HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Texas Expands HIPAA Privacy Laws to Bolster EHR Security

Governor of Texas, Rick Perry, has signed a new law to give Texas residents even greater protection than required by the Health Insurance Portability and Accountability Act and has increased penalties for healthcare organizations that fail to implement the appropriate security measures to protect the health data of patients.


Under the Health Information Technology for Economic and Clinical Health Act (HITECH), covered entities have a number of responsibilities including reporting data breaches to the Office for Civil Rights (OCR). Data breaches are reportable to the OCR, either in an end of year report or after an investigation, depending on the number of individuals affected.


HIPAA places a number of restrictions on how ePHI is used and stored, and all covered entities are required to conduct a full risk analysis to assess systems for security vulnerabilities to allow risk to be managed. It also lays down the procedures that must be followed after a data breach, such as notifying potential victims. Covered organizations are also required to conduct an investigation into how a breach occurred as well as a risk of harm analysis.


One of the main aims of HIPAA has been to improve the standard of data security and protect the privacy of patients. HIPAA and HITECH can be seen as minimum standards that must be followed, and states are allowed to increase data security rules, provided that all HIPAA requirements are met.


Texas has now exercised the right to tighten state privacy laws to ensure electronic Protected Health Information is kept private and confidential.


Greater Protection for Texas Residents
The new Texas law follows HITECH, although it makes a number of amendments to further restrict the use of ePHI. The penalties have been increased for wrongful disclosure, breach notification rules have been updated, and healthcare organizations must provide more training to staff. A new requirement is that data privacy and security training must now be provided to employees every two years. Training courses must be documented and all attendees must sign to confirm that they have received training. A 60-day limit now also applies for providing new employees with training.


According to the new law, “an individual’s PHI may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, healthcare operations, insurance purposes, and as otherwise authorized by state or federal law.”


Harsher Penalties for Wrongful Disclosure of ePHI
Failure to comply with the new legislation will result in increased financial penalties, and possibly criminal penalties, for the wrongful disclosure of ePHI; the theft of ePHI is now considered a felony. The state is also able to revoke both professional and institutional licenses. Financial penalties have been increased to a maximum of $250,000 for intentional disclosure of ePHI for financial gain, $25,000 for an intentional or knowing violation and $5,000 for each individual negligent violation. The maximum penalty for repeat offenders is $1.5 million, and enforced withdrawal from Medicaid, the Children’s Health Insurance Program and other state-funded healthcare initiatives is also a possibility.


When assessing violations, the seriousness of the data breach will be considered along with the risk of harm, the organization's past history, its certification, the efforts made to mitigate any damage caused and the amount necessary to deter the organization from allowing further violations to occur. Failure to issue breach notifications to affected individuals will also be penalized at a rate of $100 per day, per individual, up to a maximum fine of $250,000.


HIPAA regulations require employers to provide training on the Privacy and Security Rules, although this is only required within a short time frame of the commencement of employment and after a material change in privacy and security policies. Under the new Texas law there is a requirement for ongoing training to be provided to staff, and this must also be tailored to the employee’s position within the company. Rules on breach notifications have also changed to cover all HIPAA-covered entities, including business associates, as well as non-HIPAA-covered entities that wrongfully disclose ePHI.


Former Ind. dentist to pay $12K after allegedly violating HIPAA...

Indiana Attorney General Greg Zoeller reached a $12,000 settlement with Joseph Beck over allegations that the former Kokomo dentist violated the Health Insurance Portability and Accountability Act (HIPAA) by improperly disposing of patient records.

After the Indiana Board of Dentistry permanently revoked Beck's license to practice, more than 60 boxes from his Comfort Dental clinic were found in an Indianapolis trash dumpster in 2013. The boxes contained files that allegedly held private information on more than 5,600 patients dating from 2002 to 2007, which violated state privacy laws as well as HIPAA regulations, Zoeller said.

The information ranged from full names and phone numbers to addresses and Social Security numbers. No cases of identity theft were reported.

Beck allegedly had hired Just the Connection, Inc., a third-party company, to retrieve and dispose of the records.

“In an era when online data breaches are top of mind, we may forget that hard-copy paper files, especially in a medical context, can contain highly sensitive information that is ripe for identity theft or other crimes,” Zoeller said. “This file dump was an egregious violation of patient privacy and safety.”

Beck's license to practice in Indiana was revoked over allegations of negligence and fraudulent billing practices.


