HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

ONC Updates its Privacy and Security Guide


Last week during the annual Healthcare Information and Management Systems Society (HIMSS) conference, the Office of the National Coordinator for Health IT (ONC) published a revised version of its “Guide to Privacy and Security of Electronic Health Information.”

In the foreword of the guide, ONC says that its intent is to help healthcare providers, especially Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) and Medicare eligible professionals (EPs) from smaller organizations, better understand how to integrate federal health information privacy and security requirements into their practices. The new version of the guide provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules, says ONC.

In a blog post, Lucia Savage, chief privacy officer at ONC, says that this is the first step towards fulfilling the commitment the federal agency made in its Interoperability Roadmap: helping individuals, providers, and the health and health IT community better understand how existing federal law, HIPAA, supports interoperable exchange of information for health.

According to Savage’s post, “the guide includes practical information on issues like cybersecurity, patient access through certified electronic health record technology (CEHRT), and other EHR technology features available under the 2014 Edition Certification rule. The guide also includes new, practical examples of the HIPAA privacy and security rules in action, to help everyone understand how those rules may impact their businesses and the people they serve.”

The guide additionally offers: many scenarios for anyone who has struggled to understand when someone is or is not a business associate; provides information about when a provider (or any HIPAA-covered entity) is permitted to exchange information about an individual for treatment, payment, or healthcare operations without being required to have the individual sign a piece of paper before the exchange occurs; and provides practical tips and information about security, Savage said.


HIMSS15 Leaders Focus on Healthcare Privacy, HIPAA Rules


HIMSS15 took place this week in Chicago, and some of the highly discussed topics included healthcare privacy and security issues, such as HIPAA regulations. With more providers implementing EHRs, HIEs, and other forms of technology, ensuring that patient data remains secure whether in storage or transport is essential. Moreover, covered entities need to remain compliant with all federal, state, and local regulations as well.

Proving this point, 40 educational sessions over the five-day conference touched on everything from understanding HIPAA rules, to cybersecurity measures, to ensuring medical device security. HealthITSecurity.com spoke with several leaders in the industry who provided further insight on these topics.

Greg Slattery, CIO of Community Hospitals and Wellness Centers (CHWC), talked about how CHWC replaced its pagers with secure messaging options.

“Yes, there were some security concerns [at first],” Slattery said. “However, once we talked to Imprivata and once we had a device in house and saw the encryption and how you can age the message, we have more control over it. And the auditing capabilities are helpful.”

Greater Houston HealthConnect CTO and Privacy and Security Officer Phil Beckett, PhD, said in an interview how his facility has been using a secure cloud medical image exchange through DICOM Grid.

HealthConnect also has a federated model, which helps to keep information secure, Beckett said. Essentially, information is not moved unless it is requested, and that data is also encrypted and transferred through VPN tunnels. The two end points are both certified, Beckett explained, and the HIE’s web services have transport layer security (TLS).

“It’s critical that there is encryption both when the data is static and when it is in transport,” Beckett said.

Several educational sessions centered around HIPAA rules, and discussed best practices for covered entities when it comes to protecting patient data and remaining compliant. Marion Jenkins, PhD, FHIMSS, led the session HIPAA Security: A Decade of Breaches, which explained that understanding HIPAA regulations is a continuous process for facilities of all sizes.

“You don’t have to be a huge organization to end up on the [HHS reported breaches] list,” Jenkins said.

It is also important to see what the HIPAA rules do not outline, Jenkins explained. For example, HIPAA does not actually specify how long passwords must be, or say that employees must change their passwords after a certain amount of time. A timeout or logout interval, as well as the type of encryption used by an organization, are also not specified in HIPAA regulations.

Adam Greene, JD, MPH, partner at Davis Wright Tremaine LLP led a session titled Preparing for a New Level of HIPAA Enforcement. Greene discussed prior HHS data breach settlements, and what the agency’s top privacy and security enforcement issues have become.

Even though the OCR HIPAA audits continue to be delayed, Greene underlined the importance of covered entities being prepared. For example, the pilot audit program found that approximately 80 percent of providers and nearly 57 percent of health plans did not have a complete or accurate risk analysis, Greene explained.

Currently, OCR data breach settlement trends show that there is an increased focus on risk analysis, the encryption of media, and security configurations. Moreover, the settlement size is more related to an entity’s size or to the number of affected individuals.

