | Scoop.it

In early, HCPro’s Medical Records Briefing (MRB)newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, implementation date. This year, MRBasked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.

 

With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents that said their organizations experienced a HIPAA breach in the past two years remained at 55% .However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase.

 

Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.

 

The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches.

 

The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.

 

This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Based on this data, an increased number of HIM directors or managers appear to be serving as privacy officers at their facility. More specifically, 65% of HIM directors and managers responding to the survey also serve as the privacy officer.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Did Doctor Violate HIPAA for Political Campaign?

Did Doctor Violate HIPAA for Political Campaign? | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators are reportedly investigating whether a physician in Richmond, Va., violatedHIPAA privacy regulations by using patient information to help her campaign for the state senate.


The Philadelphia office of the Department of Health and Human Services' Office for Civil Rights is investigating potential HIPAA violations by Siobhan Dunnavant, M.D., a Republican state senate candidate, after a complaint alleged the obstetrician-gynecologist used her patients' protected health information - including names and addresses - to solicit contributions, volunteers and votes, according to an NBC news report.


Conservative blogger Thomas White tells Information Security Media Group that he reported to HHS earlier this year that letters and emails about Dunnavant's candidacy were sent to her patients prior to the June primary race in the state's 12th district, which includes western Hanover County. White says he notified HHS after receiving a copy of a letter from a Dunnavant patient who was annoyed at receiving the campaign-related communications from her doctor.


"I would love for you to be involved," Dunnavant wrote to patients, also reassuring them that their care would not be impacted if she's elected, according to a copy of a campaign letter posted on the NBC website."You can connect and get information on my website. There you can sign up to get information, a bumper sticker or yard sign and volunteer," the posted letter states. Other campaign-related material included emails sent to patients that were signed by "Friends of Siobhan Dunnavant," NBC reports and White confirmed, citing reports from patients.


The physician is one of three candidates seeking the state senate seat in the Nov. 3 election.

Patient Confidentiality

A spokeswoman for Dunnavant's medical practice declined to confirm to Information Security Media Group whether OCR is investigating Dunnavant for alleged HIPAA privacyviolations. However, in a statement, the spokeswoman said, "We are aware of concerns regarding patient communication, and we are reviewing the issue with the highest rigor and diligence. Please be assured we hold confidentiality of patient information of paramount importance, and thank patients for entrusting us with their care."


A spokeswoman in OCR's Washington headquarters also declined to comment on the situation. "As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations, nor can we opine on this case," she says.


White, editor of varight.com, says he first received a copy of one of Dunnavant's campaign letters in May, and that he was the first to report on the issues raised by the letters. He tells ISMG he filed a complaint with the federal government after he confirmed that the use of patient information for campaign purposes was a potential violation of privacy laws.


Nearly four months later, an investigator in OCR's regional office in Philadelphia, which is responsible for Virginia, on Sept. 29 responded to White's complaint, indicating the doctor's actions would be examined. White says he also confirmed again in a call to OCR on Oct. 28 that the case is still under investigation.


"You allege that Dr. Dunnavant impermissibly used the protected health information of her patients. We have carefully reviewed your allegation and are initiating an investigation to determine if there has been a failure to comply with the requirements of the applicable regulation," OCR wrote to White, according to a copy of the OCR letter that appears on White's website.

HIPAA Regulations

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says Dunnavant's alleged use of patient information raises several HIPAA compliance concerns.


"HHS interprets HIPAA to cover demographic information held by a HIPAA-covered healthcare provider if it is in a context that indicates that the individuals are patients of the provider," he notes. "Healthcare providers must be careful when using patient contact information to mail anything to the patient - even if no specific diagnostic or payment information is used. If a patient's address is used to send marketing communications or other communications unrelated to treatment, payment, or healthcare operations without the patient's authorization, then this may be an impermissible use of protected health information under HIPAA."


If patient contact information is shared with someone else, such as a political campaign, that also could be a HIPAA violation, Greene adds. "The same information that can be found in a phone book - to the extent anyone uses phone books - may be restricted in the hands of healthcare providers."


Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes that the HIPAA Privacy Rule has "a blanket prohibition" on a HIPAA covered entity disclosing the protected health information of their patients without first seeking authorization of the individual - except where specifically permitted or required by the rule.


"There is no provision in the privacy rule where a healthcare provider who is a HIPAA covered entity can disclose patient information to a political campaign," he points out.


Because of those restrictions, federal regulators will carefully scrutinize the case, Holtzman predicts. "It is likely that OCR will look closely at the doctor's correspondence for its communication about her candidacy for political office, how to contact the campaign or obtain campaign products as well as the statement that the letter was paid for and authorized by the campaign organization."


An OCR investigation into the alleged violations of the HIPAA Privacy Rule could result in HHS imposing a civil monetary penalty, Holtzman notes. "There are criminal penalties under the HIPAA statute for 'knowingly obtaining or disclosing identifiable health information in violation of the HIPAA statute,'" he adds.

Potential Penalties

Offenses committed with the intent to view, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment for up to 10 years, Holtzman notes.


"The Department of Justice is responsible for investigating and prosecuting criminal violations of the HIPAA statute," he says. "And changes in the HITECH Act clarified that a covered entity can face both civil penalties for violations of the privacy rule and criminal prosecution for the same incident involving the prohibited disclosure of patient health information."


The U.S. Department of Justice did not respond to ISMG's request for comment on whether it's planning to investigate the Dunnavant case.

more...
No comment yet.
Scoop.it!

HIPAA Compliance and EHR Access

HIPAA Compliance and EHR Access | HIPAA Compliance for Medical Practices | Scoop.it

In light of the recent massive security breaches at UCLA Medical Center and Anthem Blue Cross, keeping your EHR secure has become all the more important. However, as organizations work to prevent data breaches, it can be difficult to find a balance between improving security and maintaining accessibility. To that end, HIPAA Chat host Steve Spearman addresses digital access controls, common authentication problems, and how authentication meets HIPAA compliance and helps ensure the integrity of your EHR, even after multiple revisions.


Q: What are access controls?


A: Access controls are mechanisms that appropriately limit access to resources. This includes both physical controls in a building, such as security guards, and digital controls in information systems, such as firewalls. Having and maintaining access controls are a critical and required aspect of HIPAA compliance, and is the first technical HIPAA Security Standard.


Q: What’s the most common form of digital access control we see in healthcare?


A: The username and password is the most common form of access control by far. The Access Control Standard requires covered entities to give each user a distinct and unique user ID and password in order to access protected information. These unique credentials for each employee enable covered entities to confirm (“authenticate”) the identity of users and to track and audit information access.


Q: What are the most common problems with access controls and use of passwords in healthcare?


A: The most common problem is that covered entities often use multiple systems which each may require its own set of usernames and passwords along with varying requirements for these credentials, such as minimum character length or use of capital letters. Memorizing multiple sets of passwords and usernames for multiple systems is difficult for most people. In addition, there is a conundrum between password complexity and memorization. Complex passwords (longer with multiple required character types) are better for security but much harder to memorize. This is the conundrum.


Q: Are stricter password policies always more secure?


A: No, if passwords requirement are too strict, users then use coping mechanisms such as writing them down or re-using the same password over and over and across multiple systems. This compromises security rather than enhancing it. For example, a policy that required 14 digit passwords and required, lower-case, upper-case, numbers and symbols and expired every 30 days would create huge problems for most organizations. With these policies, staff would simply write down their passwords. But this compromises security. If a bad person gets a hold of a written list of passwords they have the “keys to the kingdom”, the ability to access the accounts on that written list. So passwords should not be written down.

In addition, overly strict password policies tend to overwhelm technical support staff with password reset requests.

So passwords should be sufficiently complex to make them hard to crack which also makes them hard to memorize.


Q: This sounds like a big problem. Do you have any suggestions to make things better?


A: At a minimum, organizations need to provide training to staff on straightforward techniques to create memorable but complex passwords. I have an exquisitely terrible memory. But I have great passwords using one particular technique. Just google “create good memorable passwords” and you can find dozens of videos demonstrating how to do it. But, of course, our favorite is the video featuring our very own, Gypsy, the InfoSec Wonderdog.


Enterprises should seriously consider additional technical solutions such as two factor authentication with single sign on (2FA/SSO).


Q: What is a good, reasonable password policy?


A: I recommend a policy that:


  • Requires a minimum of 8 characters
  • Requires two or three of the options of lower-case, upper-case, numbers and symbols
  • Expire every 3 to 6 months
  • And limit limit use of historical passwords so that the previous two cannot be used.


Q: You mentioned authentication before. What is that? What is two-factor or multi-factor authentication?