Fearing The Dreaded HIPAA Audit?

The HHS Office for Civil Rights plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. David Holtzman, a former senior advisor at OCR and now vice president of compliance services at security firm CynergisTek, offers the following outline of what providers selected for an audit can expect and how to prepare.


Red Flags

In a 2012 pilot audit program, security rule problems were seen twice as often as anticipated, so expect security issues to receive more attention under a permanent audit program. OCR found through the pilot audits that many organizations had not conducted a security risk analysis or had never updated an initial analysis, which signals that an organization is not taking HIPAA seriously. Other areas with significant deficiencies included access management, security incident procedures, contingency planning, audit controls, and movement and destruction of protected health information.


Getting Notified

OCR plans to send notification letters to 1,200 healthcare organizations to confirm their address, HIPAA officers, sizes and functions. This is not an audit notice, but the information will be used to build a list of those that will be audited. Organizations selected for audit by OCR will not receive email notification; they will receive a formal audit notification letter, so beware of scammers.


Desk Audits

About 200 covered entities and 300-400 business associates will receive notification of a "desk audit," which will include a request for submission of specific content and other documentation that demonstrates the scope and timeliness of an organization's efforts to comply with HIPAA rules. Focus areas for covered entities likely will include risk analysis and risk management, content and timeliness of breach notifications and notice of privacy practices updated to reflect changes in the HIPAA Omnibus rule implemented in 2013. The likely focus for breach audits will be risk analysis and risk management, and appropriate breach reporting to covered entities.


Follow Instructions

Under a desk audit, only documentation delivered on time will be reviewed. Send only the information required. Auditors likely will be looking for updated privacy practice notices, the ability of patients to get a copy of their health record and to access them electronically if desired, and how organizations treat requests to restrict access to sensitive treatment paid out-of-pocket. Desk audits, Holtzman says, are not an opportunity for a conversation or give-and-take. Auditors will not contact an organization again for clarifications or additional information; they will work only with what they get. Failure to respond to a desk audit notification likely will lead to a more formal compliance review. (Audit findings will not become a matter of public record.)


On-Site Audits

OCR this year and likely into 2016 will conduct on-site audits of an unspecified number of covered entities and business associates. This is more comprehensive than a desk audit, with a greater focus on privacy. Expect OCR in these on-site audits to look at security rule compliance in such areas as device and media controls, secure transmissions, encryption of data (including documented justification if you're not using encryption), facility access controls, administrative and physical safeguards, and workforce training. And expect an emphasis on training, as many organizations haven't trained since first required in 2003. "That really rubs [auditors] the wrong way," Holtzman says.


Plan Now

If your risk-analysis and risk-management plans are more than 2 years old, update now, Holtzman suggests. Select 10 focus areas covering both the privacy and security rules, and if vulnerabilities have not been addressed, address them. "The best process to prepare for an audit is to be prepared the day the letter arrives," Holtzman says. "Be honest with yourself. Don't paint a happy picture because you think you know what management wants to hear."


What Will HIPAA Enforcer Do in 2015?

Time to rub the dust off my crystal ball to predict what we might see from the Office for Civil Rights in 2015 when it comes to regulatory activities and enforcement of the HIPAA privacy, security and breach notification rules.

But first, note that 2014 represented a year of significant changes in leadership and approach for OCR, the unit of the Department of Health and Human Services that's responsible for HIPAA enforcement. Jocelyn Samuels joined OCR as its director in July. She was tapped to lead the agency by HHS Secretary Sylvia Mathews Burwell when Leon Rodriguez was confirmed as director of the U.S. Citizenship and Immigration Services.

Additionally, OCR's health information privacy division is being led by an acting deputy director following the retirement of Susan McAndrew.

The OCR division responsible for overseeing the work of its regional offices, including enforcement efforts, is also being led by an acting deputy director. In addition to the leadership changes in Washington, three of the 10 managers leading OCR's regional offices were newly appointed this year. That's a lot of leadership change in a short period.

Enforcement Actions

The recent OCR settlement in which an Alaska mental health organization paid a $150,000 fine and agreed to a corrective action plan over shortcomings in its security rule compliance program is the first since director Samuels took over the agency.

This resolution agreement could signal that OCR is regaining its footing after the transition to a new leadership team and will be moving ahead more aggressively to reach settlement agreements in cases where the agency finds serious violations of the privacy and security rules. According to OCR's website, there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews being investigated. I expect the agency will announce more high-profile enforcement actions in 2015.