Looking ahead, Greene said that the audit program will likely focus on those trends, as well as the notice of privacy practices and breach notification policies and notification. Business associate relationships and vendor management will also be held to higher scrutiny, he said, and the Federal Trade Commission (FTC) even indicated that it will expect monitoring of vendors’ information security programs.

Healthcare privacy and security issues are not going to disappear anytime soon, especially as technology continues to evolve and be further integrated into covered entities’ workflows. Staying educated on the latest trends and data breach prevention measures is key, as is ensuring that a facility is HIPAA compliant. HIMSS15 pushed important information to the forefront, providing attendees with the means to find the necessary privacy and security options for their needs.


Why health groups should make use of cyberthreat intelligence


As cyberattacks grow in number and organizations find more ways to access private data, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Cyberthreat intelligence, Bell writes in a recent blog post, is actionable data about threats, malware and vulnerabilities that organizations can use to increase their security systems.

There are numerous sources for this kind of intelligence, including non-commercial entities like the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and the National Cyber-Forensics & Training Alliance, Bell says.

Vendors of security products also often have their own intelligence feeds, he adds.

This kind of intelligence is increasingly necessary as cyberattacks become more sophisticated, Bell says. Today there are advanced persistent threats, which he says are instances where hackers gain access to information without being detected for long periods of time. Operating system vulnerabilities, such as Shellshock and the Heartbleed bug, also are causing problems in the industry. 

"[H]ealthcare organizations should evaluate the effectiveness of their cybersecurity program and make improvements where appropriate," Bell writes. "Consider how cyberthreat intelligence can help your healthcare organization to improve the ability to prevent, detect, respond and recover from cyberattacks."

Throughout all industries, cyberattacks made headlines last year, with healthcare information one of the top targets.

One of the most recent attacks was on Sony Pictures, where documents obtained by the hackers include health information on dozens of employees, their children or spouses, FierceHealthIT previously reported.

For 2015, particular challenges to the healthcare industry could include an increase of phishing emails that try to lure recipients into giving out information such as usernames, passwords or credit card numbers. They also can give attackers ways to infiltrate the enterprise network.


Is the HIPAA Security Rule Doing Enough for Healthcare?

The HIPAA Security Rule created a national set of security standards designed to protect certain health information, either held or transferred in electronic form. However, technology has continued to evolve, and one healthcare security expert claims that a complete reboot of the Security Rule might be necessary to ensure the protection of sensitive healthcare data.

CynergisTek, Inc. co-founder and CEO Mac McMillan spoke with HealthITSecurity.com at HIMSS last week about the Security Rule, recent data breaches, and what healthcare organizations need to be prepared for in 2015.

McMillan, who is also the Chair of the HIMSS Privacy & Security Policy Task Force, said that one of the big issues currently is vendor security management, and firms ensuring they have a strong grip on their vendors. It is also important for facilities to ensure that they have a handle on mobile devices, as well as the proliferation of devices between mobile, wearables, and other new technologies.

“If you’re a CIO today, you’ve got stuff coming to you from every direction,” McMillan said. “Everybody’s got a gadget, everybody has something they want to put on the network, and literally everything they have goes on the network or communicates with the network. And security and privacy are not always first and foremost in the developer’s mind when they’re developing the next greatest thing for some clinical purpose.”

Because of that, CIOs need to ensure that they implement things in a smart way, and stay ahead of the latest trends or they will be playing catch up instead.

Healthcare security, data breach prevention measures

Encrypting mobile media and mobile devices is also becoming more common, which McMillan says is definitely progress.

“More people are figuring out that if they’re going to let data go out there, they need to do a better job protecting that information,” he said.

More covered entities are also conducting risk assessments and taking the time to understand where their risk actually lies, McMillan added, which is a positive thing because “knowledge goes a long way.”

“We’re seeing more and more people begin to test their environments, which is also good,” McMillan said. “That means actually performing technical testing of their controls in the environment.”

Moreover, outsourcing security is also becoming more common. Facilities are becoming more aware of what privacy and security measures they’re capable of doing well, and also which measures they’re not capable of doing well, he said. Healthcare organization leaders realize that potentially solving certain security problems is not something they can always do on their own.

The push toward interoperability

There has been a large push recently toward interoperability, and the Office of the National Coordinator (ONC) also released an updated privacy and security guide on how covered entities can properly integrate the right privacy and security measures.

In general, McMillan said that he does not believe that security is an impediment for covered entities when it comes to information sharing. However, he added that it could be an issue in certain cases. For example, if a facility does not feel that another organization has security at a level that is equal to its own, then it might be reticent about sharing the data.