A: Authentication is the process of confirming the identity of a person before granting access to a resource. Computer geeks refer to the three factors of authentication:


  • What a user has (an ID badge or phone).
  • What a user knows (a PIN number)
  • Who a user is (biometrics)


For example, ATMs use two-factor authentication:

  1. What the user has: an ATM card and
  2. What they know: a PIN.


One of my favorite tools for two factor authentication is Google Authenticator which runs as an app on my mobile phone. Another common form of two factor authentication is text codes. With this method, the website or app, after entering a correct username and password, sends a text with a numeric code that expires after a few minutes to your phone that is entered into another field in the website before access is granted.


Everyone should enable two factor authentication on their most essential systems such as to online banking and to email accounts such as gmail.


In healthcare, there is a growing trend toward biometric authentication, the use of fingerprint readers or palm readers, etc. to authenticate into systems. Biometric authentication is generally very secure and is also very easy to use since there is nothing to memorize.


Q: What is SSO?


A: Single sign-on (SSO) lets users access multiple applications through one authentication event. In other words, one password allows access to multiple systems. It enhances security because users only have to remember one password. And because it is just one, it is commonly a good complex password. Once entered, it will allow access to all the core systems (if enabled) without having to re-authenticate.


Single sign-on combined with two factor authentication or biometrics work great together in tandem and are often sold together by vendors. The leading SSO/2FA vendor in healthcare is Imprivata, but there are other vendors making great in-roads into healthcare such as Duo Security2FA.com and Secureauth.com.


Q: What do you mean by “integrity” and what does it have to do with access control and authentication?


A: Integrity in System Standards is the practices used to track and verify all changes made to a health record. It is a condition that allows us to prevent editing or deleting of records without proper authorization.


Authentication and access controls are the primary means we use to preserve integrity of a record. If the information system is programmed to track its users’ activity, then it’s possible to track who made changes to a record and how they changed it.


This is why users should never share usernames and passwords with other users. Integrity becomes impossible if a username does not signify the same user every time it appears.


Q: Any final thoughts?


A: Finding that balance between HIPAA compliance, security and accessibility can be tricky. We recommend reducing digital access controls to a single multi-factor authentication or biometrics event. This single, secure method of authentication could be the balance between security and efficiency needed to keep your EHR secure and yet accessible. In addition to improving accessibility to your system, an MFA or biometrics sign-in method could help improve your organization’s EHR integrity.

more...
No comment yet.
Scoop.it!

5 keys to managing a data breach

5 keys to managing a data breach | HIPAA Compliance for Medical Practices | Scoop.it

Unfortunately, data breaches have become an extremely common occurrence. Not all of them have the high-profile of a Target, Ashley Madison, Home Depot or Anthem breach, but the damage to a company and its reputation is very real.


While companies can purchase cyber insurance to help manage the risks associated with a breach, there are also steps a business can take to maximize the relationship with their breach team and minimize the fallout following the cyber event.


Here are five factors to consider when it comes to managing a company’s cyber attack or data breach.


 1. Assess the risk

So how does a company prepare for such an eventuality and what steps should be taken after a breach occurs?


“Start with what you will face if a breach occurs,” advises Anthony Roman, president of Roman & Associates, a global investigation, risk management and computer security consultation firm. “Corporations of all sizes that hold any information that can be deemed private or personal are going to face a number of very serious hurtles in a breach that will encourage them to have a breach plan.”


Roman says this includes class action suits for the “undue release or allowing the release of personal and private information. The average class action suit is settling for $2.9 to $3 million.” He estimates the legal costs to defend a company in a class action suit will range anywhere from several hundred thousand dollars to well over one million.


“You may face government sanctions for local, state, federal or legal violations, some of which are criminal in nature and some which are civil in nature,” he explains. Criminal violations can pierce the corporate veil and involve specific individuals within the corporation.


There could also be regulatory sanctions if the company violated any Federal Communications Commission (FCC) regulations or any other regulatory agency’s regulations regarding cyber security. “That should be a wonderful motivator for anyone to have a robust and compliant breach program,” he adds.


Roman recommends that companies work with their brokers to craft coverage that will reduce their risk, review the policy exclusions, and ensure that they are insured to cover the types of information that will be affected and the resulting exposures from a breach.


2. Avoid these mistakes

The saying goes, “Fail to plan and plan to fail,” and nowhere is that more true than with cyberattacks and breaches. “Not having a well thought out and documented roadmap for the ‘what, when, where, who and how’ of responding to a suspected data breach is a recipe for disaster,” says Paul Nikhinson, Esq., privacy breach response services manager for Beazley.


Related: Many businesses unprepared for cyber attacks

“Most post-incident mistakes could be avoided or mitigated by implementing appropriate pre-incident prevention and response plans,” adds Kevin Kalinich at Aon. He says that some of the major mistakes companies make include:


  • Internal company denial regarding the potential magnitude of the incident. Appropriate resources and attention must be allocated immediately to determine the magnitude of the incident. The financial impact of cyber incidents is not always directly correlated with the size of the incident, but the financial statement impact is often correlated to the effectiveness of the response.
  • Automatically characterizing an “incident” (no immediate legal liability connotations) as a “breach” (immediate legal liability connotations under various laws, regulations and insurance policies).
  • Passing the buck rather than developing a comprehensive coordinated response.
  • Defensive reaction to regulators rather than an open and frank dialogue.
  • Failure to timely notify any and all potentially applicable insurance carriers.


Overreacting or underreacting to the event can also be a problem says Nikhinson. “Where there’s smoke, there’s fire; however, not every bit of smoke necessarily means a five-alarm fire. Going too quickly to the media and clients without an adequate command of the facts often causes far more harm than good.”


He also says that a company can’t just put its “head in the sand and hope for the best. This isn’t just an ‘IT’ problem. It’s something that could result in catastrophic financial and reputational damage to the company.”


Other problems include not having a plan at all, not following the established plan, not engaging a breach coach or team, and having poor communication between breach team members.


3. Working effectively with your breach team

After a company experiences a breach is not the time to be pulling together a team to address the problem. Assuming that a company already has a highly qualified team in place involving legal, IT, security, human resources, risk management and public relations professionals, experts recommend notifying legal counsel as soon as a cyber incident is discovered. “Counsel should handle retaining outside experts to maintain privilege, which puts the company in the best defensible position possible,” counsels Bob Parisi, Marsh’s cyber product leader

.

Kalinich concurs. “Legal counsel should be involved as soon as a cyber incident is identified for a variety of risk mitigation, contractual liability, privacy liability, legal compliance and financial statement impact reduction reasons. Thereafter, depending upon the nature of the incident, the chief information security officer (CISO), IT security, privacy officer and management responsible for cyber incident response should be simultaneously notified. Outside parties such as customers, partners, vendors, suppliers, etc. need not be notified until the entity understands what happened (subject to notification laws, of course).”


Roman recommends activating the company’s internal breach team as soon as a breach is revealed since most breaches occur way before they are discovered. “As you’re noticing it happened, it probably occurred earlier and they are sucking you dry of confidential information, client information, individuals’ personal information, corporate secrets and information that may be sensitive from a public relations perspective.”


There should also be a designated team leader and decision-maker says Roman, “Someone who can take all of the advice and says this is what we will do and has the authority to do it.” He also recommends that executives resist the urge to micromanage the problem. “They should assess the decisions made by the professionals and act accordingly.”


Communication between team members is critical to successfully managing the breach. “Do your best to break down internal information silos,” recommends Beazley’s Nikhinson. “Does legal know what IT/IS is investigating and how it is being documented? Does IS know that risk purchased a cyber-insurance policy and that it has certain reporting requirements? At what point do you bring in corporate communications? Coordination between all of the internal stakeholders is essential, and having someone akin to a project manager to facilitate that coordination can make all the difference in the world.”


4. Experience matters

Insurance brokers, legal counsel, public relations professionals and other vendors on the breach team should have extensive experience in cyber attacks and breaches. An experienced insurance broker can help a client find a cyber policy that best matches their needs and risks says Parisi. “The broker should have assisted the client in fully understanding coverage as well as the value-added services that are part of today’s cyber coverage. By doing that the client will be able to fully utilize the benefits of the coverage when a breach or event happens.”


Clients should report a breach to their broker or agent as soon as it occurs. According to Aon’s Kalinich, an experienced cyber broker will be able to:


  • Identify the applicable insurance policies.
  • Provide the insured with the required insurance notice requirements.
  • Detail any specific insurance policy requirements (i.e., third-party forensic experts must be selected from the insurance company panel in order to be covered by the insurance policy).
  • Arrange a call between insurance broker legal cyber incident claims specialist and the insured.
  • Determine whether, and in what manner, notice is required to insurers.
  • Describe past cyber incident best practices that reduce the total cost of risk.
  • Maintain consistent and timely communications between the insured and the insurers.


5. Practice makes perfect

Roman recommends that companies hold periodic breach rehearsals, which can be conducted by a firm outside of the business. “Surprise your team. Tell them this is a drill and there is a breach,” he advises. This gives executives an opportunity to see how quickly the breach team can be pulled together and how they will react to a real breach. It also gives them an opportunity to role play some of the critical elements of the plan.