Through the 2009 HITECH Act, Congress mandated HHS to make a number of significant changes to the privacy regulations, expanding jurisdictional oversight to business associates and encouraging the development of new tools for enhanced regulatory enforcement.

The tools include self-funding HIPAA enforcement authority from fines and penalties collected by OCR and an audit program to measure industry compliance. However, significant provisions of the HITECH Act have not been adopted or are in some stage of development. What are the prospects for the remaining provisions of HITECH to be enacted in 2015?

Accounting of Disclosures

The HITECH Act mandated an expansion of the HIPAA Privacy Rule's current standard for covered entities to provide individuals an accounting of unauthorized disclosures, which exempts disclosures made for purposes of treatment, payment or healthcare operations, or TPO. Congress called on HHS to revamp the standard by requiring accounting for disclosures to include TPO disclosures by covered entities and businesses using electronic health records.

In its 2011 proposed rulemaking, HHS sought to give individuals an accounting of uses in addition to expanding the disclosures to be reported. Under intense pressure to scale back the scope of the proposed rule, HHS had its panel of outside experts, the Privacy and Security Tiger Team, make recommendations in December 2013. The team has since disbanded, with HHS taking no action on its recommendations. Nor does publication of a final rule appear to be in the offing anytime soon.

Monetary Settlements

Under HITECH, Congress called for HHS to develop a methodology to distribute a percentage of monetary settlements collected by OCR to individuals affected by breaches.

The first step was for the Government Accountability Office to make recommendations to HHS on a methodology to share a percentage of the proceeds from fines and penalties with consumers harmed by the unlawful uses or disclosures resolved through OCR's investigation. Although the GAO apparently has delivered its recommendations, the HHS regulatory agenda does not include a proposal under development or being reviewed.

With continuing pressures on federal spending restricting the growth of agency budgets and resources to support OCR's expansive mission, it seems unlikely that the office will aggressively pursue an initiative that would result in the sharing with consumers the proceeds from its monetary settlements from HIPAA enforcement actions.

HIPAA Audits

The HITECH Act also called on OCR to perform periodic audits of covered entities and business associates' compliance with the HIPAA rules. With funding provided through HITECH, OCR developed and implemented a pilot audit program through which 115 audits of covered entities were conducted.

Beginning in early 2015, OCR plans to audit 200 covered entities, including healthcare providers and group health plans, to measure their compliance with the HIPAA privacy, security and breach notification rules requirements. These audits of covered entities will be followed by up to 400 audits of business associates to measure their compliance with the security rule and how they intend to approach their obligations under the privacy and breach notification rules.

In comments at the September 2014 HIPAA security conference hosted by OCR and the National Institute of Standards and Technology, OCR's Iliana Peters said it was the agency's intention to use the audit findings as a tool in the enforcement arsenal. Covered entities found to have significant gaps in their HIPAA compliance will be ripe for follow-up compliance reviews and could face penalties.

With millions of dollars of monetary penalties collected from covered entities since adoption of the HITECH Act changes, this is the one OCR initiative that seems on track. Don't wait for your notice from OCR to prepare for your HIPAA compliance audit. Take action now by going through the steps to ready your organization if it were to be randomly selected for one of those audits.


Will 2015 be worst year yet for data breaches? | Government Health IT

This past year the FBI warned the entire healthcare realm that security practices are not keeping pace with other industries. And a new report is suggesting that healthcare organizations should expect even more data breaches in the New Year.

Indeed, that means bigger and more costly violations. Global information services firm Experian, in its second annual data breach forecast, cites the growing number of potential entry points to protected health information, with wearables and other mobile devices among the new technologies making healthcare vulnerable, while other studies in 2014 pointed to healthcare organizations’ widespread lack of confidence in securing PHI.

Experian is not the only firm saying data privacy and security will get worse in healthcare.

Consultancy IDC’s Health Insights unit, in fact, included two interesting points in its yearly top 10 predictions for healthcare: First, healthcare entities will have experienced at least one and as many as five cyber attacks in the previous 12 months, with one-third of those considered successful, and, second, by 2020 approximately half of all digital health data will be unprotected.

At the same time, attacks will not only grow more sophisticated but, in some ways, be easier to pull off moving forward.

“From 2015 onward, we will see attackers use social media to hunt for high-value targets. They will no longer limit themselves to instigating watering-hole attacks and using spear-phishing emails,” security specialist Trend Micro wrote in its predictions. “They will dramatically expand the attack surface to include Wi-Fi-enabled wearable devices running vulnerable firmware.”

