HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
How Do HIPAA Regulations Affect Judicial Proceedings?

HIPAA regulations are designed to keep healthcare organizations compliant, ensuring that sensitive data - such as patient PHI - stays secure. Should a healthcare data breach occur, covered entities or their business associates will be held accountable, and will likely need to make adjustments to their data security approach to prevent the same type of incident from happening again.


However, there are often questions and concerns in how HIPAA regulations tie into certain judicial or administrative proceedings. For example, if there is a subpoena or search warrant issued to a hospital, is that organization obligated to supply the information? What if the information being sought qualifies as PHI? Can covered entities be held accountable if they release certain information, and then that data falls into unauthorized individuals’ control?


This week, HealthITSecurity.com will break down how judicial proceedings, and other types of legal action, could potentially be impacted by HIPAA regulations. We will discuss how PHI could possibly be disclosed, and review cases where search warrants and similar issues were affected by HIPAA.


What does HIPAA say about searches and legal inquiries?

The HIPAA Privacy Rule states that there are several permitted uses and disclosures of PHI. This does not mean that covered entities are required to disclose PHI without an individual’s permission, but healthcare organizations are permitted to do so under certain circumstances.


“Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make,” the Privacy Rule explains.


The six examples of permitted uses and disclosures are the following:

  • To the Individual (unless required for access or accounting of disclosures)
  • Treatment, Payment, and Health Care Operations
  • Opportunity to Agree or Object
  • Incident to an otherwise permitted use and disclosure
  • Public Interest and Benefit Activities
  • Limited Data Set for the purposes of research, public health or health care operations.


Under the public interest and benefit activities, the Privacy Rule dictates that there are “important uses made of health information outside of the healthcare context.” Moreover, a balance must be found between individual privacy and the interest of the public.

There are several examples that relate to disclosing PHI due to types of legal action:


  • Required by law
  • Judicial and administrative proceedings
  • Law enforcement purposes


Covered entities and their business associates are permitted to disclose PHI as required by statute, regulation or court orders.

“Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided,” according to the HHS website.


For “law enforcement purposes,” HIPAA regulations state that PHI can also be disclosed to help identify or locate a suspect, fugitive, material witness, or missing person. Law enforcement can also request information when trying to learn more about a victim or suspected victim. Another important point is that a covered entity can disclose sensitive information if it believes that PHI is evidence of a crime that took place on the premises. Even if the organization does not think a crime took place on its property, HIPAA regulations state that PHI can be disclosed “when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.”


Essentially, covered entities and business associates must use their own judgment when determining whether a situation warrants releasing PHI without an individual’s knowledge. For example, if local law enforcement wants more information from a hospital about a former patient who they believe is dangerous, it is up to the hospital to weigh the options of releasing the information.

How have HIPAA regulations affected court rulings?

There have been several court rulings in the last year discussing HIPAA regulations and how covered entities are allowed to release PHI.


Connecticut: The Connecticut Supreme Court ruled in November 2014 that patients can sue a medical office for HIPAA negligence if it violates regulations that dictate how healthcare organizations must maintain patient confidentiality. In that case, a patient found out that she was pregnant in 2004 and asked her medical facility to not release the medical information to the child’s father. However, the organization released the patient’s information when it received a subpoena. The case claimed that the medical office was negligent in releasing the information, and that the child’s father used the information for “a campaign of harm, ridicule, embarrassment and extortion” against the patient.


Florida: Just one month earlier, a Florida federal appeals court ruled that it is not a HIPAA violation for physician defendants to have equal access to plaintiffs’ health information. In this case, a patient sued his doctor for medical negligence. Florida law states that the plaintiff must provide a health history, including copies of all medical records the plaintiff’s experts relied upon in forming their opinions and an “executed authorization form” permitting the release of medical information. However, the plaintiff claimed the move would violate his privacy. The appeals court ruled that two instances applied in this case where HIPAA regulations state that covered entities are permitted to release PHI.


As demonstrated in these two court cases, it is not always easy for covered entities to necessarily determine on their own when they are compromising patient privacy and when they are adhering to a court order. However, by seeking appropriate counsel, healthcare organizations can work on finding a solution that meets the needs of all parties involved.

Hospital with repeat security failures hit with $218K HIPAA fine

Does your hospital permit employees to use a file-sharing app to store patients' protected health information? Better think again. A Massachusetts hospital is paying up and reevaluating its privacy and security policies after a file-sharing complaint and a subsequent HIPAA breach.


St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations. The settlement resulted from a 2012 complaint filed by hospital employees, stating that the medical center was using a Web-based document-sharing application to store data containing protected health information. Without adequately analyzing the security risks of this application, it put the PHI of nearly 500 patients at risk.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


It wasn't just the complaint that got St. Elizabeth's in hot water, however. A HIPAA breach reported by the medical center in 2014 also called attention to the lack of adequate security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. The breach ultimately impacted 595 patients, according to a July 10 OCR bulletin.


As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of its employees' awareness and compliance with hospital privacy and security policies. Part of this assessment will involve "unannounced visits" to various hospital departments to assess policy implementations. Officials will also interview a total of 15 "randomly selected" employees with access to PHI. Additionally, at least three portable devices across each department with access to PHI will be inspected.


Then there is the policies-and-training part of the settlement: based on the assessment, St. Elizabeth's will submit revised policies and training to HHS for approval.


In addition to the filed complaint and the 2014 breach, the medical center also reported an earlier HIPAA breach in 2012, when paper records containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found blowing in a field nearby.


To date, OCR has levied nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.


The largest settlement to date was the whopping $4.8 million fine paid by New York Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being posted on Internet search engines. 

Gerard Dab's curator insight, July 16, 2015 8:05 PM

Security! Security! Security!

#medicoolhc #medicoollifeprotector

Shoring Up HealthCare.gov Security

The future of Obamacare seems more certain now that the Supreme Court has upheld subsidies for consumers who purchase policies on the federal health insurance exchange. As a result, it's more critical than ever for the federal government to ensure that personally identifiable information is adequately safeguarded on the HealthCare.gov website for the program, as well as state insurance exchanges, as they gear up for open enrollment in the fall.


In recent months, hackers have increasingly focused their attacks on government and healthcare systems. Targets of attacks have included the U.S. Office of Personnel Management and the Internal Revenue Service, as well as health insurers Anthem Inc. and Premera Blue Cross.


That's why many security experts are calling attention to the need to make certain that systems supporting the Affordable Care Act, or Obamacare, programs are secure.


"Affordable Care Act insurance exchanges are a hodgepodge of programs operated by states and the federal governments," notes privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "With the recent news of discovery of coordinated, highly sophisticated attacks on large government operated databases, as well as incidents involving large health insurers, it stands to reason that the information systems serving as the backbone to the health insurance marketplaces are an attractive target because of their size and the sensitivity of the information they hold."


Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a civil liberties group, notes: "All large collections of sensitive personal data are at risk." When it comes to potential fraud, "healthcare data is considered more valuable on the open market," he says. "Obviously it matters how well they're protected."

Under Scrutiny

Certainly, security of the federal HealthCare.gov health insurance exchange, which facilitates the electronic health insurance marketplaces for 34 states, has been under intense scrutiny since its rollout in the fall of 2013 during the first open enrollment season for Obamacare.


Congress, as well as government watchdog agencies, including the Government Accountability Office and the Department of Health and Human Services' Office of Inspector General, have examined whether the federal health insurance exchanges - and the 16 state-operated health insurance exchanges - have in place the processes and technology to prevent breaches involving consumers' personal information, including Social Security numbers.


For instance, in April, the OIG issued a report reviewing California's health insurance exchange - Covered California - and the security controls that were in place as of June 2014. The OIG found that California had implemented security controls for its website and databases for its health insurance exchange, but the watchdog agency said more improvements were needed.


OIG determined that California had not performed a vulnerability scan in accordance with federal requirements. Also, the GAO said that Covered California's security plan did not meet some of the Centers for Medicare and Medicaid Services' minimum requirements for protection of marketplace systems, and that Covered California did not have security settings for some user accounts. California officials, in their response to the report, said they planned to implement the OIG's recommendations related to vulnerability scans, security plans and user account settings.


A September 2014 GAO report examining HealthCare.gov security found that CMS - the Department of Health and Human Services unit responsible for the federal insurance exchange - had not always required or enforced strong password controls, adequately restricted systems supporting HealthCare.gov from accessing the Internet, consistently implemented software patches and properly configured an administrative network.


In addition to the HealthCare.gov exchange, another related potential target for hackers is HHS' Multidimensional Insurance Data Analytics System, or MIDAS, which a federal IT budget planning document describes as a "perpetual central repository for capturing, aggregating and analyzing information on health insurance coverage."

The GAO noted in its September 2014 report that MIDAS is intended to create summary reporting and performance metrics related to the federally facilitated marketplace and other HealthCare.gov-related systems by aggregating data, including PII, collected during the plan enrollment process. GAO found, however, that at the time of its review, CMS hadn't yet approved an impact analysis of MIDAS privacy risks "to demonstrate that it has assessed the potential for PII to be displayed to users, among other risks, and taken steps to ensure that the privacy of that data is protected."


In a recent report, the Associated Press noted a variety of concerns about MIDAS, including current plans for data to be retained indefinitely. "Despite [a] poor track record on protecting the private information of Americans, [the Obama administration] continues to use systems without adequately assessing these critical components," said Sen. Orrin Hatch, R-Utah.


CMS did not immediately respond to an Information Security Media Group request for an update on the security of the MIDAS system.

Data Risks

Health insurers, as well as health insurance exchanges and their related databases, are a potential target for hackers because "any collection of data that includes Social Security numbers is particularly vulnerable," notes security expert Tom Walsh, founder of the consulting firm tw-Security.


"Healthcare was doing a good job of eliminating Social Security numbers from our systems. In the old days, the SSN was a person's member number for their insurance. It was finally getting to the point where SSNs were less frequently collected and used in healthcare," he says.


However, under Obamacare, sensitive consumer data, including Social Security numbers and income information, is used on the insurance exchanges to help individuals enroll in insurance plans and qualify for subsidies, Walsh notes. "So healthcare is back in the SSN game again - especially insurance companies."


Ray Biondo, chief information security officer at insurer Health Care Services Corp. says that the federal government has been taking action to address cyberthreats.


"We have been partnering with the Department of Homeland Security and the FBI and sharing threat information," Biondo says. "They've been collaborative and cooperative and helping us in that space."

Still, all players in the healthcare arena are anxious about potential attacks, he admits. "Everyone is worried about being next."

Playing Politics

Holtzman, the consultant, says it's important that politics don't get in the way of government agencies making the investments that are needed to shore up the security of health insurance exchange data.

"Everyone agrees that the federal and state governments should take decisive action to test existing information security safeguards on the systems that support the health insurance marketplace, and to take appropriate measures to ensure that the data, wherever it is held, is secured from the cybersecurity threat," he says.


"What concerns me is that in the long-running political debate over ACA, Congress has said that the HHS may not spend federal funds to support the development and implementation of the ACA. Perhaps it would be in the public interest to ensure that the fight over whether ACA is good policy does not prevent critical funds needed for investment in protecting the government information systems holding the personal information of millions of Americans from the cybersecurity threat."


Walsh says that protecting the health insurance exchanges also comes down to basics. "I was surprised when I read that the OPM did not encrypt data at rest. The government should lead by example and implement better security practices."


Tien of the Electronic Frontier Foundation, sums up his concerns: "The OPM example shows how pathetically lax information security can be. [The government] needs to make defense a priority and spend money on it."

243 arrested in 10 states for healthcare fraud, false claims, kickbacks, medical ID theft

The Medicare Fraud Strike Force swept through 10 states and arrested 243 people—46 of them physicians, nurses, and other licensed medical professionals—for allegedly defrauding the government out of $712 million in false Medicare and Medicaid billings, federal officials announced June 18. In addition to targeting instances of false claims and kickbacks, the strike force also uncovered evidence of medical identity theft.
Among the defendants is Mariamma Viju of Garland, Texas, an RN and the co-owner and nursing director for Dallas Home Health, Inc. A federal indictment accuses Viju and a co-conspirator of stealing patient information from Dallas-area hospitals in order to then solicit those patients for her business, as well as submitting false Medicare and Medicaid claims, and paying out cash kickbacks to beneficiaries.
In total, the scheme netted Viju $2.5 million in fraudulently obtained payments between 2008 and 2013. She was arrested June 16 and charged with one count of conspiracy to commit healthcare fraud, five counts of healthcare fraud, and one count of wrongful disclosure of individually identifiable health information.
The indictment says Viju allegedly took patient information from Baylor University Medical Center at Dallas, where she worked as a nurse until she was fired in 2012. Dallas Home Health then billed Medicare and Texas Medicaid for home health services on behalf of beneficiaries who were not homebound or otherwise eligible for covered home health services.
Viju also allegedly falsified and exaggerated patients’ health conditions to increase the amounts billed to Medicare and Medicaid, and thereby boost payments to Dallas Home Health. The indictment says she paid kickbacks to Medicare beneficiaries as well to recruit and retain them as patients of Dallas Home Health.
Viju’s co-conspirator—a co-owner of Dallas Home Health—wasn’t named in the indictment, but in a news release from the U.S. Attorney’s Office for the Northern District of Texas, that person was identified as her husband Viju Mathew. He’s a former registration specialist at Parkland Hospital in Dallas and pleaded guilty in November 2014 to one count of fraud and related activity in connection with identity theft.
Prosecutors say he used his position to obtain PHI, including names, phone numbers, birthdates, Medicare information, and government-issued health insurance claim numbers, so he could use it to contact prospective patients for his home health care business. He is due to be sentenced in August 2015.
In another case in Maryland, Harry Crawford—owner of RX Resources and Solutions—and two of his employees—Elma Myles and Matthew Hightower—are all charged with aggravated identity theft in addition to healthcare fraud and conspiracy to commit healthcare fraud.
An indictment from a federal grand jury accuses Crawford, Myles, and Hightower of fraudulently using actual names, addresses, and unique insurance identification numbers of numerous Medicaid beneficiaries to submit fraudulent claims totaling approximately $900,000 between 2010 and 2014.
The alleged scheme used Crawford’s durable medical equipment and disposable medical supply company to bill insurers for equipment and supplies that were never provided to beneficiaries, bill for amounts far in excess of the services delivered, and bill for supplies that weren’t needed and were never prescribed by a physician.
These are just two examples of the criminal fraud uncovered by the strike force.
In other cases, defendants face similar fraud and conspiracy charges for fraudulent billing schemes as well as charges for cash kickbacks, and money laundering, according to the Department of Justice (DOJ). The DOJ says more than 40 defendants are accused of defrauding the Medicare prescription drug program.
This was the largest coordinated takedown, in terms of defendants and money, in the history of the Medicare Fraud Strike Force, according to the DOJ. CMS also suspended licenses for several healthcare providers with authority granted to the agency under the Affordable Care Act.
Four Common HIPAA Misconceptions

While practices must work hard to comply with HIPAA, some are taking HIPAA compliance efforts a bit too far. That's according to risk management experts, who say there are some common compliance misconceptions that are costing practices unnecessary time and resources.

Here's what they say many practices are avoiding that they don't necessarily need to avoid, and some extra steps they say practices are taking that they don't necessarily need to take.


1. Avoiding leaving phone messages


While it's true that a phone message from your practice to a patient could be overheard by the wrong party, phone messages that contain protected health information (PHI) don't need to be strictly off limits at your practice, says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "Many offices adopt a blanket policy of, well, 'We can't leave you any phone messages because HIPAA says we can't,' and, that's really not true," he says. "You can always get consent from a patient on how they want to be communicated with."


Hook recommends asking all of your patients to sign a form indicating in what manner you are permitted to communicate with them, such as by mail, e-mail, text, and phone message. "If the patient says, 'Yes, you can call and leave me phone messages at this phone number I'm giving you,' then it's not a HIPAA violation to use that method of communication," he says.


2. Avoiding discussing PHI


It's important to safeguard PHI as much as possible, but some practices are taking unnecessary precautions, says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC.


"I think there's still a fear among small providers ... that they can't discuss protected health information anywhere in the [practice]," she says. "They feel that they have to almost build soundproof walls and put up bulletproof glass or soundproof glass to prevent any sort of disclosure of protected health information, and that's not what HIPAA requires at all. HIPAA allows for incidental disclosures, [which] are disclosures that happen [incidentally] around your job. So if you've got a nurse and a doctor talking, maybe at the nurses' station, and someone overhears that Mr. Smith has blood work today, that probably wouldn't be a violation because it's incidental to the job. Where else are the doctors and nurses going to talk?"


As long as you are applying "reasonable and appropriate" safeguards, Caswell says you should be in the clear.


3. Requiring unnecessary business associate agreements


HIPAA requires practices to have written agreements, often referred to as business associate agreements (BAAs), with other entities that receive or work with their PHI. Essentially, the agreements state that the business associates will appropriately safeguard the PHI they receive or create on behalf of the practice.


Still, some practices take unnecessary precautions when it comes to BAAs, says Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association. "A lot of practices are very concerned about people like janitorial services [and] plant maintenance folks, and they have them sign business associate agreements, but those folks are not business associates for the most part," says Tennant. "You may want to have them sign confidentiality agreements basically saying, 'If you do come across any information of a medical nature, protected health information, you are not permitted to look at it, copy it, keep it ...,' But, you do not need to sign a business associate agreement with anybody other than those folks that you actually give PHI to for a specific reason, like if you've got a law office or accounting office or a shredding company that is coming in to pick up PHI to destroy it."


4. Requiring unnecessary patient authorizations


While it's critical to comply with HIPAA's requirement that only those with a valid reason to access a patient's medical record (treatment purposes, payment purposes, or healthcare operations) have access to it, some practices are misconstruing that rule, says Tennant. "They demand patient authorization before they transfer data to another provider for treatment purposes," he says. "I understand why they do it, but it's one of those things that … can cause delays and confusion, and even some acrimony between the patient and the provider. If it's for treatment purposes specifically, you do not need a patient authorization."

Drug kingpin imprisoned on numerous charges, including HIPAA violations

Drug kingpin Stuart Seugasala was just convicted and sentenced on a string of federal charges that includes HIPAA violations in the course of running a violent drug trafficking ring in Alaska. Authorities said the trafficking ring imported and distributed illicit drugs, perpetrated armed home invasions, drive-by shootings, kidnappings, and sexual assaults.

The Alaska U.S. Attorney’s Office said it was the state’s first HIPAA conviction and one of only a few such cases nationwide.


Seugasala, 40, was sentenced May 15 to three life terms in prison following his conviction on drug trafficking and kidnapping charges earlier this year, but separate from that sentence was another 20 years for unauthorized access to medical records of two victims he hospitalized in 2013.


On March 13, 2013, Seugasala and his associates kidnapped, tortured, and sexually assaulted two men with a hot curling iron because one of the men owed them a large, past due debt on heroin, according to prosecutors. They said Seugasala ordered the rape to be videotaped so he could use the footage to intimidate other debtors.

One of the victims was so badly injured after three hours of torture that he was admitted to Providence Hospital in Anchorage. Two days later, Seugasala shot and wounded another man in an unrelated incident. That man also checked himself in to the hospital.


At that point, Seugasala contacted a friend who worked at the hospital, Stacy Laulu, and asked her via a text message to find out the extent of the men’s injuries and whether they were cooperating with police, prosecutors said.


They said Laulu, who was then employed as a financial counselor, accessed both men’s medical files and reported back to Seugasala, violating the men’s privacy rights.


According to prosecutors, Laulu’s husband, who was in jail on unrelated murder charges, was a close associate of Seugasala and the couple was receiving drug money from Seugasala.


Laulu was also convicted in January on the HIPAA felony violations and is scheduled for sentencing May 29. The maximum sentence is 10 years for each of those convictions. Three other members of the drug ring have also been sentenced or are due for sentencing in June.


4 keys to HIPAA audit prep

With the delay of the Office for Civil Rights (OCR) HIPAA audits, organizations would be wise not to push compliance further down the priority list. Yet many are woefully unprepared for both data breaches and the audits, writes Mark Fulford, partner at LBMC Security & Risk Services, in an article at Health IT and Security Review.


"If organizations let down their guard, they will become vulnerable to both data breaches and the OCR audits themselves when they inevitably arrive," he says. "And all indications are that the audits will bring an unprecedented level of scrutiny and enforcement to healthcare security."


Being chosen for an audit means submitting documentation of your organization's compliance. Yet HIPAA guidance isn't specific, he says, allowing you to explain your reasoning behind your security approach.

Among his recommendations:

  1. Conduct a risk assessment. Evaluate your organization before OCR does, making sure you have everything covered, including servers, personal computers, mobile devices and more.
  2. Document everything. Keep detailed records of your security measures and procedures, as well as your incident response plans.
  3. Identify your business associates. Verify that these entities also maintain appropriate security.
  4. Train your team and stay up to date. Security is a team effort; ensure that your employees are trained to respond to phishing, social engineering, malware and other attacks.


Despite a proliferation of healthcare breaches and warnings from the Office of Civil Rights that it plans to crack down on organizations that don't effectively protect patient data, research from ProPublica found that few organizations actually have been fined for it.


However, that's expected to change. Privacy attorney Adam Greene said he's heard that OCR has a pipeline of "unprecedented" settlements in the works.


An OCR attorney made a similar statement nearly a year ago. Jerome B. Meites, OCR chief regional counsel for the Chicago area, said the HIPAA enforcement actions over the past year would pale in comparison to the following 12 months.



Doximity launching app for the Apple Watch


Doximity announced today that they are launching an app for the Apple Watch, which hits the shelves later this month.


Many physicians will be familiar with Doximity, now that more than half of us have become registered users. Designed as a social network for physicians, Doximity includes a number of features that physicians will find useful for a lot more than just staying in touch with colleagues. In the recent rush of registrations on Doximity related to their partnership with US News and World Report, we wrote a quick guide on those key features. Included was secure HIPAA compliant messaging as well as an e-fax number and a journal feed.


Doximity’s Apple Watch app will bring some of these key features to your wrist. In particular, you’ll be able to read messages sent to you and dictate messages to others – without taking out your phone or pager, jumping on a computer, or spending endless minutes on hold trying to reach a colleague. You can also get notifications when a new fax comes in, and view the fax on your iPhone using the Handoff functionality.

This hits on one of the key functionalities we put on our wish list of apps for the Apple Watch – HIPAA compliant messaging. There are some limitations here worth noting. In particular, Doximity is limited to physicians so this won’t help with communication among a multi-disciplinary healthcare team, such as in a hospital or clinic. I wouldn’t be able to let a nurse know about a new medication or a social worker about an at-risk patient. Other platforms, like TigerText, will hopefully step in to bring that functionality to wearables like Apple Watch. That being said, the ability to send messages more easily to colleagues both inside and outside my own institution can be incredibly helpful.


We’re excited to see big players in the digital health space like Doximity embracing the Apple Watch. One natural question that frequently comes up is “what about Android devices?” Well, as Doximity points out, 85% of their mobile traffic is from iPhones & iPads. It’s well recognized that physicians have largely embraced Apple devices, so medical app developers are going to go there first. So while many solid options have been available for Android, we expect the Apple Watch to be a catalyst in the development of new tools for clinicians.

Doximity’s app is just the start.



Don't confuse EHR HIPAA compliance with total HIPAA compliance


Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.


Unfortunately, what many organizations today don’t realize is, just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.


Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for the purpose of protecting PHI.


In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.


Unfortunately, addressing risks to electronic patient data is not always a top priority.


We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.


While some EHR systems and their related equipment have security features built into or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often web-enabled (can connect remotely to send information to a server), but that equipment may not be checked for proper security.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.


There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.


Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.


Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct an annual HIPAA security risk analysis (specifically required under HIPAA rules). This can involve regularly engaging with a trusted provider that can remotely monitor and maintain your network and devices to ensure ongoing security.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PINs, so that access to patient information is limited to authorized individuals only.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.
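The role-based access and audit-trail items above, as an added example written for this page (it is not code from the article's author or from any EHR vendor). Roles, permissions, user names and record ids are constructed; the point is that access is decided per job role and that every attempt, allowed or denied, lands in a log whose entries are hash-chained so later edits or deletions can be detected.

```python
"""Added example: least-privilege access checks plus a tamper-evident audit trail for ePHI.

Illustrative code written for this page; it is not from any EHR vendor or from the article's
author. The roles, permissions, users and record ids are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed role-to-permission map: each job function gets only what it needs.
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_chart", "read_demographics"},
    "nurse": {"read_chart", "read_demographics"},
    "billing": {"read_demographics"},
}

GENESIS = "0" * 64  # previous-hash value for the first audit entry


class AccessDenied(PermissionError):
    """Raised when a role lacks the requested permission; the attempt is still logged."""


class AuditTrail:
    """Append-only access log. Each entry commits to the hash of the entry before it,
    so an edited or deleted entry breaks the chain and verify() reports it."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, action, record_id, allowed, when=None):
        body = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "action": action,
            "record": record_id,
            "allowed": allowed,
            "prev": self._prev_hash,
        }
        entry = dict(body, hash=self._digest(body))
        self._prev_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry's hash matches its contents and links to its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def is_permitted(role, action):
    return action in ROLE_PERMISSIONS.get(role, set())


def access_record(user, role, action, record_id, audit):
    """Enforce the role check and log the outcome either way: denied attempts are
    exactly what an auditor or an insider-threat review wants to see."""
    allowed = is_permitted(role, action)
    audit.record(user, action, record_id, allowed)
    if not allowed:
        raise AccessDenied(f"{user} ({role}) is not permitted to {action} on {record_id}")
    return {"user": user, "action": action, "record": record_id}


if __name__ == "__main__":
    trail = AuditTrail()
    print(access_record("dr_lee", "physician", "read_chart", "pt-0001", trail))
    try:
        access_record("clerk_01", "billing", "read_chart", "pt-0001", trail)
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit trail intact:", trail.verify())
```

In a real deployment the log would be written to storage the application account cannot rewrite (a separate log host or write-once store); the hash chain makes tampering detectable, it does not by itself prevent it.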


Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.



States ramp up data security laws


Healthcare organizations not only must heed federal data security laws; they also have state laws to keep in mind. And a growing trend has states making these regulations tougher than ever. One state that currently has no laws requiring organizations to implement certain data security protections has proposed legislation that would hold entities fully responsible for failing to safeguard consumer data.  

 
As businesses continue to demonstrate grievous security failings, New York state has decided to join a growing number of states that have chosen to ramp up their data security laws. The announcement last week from the state's Attorney General Eric T. Schneiderman comes on the heels of a report last year finding that nearly 23 million New Yorkers have had their personal records compromised since 2006.
 
New York entities are only required to notify individuals of a data security breach if "private information" has been compromised. Private information, as state officials pointed out, has a very narrow definition and does not include email addresses and passwords, medical data or health insurance data, among other items.
 
The proposed law would broaden the definition of private information to include email addresses, security questions and medical and health insurance data. The law would also establish a safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach. 
 
In 2013 – a "record-setting" breach year for New York – these data security breaches cost organizations a whopping $1.37 billion statewide. Some 40 percent of those breaches were hacking related, according to a 2014 N.Y. Attorney General report.
 
What's more, healthcare organizations proved to be the biggest offenders, with healthcare data breaches being responsible for compromising the largest number of records of New Yorkers since 2006. "As the healthcare industry moves toward increasing digitization, it has become a repository for large troves of sensitive information, making the industry uniquely susceptible to data loss, particularly through lost or stolen electronic storage equipment," Schneiderman wrote in the report.  
 
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," said Schneiderman in a Jan. 15 press release. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
 
One of the state's biggest data breaches ever reported was announced by the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which compromised the health records of some 1.7 million employees, vendors and patients.
 
In light of the increase in scope and frequency of these data security breaches, just last month, Oregon's AG Ellen Rosenblum called on the state's legislature to update and toughen Oregon's data breach law, which does not protect medical or health insurance data. Indiana's AG also in December proposed similar legislation that would tighten data security laws in the state. 



HIPAA-Related Fines Climb to $6.8 and $32.5 Million | Diagnostic Imaging

In 2014, there have been many "advances" in the amount and type of financial penalties related to HIPAA. In this article, I want to highlight two. The first relates to a sanction against an insurance company for HIPAA violations in Puerto Rico, with a promise for heftier fines. The second relates to a case, which was brought in state court in Louisiana against a major health system. Both are significant for two reasons: (1) the breaches stemmed from a non-IT incident; and (2) one was brought by a government agency and the other was brought via a state law case.

The case in Puerto Rico, which resulted in a record $6.8 million sanction, involved a mailing error impacting approximately 13,000 beneficiaries. The Puerto Rico Health Insurance Administration (ASES) signaled that the fine against Triple S Insurance was just the beginning and that other companies should be cognizant about safeguarding protected health information in order to avoid similar fines. Not surprisingly, a higher fine could have been imposed. Ricardo Rivera Cardona, a top official at ASES, indicated, "[t]heir contact with us specifies that any contractual violation, including HIPAA, is subject to a fine of $500 to $100,000 per member."

The second case, which was a class action lawsuit filed in Louisiana State Court, stems back nearly 20 years, before the passage of HIPAA, and involved thousands of patient records from a psychiatric hospital being left in the parking lot of the psychiatric hospital owned by Tenet Healthcare. The case was based on an invasion of the plaintiffs' privacy and the settlement totaled $32.5 million.

These two items underscore the importance of protecting both paper and electronic protected health information. Make sure to have a cross-cut shredder that complies with the Privacy and Security Rules and read the contents of your insurance policies closely.

Mega-Mergers: The Security, Privacy Concerns


Mergers and acquisitions, such as two pending mega-deals in the health insurance sector, pose security and privacy risks that need to be addressed before the transactions are completed, during the integration process and over the long haul.


In recent weeks, Anthem Inc. announced plans to buy rival Cigna for $48 billion, and Aetna unveiled a proposed $37 billion purchase of Humana.


"I can't speak specifically to these mergers, but in general they share the same challenges as others going through M&As," says Mac McMillan, CEO of the security consulting firm CynergisTek. Interoperability of systems, consolidation or merging of databases, differing architectures, disparate platforms, consolidation of accounts and accesses, and conversion of users are among the potential hurdles these companies face, he notes.


"For organizations this large, there is nothing trivial about integrating their networks, systems or controls," McMillan says. "The biggest issues are always disparate systems, controls and interoperability and the privacy and security issues those challenges can create."


When it comes to mergers, privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group notes, "I'm most worried about companies not doing enough diligence about security when these acquisitions are being considered. ... It's becoming increasingly complex to integrate two companies' IT infrastructures, and those transitions create new vulnerabilities."


Concerning Anthem's proposed purchase of Cigna, Wu says Anthem's recent hacker attack, which affected nearly 80 million individuals, "shouldn't be downplayed, but I'd be more concerned about Cigna and whether that company also potentially had a breach that perhaps hasn't been discovered yet."


Privacy attorney Kirk Nahra of the law firm Wiley Rein LLP notes that the transition period after two companies merge presents new risks. "Because of the tremendous concerns about data security and cybersecurity breaches, integration of overall security is a particular challenge," he says. "It is easier to attack a hybrid, half-integrated company than two separate companies."


Anthem's proposed acquisition of Cigna comes "at a time where Anthem is under a lot of pressure with respect to its information security, [and] the acquisition of another large insurer represents a lot more to add to its plate," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"It will need to integrate its information security processes into a host of new systems, with each new, potentially unfamiliar system bringing new risks if not properly integrated," he says.

Critical Decisions

When mergers and acquisitions are completed, a big challenge is picking and choosing whose information security program will dominate after the transaction is completed.


"Often times, the information security program of the larger entity takes over the smaller," Greene notes. "In good situations, each entity learns from the other and the overall information security is improved, after a painful integration process. But sometimes the reverse happens, and good information security practices are abandoned because they are not practiced by the larger entity."


McMillan says merging organizations should "take an inventory of which set of controls, processes, technologies, etc. are either the most mature or the best overall." Then they can consider merging the programs, "the same way they merge organizations - capitalizing on the best of both."


While that best-of-breed-themed approach might work well in some mergers and acquisitions, typically things don't end up going that smoothly, Nahra contends.


"There are two kinds of challenges - inconsistencies in practices, either involving data security or privacy, and then operational implications of these inconsistencies, where one of the entities tries to apply its process or practices to the differing practices or operations of the other," Nahra says. "These challenges are exacerbated when there hasn't been a lot of due diligence on privacy/data security issues."

Access Control

One issue that's frequently overlooked during the blending of IT networks of merging companies is access control, says Rebecca Herold, partner and co-founder of SIMBUS Security and Privacy Services.


When an organization is undergoing a merger, some employees typically lose their jobs because their role duplicates another's role, Herold says. "But the company keeps them on for a certain amount of time because they are training another person or finishing up on a project," she says. "However, during this time, I've seen disgruntled insiders who have access to information or administrative controls and have tried to sabotage the company that fired them."


Often executives don't have insight into all the risks that are involved with blending computer networks, says Herold, who's served as an adviser to merged organizations.


"They want to join or connect the networks in some way, but there are huge risks. When you start connecting one huge network with another one, and start sharing data without proper planning, there are new vulnerabilities and risks that emerge," she says.


If the companies involved in the latest wave of healthcare sector mergers and acquisitions get the regulatory and shareholder approval needed to complete their transactions, they need to keep a few security tips in mind, McMillan says.


"The biggest tip is common sense: Don't undo anything that is currently in place to ensure continuity until what's new is in place and backed up," he says.


State AGs clash with Congress over data breach laws


Attorneys general from all 47 states with data breach notification laws are urging Congress not to preempt local rules with a federal standard.

“Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft,” they wrote in a letter sent to congressional leaders on Tuesday.

Lawmakers have been weighing a number of measures that would create nationwide guidelines for notifying customers in the wake of a hack that exposes sensitive information. Industry groups have argued that complying with the patchwork set of rules in each state is burdensome and costly.


The rapidly rising number of breaches at retailers, banks and government agencies has only raised pressure on Congress to pass legislation.

While the concept of a federal standard has bipartisan appeal, the two parties have split over whether to totally preempt state laws.

Democrats fear a nationwide rubric that preempts state law could weaken standards in states that have moved aggressively on data breach laws. Republicans fear that an overly strict federal standard could empower overzealous government regulators.

Lawmakers also disagree on what type of breaches should trigger a notification.

The differing views have spawned a cavalcade of bills on Capitol Hill, many of which would preempt state laws.

“Given the almost constant stream of data security breaches, state attorneys general must be able to continue our robust enforcement of data breach laws,” said Virginia Attorney General William Sorrell, who oversees a law that requires companies to notify officials within 14 days of discovering a breach, in a statement. “A federal law is desirable, but only if it maintains the strong consumer protection provisions in place in many states.”

Many state attorneys general, including Sorrell, favor a Senate data breach offering from Sen. Patrick Leahy (D-Vt.) and co-sponsored by five other Democrats.

Notably the bill does not preempt state laws that are stricter than the standard delineated in Leahy’s bill.

It also provides a broad definition of what type of information would constitute a notification-worthy breach. It includes photos and videos in addition to more traditional sensitive data such as Social Security numbers or financial account information.

But most important for states is retaining their ability to set their own standards.

“States should also be assured continued flexibility to adapt their state laws to respond to changes in technology and data collection,” the letter said. “As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy.”


Website Error Leads to Data Breach


An error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals. The incident is a reminder to all organizations about the importance of sound systems development life cycle practices.


In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan administrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.


Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.


"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.


Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."


The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."
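The article does not say what the May 9 code change actually did, so the following is an added, constructed illustration of one classic way "simultaneous users see each other's accounts" comes about: a change that moves request-scoped data (which account is logged in) into state shared by every in-flight request. It is not Blue Shield's code; the accounts and member ids are made up. The handlers are written as generators so the interleaving between two requests can be reproduced exactly, which is also how a regression test for this bug class can be made deterministic.

```python
"""Added example: how a code change can let simultaneous users see each other's records.

Constructed illustration for this page. The article does not say what Blue Shield's defect was;
this shows one classic mechanism, request-scoped data (the logged-in account) kept in state
that all in-flight requests share. Account and member ids are made up."""

# Constructed plan-member lists keyed by the administrator/broker account that may view them.
MEMBERS_BY_ACCOUNT = {
    "broker_a": ["member-1001", "member-1002"],
    "broker_b": ["member-2001"],
}


class SharedState:
    """Process-wide mutable state. Every concurrent request overwrites the same attribute."""
    current_account = None


def vulnerable_list_members(account):
    """Two-step handler written as a generator so the interleaving can be controlled exactly.
    Step 1 notes who is logged in; the yield marks where the server may switch to another
    request; step 2 trusts the shared note instead of the request it belongs to."""
    SharedState.current_account = account
    yield
    return MEMBERS_BY_ACCOUNT[SharedState.current_account]


def hardened_list_members(account):
    """Same handler, but the authenticated identity travels with the request (a local),
    so nothing another request does between the steps can change whose data is returned."""
    yield
    return MEMBERS_BY_ACCOUNT[account]


def run_interleaved(handler):
    """Drive two requests through step 1 before either reaches step 2: A logs in, B logs in,
    then both fetch. Returns what each caller was shown."""
    requests = {"broker_a": handler("broker_a"), "broker_b": handler("broker_b")}
    for gen in requests.values():
        next(gen)  # both complete step 1; the shared attribute now holds broker_b
    shown = {}
    for account, gen in requests.items():
        try:
            next(gen)
        except StopIteration as done:
            shown[account] = done.value
    return shown


def leaks_between_accounts(handler):
    """Regression check for this bug class: does any caller see members it is not entitled to?"""
    shown = run_interleaved(handler)
    return any(shown[acct] != MEMBERS_BY_ACCOUNT[acct] for acct in shown)


if __name__ == "__main__":
    print("vulnerable:", run_interleaved(vulnerable_list_members))
    print("hardened:  ", run_interleaved(hardened_list_members))
```

Run stand-alone, the vulnerable handler shows broker_a the single member belonging to broker_b, exactly the cross-account view described in the notification letter, while the hardened handler returns each caller its own list. A check like `leaks_between_accounts` is the kind of test a code review or user acceptance test can require before a change to a member-facing portal ships.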

Similar Incidents

The coding error at Blue Shield of California that led to the users being able to view other individuals' information isn't a first in terms of programming mistakes on a healthcare-sector website leading to privacy concerns.


For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site.


Software design and coding mistakes that leave PHI viewable on websites led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.


An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.


The corrective action plan required the physicians practice, among other measures, to conduct a risk assessment and implement appropriate policies and procedures.

Measures to Take

Security and privacy expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, says that to avoid website-related mistakes that can lead to privacy breaches, it's important that entities implement appropriate controls as well as follow the right systems development steps.


"Organizations should have a sound systems development life cycle - SDLC - in place to assess all systems in a production environment, especially those that are externally facing," he says. "Components of a mature SDLC would include code reviews, user acceptance testing, change management, systems analysis, penetration testing, and application validation testing."


Healthcare entities and business associates need to strive for more than just HIPAA compliance to avoid similar mishaps, he notes.

"Organizations that are solely seeking HIPAA compliance - rather than a comprehensive information security program - will never have the assurance that website vulnerabilities have been mitigated through the implementation of appropriate controls," he says. "In other words, HIPAA does not explicitly require penetration testing, secure code reviews, change management, and patch management, to name a few. These concepts are fundamental to IT security, but absent from any OCR regulation, including HIPAA."

Earlier Blue Shield Breach

About a year ago, Blue Shield of California reported a data breach involving several spreadsheet reports that inadvertently contained the Social Security numbers of 18,000 physicians and other healthcare providers.


The spreadsheets submitted by the plan were released 10 times by the state's Department of Managed Health Care. In California, health plans electronically submit monthly to the state agency a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas - but not Social Security numbers. DMHC makes those rosters available to the public, upon request.


243 Charged in Medicare Fraud Schemes


Federal authorities announced their largest national Medicare fraud takedown to date, involving criminal charges against 243 individuals allegedly responsible for false billing totaling approximately $712 million.


In a June 18 joint announcement, officials at the Department of Health and Human Services, Department of Justice and FBI said a "nationwide sweep" led by the Medicare Fraud Strike Force in 17 districts has resulted in charging 243 individuals, including 46 physicians, nurses and other licensed medical professionals, for their alleged participation in Medicare fraud schemes. As of June 18, 184 defendants had been taken into custody, a DOJ spokesman says.


Officials called "the coordinated takedown" the largest in strike force history, both in terms of the number of defendants charged and the loss amount.


The sweep also resulted in the Centers for Medicare and Medicaid Services using its authority under the Affordable Care Act to suspend a number of healthcare providers from participating in the Medicare program.

Variety of Charges

The defendants in the takedown are charged with various healthcare fraud-related crimes, including conspiracy to commit healthcare fraud, violations of the anti-kickback statutes, money laundering and aggravated identity theft. The charges are based on a variety of alleged fraud schemes involving various medical treatments and services, including home healthcare, psychotherapy, physical and occupational therapy, durable medical equipment and pharmacy fraud.

More than 44 of the defendants are charged with fraud related to the Medicare prescription drug benefit program known as Part D, which regulators say is the fastest-growing component of the Medicare program.


"This takedown adds to the hundreds of millions we have saved through fraud prevention since the Affordable Care Act was passed," said HHS Secretary Sylvia Mathews Burwell. "With increased resources that have allowed the Strike Force to expand and new tools, like enhanced screening and enrollment requirements, tough new rules and sentences for criminals, and advanced predictive modeling technology, we have managed to better find and fight fraud as well as stop it before it starts."


The Medicare Fraud Strike Force, a multi-agency team of federal, state and local investigators and prosecutors designed to combat Medicare fraud through the use of Medicare data analysis techniques, coordinated the investigation. Since the program's inception in March 2007, Strike Force operations in nine locations have charged more than 2,300 defendants who collectively are alleged to have falsely billed the Medicare program for more than $7 billion, according to federal authorities.


Among the large Medicare busts was the May 2014 arrest of 90 individuals in six states who were allegedly tied to Medicare fraud schemes responsible for $260 million worth of false billings. Also, in October 2012, federal authorities announced a Medicare fraud crackdown that involved charges against 91 individuals in fraud schemes allegedly involving approximately $492 million in false billing.

A Wake-Up Call

Security expert Mac McMillan, CEO of the consultancy CynergisTek, says the magnitude of the most recent Medicare takedown is significant. "This should be a wake-up call to those healthcare professionals who think it is OK to fudge around the edges, or in some cases just outright steal from the system, that their days are numbered and the feds are serious about curbing this very important problem," he says. "Hopefully it will have some impact, but frankly, right now, it seems like someone declared open season on healthcare between this [type of fraud] and the hacks we've seen lately."


Healthcare entities can help in the battle against fraud by monitoring for criminal behavior within their own organizations, he says. "One of the simplest ways is to perform periodic audits of what workforce members involved in preparing or handling claims are doing, as well as audits of patients receiving discharge summaries and bills."


Additionally, more commercial health insurers should follow CMS's lead and implement analytical tools that can help detect suspicious activities, he says. "They are the only really effective tools for proactive monitoring and detection," he says. "Those committing fraud may not cause a compliance trigger to be activated, but generally fraud requires an abnormal event to occur. Monitor for those, and you have a better chance of detecting inappropriate behavior."
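The kind of abnormal-event monitoring described above, as an added example that is not code from the article or from CynergisTek. It runs two checks over a small set of constructed claim records: a provider whose average billed visit length is a robust outlier against its peers (the pattern of billing 90 minutes for a 15-minute appointment), and equipment billed to a beneficiary who has no visit on file with any provider. The claim records, provider and beneficiary identifiers, and thresholds are all assumptions made for the example.

```python
"""Added example: abnormal-event checks over constructed Medicare-style claims.

Not code from the article or from CynergisTek. The claim records below are
constructed for illustration; the rules implement the idea that fraud usually
requires an abnormal event that routine compliance triggers will not catch.
"""
from collections import defaultdict
from statistics import median

# Constructed sample claims:
# (claim_id, provider, beneficiary, service, billed_minutes, amount_usd)
CLAIMS = [
    ("c1", "provA", "b1", "visit", 20, 150.0),
    ("c2", "provA", "b2", "visit", 15, 120.0),
    ("c3", "provB", "b3", "visit", 25, 160.0),
    ("c4", "provB", "b4", "visit", 20, 140.0),
    ("c5", "provC", "b1", "visit", 95, 480.0),   # provC bills long visits
    ("c6", "provC", "b5", "visit", 90, 460.0),
    ("c7", "provC", "b6", "visit", 100, 500.0),
    ("c8", "provD", "b7", "wheelchair", 0, 4200.0),  # b7 has no visit on file
    ("c9", "provD", "b3", "wheelchair", 0, 4100.0),  # b3 does have a visit
    ("c10", "provE", "b8", "visit", 30, 170.0),
]


def avg_visit_minutes(claims):
    """Average billed minutes per visit claim, keyed by provider."""
    minutes_by_provider = defaultdict(list)
    for _, provider, _, service, minutes, _ in claims:
        if service == "visit":
            minutes_by_provider[provider].append(minutes)
    return {p: sum(m) / len(m) for p, m in minutes_by_provider.items()}


def flag_long_visits(claims, threshold=3.0):
    """Providers whose average visit length is a robust outlier among peers.

    Uses the median and the median absolute deviation (MAD) rather than mean
    and standard deviation, so one inflated provider does not drag the
    "normal" value up and hide itself.
    """
    avgs = avg_visit_minutes(claims)
    values = list(avgs.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # all providers identical; nothing to compare against
        return []
    return sorted(p for p, v in avgs.items() if (v - med) / mad > threshold)


def flag_equipment_without_visit(claims):
    """Equipment claims for beneficiaries who have no visit claim at all."""
    seen_visit = {b for _, _, b, service, _, _ in claims if service == "visit"}
    return sorted(cid for cid, _, b, service, _, _ in claims
                  if service != "visit" and b not in seen_visit)


def report(claims):
    """Summarise both checks for an auditor."""
    return {
        "outlier_visit_providers": flag_long_visits(claims),
        "equipment_without_visit": flag_equipment_without_visit(claims),
    }


if __name__ == "__main__":
    for name, hits in report(CLAIMS).items():
        print(f"{name}: {hits}")
```

On the constructed data the visit-length check singles out provC and the equipment check singles out claim c8. Neither of these would trip a simple compliance rule (every claim is individually well-formed); both only stand out relative to the rest of the population, which is the point of proactive analytics.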

Fraud Scams Busted

Among those charged in the latest Medicare fraud takedown were individuals in six states:


  • Seventy-three defendants in Miami were charged with offenses relating to their alleged participation in various fraud schemes involving approximately $263 million in false billings for home healthcare, mental health services and pharmacy fraud. In one case, administrators in a mental health center billed close to $64 million between 2006 and 2012 for purported intensive mental health treatment to beneficiaries and allegedly paid kickbacks to patient recruiters and assisted living facility owners. Medicare paid approximately half of the claimed amount.
  • Twenty-two individuals in Houston and McAllen, Texas, were charged in cases involving more than $38 million in alleged fraud. One of these defendants allegedly coached beneficiaries on what to tell doctors to make them appear eligible for Medicare services and treatments and then received payment for those who qualified. The company that paid the defendant for recruiting patients to bill for medically unnecessary services submitted close to $16 million in claims to Medicare, more than $4 million of which was paid.
  • Seven people in Dallas were charged in connection with home healthcare schemes. In one scheme, six owners and operators of a physician house call company allegedly submitted nearly $43 million in billings under the name of a single doctor, regardless of who actually provided the service. The company also allegedly significantly exaggerated the length of physician visits, often billing for 90 minutes or more for an appointment that lasted only 15 or 20 minutes.
  • Eight individuals in Los Angeles were charged for their alleged roles in schemes to defraud Medicare of approximately $66 million. For example, a physician is charged with causing almost $23 million in losses to Medicare through his own fraudulent billing and referrals for durable medical equipment, including more than 1,000 power wheelchairs and home health services that were not medically necessary and often not provided.
  • Sixteen defendants in Detroit were charged for their alleged roles in fraud, kickback and money laundering schemes involving approximately $122 million in false claims for services that were medically unnecessary or never rendered, including home healthcare, physician visits and psychotherapy, as well as pharmaceuticals that were billed but not dispensed. Among those charged are three owners of a hospice service who allegedly paid kickbacks for referrals made by two doctors who defrauded Medicare Part D by issuing medically unnecessary prescriptions.
  • Five individuals in Tampa were charged with participating in a variety of alleged scams, ranging from fraudulent physical therapy billings to a scheme involving millions of dollars worth of claims for physician services and tests that never were provided. In one case, a licensed pain management physician sought reimbursement for nerve conduction studies and other services that he allegedly never performed. Medicare paid the defendant more than $1 million for these purported services.
  • Nine individuals in Brooklyn, N.Y., were charged in two separate criminal schemes allegedly involving physical and occupational therapy. Three of those defendants face charges for their roles in a previously charged $50 million physical therapy scheme.
  • Eleven people in New Orleans were charged in connection with $110 million worth of alleged home healthcare and psychotherapy schemes. In one case, four individuals who operated two companies - one in Louisiana and one in California - that mass-marketed talking glucose monitors across the country allegedly sent the devices to Medicare beneficiaries regardless of whether they were needed or requested. The companies billed Medicare approximately $38 million for the devices, and Medicare paid the companies more than $22 million.

Physicians: Protect Your Data from Hackers in 5 Steps


According to a recent CNBC report, hackers may have stolen personnel data and Social Security numbers for every single federal employee last December. If true, the cyberattack on federal employee data is far worse than the Obama administration has acknowledged.

J. David Cox, president of the American Federation of Government Employees, believes "hackers stole military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; [as well as] age, gender, race data," according to the report. This would be all that is needed for cybercriminals to steal identities of the employees, divert funds from one account to another, submit fake healthcare claims, and create fake accounts for everything from credit cards to in-store credit card purchases.


Although physicians maintain personal and professional data which is especially valuable to thieves, you are not the federal government. Make it hard enough on cybercriminals, and they will move on to lower-hanging fruit. Reader's Digest offers good advice in five simple steps in its article, "Internet Security, How not to Get Hacked":


1. Be aware of what you share.


On Facebook, Twitter, or social media, avoid posting birth dates, graduation years, or your mother's maiden name — info often used to answer security questions to access your accounts online or over the phone.


2. Pick a strong password.


Hackers guess passwords using a computer. The longer your password and the more nonsensical characters it contains, the longer it takes the computer. The idea here is that longer, more complicated passwords could take a computer 1,000 years to guess. Give 'em a challenge.


3. Use a two-step password if offered.


Facebook and Gmail have an optional security feature that, once activated, requires you to enter two passwords: your normal password plus a code that the companies text to your phone to access your account. "The added step is a slight inconvenience that's worth the trouble when the alternative can be getting hacked," CNET tech writer Matt Elliot told Reader's Digest. To set up the verification on Gmail, click on Account, then Security. On Facebook, log in, click on the down icon next to Home, and then click on Account Setting, Security, and finally Login Approvals.


4. Use Wi-Fi hot spots sparingly.


By now, you probably know that Internet cafés and free hotspots are not secure. You shouldn't be doing your online banking from these spots. However, the little button that turns off your laptop's Wi-Fi so that your laptop cannot be accessed remotely is also handy. In Windows, right click on the wireless icon in the taskbar to turn it off. On a Mac, click the Wi-Fi icon in the menu bar to turn off Wi-Fi.


5. Back up your data.


Hackers can delete years' worth of e-mails, photos, documents, and music from your computer in minutes. Protect your digital files by using a simple and free backup system available on websites such as Crashplan and Dropbox.


Take this basic instruction and build on it yourself. Google, for example, offers advice expanding on the concept of "strong passwords." The worst thing you can do is use "dictionary words," the word "password," and sequential keystrokes, such as "1234" or "qwerty," because the hacker's computers will try these first. For e-mail, pick a phrase, such as "[m]y friends Tom and Jasmine send me a funny e-mail once a day" and then use numbers and letters to recreate it as a cryptic password: "MfT&Jsmafe1ad."
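The password advice in step 2 and the paragraph above, turned into a policy check, as an added example that is not code from the article, Reader's Digest or Google. It rejects dictionary words, the word "password" and keyboard or number sequences, and it estimates the brute-force search space from length and character classes, which is what makes a longer, more varied password take a guessing computer so much longer. The word list and sequence list are small constructed stand-ins; a practice deploying this would swap in a full dictionary and a breached-password set. The guess rate used for the time estimate is likewise an assumption.

```python
"""Added example: a password-policy check encoding the article's advice.

Not code from the article, Reader's Digest or Google. DICTIONARY and
SEQUENCES are small constructed lists for illustration only.
"""
import math
import string

# Constructed: a few dictionary words and common keyboard/number sequences.
DICTIONARY = {"password", "welcome", "letmein", "summer", "doctor", "medical"}
SEQUENCES = ["1234", "12345678", "qwerty", "asdf", "abcd"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw):
    """Size of the alphabet a guesser must cover, from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def guess_space_bits(pw):
    """log2 of the brute-force search space: length * log2(alphabet)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def years_to_exhaust(pw, guesses_per_second=1e12):
    """Years to try the whole search space at an assumed guess rate.

    The rate is an assumption for illustration; it only matters relatively,
    since every extra character multiplies the time by the alphabet size.
    """
    return 2 ** guess_space_bits(pw) / guesses_per_second / SECONDS_PER_YEAR


def check_password(pw, min_length=12, min_bits=60.0):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if low in DICTIONARY or "password" in low:
        problems.append("dictionary word or the word 'password'")
    for seq in SEQUENCES:
        if seq in low:
            problems.append(f"contains the sequence {seq!r}")
    if guess_space_bits(pw) < min_bits:
        problems.append(f"search space below {min_bits:.0f} bits")
    return problems


if __name__ == "__main__":
    for candidate in ["qwerty", "password1234", "MfT&Jsmafe1ad."]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {guess_space_bits(candidate):.1f} bits, "
              f"{years_to_exhaust(candidate):.3g} years; {verdict}")
```

The passphrase-derived password from the article passes every rule, while "password1234" is rejected twice over (it contains "password" and the "1234" sequence) even though its length alone would satisfy the policy. That is why a length rule on its own is not enough: the guesser tries the dictionary and the sequences before it ever starts exhaustive search.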


Coast Guard called to task for insufficient health data privacy


The U.S. Coast Guard has made progress in developing a culture of privacy, but still faces challenges because it lacks a strong organizational approach to resolving health privacy issues, according to a report from the Department of Homeland Security's Office of Inspector General (OIG).


The report is based on an audit to determine whether the Coast Guard complies with privacy regulations, including the Health Insurance Portability and Accountability Act.


The report cites five areas of concern:

  1. Coast Guard privacy and HIPAA officials do not formally communicate to improve privacy oversight and incident reporting, which limits USCG's ability to assess and mitigate the risks of future privacy or HIPAA breaches. The OIG urges a formal mechanism be set up to ensure that communication takes place.
  2. USCG does not have consistent instructions for managing and securing health records. The report calls for consistent instructions for managing health record retention and disposal.
  3. The Coast Guard's clinics have not completed contingency planning to safeguard privacy data from loss in case of disaster. The report shows photos of rooms full of paper records in tubs and others of water damage to a ceiling. OIG says the Coast Guard should make a plan of action and milestones to ensure it is safeguarding privacy data in the event of emergency or disaster.
  4. Clinics lack processes to periodically review physical security, placing privacy data at unnecessary risk. The OIG calls for an action plan and periodic review of physical safeguards to mitigate risks to protected health information at clinics.
  5. USCG has not assessed the merchant mariner credentialing program and processes to identify and reduce risk to merchant mariners' privacy data managed throughout its geographically dispersed program operations. The report says there needs to be a plan to improve controls to better protect this data.


The Coast Guard agreed with all recommendations made by the OIG. It is the only branch of the Department of Homeland Security that has an EHR system for its work force, FierceEMR previously reported. It adopted an Epic system in 2012. 


DHS has a system for immigrant detainees, but not its own employees. The system fully implemented earlier this year at U.S. Immigration and Customs Enforcement is considered one of the largest and "most robust" EHR systems in the federal government, according to an ICE announcement. It's sure to be eclipsed in size, though, by the $11 billion contract to be let later this year to modernize the Department of Defense system.



Stage 3 Meaningful Use: Breaking Down HIPAA Rules


CMS released its Stage 3 Meaningful Use proposal last month, with numerous aspects that covered entities (CEs) need to be aware of and pay attention to. While the proposal has a large focus on EHR interoperability, it continues to build on the previously established frameworks in Stage 1 and Stage 2 – including keeping patient information secure.


HIPAA rules and regulations cannot be thrown out the window as CEs work toward meeting meaningful use requirements. We'll break down the finer points of Stage 3 Meaningful Use as it relates to data security, and how organizations can remain HIPAA compliant while also making progress in the Meaningful Use program.


Stage 3 further protects patient information


One of the top objectives for Stage 3 Meaningful Use is to protect patient information. New technical, physical, and administrative safeguards are recommended that set stricter and narrower requirements for keeping patient data secure.


The new proposal addresses how the encryption of patient electronic health information continues to be essential for the EHR Incentive Programs. Moreover, it explains that relevant entities will need to conduct risk analysis and risk management processes, as well as develop contingency plans and training programs.


In order to receive EHR incentive payments, covered entities must perform a security risk analysis. However, these analyses must go beyond just reviewing the data that is stored in an organization’s EHR. CEs need to address all electronic protected health information they maintain.


It is also important to remember that installing a certified EHR does not fulfill the Meaningful Use security analysis requirement. This security aspect ensures that all ePHI maintained by an organization is reviewed. For example, any electronic device – tablets, laptops, mobile phones – that stores, captures or modifies ePHI needs to be examined for security.

“Review all electronic devices that store, capture, or modify electronic protected health information,” states the ONC website. “Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”


It is also important to regularly review the existing security infrastructure, identify potential threats, and then prioritize the discovered risks. For example, a risk analysis could reveal that an organization needs to update its system software, change its workflow processes or storage methods, review and modify policies and procedures, schedule additional training for staff, or take other corrective action to eliminate the identified security deficiencies.

A security risk analysis does not necessarily need to be done every year. CEs only need to conduct one when they adopt an EHR. When a facility changes its setup or makes alterations to its electronic systems, for example, then it is time to review and make updates for any subsequent changes in risk.


Stage 3 works with HIPAA regulations


In terms of patient data security, it is important to understand that the Stage 3 Meaningful Use rule works with HIPAA – the two complement one another.


“Consistent with HIPAA and its implementing regulations, and as we stated under both the Stage 1 and Stage 2 final rules (75 FR 44368 through 44369 and 77 FR 54002 through 54003), protecting ePHI remains essential to all aspects of meaningful use under the EHR Incentive Programs,” CMS wrote in its proposal. “We remain cognizant that unintended or unlawful disclosures of ePHI could diminish consumer confidence in EHRs and the overall exchange of ePHI.”

As EHRs become more common, CMS explained that protecting ePHI becomes more instrumental in the EHR Incentive Program succeeding. However, CMS acknowledged that there had been some confusion in the previous rules when it came to HIPAA requirements and requirements for the meaningful use core objective:


For the proposed Stage 3 objective, we have added language to the security requirements for the implementation of appropriate technical, administrative, and physical safeguards. We propose to include administrative and physical safeguards because an entity would require technical, administrative, and physical safeguards to enable it to implement risk management security measures to reduce the risks and vulnerabilities identified.


CMS added that even as it worked to clarify security requirements under Stage 3, their proposal was not designed “to supersede or satisfy the broader, separate requirements under the HIPAA Security Rule and other rulemaking.”


For example, the CMS proposal narrows the requirements for a security risk analysis in terms of meaningful use requirements. Stage 3 states that the analysis must be done when CEHRT is installed or when a facility upgrades to a new certified EHR technology edition. From there, providers need to review the CEHRT security risk analysis, as well as the implemented safeguards, “as necessary, but at least once per EHR reporting period.”


However, CMS points out that HIPAA requirements “must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits” in all electronic forms.


Working toward exchange securely


The Stage 3 Meaningful Use proposal encourages CEs to work toward health information exchange and to focus on better health outcomes for patients. As healthcare facilities work toward both of these goals, it is essential that health data security still remains a priority and that PHI stays safe.


While HIPAA compliance ensures that CEs avoid any federal fines, it also ensures that those facilities are keeping patient information out of the wrong hands. The right balance needs to be found between health information security and health information exchange.



HIPAA Regulations Create Communication Obstacle, Says Survey


HIPAA regulations are a necessity for covered entities, but if a recent survey is any indication, they could also be creating issues for providers.


The majority of surveyed providers – 61 percent – stated that HIPAA regulations pose an obstacle to communication and collaboration within the care team, according to a PerfectServe survey. However, respondents also indicated that working to improve secure communications was a goal for their organization. Specifically, 83 percent said that secure communication was a top priority, while 69 percent stated that they already have several applications and technologies in place.


The survey was conducted online by the Harris Poll, on behalf of PerfectServe. A total of 955 doctors, nurses, case managers and healthcare administrators were interviewed, the majority of which – 65 percent – were in hospital-based practices. Thirty-five percent of respondents worked in an office-based organization or a private practice.

The survey also showed the provider-patient communication breakdown, finding that the majority of respondents use follow-up phone calls with patients and online patient portals to communicate with patients. The most common methods of communication are below:


  • 83 percent of respondents use follow-up patient calls
  • 74 percent of those surveyed utilize online patient portals
  • 46 percent use a unified communication platform
  • 41 percent of respondents use patient text reminders/updates
  • 39 percent engage in telemedicine


In terms of patient care, respondents stated that communication breakdowns often hinder their ability to properly care for patients. Seventy-one percent of physicians, specialists, and hospitalists said they either strongly agree or agree that they have wasted valuable time when trying to communicate with the broader care team. Moreover, 71 percent of nurses and case managers said that time is often wasted when they try to communicate with the right physician for a particular situation.


The majority of respondents – 69 percent – also stated that patient care is often delayed while waiting for important information about the patient, while 67 percent of those surveyed admitted that they often receive pages or calls that are low priority and disrupt patient care.

A unified communication system could potentially be the answer to some of those issues, according to the survey. Of the 29 percent who stated that they are not satisfied with the secure technology utilized by their organization, 68 percent explained that the dissatisfaction largely arises because different members of the community use different technologies. Moreover, 55 percent of those who were dissatisfied said that not all team members have access to secure communication technology.


Similar results were found in a recent Peak10 survey, where C-level executives and information technology professionals were interviewed. In that report, 60 percent of respondents said that government mandates are having a negative effect on their industry, while 94 percent said complying with regulations influences IT strategy and decision-making.


Additionally, 70 percent of respondents said that in terms of healthcare security, they need partners to assist with those concerns, along with data privacy issues.



Is Your Medical Practice's Social Media Policy Adequate?


By now every physician should be aware of the benefits that can be bestowed upon their practice as a result of social media. Indeed many practices are engaging in one or more social media platforms on a regular basis. Moreover, staff members are most definitely active in social media, and probably use it while at work.

Physicians and practice managers must be smart about training employees on what they should and should not share online. Staff in your practice could incur liability on behalf of your practice as a result of their comments on social media. Because of the confidentiality rules in HIPAA, staff training is important. You should constantly remind employees that they are representatives of the practice.

You should also have some sort of social media policy in place. Here are a few key items your policy should include:

1. Guidelines and expectations. Your policy should set clear expectations for how team members (as representatives of your practice) must conduct themselves online.

Your policy should clearly state that there will be no posting of protected health information (PHI) and that employees are not allowed to use social media in work areas near patients. Be specific in training your employees and inform them to avoid identifying patients in any way on social media — this includes names, unique characteristics, etc.

Some practices do not allow employees to use social media for personal reasons on work time. While that is fine as a policy, it does not circumvent the need to appropriately train your staff. Moreover, it can be hard to police.

It is advisable to discourage team members from engaging with patients on social media. If they do engage patients, they certainly should not be discussing patient-related matters.

Lastly, someone (most likely the practice administrator) should be designated as the spokesperson responsible for answering questions about your practice on social media.

2. Penalties and consequences. Penalties for data breaches increased under the American Recovery and Reinvestment Act, so your policy should make clear to employees the consequences of their actions on social media sites.

An individual claiming he did not know he violated HIPAA is subject to a minimum of $100 per violation. A HIPAA violation due to reasonable cause and not due to willful neglect carries a minimum fine of $1,000 per violation. A HIPAA violation that is due to willful neglect (but corrected in short order) is subject to a minimum of $10,000 per violation. Lastly, a HIPAA violation that is due to willful neglect and not corrected carries a minimum fine of $50,000 per violation. The maximum fine for each of these four categories is $50,000 per violation.

3. Explanations of rules and regulations. The social media policy should outline what is illegal, what is considered confidential information of the practice, and what is protected health information.

It’s not enough to have a social media policy — employers should put in just as much time and effort in training their employees on the ins and outs of the policy. Make it a separate document from the employee handbook.


Why health IT companies may not take HIPAA seriously until 2016 | mHealthNews


When the Final Omnibus Rule came into effect on March 23, 2013, the intent was to make business associates (BAs) more accountable for the protection of the data they were managing on behalf of covered entities (CEs) such as hospitals or health plans. Prior to this, BAs were only liable for whatever was put into a Business Associates Agreement (BAA) by the CE, and even then that liability was restricted to any civil action that may be taken by the CE. 

However, the Final Omnibus Rule extended the same federal provisions to BAs that had previously been restricted to CEs, meaning that whether a business associate signed a BAA or not, they were federally required to operate in accordance with the Security, Privacy and Breach Notification rules. Failure to do so could result in federal penalties of up to $1.5 million per breach type, and even criminal prosecution.

This change was driven by the fact that an increasing percentage of healthcare data is being managed by BAs such as health IT vendors. While covered entities still account for the majority of breach incidents, BAs are responsible for most of the records breached.

However, after an initial flurry of activity before and after this date, most business associates have responded to this change with general apathy. Being in a position to talk to companies every day who operate as business associates, I am repeatedly underwhelmed by their efforts to take security and compliance seriously, despite this change in the law. Indeed, even when offered the chance to enhance their security posture and, by extension, their compliance to HIPAA regulations in a simple and affordable manner, many decline to do so, stating a conflict of priorities. It's not that they are necessarily unaware of the potential consequences – rather, they simply do not see it as a sufficient priority. They often see themselves as being too small, or that they first need to build a business before worrying about protecting it. And the reality is they see no immediate consequence to their procrastination.

It's like the speed limit being reduced from 65 mph to 55 mph. While notices are posted, after initial caution by drivers, they see no police cars on the side of the road or any evidence that anyone is being pulled over, so they don’t reduce their speed. Indeed, as more cars come onto the freeway some start to go faster, which encourages others to follow suit. Everyone knows they are speeding, but then everyone else is doing it and no one seems to be getting penalized for it.

The challenge for companies is that while there may not be visible enforcement right now, that is because it takes a while for breaches to be discovered, investigated and adjudicated – on average about three years. Most HIPAA judgments being pronounced today relate to breaches that occurred in 2011.

So to extend the previous analogy, while there may not be police visible on the side of the road, there are speed cameras. The violators will not receive their speeding ticket until a considerable time after the offence was committed, meaning they continue to speed long after their first offence.

In terms of HIPAA enforcement that means most judgments will not become public until 2016, at which time I would hope most BAs will already have realized that it can happen to them, and will have started making adequate protections an imperative. But until they do, they will need to hope they do not drive past an OCR speed camera.