Brokers can assist their clients by ensuring they have the right coverage for their business exposures as well as “a proactive relationship with their carrier’s breach response team so their first meeting doesn’t occur in the middle of a firefight,” adds Nikhinson.

Waiting until after a cyber breach occurs is too late to begin managing its effects, and can have dire consequences to a company’s reputation and its bottom line. Being proactive will help mitigate some of the damage and give the company a roadmap for successfully managing the breach.

more...
No comment yet.
Scoop.it!

Moving in Front of Healthcare’s Connectivity Curve

Moving in Front of Healthcare’s Connectivity Curve | HIPAA Compliance for Medical Practices | Scoop.it

As a clinician, technology is a significant interest in my life. I have always felt that one way in which to stay young is to embrace technology, and to understand how technology integrates into our professional and personal lives.


This past April, I was intrigued by the announcement of ResearchKit by Apple.. The first research apps developed covered five areas of study: Asthma, breast cancer, cardiovascular disease, diabetes, and Parkinson’s disease. However, the number of commercial and institutional research organizations using the open-source platform of ResearchKit is expanding daily.


More than 75,000 people have enrolled in ongoing health studies using ResearchKit apps to gather health data. Smartphones and wearable technology, with their microphones, cameras, motion sensors, and GPS devices, have unique advantages for gathering health data, and, in some cases, can serve as a valuable addition to regular care from a provider.


The possibilities for benefiting the body of health knowledge are endless. However, it is important for patients to be mindful and use these tools wisely in this modern world of connectivity.

More than a few people are commenting on the possible risks of gathering data in this way. As always in our modern society, available technology is way ahead of regulations. For example, we have strong laws and regulations regarding patient confidentiality enshrined in medical tradition and HIPAA.


Recognizing this vulnerability, Apple added the following to their app store submission guidelines: “All studies conducted via ResearchKit must obtain prior approval from an independent ethics review board.” Meaning, all studies must obtain Institutional Review Baords (IRB) approval. This is a good step in the right direction, but much more care is needed to gather data with the expanding number of ResearchKit apps, to ensure that personal health data is protected and that this technology is used in an ethical, and lawful, way.


Regardless of the all the caveats, I remain intrigued and hopeful that leveraging technology via tools such as smartphones and software like ResearchKit will be a great boon to the understanding of disease and treatments around the world.


I would recommend the following to put us ahead of the curve with these new tools:


  1. Ethical guidelines and procedures need to be developed by the research community in the U.S. to ensure that use of technology in research data gathering is done with the greatest protection of the patients’ individual health data.
  2. Laws and regulations need to be considered to ensure the integrity of the data as well as the protection of personal health information.
  3. Companies like Apple, who are leading the roll out of this technology, should not wait for state and federal governmental entities to regulate the use of technology in research and should be leaders in the ethical, responsible use of apps to gather and use health research data.


Technology in medicine is constantly evolving. We have to try to evolve with it, however, and recognize that the law of unintended consequences is always present, and will always present challenges as the vast universe of technology expands with every increasing speed in medicine and every other area of life.

more...
No comment yet.
Scoop.it!

Millions Potentially Affected by Premera Data Breach

Millions Potentially Affected by Premera Data Breach | HIPAA Compliance for Medical Practices | Scoop.it
With so many data breach lawsuits in the news lately, a person would think that companies that have access to private consumer or patient information would take cyber security seriously. Unfortunately, every day there seems to be more news about companies that have been hit by hackers and have allowed customer information to be made vulnerable. One of the more recent of the data breaches is the Premera data breach, in which approximately millions of patients had their private information compromised.

Lawsuits have followed, with plaintiffs alleging Premera Blue Cross did not properly or adequately secure customer information. The lawsuits allege negligence on Premera’s part. As of July 15, 2015, the number of lawsuits consolidated for pretrial proceedings sits at around 35, according to court documents. But the multidistrict litigation (MDL Number 2633) was only just approved, and more lawsuits could certainly be filed, given the massive number of patients affected by the cyber attack.

Reports indicate that up to 11 million customers may have had their information compromised, although some reports put that number affected at around 4.5 million. Still, for those whose information was accessed, the results can be disatrous.

That’s because information stored by companies such as Premera could be used to commit identity theft, where thieves file for credit or tax refunds under someone else’s name. That puts the victim at risk of having his or her credit negatively affected and having lenders come after the victim for bogus mortgages and lines of credit, not to mention the trouble he or she could face for a fraudulent tax return.

Even those who aren’t victims of large-scale identity theft face the time and hassle of sorting out the consequences of having credit

READ MORE PREMERA BLUE CROSS REPORTS DATA BREACH LEGAL NEWS
Premera Data Breach Lawyer: Companies Must Face Consequences for Failing to Protect Identifying Information
Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions
Patient health information is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA also requires timely notification of information breaches, which critics say was violated here. According to some attorneys, Premera allegedly knew about issues in its security systems from an audit, but did not adequately address those issues, leaving patient information vulnerable.

Furthermore, the data breach allegedly started back in May 2014, but Premera reportedly didn’t warn customers until March 2015. Patients were notified by a letter that their personal information might have been accessed.
more...
No comment yet.
Scoop.it!

HIPAA’s demands on the IT industry

HIPAA’s demands on the IT industry | HIPAA Compliance for Medical Practices | Scoop.it

We’re familiar with signing our lives away at the doctor’s office on HIPAA paperwork, but how is this policy affecting the IT industry?

Since the mid ’90s, the Health Insurance Portability and Accountability Act has regulated health insurance coverage and health care transactions. HIPAA protects patient privacy to ensure safekeeping of all medical information the patient may not wish to disclose. Long story short: HIPAA creates a higher standard to protect patient privacy and confidentiality. HIPAA holds institutions, organizations and offices responsible for protecting private patient information — and provides a framework for punishment when violators unlawfully access or share protected information.


In the past, HIPAA primarily affected hospital procedures. However, a large shift in policy created a ripple that stretched out to the IT industry. The Health Information Technology for Economic and Clinical Health Act of 2009 added technology and financial associates to the list of regulated parties. Things changed even more in 2013 when lawmakers added the Final Omnibus Rule, which significantly expanded the act's Protected Health Information regulations. This ruling greatly changed the relationship between HIPAA and the IT industry.


The rule’s provisions allowed HIPAA to administer new regulations on modern technology and the IT industry. The Final Omnibus Rule paid special attention to cloud storage, mobile devices and remote technologies that offer new ways to access patient information — and, consequently, provide more opportunities for privacy and security breaches. Formerly, a security breach was only considered a breach if the information contained birthdates or ZIP codes. Under the Final Omnibus Rule, all breaches of limited data must be handled the same, regardless of their content.


So, where does this leave the IT industry? When a cloud database administrator or independent IT consultant works directly with protected health information, the person or company automatically becomes a business associate who is subject to the rules and penalties of HIPAA. Since health care providers and their system administrators already know HIPAA regulations well, the IT industry and service providers are now playing catch-up. This means the IT industry has to learn the new regulations quickly and thoroughly to ensure the rules are being followed accordingly. For those still playing catch-up, or those that need a refresher course, allow us to summarize the rules of Title II:


The Privacy Rule  —Gives patients more control and protection over their confidential information.


The Transactions and Code Sets Rule — Keeps transactions standard throughout the industry.


The Security Rule — Updated to accommodate for the technological advances and thus the new forms of security breaches.


The Unique Identifiers Rule — Standardizes and protects the communication between health care providers and insurers.


The Enforcement Rule — Includes harsh penalties for HIPAA violations.


For people working with medical and patient data on a daily basis, HIPAA's privacy and security rules directly affect both the hardware and the software used to store and send data. According to the U.S. Department of Health & Human Services, everything from Drug Enforcement Administration numbers to vendor finances to patient identities can be subject to security breaches in health care databases. With so much at risk, the IT industry must be aware of the new regulations and be prepared to provide counsel on security and backup plans.


IT companies have come up with several solutions for security and backup that are HIPAA compliant, due to an increased need after 2013. Cloud computing offers ease of access, reliable backups and streamlined communication. Additional private cloud options were created with HIPAA regulations in mind — making sure all operations are secure, smart and compliant. With a private cloud, data is separate, safe and in an identifiable location. Only the particular client has access to the data in private clouds, perfectly complying with HIPAA policy.


New regulations are always a headache for database administrators, but HIPAA might settle the score with its new rules by preventing many more problems in the future. Hopefully, stricter privacy regulations and more defensive systems will emphasize the importance of innovative, up-to-date storage centers and solutions.

more...
No comment yet.
Scoop.it!

Protecting PHI: Managing HIPAA Risk with Outside Consultants 

Protecting PHI: Managing HIPAA Risk with Outside Consultants  | HIPAA Compliance for Medical Practices | Scoop.it

The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, thought IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with Privacy Rules designed to protect PHI.