Such vulnerable firmware, it’s worth pointing out, resides in many medical devices of all sorts, not just wearables.

Symantec, meanwhile, explained the growth in popularity of “crimeware-as-a-service” on the black market.

“Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams,” Symantec wrote in a December blog post. “This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.”

Security vendor Websense, which focuses on a range of industries, laid down its own prognostications for 2015. The first one: “Call the IT doctor. My hospital is under attack – again!”

“The healthcare industry is a prime target for cybercriminals,” Carl Leonard, principal analyst of Websense Security Labs, said in a report. “With millions of patient records now in digital form, healthcare’s biggest security challenge in 2015 will be keeping personally identifiable information from falling through security cracks and into the hands of hackers.”


Contractor's security flaw causes yet another VA breach

A security flaw in a patient database managed by a third party may have exposed more than 7,000 veterans to identity theft, Federal News Radio reports.

A contractor managing home telehealth services alerted the Department of Veterans Affairs on Nov. 4 about the potential security flaw, which it has since confirmed. The contractor, however, stated that only its own staff and VA staff have accessed the information, which includes patients' names, addresses, dates of birth, phone numbers and VA patient identification numbers.

A VA spokesman said the flaw has been corrected and the agency is closely monitoring the situation. However, the agency has notified and offered credit protection to all 7,054 veterans in the database.

The VA announced in October that it provided remote care to more than 690,000 veterans using telemedicine during fiscal year 2014.

Lawmakers, however, continue to raise questions about how adequately the agency secures patient information. Though the VA has taken action to address previously identified IT vulnerabilities, it has not done enough to prevent future problems, according to a Government Accountability Office (GAO) report issued in November.

In a Dec. 15 letter, Rep. Jackie Walorski (R-Ind.) sought more details about the eBenefits website cyber breach in January that exposed the data of more than 5,000 veterans.

Rep. Mike Coffman (R-Colo.) sent a Nov. 21 letter seeking copies of the Deloitte reports over the last two years that relate to cybersecurity, IT and information management issues, according to the article.

After the latest GAO report criticizing its cybersecurity practices, the VA announced plans to bolster its efforts by adding $60 million to its information security budget. That's in addition to the $160 million a year the VA already spends on cybersecurity.


BOSTON: Children's Hospital settles over data breach | Technology | The Bellingham Herald

Boston Children's Hospital has agreed to pay $40,000 and bolster its patient data security following a data breach that compromised the personal information of more than 2,100 patients, the state attorney general's office announced Friday.

The judgment, entered in Suffolk Superior Court, alleges the hospital failed to protect the health information of the patients, about 1,700 of whom were children.

The data — including names, birthdates, diagnoses and surgery dates — was on a hospital-issued unencrypted laptop stolen from a doctor on official business in Argentina in May 2012. The information had been sent in an email from a colleague.

Under the terms of the consent judgment, the hospital will pay a $30,000 civil penalty and a payment of $10,000 to a fund administered by the attorney general's office for educational programs concerning protected health information.

"Today's settlement will put in place and enforce important technological and physical security measures at Boston Children's Hospital to help prevent a breach like this from happening again," Attorney General Martha Coakley said.

The hospital said it has already toughened security protocols.

"After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that Boston Children's security policies and technologies are state-of-the-art," the hospital said in a statement. "Every device that is issued by Boston Children's is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted."


Net Access Data Centers Achieve HIPAA And HITECH Compliance

Net Access, a leading provider of hybrid colocation, cloud and connectivity solutions, today announced the successful completion of a voluntary third-party audit certifying that its data centers and cloud services comply with current federal and industry standards for protecting consumers' private health information.

The audit, which was conducted by BrightLine CPAs and Associates, Inc., a leading provider of attestation and compliance services, included in-depth review of Net Access' physical data center security management, IT security policies and procedures, data protection, network architecture, monitoring and other safeguards. Upon completion of the audit, BrightLine found Net Access had controls in place to meet federal Health Insurance Portability and Accountability Act (HIPAA) administrative, technical and physical security rule safeguards and Health Information Technology for Economic and Clinical Health Act (HITECH) breach notification safeguards. HIPAA and HITECH set standards to protect the privacy of electronic medical records, including guidelines that healthcare entities must follow to secure such information when it is processed, transmitted or stored in a data network.