“In most cases, they have no clue what the other guy has with respect to security,” McMillan said. “Part of the reason for that is that we don’t have a common standard for what security means.”

Calling back to when he worked in various defense agencies, McMillan explained that the Department of Defense found itself in a similar situation in terms of sharing information. Different agencies were starting to connect together, and it was difficult to pinpoint what the security was like at another agency.

One of the things that had to happen was to create “the definition of a trusted environment,” he said, meaning there was a certain level of security that everyone had to be able to demonstrate. That way, organizations knew that there were certain things other agencies had to do because they were the same things they themselves had to undertake.

“In healthcare today, we don’t have that,” McMillan said. “There’s nothing in healthcare that says you have to maintain your environment at the same level of security controls that another facility uses to maintain theirs.”

Part of the interoperability program that the ONC should be promoting is addressing the fundamental baseline for security. That baseline then says that in order for an organization to have a truly interoperable system and connect to others in a trusted relationship, certain security features must be part of its architecture. However, McMillan said that trust is key before a facility feels good about sharing its information.

Key takeaways from large scale health data breaches

After the Anthem data breach and Premera data breach, healthcare privacy measures and the data breach notification process have been pushed into the public’s eye. McMillan was quick to say that neither organization is a “poster child for what somebody did wrong,” and that the issue wasn’t that they didn’t necessarily have adequate security. Rather, what happened to Anthem and Premera could have happened to anybody, especially in the healthcare industry.

“We need to do a better job of being able to detect and react to incidents,” McMillan said. “People should take away that even with all the money in the world, even large organizations that probably have large security budgets or spend a lot of money on security and are trying to do it right [can have problems].”

Moreover, the right cyber attacker who has the necessary knowledge, motivation, and right amount of time will succeed nine out of 10 times, he said, adding that that’s what happened to Anthem and Premera. Healthcare needs to do a better job of detecting what’s going on in the environment, and do a better job of monitoring what’s going on, he said.

“The bottom line that those incidents taught us is that we need to step our game up with respect to how we address security,” McMillan said. “Just approaching security from a HIPAA compliance perspective is no longer effective. It never was to begin with, but it’s even less today.”

McMillan added that the HIPAA Security Rule has not changed since its final version was produced in 2003. However, security frameworks, such as the one at the National Institute of Standards and Technology (NIST), continue to go through revisions.

“We’re behind,” McMillan said. “Basically what we really need to do is scrap the HIPAA Security Rule and just let organizations select the framework that they want to work with, whether it’s NIST, whether it’s ISO, but a legitimate framework. From there, they build their program and we hold them accountable for protecting the data.”

McMillan added that NIST has come out with guidelines for mobile devices and cloud security, among others. Neither of those topics was addressed in the HIPAA Security Rule, he said.

“The problem is HIPAA is antiquated,” McMillan said. “It’s behind the times and we need to take a new approach.”

BA agreements likely a bigger target of 2015 OCR enforcement, attorneys say


The $150,000 fine that U.S. Department of Health and Human Services' Office for Civil Rights levied against an Alaska mental health organization last month could be a sign that OCR is settling in after a wave of leadership changes in 2014 and gearing up to aggressively investigate HIPAA compliance complaints, according to a former federal attorney.

In an article at HealthcareInfoSecurity, ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation. He predicts more high-profile enforcement actions in 2015.

Holtzman echoes a warning from Jerome B. Meites, OCR chief regional counsel for the Chicago area, who told an American Bar Association conference last summer that the whopping fines levied over the past year will "pale in comparison" to those expected to come.

Meanwhile, privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson, in an interview with HealthcareInfoSecurity, urge healthcare organizations to conduct their own mock audits to determine any exposures and to do their best to fix those problems.

They also recommend keeping all such documentation in one place--including all records of HIPAA education programs conducted with staff, and evidence that they've reviewed all business associate agreements--and ensuring that it's up to date. Chestler and Fraiche foresee BA agreements being a bigger target of OCR enforcement actions in 2015.

In particular, Chestler and Fraiche say, organizations need to re-examine all bring-your-own-device policies and make sure they address any issues that have arisen since those policies were last reviewed.

In September, OCR announced it was delaying the start of the second round of audits in order to get a web portal up and running through which entities could submit information. A specific start date has not been announced, only that the new audits will begin in early 2015.

Brett Short, chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, spoke with FierceHealthIT about receiving a call from an auditor when the organization had never received a letter saying it had 10 days to submit required documents.