 

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.

 

FTE Mentality

During the contract period, the expectation is that consultants act as if they were an employee of the hospital or provider organization and therefore treat PHI in this manner. It is important to know that consultant business associates could be held liable or equally responsible for a PHI data breach in the same way a full-time employee could be.

 

Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.

 

Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it would be preferable that the hospital provides the consultant with a computer or device with appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall and require multi-factor authentication during log-in. Avoid inappropriate access to PHI by way of shared or public data access points. Don’t allow private access to PHI where others could intervene.

 

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.

 

Paper-based reports also pose threat of PHI leak. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal and image-based PHI should all be confidently secured. Of course the regulations also relate to visual and verbal protections. When accessing PHI avoid allowing others to view your screen over your shoulder. When discussing PHI make sure only those who need to know and have appropriate authority can hear the conversation.

 

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How Do I Become HIPAA Compliant?

How Do I Become HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

For healthcare providers, HIPAA compliance is a must. HIPAA guidelines protect patients’ health information, ensuring that it is stored securely, and used correctly.

 

Sensitive data that can reveal a patient’s identity must be kept confidential to adhere to HIPAA rules. These rules work on multiple levels and require a specific organizational method to implement comprehensive privacy and security policies to achieve compliance.

 

Most organizations find this to be a daunting task. We have put together a HIPAA compliance checklist to make the process easier.

 

The first is to understand how HIPAA applies to your organization. The second is to learn how to implement an active process, technology, and training to prevent a HIPAA-related data breach or accidental disclosure. Finally, the third is to put physical and technical safeguards in place to protect patient data.

By the time you’re done with our list, you will know what you need to consider to have a better conversation with your compliance advisors.

What is HIPAA?

Before talking about compliance, let’s recap the basics of HIPAA.

Signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act provides rules and regulations for medical data protection.

HIPAA does several important things. It reduces health care abuse and fraud and sets security standards for electronic billing of healthcare. It also does the same for the storage of patients’ healthcare information. The Act mandates the protection and handling of medical data, ensuring that healthcare data is kept private.

The part of HIPAA we are concerned with relates to healthcare cybersecurity. To be compliant, you must protect patients’ confidential records.

HIPAA rules have evolved. When the law was first enacted, it did not mention specific technology. As the HIPAA compliant cloud has become commonplace, it has inspired additional solutions. For example, our Data Security Cloud (DSC) is being developed to create a base infrastructure for a HIPAA compliant solution. Providing a secure infrastructure platform to ride on top of, DSC makes creating a HIPAA-compliant environment easier.

Secure infrastructure handles things at the lowest technical level that creates data, providing the key features to keep data safe. These features include separation/segmentation, encryption at rest, a secure facility at the SOC2 level of compliance, and strict admin controls among other required security capabilities.

 
 

Why Is HIPAA Compliance Important?

HIPAA compliance guidelines are incredibly essential. Failure to comply can put patients’ health information at risk. Breaches can have a disastrous impact on a company’s reputation, and you could be subject to disciplinary action and strict violation fines and penalties by CMS/OCR.

Last year’s Wannacry ransomware attack affected more than 200,000 computers worldwide, including many healthcare organizations. Most notably, it affected Britain’s National Health Service, causing serious disruptions in the delivery of health services across the country.

To gain access to the systems, hackers exploited vulnerabilities in outdated versions of Windows that are still commonly used in many healthcare organizations. With medical software providers offering inadequate support for new OS’s and with medical devices such as MRIs lacking security controls, the attack was easy to carry out.

The attack demonstrated the strength of today’s hackers, highlighting the extent to which outdated technologies can pose a problem in modern organizations. This is precisely why HIPAA also regulates some aspects of technology systems used to store, manage, and transfer healthcare information.

The institutions that fail to implement adequate systems can suffer significant damage. If a breach takes place, the law requires affected organizations to submit various disclosure documents, which can include sending every subject a mailed letter. They may also be required to offer patients a year of identity protection services.  This can add up to significant dollars, even before confirming the extent of the breach.

 

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule creates national standards. Their goal is to protect medical records and other personally identifiable health information (PHI).

It applies to three types of companies: providers, supply chain (contractors, vendors, etc.) and now service providers (such as data centers and cloud services providers). All health plans and healthcare clearinghouses must be HIPAA compliant.

The rules also apply to healthcare providers who conduct electronic health-related transactions.

The Privacy Rule requires that providers put safeguards in place to protect their patients’ privacy. The safeguards must shield their PHI. The HIPAA Privacy Rule also sets limits on the disclosure of ePHI.

It’s because of the Privacy Rule that patients have legal rights over their health information.

These include three fundamental rights.

    • First, the right to authorize disclosure of their health information and records.
    • Second, the right to request and examine a copy of their health records at any time.
    • Third, patients have the right to request corrections to their records as needed.

The HIPAA Privacy Act requires providers to protect patients’ information. It also provides patients with rights regarding their health information.

 

What Is The HIPAA Security Rule

The HIPAA Security Rule is a subset of the HIPAA Privacy Rule. It applies to electronic protected health information (ePHI), which should be protected if it is created, maintained, received, or used by a covered entity.

The safeguards of the HIPAA Security Rule are broken down into three main sections. These include technical, physical, and administrative safeguards.

Entities affected by HIPAA must adhere to all safeguards to be compliant.

Technical Safeguards

The technical safeguards included in the HIPAA Security Rule break down into four categories.

    • First is access control. These controls are designed to limit access to ePHI. Only authorized persons may access confidential information.
    • Second is audit control. Covered entities must use hardware, software, and procedures to record ePHI. Audit controls also ensure that they are monitoring access and activity in all systems that use ePHI.
    • Third are integrity controls. Entities must have procedures in place to make sure that ePHI is not destroyed or altered improperly. These must include electronic measures to confirm compliance.
    • Finally, there must be transmission security. Covered entities must protect ePHI whenever they transmit or receive it over an electronic network.

The technical safeguards require HIPAA-compliant entities to put policies and procedures in place to make sure that ePHI is secure. They apply whether the ePHI is being stored, used, or transmitted.

Physical Safeguards

Covered entities must also implement physical safeguards to protect ePHI. The physical safeguards cover the facilities where data is stored, and the devices used to access them.

Facility access must be limited to authorized personnel. Many companies already have security measures in place. If you don’t, you’ll be required to add them. Anybody who is not considered an authorized will be prohibited from entry.

Workstation and device security are also essential. Only authorized personnel should have access to and use of electronic media and workstations.

Security of electronic media must also include policies for the disposal of these items. The removal, transfer, destruction, or re-use of such devices must be processed in a way that protects ePHI.

Administrative Safeguards

The third type of required safeguard is administrative. These include five different specifics.

    • First, there must be a security management process. The covered entity must identify all potential security risks to ePHI. It must analyze them. Then, it must implement security measures to reduce the risks to an appropriate level.
    • Second, there must be security personnel in place. Covered entities must have a designated security official. The official’s job is to develop and implement HIPAA-related security policies and procedures.
    • Third, covered entities must have an information access management system. The Privacy Rule limits the uses and disclosures of ePHI. Covered entities must put procedures in place that restrict access to ePHI to when it is appropriate based on the user’s role.
    • Fourth, covered entities must provide workforce training and management. They must authorize and supervise any employees who work with ePHI. These employees must get training in the entity’s security policies. Likewise, the entity must sanction employees who violate these policies.
    • Fifth, there must be an evaluation system in place. Covered entities must periodically assess their security policies and procedures.

Who Must Be HIPAA complaint?

There are four classes of business that must adhere to HIPAA rules. If your company fits one of them, you must take steps to comply.

The first class is health plans. These include HMOs, employer health plans, and health maintenance companies. This class contains schools who handle PHI for students and teachers. It also covers both Medicare and Medicaid.

The second class is healthcare clearinghouses. These include healthcare billing services and community, health management information systems. Also included are any entities that collect information from healthcare entities and process it into an industry-standard format.

The third class is healthcare providers. That means any individual or organization that treats patients. Examples include doctors, surgeons, dentists, podiatrists, and optometrists. It also includes lab technicians, hospitals, group practices, pharmacies, and clinics.

The final class is for business associates of the other three levels. It covers any company that handles ePHI such as contractors, and infrastructure services providers. Most companies’ HR departments also fall into this category because they handle ePHI of their employees. Additional examples include data processing firms and data transmission providers. This class also includes companies that store or shred documents. Medical equipment companies, transcription services, accountants, and auditors must also comply.

If your entity fits one of these descriptions, then you must take steps to comply with HIPAA rules.

What is the HIPAA Breach Notification Rule?

Even when security measures are in place, it’s possible that a breach may occur. If it does, the HIPAA Breach Notification Rule specifies how covered entities should deal with it.