"Achieving these independent third party validations underscores our ongoing commitment to provide secure, reliable and compliant data center solutions for our customers, while maintaining the highest standards for the protection of their data," says Raul Martynek, CEO of Net Access. "It's a testament to the hard work and dedication of our team that our facilities and cloud services meet the stringent HIPAA and HITECH security requirements set forth by the federal government."

"Partnering with Net Access allows us to leverage their technical expertise and experience operating HIPAA compliant data centers," says David Ulrich, President and HIPAA Security Officer of ITelagen. "That lets us focus our attention on our customers' needs and not on managing data center compliance and audit issues."


Google cloud gets on board with HIPAA | Healthcare IT News

To all the developers building applications in the cloud that need to comply with HIPAA privacy rules: You've just gained a big ally.

Internet behemoth Google recently announced its cloud platform will now be HIPAA-friendly and will support business associate agreements going forward.

Google started inking business associate agreements back in 2013 when the HIPAA Final Omnibus Rule went into effect, making BAs accountable for violating certain HIPAA privacy and security rules.

This February, the company went one step further.

"To serve developers who want to build these applications on Google's infrastructure, we're announcing support for business associates agreements for our customers," wrote Google Cloud Platform Product Manager Matthew O'Connor, in a Feb. 5 company post. "We’re looking forward to supporting customers who are subject to HIPAA regulations on Google Cloud Platform."

The HIPAA final omnibus rule took effect September 2013, and it made BAs directly liable for violations of HIPAA rules. The rule also expanded the definition of a BA to include health information organizations, e-prescribing gateways, PHR providers, patient safety organizations and subcontractors with access to protected health information. Moreover, subcontractors are now defined as business associates.

After the rule went into effect, many covered entities reported having difficulties getting BAs to actually sign business associate agreements.

Healthcare IT News spoke with BakerHostetler's Privacy and Security Attorney Ted Kobus back in August 2013, right before the HIPAA final rule took effect. He said that, overall, BAs have been less prepared.

"We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions," Kobus said.

Lynn Sessions, healthcare privacy attorney, also with BakerHostetler, works with many of the more sophisticated BAs on updating their agreements; she said the ones dragging their feet with HIPAA are the cloud providers.

Organizations "new to the party, like cloud providers who thought they were never business associates in the first place, are having to play catch up," said Sessions.

Cloud computing in healthcare is poised for explosive growth. By the end of 2013, analysts estimated the global market would hit nearly $4 billion, representing more than 21 percent growth from 2012, according to the findings of a September 2013 Kalorama report. In comparison, health IT spending over the year was only projected to increase by nearly 11 percent.

"EMR is driving this market," said Bruce Carlson, publisher of Kalorama Information, in a Sep. 19 press statement. "Hospitals are building great systems for gathering electronic records, but they need solutions to store all of that data, and it can't be a new server wing that might compete with needed space for care."


Prison Term for ID Theft at Hospital

A former Alabama hospital worker has been sentenced to serve two years in prison for his role in an identity theft case that led to federal tax refund fraud. The case also has resulted in a class action lawsuit.

The breach at 235-bed Flowers Hospital in Dothan, Ala., spotlights that "insider threats are a large challenge," says privacy attorney Adam Greene, of law firm Davis Wright Tremaine, who is not involved in the case. "Policies, procedures and training can influence good employees, but may have little impact on employees who are considering using information for criminal purposes," he says.

"Some good ways to reduce the risk include thorough background checks of employees, reducing the use of Social Security numbers and other risky information within the organization where possible, minimizing the types of employees who have access to such information, reviewing system activity to identify patterns that may demonstrate abuse of access, and considering technologies such as data loss prevention to reduce the risk of information leaving the network," the attorney adds.

But Greene notes that even with all the right controls in place, "it is virtually impossible to completely eliminate the threat of insiders abusing their access to information systems."

Restitution Required

The U.S. Department of Justice, in a Dec. 12 statement, said that in addition to his prison sentence, former hospital lab technician Kamarian D. Millender was also ordered to pay about $19,000 in restitution after pleading guilty in July to one count of aggravated identity theft.

Flowers Hospital, where Millender formerly worked, is part of the Community Health Systems chain. But the breach involving Millender was unrelated to a larger hacker attack on Community Health Systems earlier this year that affected 4.5 million patients.

The Alabama hospital incident is listed on the Department of Health and Human Services' "wall of shame" list of major breaches as a theft of paper records occurring from June 2013 to February 2014 and affecting 629 individuals.

