HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Law Enforcement

The battle between individuals’ privacy rights and the needs of law enforcement has raged for centuries in one form or another. When the HIPAA Privacy Rule was implemented, its authors tried to appease, as it were, both sides.

The resulting “compromise” is that protected health information – the information the HIPAA Privacy Rule affords some protection from disclosure – can be disclosed when disclosure is needed by law enforcement.

There are limits, however, as to how, where, when, and why law enforcement may obtain this information.

The HIPAA law enforcement exception to the general rule restricting use and disclosure of PHI (unless an exception permits or requires use or disclosure) is discussed below.

What is the HIPAA Law Enforcement Exception?

The HIPAA law enforcement exception can be found in the text of the HIPAA Privacy Rule.

The Privacy Rule provision that addresses whether PHI can be disclosed to law enforcement is 45 CFR § 164.512. This provision is entitled, “Uses and disclosures for which an authorization or opportunity to agree or object is not required.”

The provision then lists circumstances under which PHI may be used or disclosed, despite the general rule. Circumstances allowing use of PHI without written authorization (or an opportunity to agree or object) include (among others):

  • A specific state or federal law requires the disclosure of PHI.
  • Public health activities, which include (among other things):
    • Reporting of disease or injury
    • Reporting vital events such as birth or death
    • Conducting of public health surveillance
    • Conducting of public health investigations
    • Conducting of public health interventions
  • When a covered entity reasonably believes an individual is a victim of abuse, neglect, or domestic violence.
  • When a health oversight agency seeks to conduct health oversight activities authorized by law. These activities include:
    • Inspections
    • Licensure or disciplinary actions
    • Civil, administrative, or criminal proceedings or actions
    • Other activities necessary for appropriate oversight of the healthcare system, government benefit programs, and of:
      • Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
      • Entities subject to civil rights laws for which health information is necessary for determining compliance.
  • Disclosures for judicial and administrative proceedings.
  • Law enforcement purposes.

The HIPAA Law Enforcement Exception: What Does it Cover?

Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances (subject to certain conditions): 

  • As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; 
  • To identify or locate a suspect, fugitive, material witness, or missing person; 
  • In response to a law enforcement official’s request for information about a victim or suspected victim of a crime; 
  • To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; 
  • When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and 
  • By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

What is a HIPAA Violation? What Are The Fines /Penalties? 

Signed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is legislation that provides data privacy and security provisions for safeguarding medical information. Essentially, if you’re handling, transmitting, in possession of, or responsible for any health records, you’re going to need to be in compliance with HIPAA.

Regulation around HIPAA is strict and specific. However, what happens if HIPAA guidelines aren’t followed to the letter?

It’s important to know what constitutes a HIPAA violation so that personal data is protected.

Did you know that there are stiff penalties and fines for a violation? A breach could also destroy your business and your credibility within the healthcare community.

HIPAA Penalty & Fine Structure

What are the consequences of violating HIPAA?

There are four tiers of HIPAA violations:

    • Tier 1. Lack of awareness where a covered entity or individual was unaware that the act in question was a violation. Fines start at $100 and go up to $50,000 per violation, topping out at $1.5 million each year.
    • Tier 2. Reasonable cause to believe the individual or entity knew about the rule or regulation. Issues at this tier are considered a lack of due diligence. The fines range from $1,000 to $50,000 per violation. The maximum fine is $1.5 million per year.
    • Tier 3. The HIPAA violation was performed with willful neglect. The party then corrected the violation within the required time period of 30 days after discovery. Fines at this tier start at $10,000 and go to $50,000. The maximum penalty is $1.5 million per year.
    • Tier 4. At this tier, the violation was made with willful neglect of HIPAA Rules. Further, the entity made no effort to correct the violation. There is a standard $50,000 fine per violation at this tier with a maximum fine of $1.5 million each year.

There are also criminal penalties for HIPAA violations and potential jail sentences:

    • Unknowingly or with Reasonable Cause. The person may receive a jail sentence of up to one year.
    • False Pretenses may result in a maximum jail sentence of five years and a fine of up to $100,000 per violation.
    • Personal Reasons or to Commit Fraud or a Crime. Malicious intent such as data breaches may lead to a jail sentence of up to 10 years and a fine up to $250,000 per violation.

As you can see from the HIPAA fines chart, the penalty structure for violations can act as a strong deterrent for healthcare organizations.

Recent HIPAA violations cases reported by federal law enforcement include:

    • Memorial Healthcare System received a fine of $5,500,000 in 2017
    • Children’s Medical Center of Dallas incurred a penalty of $3,200,000 in 2017
    • Advocate Health Care Network’s violation warranted a $5,500,000 fine in 2016

Five common mistakes and how to avoid them for 2015 HIPAA audits

2014 saw a rise in data breaches and HIPAA compliance failures within the healthcare industry. The Office for Civil Rights (OCR) takes privacy and security seriously, and more organizations have been fined for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA). This year, the OCR will use the HIPAA audit program to randomly assess healthcare entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. Here are five mistakes to avoid:  

  1. Failure to keep up with regulatory requirements

Gain a better understanding of specifications for standards as “required” versus “addressable.” Some covered entities must comply with every Security Rule standard. Covered entities must determine if the addressable section is reasonable after a risk assessment, and, if not, the Security Rule allows them to adopt an alternative measure. Be sure to document everything, particularly since the OCR may look at encryption with audits this year.  

  2. No documented security program

The OCR wants to know how you implement a security risk assessment program, so be sure your organization has a documented security awareness program. Once you know the requirements, assess your environment and your users. Does your organization have a security and compliance program in place? How well is it implemented? Who is involved? How often do you communicate? Everyone in your organization should be held responsible for ensuring the safety of data and following proper procedures. Have a plan and a point person in place, and ensure your compliance and security teams talk to each other. Create a committee with stakeholders and clear responsibility, and make sure the plan is documented, communicated and enforced across the organization.

  3. A reactive approach to audits

Once you establish a security program, proactively monitor security and performance indicators, as OCR audits will focus heavily on breach response plans and the controls you have in place to protect against breaches. Auditors will look for access to critical group memberships, so make sure you’re auditing and reporting on user activity – including your privileged users. Auditors are increasingly interested in this area because of the recent rise in insider incidents.

  4. Assumptions regarding business associate agreements

Contractors and subcontractors who process health insurance claims are liable for the protection of private patient information. Make sure you have an updated business associate agreement in place, and ensure the chain of responsibility is documented, agreed upon, and reviewed frequently by both parties. You can find sample contracts offered by the OCR to help you through this process. 

  5. A checkbox approach to compliance

Regulators want to discontinue the checkbox approach to compliance in favor of a risk-based security approach. Compliance and security must go hand-in-hand, and organizations will benefit from incorporating this mindset across both teams. Strong security measures make it easier to meet compliance regulations. By adopting an organizational self-discovery approach, you will have a higher level of visibility and awareness of internal issues, and achieve a more resilient business process and the next level of organizational maturity.


Is healthcare prepared for data-sharing's security risks?

The data-sharing requirements for the Meaningful Use program and the Affordable Care Act pose significant security challenges to healthcare organizations, and Erik Devine, chief security officer at Riverside Medical Center, predicts organizations will learn this year just how prepared they are.

In an interview with HealthcareInfoSecurity, Devine says his 370-bed hospital in Kankakee, Illinois, will focus on employee training, making sure systems are patched and third-party review--"making sure we're doing what our policies say we're doing."

He foresees more persistent threats in 2015, such as the Sony hack and other breaches seen last year.

"I think healthcare is going to see a lot of attacks in ransomware," Devine says. "Employees leaking data unknowingly is a big threat to healthcare systems. Hackers are going to take advantage of that and look for the monetary value in return."

Health information exchanges will pose particular challenges, he adds.

"Are we prepared to manage all the information that's flowing in and out of the system? ... Trying to get information for the patient out there in the real world so they have better experiences at any hospital they visit will obviously carry significant risks. Is healthcare ready for that change? That's what we're going to determine in 2015 and further."

In its 2015 Data Breach Industry Forecast, Experian called healthcare "a vulnerable and attractive target for cybercriminals." It also noted that employees remain the leading cause of compromises yet receive the least attention from their employers.

Security experts foresee phishing and ransomware attacks posing particular challenges to healthcare organizations in the coming year.

To help protect against threats like those, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Entities such as the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and the National Cyber-Forensics & Training Alliance provide information on threats, malware and vulnerabilities that organizations can use to strengthen their security, Bell says. Vendors of security products also often have their own intelligence feeds.

Stolen Patient Information Prompts Data Breach Warning from Shoreview Company

An alert about a data breach involving an orthopedic medical device company in Shoreview affects not only Minnesotans, but others across the country as well.

A contractor for the company DJO Global went inside a coffee shop in Roseville on Nov. 7 and left a laptop containing private patient information in a backpack on the backseat of his car. A thief saw the backpack, smashed the window and stole it.

DJO Global notified patients in a letter that their private information stored on the computer had been stolen. The data included patients' names, phone numbers, diagnosis codes, surgery dates, health insurers, and clinic and doctor names. A handful of Social Security numbers were taken, too.

Worried individuals have contacted police.

"We received hundreds upon hundreds of phone calls from all over the country," Lt. Lorne Rosand with the Roseville Police Department said.

A spokesman for DJO told 5 EYEWITNESS News via email that no credit card information was taken. The information was in limbo from Nov. 7-21.

"If someone is able to glean information, name, dates, birth, social security information — that's a gold mine," Rosand said.

DJO says the laptop had password protection in place but wasn't encrypted. There were firewalls, tracking and remote software intact that allowed the data to eventually be erased remotely. DJO says it's doing an internal investigation and security assessment.  

Roseville police call this situation a reminder for everyone.

"When people leave valuables in vehicles such as laptops, there's only a piece of glass between the bad guy and your property; that glass can be shattered," Rosand said.

If you received a letter from DJO or believe your information might be at risk, you can set up a fraud alert with the three credit reporting agencies as a precaution. 

The thief has not been caught.


HIPAA Hurdles in 2015 | HIPAA, HITECH & HIT

Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court:  “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself.  Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1. More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms. For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with a specific state’s (or states’) privacy and security law requirements, limit the creation or use of de-identified data derived from the covered entity’s PHI, or purchase cybersecurity insurance. The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do. In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow. As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2. More HIPAA complaints – and investigations. As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI. Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3. More PHI-Avoidance Efforts. Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future. “I’m Not Your Business Associate” or “We Do Not Create, Receive, Maintain or Transmit PHI” notification letters may be sent and “Information You Provide is not HIPAA-Protected” warnings may appear on “Terms of Use” websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!


Achieve Cybersecurity While Complying with HIPAA Standards | EMR and HIPAA

Within the past 24 months, nine out of 10 hospitals in the U.S. have fallen victim to an attack or data breach, according to a recent report from the Ponemon Institute. The landscape of the healthcare IT industry is transforming rapidly due to significant changes in patient information management and today’s evolving threat landscape. Advancements in technology and government regulations have powered an explosive growth in the creation and storage of protected healthcare information (PHI). To prepare for new attacks targeting sensitive patient data, healthcare organizations need to recognize the risks of noncompliance and how the deployment of certified, secure, and trusted technologies will help ensure compliance with Health Insurance Portability and Accountability Act (HIPAA) standards.

According to the 2012 National Preparedness Report conducted by the Federal Emergency Management Agency, the healthcare industry is already prepared for many types of emergencies and contingencies. However, the same study showed that healthcare organizations are overall still unprepared for most cyber attacks.

The report highlighted that cybersecurity “was the single core capability where states had made the least amount of overall progress.” Of the state officials surveyed, merely 42 percent feel they are adequately prepared. The report also showed that in the last six years, less than two-thirds of all companies in the U.S. have sustained cyberattacks. From 2006 to 2010, the number of reported attacks in the U.S. rose by 650 percent. During the Aspen Security Forum last year, Keith B. Alexander, head of the National Security Agency and the new United States Cyber Command, indicated that the U.S. has seen a 17-fold rise in attacks against its infrastructure from 2009 through 2011.

In such an environment, it is a top priority for healthcare organizations to comply with HIPAA standards. Before the signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it was understood industry-wide that HIPAA was not strictly enforced. Under HITECH, healthcare providers could be penalized for “willful neglect” if they failed to demonstrate reasonable compliance with the Act. The penalties could be as high as $250,000 with fines for uncorrected violations costing up to $1.5 million.

In certain instances, HIPAA’s civil and criminal penalties now encompass business associates. While a citizen cannot directly sue their healthcare provider, the state attorney general could bring an action on behalf of state residents. In addition, the U.S. Department of Health and Human Services (HHS) is now required to periodically audit covered entities and business associates. This implies that healthcare providers are required to have systems in place to monitor relationships and business practices to guarantee consistent security for all medical data.

If information systems are left vulnerable to attack, providers face significant risks to their business. These targeted attacks in the healthcare industry can come in a variety of forms. In Bakersfield, CA, the Kern Medical Center was attacked by a virus that crippled its computer systems. The hospital took approximately 10 days to bring the doctors and nurses back online. A Chicago hospital was attacked by a piece of malware that forced the hospital’s computers into a botnet controlled by the hacker. A year later, the hospital was still dealing with the attack’s aftermath. Following the theft of a computer tape containing unencrypted personal health information from an employee’s automobile, the DoD faced a multi-billion-dollar lawsuit. The Veterans Administration (VA) fought a two-year battle against intrusions into wireless networks and medical devices, including picture archiving and communication systems (PACS), glucometers and pharmacy dispensing cabinets.

Patients are protected against identity theft if medical information is encrypted and secured. Simultaneously, information must be kept readily available when necessary, such as for emergency personnel. The subsequent benefits are important in order to keep businesses competitive, including better quality of patient care, improved patient outcomes, increased productivity and workflow efficiency, better information at the point of care and improved and integrated communications between doctors and patients.

The Key to HIPAA Compliance

In order to meet the HITECH Act requirements, encryption must be used on the main service provider network as well as its associated partner networks. Encryption uses an algorithm to convert the data in a document or file into an indecipherable form before it is transmitted; the recipient then decrypts it, so that unauthorized personnel cannot read it along the way. Successful use of encryption depends on the strength of the algorithm and on the security of the decryption “key” or process, both when data is in motion through a network and when it is at rest in databases, file systems, or other structured storage.

In order to achieve HIPAA compliance, healthcare providers should leverage verified, certified network security products and architectures. Recommended by the HHS and mandated by the U.S. Department of Defense (DoD) for encryption, Federal Information Processing Standard (FIPS) 140-2 certified encryption products reliably safeguard healthcare data with proven security in order to diminish risks without increasing costs.

Technologies that are fully FIPS-140 certified provide organizations a level of security that will remain compliant through at least 2030, unlike legacy cryptographic systems.

A New Degree of Confidence

Today, closed networks are almost nonexistent as most offices have Internet access, at the minimum. With the use of electronic transactions increasing in healthcare, including e-prescriptions and electronic communication, many medical organizations use open systems that necessitate the use of encryption technologies.

Technology providers can easily assert that a system is secure by using the highest level of encryption technologies on the market. With the degree of public visibility of breaches of trust, organizations have no reason to risk exposure with technology systems that fail to meet the FIPS 140-2 standard for data encryption. Without this certification, the cryptography function on the network has demonstrated a less than 50 percent chance of being correctly implemented, which also implies there is a 50 percent chance that the cryptography can be cracked. By purchasing solutions with FIPS validation, healthcare organizations achieve a new degree of reassurance that their critical data is secure, allowing them to minimize risk without an increase in costs.


What Can You Expect in 2015 Regarding HIPAA Enforcement? | The National Law Review

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009.  An increase in the number of breaches isn’t the only statistic on the rise.  Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463).  It doesn’t take a crystal ball to predict that these numbers in 2015 will continue to rise.  We haven’t reached the apex yet.

The newly approved 2015 federal budget does not include an increase in funding for the federal agencies responsible for enforcing HIPAA, including the HHS Office of Civil Rights (OCR), but HHS isn’t viewing it as a setback. Per an OCR spokeswoman, “OCR’s strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track…” Just a few weeks ago, HHS settled with the Alaska Department of Health and Human Services for $1.7 million for potential HIPAA violations.

If enforcement efforts remain on track in 2015, so should compliance efforts next year. Keep your HIPAA policies and procedures up to date and conduct regular risk assessments. If your organization has not addressed security on mobile devices, do so now. Especially if you are contemplating a transaction in 2015, it’s time to take a deep dive regarding HIPAA compliance.


AMIA’s Recent HIPAA Compliance Question: A Legal Perspective | HealthITSecurity.com

Last week an American Medical Informatics Association (AMIA) letter to state Representative Fred Upton was released. AMIA called for HIPAA compliance to be updated to allow for exemptions in terms of access to patients’ PHI, specifically for “observational or data research.”

Overall, many of the topics discussed in the letter are unlikely to cause too many disagreements in the healthcare industry, according to Brad Rostolsky, a partner at the Philadelphia-based law firm Reed Smith. Rostolsky specializes in healthcare regulatory and transactional law, and said in a recent interview with HealthITSecurity.com that the crux of the letter seems to be about asking to amend the definition of HIPAA operations to include data research.

With respect to that, the question that immediately comes to mind is “Do the patients get a say in whether their information is being used for this purpose?” Rostolsky said.

“There’s an implicit kind of assumed truth in this letter that uses for research purposes are necessary,” he explained. “All of the other uses that don’t require authorization, generally speaking, are things that the provider needs to do in order to be a provider.”

For example, healthcare providers need to do things for their own business purposes, such as engage billing companies, collection companies, and their EMR vendor. Patients’ information is likely to be involved in all of those scenarios. The AMIA letter is questioning whether or not research should be put into the group of things that HIPAA considers a necessary component of disclosure of information.

“To facilitate the discovery, development and delivery of new treatments and cures, AMIA believes that we must develop a ‘learning health system’ in which the data and information generated during routine delivery of health care is leveraged across clinics, hospitals and integrated networks…” the letter stated.

Moreover, AMIA recommended that Congress should convene a multi-stakeholder “HIPAA Barriers” working group to discuss the elimination of barriers that prevent data movement. A Health IT Safety Center could also be beneficial, so event reporting, education, data aggregation, and the creation of best practices could improve patient safety and the effective use of health IT, AMIA stated.

Few people will likely have a problem with a task force or working group to discuss certain healthcare issues, like HIPAA barriers, Rostolsky said. In fact, he said that it would be a good idea. However, he added that there are definitely going to be privacy concerns.

“I do think that some patients don’t want their information being used in that way,” Rostolsky said. “People can be private and, ultimately, I think the concern from a patient perspective would be whether or not there would be any unintended reaction by the patient if they’re aware of this to not be as likely to go to the physician or for [the organization] to be as forthright about things.”

It will likely come down to patient rights versus the benefits of research, according to Rostolsky. At a minimum, it’s certainly good that folks are talking about the issue and forcing the various stakeholders to ask questions, he said.

“Clearly people should have the right to largely control what happens with their information, outside of things necessary to provide them with a service,” Rostolsky said. “But at the same time, I think that everyone would hopefully agree that doing research to further medical advancements is a very important thing that could benefit everyone.”

While it’s difficult to predict how this would – and could – play out, Rostolsky explained that it will still be critical for healthcare organizations to remain vigilant in terms of keeping patient data secure.

“The more people who touch information and have the ability to access it uninhibited, the more likely a problem could occur,” he said, adding that the letter did speak to the importance of still adhering to all HIPAA data breach notification regulations.


Are You Ready for a HIPAA Security Risk Assessment? | HealthITSecurity.com

There are numerous aspects of a HIPAA security risk assessment that healthcare organizations must keep in mind.

Even though the Department of Health and Human Services’ (HHS) HIPAA security risk assessment tool has been available for less than a year, industry experts have said it is a great way for healthcare organizations to improve their risk analyses. Healthcare regulatory compliance is important for facilities for numerous reasons. Not only do providers want to avoid hefty fines for HIPAA violations, they also want to reassure patients that their electronic protected health information (ePHI) will remain secure.

But even with the HHS tool, do healthcare organizations understand what must be done to be fully prepared for a HIPAA security risk assessment? HealthITSecurity.com decided to pull together important points for facilities to keep in mind, ensuring that they are ready for a risk assessment.

Identify all ePHI

A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. These reviews can also reveal areas where ePHI could be at risk, which is why it’s important for healthcare organizations to identify all ePHI that they create, maintain, or transmit.

For example, are there any vendors or consultants that have access to ePHI? If so, what is their process? Covered entities must understand not only how patients’ data is used, but also how it is transmitted. Failing to account for even one storage location could lead to regulatory fines.

Moreover, healthcare facilities need to account for all types of threats to the ePHI during a HIPAA security risk assessment. This includes human, natural, and environmental threats to information systems.

“All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule,” according to HHS. “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.”

Specifically, the HIPAA Security Rule requires organizations to create and implement policies that “prevent, detect, contain, and correct security violations.” This process will be much easier after healthcare facilities know where all ePHI is located.

Identify threats, assess security measures

When all assets, including ePHI, have been identified, healthcare facilities should pinpoint any potential threats or security risks. From there, organizations can benefit from ranking those risks in terms of severity of impact and likelihood of occurrence. An external cyberattack might be the more likely threat to your facility, but a disgruntled employee could also pose an internal risk. No possibility should be ignored.

Moreover, healthcare facilities should review the types of protections currently in place. Is there up-to-date data encryption, firewalls or anti-malware protection? If not, are there areas that could benefit from such protections?

If any gaps are discovered, they must be immediately addressed. Should any data breaches occur, and it is proven that a facility did not properly assess its risks, heavy penalties could follow.

“An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability,” according to HHS’ “Guidance on Risk Analysis.” “An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.”

Conduct periodic reviews

A crucial aspect that can be overlooked is that healthcare organizations need to update their risk analyses. Technology continues to evolve, and as such, so can the potential security risks. An ongoing risk analysis procedure will be much more helpful, and further decrease the likelihood of an area being overlooked.

“A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation,” HHS stated on its website.

Any of the following could be a reason for a new analysis:

  • The organization experienced a security incident
  • There is new ownership
  • A facility sees turnover in upper management or other key roles
  • New technology is introduced

“If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed,” according to HHS.

A risk analysis is a vital first step for proper healthcare security management. Organizations need to not only understand potential risks, but also be aware of what steps they can take to mitigate those risks. Moreover, it’s important to understand that different types of assessments will benefit different organizations. Methods can vary depending on facility size, along with its complexity and capabilities. For example, a small healthcare provider might not have ePHI stored with a third-party vendor; instead, it is located within the main building. However, this does not mean that its ePHI servers are more or less secure than those of a large provider.

It cannot be guaranteed that a data breach will never occur at a facility, but by adhering to HIPAA security risk assessment requirements, the odds will be lower.
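The identify, rank, and review procedure described above, worked as an added example in Python (not code from the article or from HHS): a small quantitative risk register over a constructed ePHI inventory, with findings for the safeguards the article and the ACMHS settlement single out (firewalls, patching, vendor support, encryption, vendor access) and a check of the listed reasons for starting a new analysis. The policy thresholds, system names, record counts and dates are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumed internal policy thresholds (not HHS numbers): patches older than this
# count as a gap, and a risk analysis older than this is stale.
PATCH_WINDOW_DAYS = 90
MAX_ANALYSIS_AGE_DAYS = 365

# The reasons the article lists for starting a new analysis.
REANALYSIS_TRIGGERS = {"security_incident", "new_ownership",
                       "key_role_turnover", "new_technology"}


@dataclass(frozen=True)
class EphiSystem:
    """One place where ePHI is created, received, maintained or transmitted."""
    name: str
    records: int              # individuals whose ePHI the system holds
    third_party: bool         # held or accessed by a vendor or consultant
    encrypted_at_rest: bool
    behind_firewall: bool
    vendor_supported: bool    # software still receives security updates
    last_patched: date
    antimalware: bool
    internet_facing: bool


def impact_score(system: EphiSystem) -> int:
    """Impact 1..5 by individuals affected; 500 or more is the threshold at
    which a breach must be reported to HHS and the media without unreasonable delay."""
    if system.records >= 500:
        return 5
    if system.records >= 100:
        return 4
    if system.records >= 10:
        return 3
    return 2 if system.records > 0 else 1


def findings(system: EphiSystem, today: date) -> list[str]:
    """Gaps against the safeguards the article and the ACMHS settlement name."""
    gaps = []
    if not system.behind_firewall:
        gaps.append("no firewall protecting the system")
    if not system.vendor_supported:
        gaps.append("unsupported software with no security updates")
    if (today - system.last_patched).days > PATCH_WINDOW_DAYS:
        gaps.append(f"patches older than {PATCH_WINDOW_DAYS} days")
    if not system.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if system.internet_facing and not system.antimalware:
        gaps.append("internet-facing without anti-malware protection")
    if system.third_party:
        gaps.append("vendor access: confirm BAA and the vendor's handling process")
    return gaps


def risk_register(systems, today: date) -> list[dict]:
    """Quantitative register: likelihood grows with each gap, risk = L x I,
    sorted so the items to remediate first come out on top."""
    rows = []
    for system in systems:
        gaps = findings(system, today)
        likelihood = min(1 + len(gaps), 5)
        impact = impact_score(system)
        rows.append({"name": system.name, "likelihood": likelihood,
                     "impact": impact, "risk": likelihood * impact,
                     "findings": gaps})
    return sorted(rows, key=lambda r: (-r["risk"], r["name"]))


def reanalysis_due(last_analysis: date, today: date, events) -> list[str]:
    """Why a new risk analysis is due: any listed trigger event, or staleness."""
    reasons = sorted(e for e in events if e in REANALYSIS_TRIGGERS)
    if (today - last_analysis).days > MAX_ANALYSIS_AGE_DAYS:
        reasons.append(f"more than {MAX_ANALYSIS_AGE_DAYS} days since last analysis")
    return reasons


# Constructed sample inventory; names, counts and dates are made up.
TODAY = date(2015, 1, 15)
SAMPLE_SYSTEMS = [
    EphiSystem("ehr-db", 2743, False, True, True, True, date(2014, 12, 16), True, False),
    EphiSystem("legacy-billing", 120, False, False, False, False, date(2013, 1, 1), False, True),
    EphiSystem("transcription-vendor-sftp", 40, True, True, True, True, date(2014, 9, 1), True, True),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_SYSTEMS, TODAY):
        print(f"{row['name']:28} L={row['likelihood']} I={row['impact']} "
              f"risk={row['risk']:2} gaps={len(row['findings'])}")
    print("new analysis due:", reanalysis_due(date(2014, 6, 1), TODAY, {"new_technology"}))
```

The unpatched, unsupported, unfirewalled billing host ranks first even though the EHR database holds far more records, which is the ordering a remediation plan should follow.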



OCR fines behavioral health service $150,000 | HIPAA Update


The Office for Civil Rights (OCR) announced December 8 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations, according to a press release. 

OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service. On March 12, 2012, ACMHS notified OCR of a breach affecting 2,743 individuals. The breach was the result of malware that compromised the security systems of the behavioral healthcare provider, according to OCR.

The resolution agreement states that ACMHS failed to:

  • Conduct an accurate and thorough risk assessment of ePHI from April 21, 2005, through March 12, 2012
  • Implement security policies and procedures to reduce risks and vulnerabilities to ePHI from April 21, 2005, through March 12, 2012
  • Implement technical security measures to safeguard against unauthorized access to ePHI by failing to ensure firewalls were in place and that information technology resources were supported and updated with patches from January 1, 2008, through March 29, 2012

In addition to the monetary settlement, as part of the corrective action plan with OCR, ACMHS agreed to:

  • Provide an updated version of its security policies and procedures
  • Adopt a revised version of OCR-approved security policies and procedures
  • Distribute revised security policies and procedures to workforce members who work with ePHI and provide security awareness training
  • Obtain signed written or electronic initial compliance certification from all workforce members stating that they read, understand, and will abide by security policies and procedures




Are You Ready for a HIPAA Audit?


CynergisTek, a health information technology security consultancy, is offering a full-scale mock audit for HIPAA privacy, security and breach notification compliance to prepare covered entities for real audits from the HHS Office for Civil Rights.

The mock audit will apply OCR timelines and follow the government’s process, starting with receipt of an audit notification letter. Other areas covered include compiling required documentation and reviewing it for deficiencies, onsite interviews with staff, draft and final audit reports, a workshop on findings and lessons learned, and a performance evaluation presentation to senior executives.

“CynergisTek will hold your staff to OCR standards when assessing your organization’s ability to demonstrate HIPAA compliance and will identify your organization’s readiness and ability to respond,” according to information from the company. The audit may be disruptive to normal operations, as would a real one, it warns.




Latest HIPAA Settlement – Unpatched And Unsupported Software | The National Law Review


The latest Office for Civil Rights (OCR) HIPAA settlement announced on December 8, 2014 highlights the OCR’s recent and continuing focus on the Security Rule. Anchorage Community Mental Health Services (ACMHS) agreed to settle potential HIPAA violations with a $150,000 fine and the adoption of a corrective action plan. This matter was prompted by ACMHS’ report to OCR of a breach of electronic protected health information (PHI) affecting about 2,700 individuals. The OCR determined that the incident was the direct result of ACMHS’ failure to identify and address basic risks such as running outdated and unsupported software, and failure to regularly update software patches. The OCR also noted that while ACMHS had adopted “sample” Security Rule policies and procedures in 2005, such policies and procedures were not followed.

This latest settlement provides the following key reminders to those subject to HIPAA:

  • The Security Rule, which relates to electronic PHI, continues to be a focus of the OCR;

  • A basic requirement of the Security Rule is that Covered Entities and Business Associates should regularly conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the security of electronic PHI;

  • Covered Entities and Business Associates should remain current on software and software patches to help avoid malware and other hacking incidents; and

  • HIPAA policies and procedures should be meaningful to your organization and should be regularly used, reviewed, and revised as necessary.




Why You Should Follow HIPAA Compliance For The Success Of Your Dental Practice


In 2018, ten companies had to pay $28.7 million in HIPAA fines. United States law requires all covered entities to comply with HIPAA. Covered entities, in this case, refer to health care providers such as hospitals, dental clinics, and pharmacies.

The American Dental Association conducted research which indicated a significant increase in dental practices, both in size and number.

Statistics show that the number of US citizens with access to dental care rose to 248 million in 2016, from 170 million in 2006.

The growth of dental practices across the states makes them more exposed to hacking.

This is where HIPAA comes in. For dentists, the HIPAA rule comprises:

• the Security Rule
• the Privacy Rule
• the Breach Notification Rule

WHAT IS HIPAA?

HIPAA compliance refers to the process through which covered entities and business associates adhere to a set of rules that seek to protect Protected Health Information (PHI).

In simple terms, it seeks to ensure a patient’s healthcare data remains private. Protected Health Information is any individual’s healthcare data. The Privacy and Security Rules control what healthcare professionals such as dentists can and cannot do with your PHI.

THE IMPORTANCE OF HIPAA

HIPAA was initially introduced in 1996 to address insurance coverage for people working two jobs. It also sought to prevent health care fraud and to protect patients’ health information.

FOR YOUR DENTAL PRACTICE, FOLLOWING HIPAA WILL:

• Immensely help you transition from manual to electronic health records.
• Streamline your administrative healthcare functions.
• Protect your clients’ health information.
• Set boundaries regarding the use and release of health records.
• Boost the efficiency of your clinic.
• Hold violators accountable for violating a patient’s rights, through both criminal and civil penalties.

FOR YOUR PATIENTS, FOLLOWING HIPAA WILL:

• Safeguard their personal and sensitive health information.
• Give them control over who gets access to their information.
• Give them the right to obtain and review their health records, and to request corrections when necessary.


Texas Expands HIPAA Privacy Laws to Bolster EHR Security


Governor of Texas, Rick Perry, has signed a new law to give Texas residents even greater protection than required by the Health Insurance Portability and Accountability Act and has increased penalties for healthcare organizations that fail to implement the appropriate security measures to protect the health data of patients.

 

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), covered entities have a number of responsibilities, including reporting data breaches to the Office for Civil Rights (OCR). Data breaches are reportable to the OCR, either in an end-of-year report or after an investigation, depending on the number of individuals affected.

 

HIPAA places a number of restrictions on how ePHI is used and stored, and all covered entities are required to conduct a full risk analysis to assess systems for security vulnerabilities to allow risk to be managed. It also lays down the procedures that must be followed after a data breach, such as notifying potential victims. Covered organizations are also required to conduct an investigation into how a breach occurred as well as a risk of harm analysis.

 

One of the main aims of HIPAA has been to improve the standard of data security and protect the privacy of patients. HIPAA and HITECH can be seen as minimum standards that must be followed, and states are allowed to increase data security rules, provided that all HIPAA requirements are met.

 

Texas has now exercised the right to tighten state privacy laws to ensure electronic Protected Health Information is kept private and confidential.

 

Greater Protection for Texas Residents
The new Texas law follows HITECH, although it makes a number of amendments to further restrict the use of ePHI. The penalties have been increased for wrongful disclosure, breach notification requirements have been updated, and healthcare organizations must provide more training to staff. A new requirement is that data privacy and security training must now be provided to employees every two years. Training courses must be documented and all attendees must sign to confirm that they have received training. A 60-day time limit now also applies to providing new employees with training.

According to the new law, “an individual’s PHI may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, healthcare operations, insurance purposes, and as otherwise authorized by state or federal law.”

 

Harsher Penalties for Wrongful Disclosure of ePHI
Failure to comply with the new legislation will result in increased financial penalties and possibly criminal penalties – the theft of ePHI is now considered a felony – being applied for the wrongful disclosure of ePHI. The state is also able to revoke both professional and institutional licenses. Financial penalties have been increased to a maximum of $250,000 for intentional disclosure of ePHI for financial gain, $25,000 for intentional or knowing violation and $5,000 for each individual negligent violation, although the maximum penalty for repeat offenders is $1.5 million and enforced withdrawal from Medicaid, the Children’s Health Insurance Program and other state funded healthcare initiatives is also a possibility.

 

When assessing violations, the seriousness of the data breach will be considered along with significant risk of harm, past history of the organization, certification, the efforts made to mitigate any damage caused and the amount necessary to deter the organization from allowing further violations to occur. Failure to issue breach notifications to affected individuals will also be penalized at a rate of $100 per day, per individual, up to a maximum fine of $250,000.

 

HIPAA regulations require employers to provide training on the data Privacy and Security Rules, although this is only required within a short time frame of the commencement of employment and after a material change in Privacy and Security policies. Under the new Texas law there is a requirement for ongoing training to be provided to staff, and this must also be tailored to the employee’s position within the company. Rules have also changed on breach notifications to include all HIPAA covered entities, including business associates, as well as non-HIPAA-covered entities that wrongfully disclose ePHI.


Former Ind. dentist to pay $12K after allegedly violating HIPAA...


Indiana Attorney General Greg Zoeller reached a $12,000 settlement with Joseph Beck over allegations that the former Kokomo dentist violated the Health Insurance Portability and Accountability Act (HIPAA) by improperly disposing of patient records.

After the Indiana Board of Dentistry permanently revoked Beck's license to practice, more than 60 boxes from his Comfort Dental clinic were found in an Indianapolis trash dumpster in 2013. The boxes contained files that allegedly held private information on more than 5,600 patients dating from 2002 to 2007, which violated state privacy laws as well as HIPAA regulations, Zoeller said.


The information ranged from full names and phone numbers to addresses and Social Security numbers. No cases of identity theft were reported.

Beck allegedly had hired Just the Connection, Inc., a third-party company, to retrieve and dispose of the records.

“In an era when online data breaches are top of mind, we may forget that hard-copy paper files, especially in a medical context, can contain highly sensitive information that is ripe for identity theft or other crimes,” Zoeller said. “This file dump was an egregious violation of patient privacy and safety.”

Beck's license to practice in Indiana was revoked over allegations of negligence and fraudulent billing practices.



Fearing The Dreaded HIPAA Audit?


The HHS Office for Civil Rights plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. David Holtzman, a former senior advisor at OCR and now VP of compliance services at security firm CynergisTek, offers the following outline of what providers selected for an audit can expect and how to prepare.

 

Red Flags

In a 2012 pilot audit program, security rule problems were seen twice as often as anticipated, so expect security issues addressed under a permanent audit program to be bumped up. OCR found through the pilot audits that many organizations had not conducted a security risk analysis or had never updated an initial analysis, which signals that an organization is not taking HIPAA seriously. Other areas with significant deficiencies included access management, security incident procedures, contingency planning, audit controls, and movement and destruction of protected health information.

 

Getting Notified

OCR plans to send notification letters to 1,200 healthcare organizations to confirm their address, HIPAA officers, sizes and functions. This is not an audit notice, but the information will be used to build a list of those that will be audited. Organizations selected for audit by OCR will not receive email notification; they will receive a formal audit notification letter, so beware of scammers.

 

Desk Audits

About 200 covered entities and 300-400 business associates will receive notification of a "desk audit," which will include a request for submission of specific content and other documentation that demonstrates the scope and timeliness of an organization's efforts to comply with HIPAA rules. Focus areas for covered entities likely will include risk analysis and risk management, content and timeliness of breach notifications and notice of privacy practices updated to reflect changes in the HIPAA Omnibus rule implemented in 2013. The likely focus for breach audits will be risk analysis and risk management, and appropriate breach reporting to covered entities.

 

Follow Instructions

Under a desk audit, only documentation delivered on time will be reviewed. Send only the information required. Auditors likely will be looking for updated privacy practice notices, the ability of patients to get a copy of their health record and to access them electronically if desired, and how organizations treat requests to restrict access to sensitive treatment paid out-of-pocket. Desk audits, Holtzman says, are not an opportunity for a conversation or give-and-take. Auditors will not contact an organization again for clarifications or additional information; they will work only with what they get. Failure to respond to a desk audit notification likely will lead to a more formal compliance review. (Audit findings will not become a matter of public record.)

 

On-Site Audits

OCR this year and likely into 2016 will conduct on-site audits of an unspecified number of covered entities and business associates. This is more comprehensive than a desk audit, with a greater focus on privacy. Expect OCR in these on-site audits to look at security rule compliance in such areas as device and media controls, secure transmissions, encryption of data (including documented justification if you're not using encryption), facility access controls, administrative and physical safeguards, and workforce training. And expect an emphasis on training, as many organizations haven't trained since first required in 2003. "That really rubs [auditors] the wrong way," Holtzman says.

 

Plan Now

If your risk-analysis and risk-management plans are more than 2 years old, update now, Holtzman suggests. Select 10 focus areas covering both the privacy and security rules, and if vulnerabilities have not been addressed, address them. "The best process to prepare for an audit is to be prepared the day the letter arrives," Holtzman says. "Be honest with yourself. Don't paint a happy picture because you think you know what management wants to hear."



What Will HIPAA Enforcer Do in 2015?


Time to rub the dust off my crystal ball and predict what we might see from the Office for Civil Rights in 2015 when it comes to regulatory activities and enforcement of the HIPAA privacy, security and breach notification rules.

But first, note that 2014 represented a year of significant changes in leadership and approach for OCR, the unit of the Department of Health and Human Services that's responsible for HIPAA enforcement. Jocelyn Samuels joined OCR as its director in July. She was tapped to lead the agency by HHS Secretary Sylvia Mathews Burwell when Leon Rodriguez was confirmed as director of the U.S. Citizenship and Immigration Services.

Additionally, OCR's health information privacy division is being led by an acting deputy director following the retirement of Susan McAndrew.

The OCR division responsible for overseeing the work of its regional offices, including enforcement efforts, is also being led by an acting deputy director. In addition to the leadership changes in Washington, three of the 10 managers leading OCR's regional offices were newly appointed this year. That's a lot of leadership change in a short period.

Enforcement Actions

The recent OCR settlement in which an Alaska mental health organization paid a $150,000 fine and agreed to a corrective action plan over shortcomings in their security rule compliance program is the first since director Samuels took over the agency.

This resolution agreement could signal that OCR is regaining its footing after the transition to a new leadership team and will be moving ahead more aggressively to reach settlement agreements in cases where the agency finds serious violations of the privacy and security rules. According to OCR's website, there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews being investigated. I expect the agency will announce more high-profile enforcement actions in 2015.

Through the 2009 HITECH Act, Congress mandated HHS to make a number of significant changes to the privacy regulations, expanding the jurisdiction oversight to business associates, and encouraging the development of new tools for enhanced regulatory enforcement.

The tools include self-funding HIPAA enforcement authority from fines and penalties collected by OCR and an audit program to measure industry compliance. However, significant provisions of the HITECH Act have not been adopted or are in some stage of development. What are the prospects for the remaining provisions of HITECH to be enacted in 2015?

Accounting of Disclosures

The HITECH Act mandated an expansion of the HIPAA Privacy Rule's current standard for covered entities to provide individuals an accounting of unauthorized disclosures, which exempts disclosures made for purposes of treatment, payment or healthcare operations, or TPO. Congress called on HHS to revamp the standard by requiring accounting for disclosures to include TPO disclosures by covered entities and businesses using electronic health records.

In its 2011 proposed rulemaking, HHS sought to give individuals an accounting of uses in addition to expanding the disclosures to be reported. Under intense pressure to scale back the scope of the proposed rule, HHS had its panel of outside experts, the Privacy and Security Tiger Team, make recommendations in December 2013. The team has since disbanded, with HHS taking no action on its recommendations. Nor does publication of a final rule appear to be in the offing anytime soon.

Monetary Settlements

Under HITECH, Congress called for HHS to develop a methodology to distribute a percentage of monetary settlements collected by OCR to individuals affected by breaches.

The first step was for the Government Accountability Office to make recommendations to HHS on a methodology to share a percentage of the proceeds from fines and penalties with consumers harmed by the unlawful uses or disclosures resolved through OCR's investigation. Although the GAO apparently has delivered its recommendations, the HHS regulatory agenda does not include a proposal under development or being reviewed.

With continuing pressure on federal spending restricting the growth of agency budgets and the resources that support OCR's expansive mission, it seems unlikely that the office will aggressively pursue an initiative that would share with consumers the proceeds of its monetary settlements from HIPAA enforcement actions.

HIPAA Audits

The HITECH Act also called on OCR to perform periodic audits of covered entities and business associates' compliance with the HIPAA rules. With funding provided through HITECH, OCR developed and implemented a pilot audit program through which 115 audits of covered entities were conducted.

Beginning in early 2015, OCR plans to audit 200 covered entities, including healthcare providers and group health plans, to measure their compliance with the requirements of the HIPAA privacy, security and breach notification rules. These audits of covered entities will be followed by up to 400 audits of business associates to measure their compliance with the security rule and how they intend to approach their obligations under the privacy and breach notification rules.

In comments at the September 2014 HIPAA security conference hosted by OCR and the National Institute of Standards and Technology, OCR's Iliana Peters said it was the agency's intention to use the audit findings as a tool in the enforcement arsenal. Covered entities found to have significant gaps in their HIPAA compliance will be ripe for follow-up compliance reviews and could face penalties.

With millions of dollars of monetary penalties collected from covered entities since adoption of the HITECH Act changes, this is the one OCR initiative that seems on track. Don't wait for your notice from OCR to prepare for your HIPAA compliance audit. Take action now by going through the steps to ready your organization as if it were to be randomly selected for one of those audits.



Will 2015 be worst year yet for data breaches? | Government Health IT


This past year the FBI warned the entire healthcare realm that security practices are not keeping pace with other industries. And a new report is suggesting that healthcare organizations should expect even more data breaches in the New Year.

Indeed, that means bigger and more costly violations. Global information services firm Experian, in its second annual data breach forecast, cites the growing potential entry points to protected health information, wearables and other mobile devices as among the new technologies making healthcare vulnerable — while other studies in 2014 pointed to healthcare organizations’ widespread lack of confidence in securing PHI. 

Experian is not the only firm saying data privacy and security will get worse in healthcare.

Consultancy IDC’s Health Insights unit, in fact, included two interesting points in its yearly top 10 predictions for healthcare: First, healthcare entities will have experienced at least one and as many as five cyber attacks in the previous 12 months, with one-third of those considered successful, and, second, by 2020 approximately half of all digital health data will be unprotected.


At the same time, attacks will not only grow more sophisticated but, in some ways, be easier to pull off moving forward.

“From 2015 onward, we will see attackers use social media to hunt for high-value targets. They will no longer limit themselves to instigating watering-hole attacks and using spear-phishing emails,” security specialist Trend Micro wrote in its predictions. “They will dramatically expand the attack surface to include Wi-Fi-enabled wearable devices running vulnerable firmware.”

Such vulnerable firmware, it’s worth pointing out, resides in many medical devices of all sorts, not just wearables. 

Symantec, meanwhile, explained the growth in popularity of “crimeware-as-a-service” on the black market.

“Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams,” Symantec wrote in a December blog post. “This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.” 

Security vendor Websense, which focuses on a range of industries, laid down its own prognostications for 2015. The first one: “Call the IT doctor. My hospital is under attack – again!”

“The healthcare industry is a prime target for cybercriminals,” Carl Leonard, principal analyst of Websense Security Labs, said in a report. “With millions of patient records now in digital form, healthcare’s biggest security challenge in 2015 will be keeping personally identifiable information from falling through security cracks and into the hands of hackers.”



Contractor's security flaw causes yet another VA breach


A security flaw in a patient database managed by a third party may have exposed more than 7,000 veterans to identity theft, Federal News Radio reports.

A contractor managing home telehealth services alerted the Department of Veterans Affairs on Nov. 4 about the potential security flaw, which it has since confirmed. The contractor, however, stated that only its own staff and VA staff have accessed the information, which includes patients' names, addresses, dates of birth, phone numbers and VA patient identification numbers.

A VA spokesman said the flaw has been corrected and the agency is closely monitoring the situation. However, the agency has notified and offered credit protection to all 7,054 veterans in the database.

The VA announced in October that it provided remote care to more than 690,000 veterans using telemedicine during fiscal year 2014.

Lawmakers, however, continue to raise questions about how adequately the agency secures patient information. Though the VA has taken action to address previously identified IT vulnerabilities, it has not done enough to prevent future problems, according to a Government Accountability Office (GAO) report issued in November.

In a Dec. 15 letter, Rep. Jackie Walorski (R-Ind.) sought more details about the eBenefits website cyber breach in January that exposed the data of more than 5,000 veterans.

Rep. Mike Coffman (R-Colo.) sent a Nov. 21 letter seeking copies of the Deloitte reports over the last two years that relate to cybersecurity, IT and information management issues, according to the article.

After the latest GAO report criticizing its cybersecurity practices, the VA announced plans to bolster its efforts by adding $60 million to its information security budget. That's in addition to the $160 million a year the VA already spends on cybersecurity.



BOSTON: Children's Hospital settles over data breach | Technology | The Bellingham Herald


Boston Children's Hospital has agreed to pay $40,000 and bolster its patient data security following a data breach that compromised the personal information of more than 2,100 patients, the state attorney general's office announced Friday.

The judgment, entered in Suffolk Superior Court, alleges the hospital failed to protect the health information of the patients, about 1,700 of whom were children.

The data — including names, birthdates, diagnoses and surgery dates — was on a hospital-issued unencrypted laptop stolen from a doctor on official business in Argentina in May 2012. The information had been sent in an email from a colleague.

Under the terms of the consent judgment, the hospital will pay a $30,000 civil penalty and a payment of $10,000 to a fund administered by the attorney general's office for educational programs concerning protected health information.

"Today's settlement will put in place and enforce important technological and physical security measures at Boston Children's Hospital to help prevent a breach like this from happening again," Attorney General Martha Coakley said.

The hospital said it has already toughened security protocols.

"After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that Boston Children's security policies and technologies are state-of-the-art," the hospital said in a statement. "Every device that is issued by Boston Children's is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted."



Net Access Data Centers Achieve HIPAA And HITECH Compliance


Net Access, a leading provider of hybrid colocation, cloud and connectivity solutions, today announced the successful completion of a voluntary third-party audit certifying that its data centers and cloud services comply with current federal and industry standards for protecting consumers' private health information.

The audit, which was conducted by BrightLine CPAs and Associates, Inc., a leading provider of attestation and compliance services, included in-depth review of Net Access' physical data center security management, IT security policies and procedures, data protection, network architecture, monitoring and other safeguards. Upon completion of the audit, BrightLine found Net Access had controls in place to meet federal Health Insurance Portability and Accountability Act (HIPAA) administrative, technical and physical security rule safeguards and Health Information Technology for Economic and Clinical Health Act (HITECH) breach notification safeguards. HIPAA and HITECH set standards to protect the privacy of electronic medical records, including guidelines that healthcare entities must follow to secure such information when it is processed, transmitted or stored in a data network.

"Achieving these independent third party validations underscores our ongoing commitment to provide secure, reliable and compliant data center solutions for our customers, while maintaining the highest standards for the protection of their data," says Raul Martynek, CEO of Net Access. "It's a testament to the hard work and dedication of our team that our facilities and cloud services meet the stringent HIPAA and HITECH security requirements set forth by the federal government."

"Partnering with Net Access allows us to leverage their technical expertise and experience operating HIPAA compliant data centers," says David Ulrich, President and HIPAA Security Officer of ITelagen. "That lets us focus our attention on our customers' needs and not on managing data center compliance and audit issues."




Google cloud gets on board with HIPAA | Healthcare IT News


To all the developers building applications in the cloud that need to comply with HIPAA privacy rules: You've just gained a big ally. Internet behemoth Google recently announced its cloud platform will now be HIPAA-friendly and will support business associate agreements going forward. Google started inking business associate agreements back in 2013 when the HIPAA Final Omnibus Rule went into effect, making BAs accountable for violating certain HIPAA privacy and security rules.

This February, the company went one step further.

"To serve developers who want to build these applications on Google's infrastructure, we're announcing support for business associates agreements for our customers," wrote Google Cloud Platform Product Manager Matthew O'Connor, in a Feb. 5 company post. "We’re looking forward to supporting customers who are subject to HIPAA regulations on Google Cloud Platform."

The HIPAA final omnibus rule took effect September 2013, and it made BAs directly liable for violations of HIPAA rules. The rule also expanded the definition of a BA to include health information organizations, e-prescribing gateways, PHR providers, patient safety organizations and subcontractors with access to protected health information. Moreover, subcontractors are now defined as business associates.

After the rule went into effect, many covered entities reported having difficulties getting BAs to actually sign business associate agreements.

Healthcare IT News spoke with BakerHostetler's Privacy and Security Attorney Ted Kobus back in August 2013, right before the HIPAA final rule took effect. He said that, overall, BAs have been less prepared.

"We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions," Kobus said.

Lynn Sessions, healthcare privacy attorney, also with BakerHostetler, works with many of the more sophisticated BAs on updating their agreements; she said the ones dragging their feet with HIPAA are the cloud providers.

Organizations "new to the party, like cloud providers who thought they were never business associates in the first place, are having to play catch up," said Sessions.


Cloud computing in healthcare is poised for explosive growth. By the end of 2013, analysts estimated the global market would hit nearly $4 billion, representing more than 21 percent growth from 2012, according to the findings of a September 2013 Kalorama report. In comparison, health IT spending over the year was only projected to increase by nearly 11 percent.

"EMR is driving this market," said Bruce Carlson, publisher of Kalorama Information, in a Sep. 19 press statement. "Hospitals are building great systems for gathering electronic records, but they need solutions to store all of that data, and it can't be a new server wing that might compete with needed space for care."




Prison Term for ID Theft at Hospital


A former Alabama hospital worker has been sentenced to serve two years in prison for his role in an identity theft case that led to federal tax refund fraud. The case also has resulted in a class action lawsuit.

The breach at 235-bed Flowers Hospital in Dothan, Ala., spotlights that "insider threats are a large challenge," says privacy attorney Adam Greene, of law firm Davis Wright Tremaine, who is not involved in the case. "Policies, procedures and training can influence good employees, but may have little impact on employees who are considering using information for criminal purposes," he says.


"Some good ways to reduce the risk include thorough background checks of employees, reducing the use of Social Security numbers and other risky information within the organization where possible, minimizing the types of employees who have access to such information, reviewing system activity to identify patterns that may demonstrate abuse of access, and considering technologies such as data loss prevention to reduce the risk of information leaving the network," the attorney adds.

But Greene notes that even with all the right controls in place, "it is virtually impossible to completely eliminate the threat of insiders abusing their access to information systems."
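One of Greene's recommended controls, "reviewing system activity to identify patterns that may demonstrate abuse of access," is the one that can be turned into a routine check. The script below is an added example, not code from the article, from Davis Wright Tremaine or from any hospital named here. It runs over a constructed EHR access-audit log (the line format, the user names, the role names and the thresholds are all assumptions) and flags two patterns that bear on a paper-record theft like the one in this case: a user touching far more distinct patient records in a day than peers in the same role, and a user printing records in bulk.

```python
"""Insider-access review over a constructed EHR audit log (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample audit log (not from any real system): one event per line,
# fields are timestamp, user, role, patient id, action.
_PEER_LINES = [
    "2013-06-03T08:12:00 ltech01 lab_tech P1001 view",
    "2013-06-03T08:20:00 ltech01 lab_tech P1002 view",
    "2013-06-03T08:31:00 ltech01 lab_tech P1003 view",
    "2013-06-03T09:02:00 ltech02 lab_tech P1004 view",
    "2013-06-03T09:15:00 ltech02 lab_tech P1005 view",
    "2013-06-03T09:40:00 ltech03 lab_tech P1006 view",
    "2013-06-03T10:05:00 ltech03 lab_tech P1007 view",
    "2013-06-03T10:20:00 ltech03 lab_tech P1008 view",
]
# One hypothetical user (ltech09) touching 14 unrelated charts and printing
# every other one; generated here so the sample stays short.
_SUSPECT_LINES = [
    f"2013-06-03T{12 + i // 6:02d}:{(i * 7) % 60:02d}:00 ltech09 lab_tech "
    f"P{3000 + i} {'print' if i % 2 else 'view'}"
    for i in range(14)
]
SAMPLE_LOG = "\n".join(_PEER_LINES + _SUSPECT_LINES) + "\n"


def parse_log(text):
    """Parse the space-separated audit format above into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split()
        events.append({"timestamp": ts, "date": ts[:10], "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def distinct_patients_per_user_day(events):
    """Map (user, date) -> set of distinct patient ids that user touched."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["date"])].add(e["patient"])
    return seen


def find_volume_outliers(events, factor=3.0, floor=5):
    """Flag users whose daily distinct-patient count exceeds both an absolute
    floor and `factor` times the median of same-role peers on that day.
    The peer baseline keeps a genuinely busy day from looking like abuse."""
    per_user_day = distinct_patients_per_user_day(events)
    role_of = {e["user"]: e["role"] for e in events}
    peer_counts = defaultdict(list)          # (role, date) -> [count, ...]
    for (user, date), patients in per_user_day.items():
        peer_counts[(role_of[user], date)].append(len(patients))
    flagged = []
    for (user, date), patients in sorted(per_user_day.items()):
        peer_median = median(peer_counts[(role_of[user], date)])
        count = len(patients)
        if count > max(floor, factor * peer_median):
            flagged.append({"user": user, "date": date, "count": count,
                            "peer_median": peer_median})
    return flagged


def find_bulk_prints(events, threshold=5):
    """Flag (user, date) pairs with more than `threshold` print/export events;
    stolen paper records start as records leaving the system."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] in ("print", "export"):
            counts[(e["user"], e["date"])] += 1
    return sorted((user, date, n) for (user, date), n in counts.items()
                  if n > threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in find_volume_outliers(evts):
        print("volume outlier:", hit)
    for user, date, n in find_bulk_prints(evts):
        print(f"bulk print: {user} printed {n} records on {date}")
```

On the sample data the three peers each touch two or three charts, so the role median is 3 and the 14-chart user is flagged, along with the 7 print events. The peer-median baseline does more work than the absolute floor: 14 chart views is unremarkable on a busy ward but stands out against peers averaging three. Hits are leads to reconcile against work assignments and orders, not findings on their own.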

Restitution Required

The U.S. Department of Justice, in a Dec. 12 statement, said that in addition to his prison sentence, former hospital lab technician Kamarian D. Millender was also ordered to pay about $19,000 in restitution after pleading guilty in July to one count of aggravated identity theft.

Flowers Hospital, where Millender formerly worked, is part of the Community Health Systems chain. But the breach involving Millender was unrelated to a larger hacker attack on Community Health Systems earlier this year that affected 4.5 million patients.

The Alabama hospital incident is listed on the Department of Health and Human Services' "wall of shame" list of major breaches as a theft of paper records occurring from June 2013 to February 2014 and affecting 629 individuals.

Fraud Scheme

In the criminal case against Millender, federal prosecutors say he and others stole patient medical records that contained personal identification information, which was then used to file more than 100 false tax returns, victimizing approximately 73 individuals. Prosecutors say the false tax returns attempted to defraud an estimated $536,000 from the IRS. However, "the IRS was able to stop the vast majority of the falsely claimed refunds, but approximately $18,915 in refunds were issued," according to the prosecutors' statement.

Meanwhile, the class action lawsuit filed against Flowers Hospital in May alleges that the breach affected "thousands" of plaintiffs.

"Flowers [Hospital] flagrantly disregarded plaintiffs' ... privacy rights by intentionally, willfully, recklessly and/or negligently failing to take the necessary precautions required to safeguard and protect their PII/PHI from unauthorized disclosure," the suit alleges. The suit claims the plaintiffs' personal information "was improperly handled and stored, and was otherwise not kept in accordance with applicable and appropriate security protocols, policies and procedures," which led to the theft.


The class action suit alleges that patient information affected by the breach includes names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, medical diagnoses, medical record numbers, medical service codes, and health insurance information.

"There is a high likelihood that significant identity theft and/or identity fraud has not yet been discovered or reported and a high probability that criminals who may now possess plaintiffs' PII and PHI, but will do so later, or re-sell it," the lawsuit states. It alleges the hospital violated the Fair Credit Reporting Act and contains allegations of negligence and invasion of privacy by public disclosure of private facts. It seeks unspecified damages as well as reimbursement for legal expenses.

A Flowers Hospital spokeswoman declined to comment on the criminal case involving the former lab worker or the class action lawsuit.

An attorney representing the plaintiffs in the class action suit against Flowers did not reply to Information Security Media Group's request for comment. Federal prosecutors involved with the Millender criminal case also did not respond to ISMG's request for comment.

Preventing ID Theft

Privacy and information security expert Rebecca Herold points out that a big hurdle with preventing insider breaches is that, "many organizations don't want to accept that their employees would ever take information from patients or insureds and commit a crime with them, especially within healthcare provider settings, where the focus is on patient health and well-being."

Because of that trust, "organizations often do not have the policies, processes, training, awareness reminders, oversight and auditing in place to verify that employees truly are doing the right things and have not wandered off the path of compliance onto the criminal highway," says Herold, a co-owner of the consulting firm HIPAA Compliance Tools and CEO of The Privacy Professor.

While potential insider breaches will always pose a challenge for many healthcare related organizations, there is one key piece of advice that can go a long way in preventing these incidents, Herold says.

"It always starts from the top: there must be strong support for information security and privacy initiatives from the organization's top leader," she says. "Make sure all employees know that top management expects them to work in a legal and ethical manner, and that those violating the corporate policies, and applicable laws, will face appropriate sanctions, including the potential for termination and for legal actions and jail time."


Employee health information compromised in Sony Pictures hack


A recent cyberattack on Sony Pictures has sent not only personal emails and employee salary information out across the Web, but sensitive health information as well.

Documents obtained by the hackers include health information on dozens of employees, their children or spouses, according to a report from Bloomberg.

Some of the information leaked includes a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs for more than 30 Sony employees, according to the report.

This is just the latest in a string of attacks compromising patients' health information, including a hack that impacted more than 4.5 million patients at Community Health Systems.

The release of this kind of information may be some of the most damaging, Deborah Peel, director of Patient Privacy Rights, tells Bloomberg.

Hackers who go by Guardians of Peace, according to the report, have been releasing documents onto the Internet since late November. Sony's internal probe currently links the attack to hackers known as DarkSeoul.

While security experts predict increased cyberattacks on healthcare organizations in 2015, they foresee phishing and ransomware posing particular challenges, according to John Moore, founder and managing partner at Chilmark Research.

In addition, healthcare information is becoming a vulnerable and attractive target for cybercriminals, according to Experian's 2015 Data Breach Industry Forecast.