The first thing you need to know is how to define a breach. A breach is a use or disclosure of PHI forbidden by the Privacy Rule.

The covered entity must assess the risk using these criteria:

    1. The nature of the PHI involved, including identifying information and the likelihood of re-identification;
    2. The identity of the unauthorized person who received or used the PHI;
    3. Whether the PHI was viewed or acquired; and
    4. The extent to which the risk to the PHI has been mitigated.

Sometimes, PHI may be acquired or disclosed without a breach.

The HIPAA rules specify three examples.

  • The first is when PHI is unintentionally acquired by an employee or person who acted in good faith and within the scope of their authority.
  • The second is inadvertent disclosure of PHI by one authorized person to another. The information must not be further disclosed or used in a way not covered by the Privacy Rule.
  • The third occurs if the covered entity determines that the unauthorized person who received the disclosure would not be able to retain the PHI.

 

If there is a breach as defined above, the entity must disclose it. The disclosures advise individuals and HHS that the breach has occurred.

 

Personal disclosures must be mailed or emailed to those affected by the breach. A media disclosure must be made in some circumstances. If more than 500 people in one area are affected, the media must be notified.

 

Finally, there must also be a disclosure to the HHS Secretary.

The HIPAA Breach Notification Rule protects PHI by holding covered entities accountable. It also ensures that patients are notified if their personal health information has been compromised.

 

What Are The HIPAA Requirements for Compliance

The common question is, how to become HIPAA compliant?

The key to HIPAA compliance certification is to take a systematic approach. If your entity is covered by HIPAA rules, you must be compliant. You must also perform regular audits and updates as needed.

 

With that in mind, we’ve compiled a comprehensive checklist for use in creating your HIPAA compliance policy.

HIPAA Compliance Checklist

These questions cover the components to make you are HIPAA-compliant. You can use the checklist to mark each task as you accomplish it. The list is intended to be used for self-evaluation.

Have you conducted the necessary audits and assessments according to National Institutes of Standards and Technology (NIST) Guidelines?

 

The audits in question involve security risk assessments, privacy assessments, and administrative assessments.

Have you identified all the deficiencies and issues discovered during the three audits?

 

There are several things to consider before doing the self-audit checklist. You need to ensure that all security, privacy, and administrative deficiencies and issues are appropriately addressed.

 

Have you created thorough remediation plans to address the deficiencies you have identified?

After covering the deficiencies and issues mentioned above, you need to provide remediation for each group.

Do you have policies and procedures in place that are relevant to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule?

 

You must be aware of these three critical aspects of a HIPAA compliance program and ensure each is adequately addressed.

    • Have you distributed the policies and procedures specified to all staff members?
      • Have all staff members read and attested to the HIPAA policies and procedures you have put in place?
      • Have you documented their attestation, so you can prove that you have distributed the rules?
      • Do you have documentation for annual reviews of your HIPAA policies and procedures?
    • Have all your staff members gone through basic HIPAA compliance training?
      • Have all staff members completed HIPAA training for employees?
      • Do you have documentation of their training?
      • Have you designated a staff member as the HIPAA Compliance, Privacy, or Security Officer as required by law?
    • Have you identified all business associates as defined under HIPAA rules?
      • Have you identified all associates who may receive, transmit, maintain, process, or have access to ePHI?
      • Do you have a Business Associate Agreement (Business Associate Contract) in place with each identify you have identified as a Business Associate?
      • Have you audited your Business Associates to make sure they are compliant with HIPAA rules?
      • Do you have written reports to prove your due diligence regarding your Business Associates?
    • Do you have a management system in place to handle security incidents or breaches?
      • Do you have systems in place to allow you to track and manage investigations of any incidents that impact the security of PHI?
      • Can you demonstrate that you have investigated each incident?
      • Can you provide reporting of all breaches and incidents, whether they are minor or meaningful?
      • Is there a system in place so staff members may anonymously report an incident if the need arises?

As you work your way through this checklist, remember to be thorough. You must be able to provide proper documentation of your audits, procedures, policies, training, and breaches.

As a final addition to our checklist, here is a review of the general instructions regarding a HIPAA compliance audit.

    • If a document refers to an entity, it means both the covered entity and all business associates unless otherwise specified
    • Management refers to the appropriate officials designated by the covered entity to implement policies, procedures, and standards under HIPAA rules.
    • The covered entity must provide all specified documents to the auditor. A compendium of all entity policies is not acceptable. It is not the auditor’s job to search for the requested information.
    • Any documents provided must be the versions in use as of the audit notification and document request unless otherwise specified.
    • Covered entities or business associates must submit all documents via OCR’s secure online web portal in PDF, MS Word, or MS Excel.
    • If the appropriate documentation of implementation is not available, the covered entity must provide examples from “equivalent previous time periods” to complete the sample. If no such documentation is available, a written statement must be provided.
    • Workforce members include:
      • Entity employees
      • On-site contractors
      • Students
      • Volunteers
    • Information systems include:
      • Hardware
      • Software
      • Information
      • Data
      • Applications
      • Communications
      • People

Proper adherence to audit rules is necessary. A lack of compliance will impact your ability to do business.

In Closing, HIPAA Questions and Answers

HIPAA rules are designed to ensure that any entity that collects, maintains, or uses confidential patient information handles it appropriately. It may be time-consuming to work your way through this free HIPAA self-audit checklist. However, it is essential that you cover every single aspect of it. Your compliance is mandated by law and is also the right thing to do to ensure that patients can trust you with their personal health information.

One thing to understand is that it is an incredible challenge to try to do this by yourself. You need professional help such as a HIPAA technology consultant. Gone are the days you can have a server in your closet at the office, along with your office supplies. The cleaning personnel seeing a print out of a patient’s file constitutes a ‘disclosable’ event.

Screen servers, privacy screens, and professionally-managed technology solutions are a must. Just because you use a SAS-based MR (Medical Records) solution, does not mean you are no longer responsible for the privacy of that data. If they have lax security, it is still the providers’ responsibility to protect that data. Therefore the burden of due diligence is still on the provider.

Phoenix NAP’s HIPAA compliant hosting solutions have safeguards in place, as audited in its SOC2 certifications. We provide 100% uptime guarantees and compliance-ready platform that you can use to build secure healthcare infrastructure.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA liability protections: business associate agreements are must for effective risk management

HIPAA liability protections: business associate agreements are must for effective risk management | HIPAA Compliance for Medical Practices | Scoop.it

The first step for a physician, known under the language of HIPAA as a “covered entity,” is to determine the need for a BAA with a vendor. A vendor is considered a “business associate” under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider’s behalf.

 

Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.

 

Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.

 

What BAs must include

If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:

 

  • establishes the permitted uses/disclosures of PHI,
  • stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,
  • spells out that the BA reports to the covered entity any unauthorized uses and disclosures,
  • extends the terms of the BAA to its subcontracts, and
  • establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.

 

The consequences of not having a written BAA can be severe. The Office of Civil Rights (OCR) could request a copy of a covered entity’s BAA if there is a complaint registered over a covered entity or if a breach occurs.

 

Violations under HIPAA can be penalized at anywhere between $100 to $50,000 per violation, up to a calendar year maximum penalty of $1,500,000 for a single violation. The OCR could take the position that every day that the BA and covered entity did not have a business associate agreement is a violation, and multiply the fine by the number of days no BAA penalty was in place, so the penalties can be steep.

 

Liability of agents

Under HIPAA, a covered entity is liable for the acts of its agents, which can include a BA.

 

Whether an agency relationship exists is determined case by case, with the essential factor being whether the provider has the right or authority to control the BA’s conduct. The authority of a provider to give instructions or directions is the control that can result in an agency relationship.

 

The language in the BAA will be considered in determining whether an agency relationship is present. If a covered entity is controlling the performance of its BA, the covered entity should closely monitor the BA’s performance since the covered entity will be held accountable for its performance.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Strategies for Measuring HIPAA Compliance Efforts

Strategies for Measuring HIPAA Compliance Efforts | HIPAA Compliance for Medical Practices | Scoop.it

About 40% of large health care organizations do not take the time to measure how well their HIPAA compliance measures are working, according to Brian Wells, Chief Technology Officer of the cybersecurity firm Merlin International, headquartered in Vienna, Virginia. Most are unaware if they have thwarted cyberattacks, blocked malicious emails or kept staff from releasing inappropriate information.

 

“If they can't report that to the board, then they may stop giving them money to do more,” Wells said.

 

Measuring an organization's HIPAA strategy can be challenging. It is difficult to know if efforts to thwart cyberattacks have actually prevented breaches. “When ransomware like WannaCry comes out, it may be possible to say you protected yourselves,” he said. “If nothing bad has happened in a while, you can assume you are either doing a good job or just haven't been a target.”

 

How are providers supposed to measure HIPAA compliance effectiveness? Here are a few strategies for determining if an organization is on the right path using both internal and external resources.