Fraud Scheme

In the criminal case against Millender, federal prosecutors say he and others stole patient medical records that contained personal identification information, which was then used to file more than 100 false tax returns, victimizing approximately 73 individuals. Prosecutors say the false tax returns attempted to defraud an estimated $536,000 from the IRS. However, "the IRS was able to stop the vast majority of the falsely claimed refunds, but approximately $18,915 in refunds were issued," according to the prosecutors' statement.

Meanwhile, the class action lawsuit filed against Flowers Hospital in May alleges that the breach affected "thousands" of plaintiffs.

"Flowers [Hospital] flagrantly disregarded plaintiffs' ... privacy rights by intentionally, willfully, recklessly and/or negligently failing to take the necessary precautions required to safeguard and protect their PII/PHI from unauthorized disclosure," the suit alleges. The suit claims the plaintiffs' personal information "was improperly handled and stored, and was otherwise not kept in accordance with applicable and appropriate security protocols, policies and procedures," which led to the theft.

The class action suit alleges that patient information affected by the breach includes names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, medical diagnoses, medical record numbers, medical service codes, and health insurance information.

"There is a high likelihood that significant identity theft and/or identity fraud has not yet been discovered or reported and a high probability that criminals who may now possess plaintiffs' PII and PHI, but will do so later, or re-sell it," the lawsuit states. It alleges the hospital violated the Fair Credit Reporting Act and contains allegations of negligence and invasion of privacy by public disclosure of private facts. It seeks unspecified damages as well as reimbursement for legal expenses.

A Flowers Hospital spokeswoman declined to comment on the criminal case involving the former lab worker or the class action lawsuit.

An attorney representing the plaintiffs in the class action suit against Flowers did not reply to Information Security Media Group's request for comment. Federal prosecutors involved with the Millender criminal case also did not respond to ISMG's request for comment.

Preventing ID Theft

Privacy and information security expert Rebecca Herold points out that a big hurdle with preventing insider breaches is that, "many organizations don't want to accept that their employees would ever take information from patients or insureds and commit a crime with them, especially within healthcare provider settings, where the focus is on patient health and well-being."

Because of that trust, "organizations often do not have the policies, processes, training, awareness reminders, oversight and auditing in place to verify that employees truly are doing the right things and have not wandered off the path of compliance onto the criminal highway," says Herold, a co-owner of the consulting firm HIPAA Compliance Tools and CEO of The Privacy Professor.

While potential insider breaches will always pose a challenge for many healthcare related organizations, there is one key piece of advice that can go a long way in preventing these incidents, Herold says.

"It always starts from the top: there must be strong support for information security and privacy initiatives from the organization's top leader," she says. "Make sure all employees know that top management expects them to work in a legal and ethical manner, and that those violating the corporate policies, and applicable laws, will face appropriate sanctions, including the potential for termination and for legal actions and jail time."

Employee health information compromised in Sony Pictures hack

A recent cyberattack on Sony Pictures has sent not only personal emails and employee salary information out across the Web, but sensitive health information as well.

Documents obtained by the hackers include health information on dozens of employees, their children or spouses, according to a report from Bloomberg.

Some of the information leaked includes a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs for more than 30 Sony employees, according to the report.

This is just the latest in a string of attacks compromising patients' health information, including a hack that impacted more than 4.5 million patients at Community Health Systems.

The release of this kind of information may be some of the most damaging, Deborah Peel, director of Patient Privacy Rights, tells Bloomberg.

Hackers who go by Guardians of Peace, according to the report, have been releasing documents onto the Internet since late November. Sony's internal probe currently links the attack to hackers known as DarkSeoul.

While security experts predict increased cyberattacks on healthcare organizations in 2015, they foresee phishing and ransomware posing particular challenges, according to John Moore, founder and managing partner at Chilmark Research.

In addition, healthcare information is becoming a vulnerable and attractive target for cybercriminals, according to Experian's 2015 Data Breach Industry Forecast.

Is It Possible to be HIPAA Compliant?

A recent article on Forbes by Dan Munro asked the question whether anyone is really HIPAA compliant in healthcare. As recognized in the article, answering this question is not a simple and direct matter. From one perspective, many entities are compliant with HIPAA requirements, others are clearly not compliant, and then some organizations may not even need to comply. Getting a clearer answer to this question will be necessary sooner rather than later though.