 

A human touch
Wells works with hospitals now, but when he was on the medical practice side, his group performed annual testing on HIPAA regulations. The test was not hard, but everyone in the practice had to pass it. This not only lets a provider know where education is slipping through the cracks, but also provides a paper trail to point to should a practice get audited.

 

Adam Greene, a partner with Seattle-based Davis Wright Tremaine, also recommends informal testing to make sure people

 

understand their obligations under HIPAA. For example, the person in charge of HIPAA security can make a checklist to ask staff that includes questions like: “If someone wants to see something in their medical record, how would you respond?” Staff should know the patient has a right to records and the process involved in turning them over, be it filling out a form or directing the patient to the staff member who handles requests.

 

Another option is to assign an individual who would be accountable for walking around an office to ensure protected health information is secured properly. A few points to include would be ensuring computers are not facing toward patients; locked cabinets do not have the key hanging next to them; and people are logging out when they leave their computers.

“There could be a 10- to 20-question checklist and they can use it to see how they are doing and compare it over time,” said Marti Arvin, Vice President of Audit Strategy for CynergisTek, which is headquartered in Mission Viejo, California.

 

Arvin said an internal audit can be used to make sure staff members know where privacy policies are and that they are understood; whether all patients at their initial visit are provided with notices of privacy procedures; and if all of the staff members are receiving HIPAA training as they should.

 

Technology testing
Because health IT is constantly under attack, it would be difficult, expensive, and “voluminous” to show all of the attacks an organization has defended against, Greene said.

One option instead is to perform vulnerability scanning on a regular basis to examine if a system has unpatched software or other vulnerabilities. Another good practice is a phishing test. Here, an organization generates its own malware link and sends it to staff to see if anyone clicks.

 

Wells said an IT department can put in place a program that will check to see that people are only doing what they are supposed to be doing with their devices. It can also detect unmanaged devices that appear in the system. Electronic audit logs can be monitored to ensure people are not abusing their access.

 

Encryption is a must-have under HIPAA, and Greene said the best way to look at it is demonstrating that laptops are encrypted and will remain that way. For instance, someone with administrative rights can turn off encryption if they choose. But technical measures can be used to limit someone's ability to turn it off and to maintain compliance.

 

“Those things are really more to let you know how compliant you think you are,” Wells said. “For a full security audit, you are typically going to have to hire out.”

Keep it simple


Most physician practices are “dramatically under-resourced” in HIPAA staffing, Greene said. “The office administrator might be the privacy officer and maybe the security officer, too,” he said. “That is a lot of responsibilities, so providers need to give it some thought … and be careful about laying [extra responsibilities] on an office administrator who doesn't have enough time to do their regular job.”

 

Some of these auditing duties may need to be spread throughout an organization or hired out, but practices need to have an individual who is held accountable for auditing HIPAA policies. “There should be some oversight,” Arvin said. “Lots of practices give the title of security officer, but don't give resources or educate them on the responsibilities of overseeing the program.”

Greene also recommends making this a long-term endeavor. Instead of trying to look at all areas of compliance at once, he recommends starting with places where an office has had problems, where similar practices have had settlements, or where the Office for Civil Rights offers guidance.

 

For example, an individual responsible for HIPAA compliance might first spend some time ensuring staff members are providing patients with access to their records and if they are charging the right amount for them. Then he or she could move to other areas, such as disclosure of privacy practice guidelines.

“You can ultimately look at different regulatory requirements and create a master plan for how you are going to audit them,” he said. “Prioritize some immediately and others next year or the year after because they are seemingly lower risk.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Hospitals Fail at HIPAA Compliance Re Medical Records Requests

Hospitals Fail at HIPAA Compliance Re Medical Records Requests | HIPAA Compliance for Medical Practices | Scoop.it

Many hospitals failed at HIPAA compliance in response to simulated patients’ requests for medical records, according to a study by Yale researchers published in the JAMA Network Open.

 

The researchers surveyed 83 top-ranked US hospitals with independent medical records request processes and medical records departments reachable by telephone.

 

According to HIPAA, patient requests for medical record must be fulfilled within 30 days of receipt in the format requested by the patient if the records are readily producible in that format. OCR guidance says that hospitals can charge a cost-based fee to provide those records.

 

The researchers conducted scripted interviews with medical records departments in a simulated patient experience and also collected medical records release authorization forms. There was wide variation in the information provided on the authorization forms and from the telephone calls in terms of what data could be requested, release formats, costs, and processing times.

 

On the authorization forms, only 44 hospitals (53%) provided patients the option to acquire the entire medical record. On telephone calls, all 83 hospitals stated that they were able to release entire medical records to patients.

 

There were discrepancies in information given in telephone calls versus authorization forms among the formats hospitals said that they could use to release information: 69 versus 40 for pick up in person, 20 versus 14 for fax, 39 versus 27 for email, 55 versus 35 for CD, and 21 versus 33 for online patient portals. These results demonstrated noncompliance with HIPAA in refusing to provide records in the format requested by the patient, the study noted.

 

There were 48 hospitals that had costs of release above the federal recommendation of $6.50 for electronically maintained records. In one case, a hospital charged $541.50 for a 200-page medical record. At least seven of the hospitals were noncompliant with state requirements for processing times.

 

“Discrepancies in information provided to patients regarding medical records request processes and noncompliance with regulations appear to indicate the need for stricter enforcement of policies relating to patients’ access to their protected health information,” the researchers concluded.

 

The study is timely because the Trump administration has launched the MyHealthEData initiative, which is designed to improve EHR patient data access and use. MyHealthEData is intended to break down the barriers that prevent patients from having electronic access and control over their own health records from the device or application of their choice.

 

In 2017, President Donald Trump issued an executive order in which he directed government agencies to “improve access to and the quality of information that Americans need to make informed healthcare decisions, including data about healthcare prices and outcomes, while minimizing reporting burdens on affected plans, providers, or payers.” The order was part of a broader effort to increase market competition in the healthcare market.

 

“The MyHealthEData initiative will work to make clear that patients deserve to not only electronically receive a copy of their entire health record, but also be able to share their data with whomever they want, making the patient the center of the healthcare system. Patients can use their information to actively seek out providers and services that meet their unique healthcare needs, have a better understanding of their overall health, prevent disease, and make more informed decisions about their care,” explained a March 2018 CMS press release.

 

While the goals of MyHealthEData are lofty, the results of this Yale study call into question the ability of private healthcare organizations to fulfill the Trump administration’s initiative, never mind comply with existing HIPAA patient access requirements.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

4 Steps to Assess a Possible HIPAA Data Breach

4 Steps to Assess a Possible HIPAA Data Breach | HIPAA Compliance for Medical Practices | Scoop.it


The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach. An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party, and unauthorised access to your electronically stored patient records are breaches unless you can show that there is low probability that PHI was compromised.

There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI while employees are performing their jobs, inadvertent disclosure to someone authorised to access PHI, and situations where you have a good faith belief that the recipient will not be able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be considered a relevant incident. Using a “good faith evaluation” and “reasonable conclusion”, you evaluate the incident based on four factors:

  1. PHI Nature and Extent: The sensitivity of the information and ability to identify the patient as well as presentation options are factors in determining the probability. Deidentifying PHI is not easy or straightforward. In addition to name and phone numbers, a picture of a face or a free form text note about the patient could easily lead to identifying the patient. For example, a list of dated deidentified lab results with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer may present a low probability of compromise. This answer would be different if the lost information was PHI contained in an unsecured PDF file.
  2. Unauthorised Person Received or Used PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending the patient report to the wrong doctor may lead to a low probability of compromise since the receiving doctor has been properly trained in HIPAA Privacy and Security.
  3. Actual Acquisition or Viewing of PHI: If your organization quickly uncovered the incident, you may be able to prevent the viewing or even possession of the PHI. For example, contacting the receiving party and recovering the information before the other people open the information may present a low probability of compromise. Similarly, if an envelope with PHI was lost, but upon recovery, you determine that the envelope was never opened, you may have a low probability of disclosure or use.
  4. Mitigation Factors: In the final step of your evaluation, you can determine if there were mitigating issues that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient lost in a healthcare facility but recovered in a nonpublic area may present a mitigating factor.

If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements. If you have encountered a breach, within 60 days of discovery of the breach, you have to:

  • Contact the Patients: You have to mail a letter to the last known address of the affected patients. If you cannot contact more than 10 patients, your website or public media with an 800 number should be publically presented for 90 days.
  • Inform HHS: You have to maintain a log of breaches to send to HHS annually. If a breach involves over 500 patients, you have to directly contact the Office of Civil Rights.
Technical Dr. Inc.'s insight:
Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Make Sure Business Associates Don’t Violate HIPAA

Make Sure Business Associates Don’t Violate HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

A violation of HIPAA by a practice’s business associate underscores the importance for conducting adequate due diligence, having business associate agreements (BAAs) in place, and ensuring that the level of encryption is adequate.


The U.S. Federal Trade Commission (FTC) recently released a statement indicating that a business associate, Henry Schein Practice Solutions, Inc. (“Schein”), a dental practice software company, will pay the government $250,000 for false advertising associated with what was relayed to the public and what was actually used in its products in relation to the level of encryption. While the fine is not considered large by any means, the implications for medical professionals, business associates, and subcontractors alike, are significant. 


The ramifications to the company, in relation to the issuance of the administrative complaint and the consent agreement are:


• Pay a $250,000 fine;

• Prohibition on “misleading customers about the extent to which its products use industry-standard encryption or how its products are used to ensure regulatory compliance”;

• Prohibition on claims that patient data was protected; and

• Schein needs notify all of its clients who purchased during the period when the material misstatements were made; and

• That the consent agreement will be published in the Federal Register.


Of equal or greater significance is the “NOTE” on the FTC’s press release, which states:


NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. Each violation of such an order may result in a civil penalty of up to $16,000.


The takeaways for providers and business associates alike are significant. All government agencies are taking a hard look at material misrepresentations related to HIPAA compliance. The potential implications are significant and underscore the importance of not cutting corners in relation to risk assessments and compliance.

more...
No comment yet.
Scoop.it!

HIPAA Compliance is a Business Risk

HIPAA Compliance is a Business Risk | HIPAA Compliance for Medical Practices | Scoop.it

Medicine is Risky


The practice of medicine is a risky business. There is always the risk that a certain treatment will fail to help a patient. There is a risk of being accused of malpractice. There is a risk of being accused of incorrectly billing a patient, insurance company or government agency. There is a risk of being sued by an employee or ex-employee for HR related issues. The list of risks goes on and on.


Healthcare is not unique when it comes to risk. Lawyers, accountants, architects and engineers all have associated business risk. In fact, it can be argued that every business has associated risk. The risk of a business failing is with every business no matter what vertical that business operates in. Just ask Enron and RadioShack and Joe’s pizza.


Manage Risk


The key to business risk is how an organization manages the risk. Healthcare organizations have malpractice insurance which usually comes with a malpractice risk management program. The program identifies areas of risk, provides steps to reduce risk and defines steps to minimize impact of losses when they occur 


Risk management refers to strategies that reduce and minimize the possibility of an adverse outcome, harm, or a loss. The systematic gathering and utilization of data are essential to loss prevention. Good risk management techniques improve the quality of patient care and reduce the probability of an adverse outcome or a medical malpractice claim. This core curriculum outlines the attitudes, knowledge, and skills currently recommended for residents in the area of risk management. The primary goal of a successful risk management is to reduce untoward events to patients. Risk management programs are designed to reduce the risk to patients and resulting liability to the health care provider. Standard of care is the foundation for risk management. The main factors in risk management include the following.


Nonmedical and medical risk management is a three-step process which involves: 1) identifying risk; 2) avoiding or minimizing the risk of loss; and 3) reducing the impact of losses when they occur. Medical risk management focuses on risk reduction through improvement of patient care.


Patient Data Risk


The practice of creating, storing and accessing electronic patient data brings with it new risks to healthcare organizations. Sure in the past there was a risk of someone breaking into an office and stealing patients’ paper charts but the risk exponentially increases now that a majority of new patient data is electronic. All this data is spread across electronic health records (EHRs), patient portals, digital x-ray machines, email, desktops, laptops, USB drives, smartphones and tablets. There are risks of an employee mistake like losing a laptop with patient information or falling for a fake email that tricks them into giving up information that thieves can use to access and steal patient data.


Like any other business risk, the risk to patient data needs to be properly managed. Just like with a malpractice risk management program, the risk to patient data needs to be addresses with 3 steps:


  1. Identifying Risk – it is critical that organizations understand what risks are associated with electronic patient data. Where is the data stored or accessed? As mentioned previously, the data could be stored on servers in an office, in a cloud-based EHR, on laptops or mobile devices. It is critical to get a thorough inventory of all patient data that is created, stored or accessed. The next step is understanding the risk to all of this patient data. The risk to data stored on a digital ultrasound machine is much different than data stored on laptops that leave an office.
  2. Minimize Risk – once the various risks are identified to patient data, it is critical to take steps to reduce the risk. Implementing the proper safeguards such as security policies and procedures and employee training can go a long way to lower the risk to patient data.
  3. Reduce the Impact – unfortunately it is very difficult to eliminate the risk to patient data. Steps can be taken to lower the risk but the amount of patient data is increasing every day and the risk of employee mistakes or criminals stealing the data increases as well. Organizations need to have a plan in place to respond to a patient data breach. That plan may include a breach response program that defines the steps the organization will take if there is a breach, or ensuring that an organization’s IT department or company is prepared to respond and/or stop a suspected data breach. Reducing the impact of a patient data breach might include cyber insurance that will provide financial resources to help the organization in the event of a data breach.


Don’t Hate HIPAA


Many people I talk to tell me they hate HIPAA regulations. I don’t blame them. Most people don’t like forced government regulations that have the threat of audits and fines. But HIPAA regulations are really just a risk management program for patient data. HIPAA calls for organizations to take inventory of where patient information is created, stored or accessed. It requires organizations to identify and manage associated risk to patient data. And it calls for organizations to be prepared to respond and lower the impact if patient data is lost, stolen or breached. When compared to a malpractice risk management program, the HIPAA risk management program is very similar.


When I talk to people about HIPAA I make it clear that the risk of a random HIPAA audit is very low. But the risk that patient data is lost, stolen or breached is increasing every day. Patient data needs to be thought of as a business risk that needs to be properly managed.

more...
No comment yet.
Scoop.it!

OCR launches new HIPAA resource on mobile app development

OCR launches new HIPAA resource on mobile app development | HIPAA Compliance for Medical Practices | Scoop.it

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently launched a new resource: a platform for mobile health developers and “others interested in the intersection of health information technology and HIPAA privacy protection.”


In the announcement of this platform, OCR noted that there has been an “explosion” of technology using data regarding the health of individuals in innovative ways to improve health outcomes. However, OCR said that “many mHealth developers are not familiar with the HIPAA Rules and how the rules would apply to their products,” and that “[b]uilding privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected.”


The OCR platform for mobile app developers has its own website. Anyone – not just mobile app developers – may browse and use the website. Users may submit questions, offer comments on other submissions and vote on a topic's relevance. OCR noted that to do so users will need to sign in using their email address, “but their identities and addresses will be anonymous to OCR.” 


OCR asked stakeholders to provide input on the following issues related to mobile app development: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable and more accessible?


Users can also submit questions about HIPAA or use cases through this website. OCR explained that, “we cannot respond individually to questions, we will try to post links to existing relevant resources when we can.” Finally, in the announcement OCR stated that posting or commenting on a question on this website, “will not subject anyone to enforcement action.” 

more...
No comment yet.
Scoop.it!

Suits pile up after U.S. reveals data breach affected millions

Suits pile up after U.S. reveals data breach affected millions | HIPAA Compliance for Medical Practices | Scoop.it

On Friday, Labaton Sucharow filed a class action on behalf of about 21.5 million (!) federal employees, contractors and job applicants whose personal information was exposed in an epic breach of security at the U.S. Office of Personnel Management, which screens applicants for federal government jobs and conducts security clearance on employees and contractors. Labaton’s complaint is at least the seventh class action against OPM and its private contractor, KeyPoint Government Solutions, including two suits by government employee unions and one with a federal administrative law judge as the lead plaintiff.

Although there is some variation in the alleged causes of action, the suits mostly assert violations of the Privacy Act and the Administrative Procedures Act, as well as negligence against KeyPoint. Late last month, the Justice Department asked the Judicial Panel on Multidistrict Litigation to consolidate the cases and transfer all of them to U.S. District JudgeAmy Jackson of Washington, D.C., who is already presiding over the American Federation of Government Employees’ class action against OPM and KeyPoint.

The JPML said Friday that it would hear oral arguments on Oct. 1 on the government’s motion. Briefs are due before Sept. 14.

It certainly seems likely that the JPML will consolidate the suits, but where they end up transferring them could make a big difference in how this case turns out. The threshold question in data breach suits, as I’ve written many times, is constitutional standing: Can plaintiffs whose personal information has been stolen allege an actual or “certainly impending” threat of injury? That is the standard the U.S. Supreme Court set out in its 2013 decision in Clapper v. Amnesty International, and data breach defendants have since used the Clapper definition to knock out at least 10 class actions by plaintiffs who claimed – like the plaintiffs in the OPM suits – that they have been injured by the increased risk their personal information will be misused.