As has been well documented, the Office for Civil Rights at the Department of Health and Human Services has been issuing fines against organizations breaching their HIPAA requirements. The fines have been levied in a variety of circumstances and are often being used to provide lessons to healthcare entities. For example, one entity was fined for not implementing a breach notification policy, many for not encrypting mobile devices and others for not performing a risk analysis.

Another element impacting the ability to be HIPAA compliant is the expanding universe of where protected health information can be found. The growth of mobile applications and portable devices has exponentially increased the number of places where protected health information is both created and stored. The sheer number of locations places compliance obligations on a similar variety of organizations, from health care providers to app developers to data storage companies and others. A major issue is that not everyone is aware of what it takes to comply with HIPAA, or they claim to be certified when no such certification exists from the government.

However, instead of focusing on whether it is possible to be HIPAA compliant, it may be more appropriate to ask what it means to be HIPAA compliant. Determining what it means to be HIPAA compliant requires understanding the HIPAA regulations, in particular the Privacy Rule, the Security Rule and the Breach Notification Rule. These rules provide a framework to guide covered entities, business associates and others who may be swept under the ambit of HIPAA in establishing policies and procedures.

The Privacy Rule is designed to set standards for the protection of protected health information. Privacy is achieved by controlling the use and disclosure of protected health information. Under the Privacy Rule, protected health information can be used only in three ways: with an authorization in certain circumstances, after the individual has been given the opportunity to object, or without any need for authorization or objection in certain clearly defined instances. The Privacy Rule also affords individuals certain qualified rights to access, amend or receive an accounting of the uses of their protected health information. As initially stated, the basic purpose is to protect the integrity of the data and limit how the information may be used.

From the compliance perspective, the Privacy Rule sets forth clear policies that must be put into place. When preparing policies, it is actually reasonable to take the language right from the regulations, to an extent. In somewhat of a rarity in the healthcare regulatory context, the Privacy Rule is relatively clear cut.

The second aspect of HIPAA compliance is satisfying the requirements of the Security Rule. Much like the Privacy Rule, the Security Rule is intended to protect the safety of protected health information. The Security Rule includes administrative, physical and technical safeguards. As such, while it primarily covers electronic information, there are aspects impacting physical information as well. Digging deeper into the Security Rule, its requirements are broken into two categories: required elements and addressable elements. As a result, it may not be necessary to implement a policy or procedure for every single element of the Security Rule.

From the compliance perspective, the Security Rule is meant to be flexible and scalable. A large hospital system will need much different security policies and procedures than a physician’s office with four providers. However, an essential first step is to perform a risk analysis. A risk analysis will reveal an entity’s vulnerabilities when it comes to the confidentiality, integrity and availability of protected health information. Once a risk analysis is performed, an entity can then take the results to formulate which policies and procedures it needs. Additionally, for those elements that are addressable, the risk analysis can help supply the support necessary to decide whether or not to implement that policy.

The third and last major component necessary under HIPAA now is to implement a breach notification policy. A breach notification policy is necessary to ensure a proper response when the privacy or security of protected health information is not maintained. Having a policy in place will help mitigate adverse effects and aid an entity in organizing a quick and appropriate response. In the event of a breach, a policy will guide the response, including determining who must be notified. Awareness of notification obligations may also aid in creating more safeguards.

Going back to my initial question of what it means to be HIPAA compliant: it means understanding what HIPAA requires and then conscientiously implementing those requirements. Every organization is made up of humans and, while the government may not admit the following statement, as such cannot be fully compliant all of the time. The factors that will influence the outcome are what the entity has done to help reduce risks ahead of time and how it responds. With the prevalence of electronic information and the value placed upon medical records by hackers and others, in reality it is only a matter of time before every healthcare organization experiences a breach of some sort. But, if an entity has implemented a robust HIPAA compliance policy by reading and understanding the Privacy Rule, Security Rule and Breach Notification Rule, then it will be better able to re-secure information and reduce potential penalties from the government.

HIPAA Compliance within Revenue Cycle Management

The healthcare industry is constantly striving to prevent fraud and abuse within the system, and to emphasize compliance and accuracy. Revenue cycle management (RCM), the process that includes claims management processing, payment, and revenue generation, is a hospital's first line of defense against these issues. Still, the revenue cycle process can be flawed, causing further problems if not suitably standardized.

The HIPAA Security Rule, which was enacted on April 14, 2001, specifically focuses on the safeguarding of electronic protected health information. HIPAA started because of congressional concern about the portability and continuity of health coverage. Congress passed legislation “in order to increase the efficiency, effectiveness, and cost savings through the use of electronic data interchange in the healthcare industry.”