One of the cases that foundered under Clapper was In re Science Applications International Corp (SAIC) Backup Tape Data Theft Litigation, an MDL consolidated for pretrial proceedings in federal district court in the District of Columbia. The case involved the theft of SAIC data tapes containing personal information, including Social Security numbers, on about 4.7 million members of the U.S. military and their families. U.S. District Judge James Boasberg of Washington concluded in May 2014 that under the Supreme Court’s ruling in Clapper, plaintiffs do not meet constitutional standing requirements when their only alleged injury is the loss of their data and the risk it will be misused.

He did hold plaintiffs had standing when they could plausibly allege their personal information was stolen and misused – one plaintiff, for instance, asserted he had received letters from a credit card company thanking him for a loan application he said he never filed – but Judge Boasberg’s dismissal opinion gutted the case. Plaintiffs ended up voluntarily dismissing what remained.

Plaintiffs’ lawyers have gotten savvier about pleading data breach cases after the initial wave of Clapper dismissals, framing complaints around class members who can show that their information has been misused or that their bank accounts or credit ratings have been impacted by the data theft. But cases redrawn to satisfy standing requirements present cramped damages theories, as we’ve seen in the Target and Sony data breach cases, if the only plaintiffs who can recover are those whose injury is more concrete than the mere loss of personal data and risk that it will be exploited. You can see why the Justice Department wants the OPM case litigated in a district skeptical of standing based on the risk of data misuse.

In one jurisdiction, however, all 21.5 million alleged victims of the OPM data breach may have standing. Last month, a three-judge panel of the 7th Circuit ruled in a data breach case against Neiman Marcus that plaintiffs have standing if they can show they incurred reasonable costs or spent considerable time to mitigate a “substantial risk” of harm. Under the 7th Circuit’s decision, just about anyone whose data has been stolen by hackers can sue because their information may be misappropriated.

Neiman Marcus’ lawyers at Sidley Austin filed a petition for rehearing earlier this month, but unless and until the 7th Circuit grants its motion, the panel’s ruling is the only post-Clapper federal appellate decision on standing in a data breach class action. It’s binding on trial judges in Illinois, Wisconsin and Indiana.

So far, none of the OPM class actions have been filed in those states. Two were brought in Washington, D.C., which, as the Justice Department pointed out in its request for consolidation in that court, is the district of universal venue for the Privacy Act claim at the heart of the OPM suits. Two other plaintiffs filed in California. Others sued in Idaho, Colorado and Kansas. It’s going to be very interesting to see which court plaintiffs ask the JPML to send the OPM litigation to.

more...
No comment yet.
Scoop.it!

Data Breaches Expose Nearly 140 Million Records

Data Breaches Expose Nearly 140 Million Records | HIPAA Compliance for Medical Practices | Scoop.it

The latest report from the Identity Theft Resource Center (ITRC) reveals that there has been a total of 472 data breaches recorded through August 11, 2015, and more than 139 million records have been exposed. The annual total includes 21.5 million records exposed in the attack on the U.S. Office of Personnel Management in June and 78.8 million health care customer records exposed at Anthem in February.

A June report by cybersecurity firm Trustwave said that of the 574 hacking incidents and data breaches the company was asked to investigate in 2014, 43% came in the retail industry, 13% came from the food and beverage industry and 12% from the hospitality industry. More striking, perhaps: 81% of victims did not discover on their own that they had been hacked. In cases where a company discovers the attack on its own, it takes about two weeks to stop it. When companies do not run their own security programs, it takes more than five months to contain the breach.


E-commerce sites were compromised in 42% of attacks and point-of-sales systems were hit in 40%. The totals were up 7% and 13%, respectively, from 2013.


The total number of data breaches increased by six in the week, according to the ITRC. The business sector accounts for about 645,000 exposed records in 184 incidents so far in 2015. That represents 39% of the incidents, but just 0.5% of the exposed records.


The medical/health care sector posted the second-largest percentage of the total breaches so far this year, 35.6% (168) out of the total of 472. The number of records exposed in these breaches totaled 109.5 million, or 78.6% of the total so far in 2015.


The number of banking/credit/financial breaches totals 45 for the year to date and involves more than 411,000 records, some 9.7% of the total number of breaches and 0.3% of the records exposed. These numbers are unchanged from the prior week.


The government/military sector has suffered 36 data breaches so far this year, just 7.7% of the total, but about 20% of the total number of records exposed. These numbers were also unchanged from the prior week.


The educational sector has seen 39 data breaches in 2015, accounting for 8.3% of all breaches for the year. Nearly 740,000 records have been exposed, about 0.5% of the total so far in 2015.

In all of 2014, ITRC tracked an annual record number of 783 data breaches, up 27.5% year over year. The previous high was 662 breaches in 2010. Since beginning to track data breaches in 2005, ITRC had counted 5,497 breaches through August 11, 2015, involving more than 818 million records. Compared with 2014, the number of data breaches is about 2.3% lower to date in 2015.

more...
No comment yet.
Scoop.it!

Reminders for HIPAA Compliance with Business Associates

Reminders for HIPAA Compliance with Business Associates | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance is clearly a top priority for covered entities. With technology evolving, third-party partnerships are also becoming more common, which means that more healthcare organizations are likely working with business associates.


Whether a covered entity is working with a cloud services provider, or a company to assist in handling their financials, it is critical that HIPAA compliance stays a top priority. The HIPAA Omnibus Rule even changed how business associates can be held liable for potential HIPAA violations. All parties should have a thorough understanding of their relationship, and how they are expected to maintain patient data security.


This week, HealthITSecurity.com will discuss the intricacies of the relationship between a coverd entity and a business associate. Moreover, the importance of a comprehensive business associate agreement will be explained, and examples will be given of what the consequences could be should either entity violate HIPAA.

What is a business associate?


A business associate could be any organization that works on behalf of, or for, a covered entity. For example, if a hospital employs a company to assist with its claims processing, then that third-party becomes a business associate. Or, an attorney who is working for a healthcare provider and has access to patients’ PHI, would also be considered a business associate.


“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” according to the Department of Health and Human Services (HHS).


The business associate agreement must also include the following information, according to HHS:


  • Describe the permitted and required PHI uses by the business associate
  • Provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law;
  • Require the business associate to use appropriate safeguards to prevent inappropriate PHI use or disclosure


Essentially, business associates are also responsible for the protection of PHI. As previously mentioned, the HIPAA Omnibus Rule made this a federal requirement. Let’s go back to the example of a claims processing firm. The business associate agreement between that firm and a hospital should outline requirements for how the claims processing firm is expected to keep PHI secure while it is working with the hospital. Should a health data breach occur, the claims processing firm could face serious consequences if it is determined that it violated the business associate agreement.


Not only does the business associate agreement dictate how and when PHI could be disclosed, it also outlines the potential consequences should sensitive information be exposed:


“A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.”


The contract between a covered entity and business associate can also have a termination date. For example, perhaps a medical transcriptionist was hired for six months. At the end of that six month period, the business associate agreement can require that any PHI that had been received in that time to be destroyed.


Moreover, the covered entity can require that medical transcriptionist to make “internal practices, books, and records relating to the use and disclosure” of received PHI available to HHS to ensure that the covered entity is HIPAA compliant. It is also important to note that any contract can be terminated if the business associate is found to have violated “a material term.”


What happens if a business associate exposes PHI?


When a covered entity experiences a health data breach, it will likely have to deal with a federal and state investigation, as well as potential public backlash. There may even be potential fines due to possible HIPAA violations. Business associates will go through the same process should they suffer from their own data breach that potentially puts patients’ PHI at risk.


For example, in June 2015, Medical Informatics Engineering (MIE) announced that it had been the victim of a “sophisticated cyber attack,” and some of its clients may be affected. Affected clients included Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group.


Possibly exposed information included patient names, mailing addresses, email addresses, and dates of birth. Some patients may have also had Social Security numbers, lab results, dictated reports, and medical conditions exposed.


Not long after, a class action lawsuit was filed against MIE, alleging that MIE failed “to take adequate and reasonable measures to ensure its data systems were protected,” and also failed “to take available steps to prevent and stop the breach from ever happening.”


Similarly, third party facility Medical Management LLC reported that approximately 2,200 patients at one of its healthcare providers may have had their records exposed by a Medical Management employee. Medical Management handles the billing for numerous healthcare providers across the country, and organizations in several states notified patients of the incident.


The data breach occurred when a now former Medical Management employee copied individuals’ personal information from the billing system over the past two years. That former employee then illegally disclosed that information to a third party.


“MML takes this matter very seriously and terminated this employee after being informed of this criminal investigation,” Medical Management said in a statement. “MML is cooperating with federal law enforcement authorities in their criminal investigation.”


Covered entities and business associates must be able to work together when it comes to patient PHI security. Health data breaches can happen at any organization, regardless of size. By keeping health data security policies current, and regularly reviewing them, both types of facilities have a better chance of detecting potential weaknesses. Having comprehensive business associate agreements in place will also ensure that all parties understand how they are required to keep PHI secure.

more...
No comment yet.