HIPAA “requires all healthcare providers, healthcare clearinghouses, and health plans to implement and utilize standardized formats when transmitting electronic data.” The inclusion of HIPAA transactions intends to reduce administrative costs, but to do so, medical practices will need to strengthen their RCM processes.

The RCM process starts with patient scheduling. The key to this step is gathering as much vital patient information as possible. Medical practices should ensure that any protected health information (PHI) is stored and catalogued appropriately. As required by the HIPAA law, practices must “Identify assets and information systems that create, receive, transmit, or maintain” PHI. Hardware on which PHI is stored or shared must be catalogued as required.

In addition to identifying these devices, a practice should have hardware and software firewalls in place and should maintain updates to these programs as needed. Data encryption is also an important way for a practice to remain HIPAA compliant within its RCM process. The following are examples of information that must be encrypted to assure HIPAA compliance:

  • Billing information
  • Case management data
  • Lab and clinical data
  • Patient reports and transcripts
  • Emails between patients and doctors, and between referral doctors

Once the patient is scheduled and appears for their appointment, medical documentation must take place. Maintaining clear and detailed patient files is an important part of a practice’s RCM. Without well-maintained documentation, services rendered to a patient may come into doubt as well as payments received. To prevent missing information and to remain HIPAA compliant, a practice should put a written set of standards in place to maintain accurate documentation.

A practice should then run a risk assessment of these standards and practices to confirm that they “are reasonable and appropriate to provide adequate protection against reasonably anticipated threats or hazards to the confidentiality, integrity, or availability” of PHI. If the risk assessment confirms the suitability of the standards, then they should be implemented.

After the patient’s medical data is recorded and the services are rendered, it’s time for a provider to be reimbursed. Yet, often claims can be denied, and bills go unpaid. To prevent this, a practice should implement additional standards to prevent revenue loss.

An example of revenue loss due to denied claims isn’t difficult to find, and each one leaves unhappy customers in its wake. In New York, a health insurance subcontractor allegedly mishandled the protected health information (PHI) data of approximately 500 patients, causing denial letters to be sent to the wrong members. The resolution required additional notification to be sent and cost valuable company time and money.

It’s not enough just for a practice to have these processes in place in order to be HIPAA compliant in its RCM. These processes need to be checked and re-checked regularly in order to ensure HIPAA compliance standards are maintained at all times. As the HIPAA law is being changed and amended regularly, a practice that fails to stay on top of these changes can suddenly find itself no longer HIPAA compliant.

The penalties for a practice not meeting HIPAA compliance standards can be fiscally damaging. A practice that violates HIPAA rules will be fined, with a cost ranging from $100 to $50,000 per violation (or per record), up to a maximum of $1.5 million per year and can carry criminal charges which could result in jail time.

These fines and charges are measured, and broken down into two different categories: Reasonable Cause and Willful Neglect. Reasonable Cause fines imposed upon a practice can range from $100 to $50,000 per incident (release of 500 medical records) and do not involve jail time. However, Willful Neglect fines on a practice range from $10,000 to $50,000 for each incident and can result in criminal charges and jail time.

With full patient records selling for about $500 on the black market, it’s not difficult to see why medical information is considered valuable to modern-day criminals. Along with the unpleasant possibility of steep fines and jail time, this is all the more incentive for medical providers to buckle down on their HIPAA compliance.

Remaining HIPAA compliant in its RCM will not only shield a practice from the harsh penalties of non-compliance, but will also protect its patients from losing their personal information in a possible cybersecurity breach. In the long run, keeping its RCM HIPAA compliant will increase a practice’s efficiency and save it valuable time and cost.

Five common mistakes and how to avoid them for 2015 HIPAA audits

2014 saw a rise in data breaches and HIPAA compliance failures within the healthcare industry. The Office for Civil Rights (OCR) takes privacy and security seriously, and more organizations have been fined for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA). This year, the OCR will use the HIPAA audit program to randomly assess healthcare entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. Here are five mistakes to avoid:  

  1. Failure to keep up with regulatory requirements

Gain a better understanding of specifications for standards as “required” versus “addressable.” Some covered entities must comply with every Security Rule standard. Covered entities must determine if the addressable section is reasonable after a risk assessment, and, if not, the Security Rule allows them to adopt an alternative measure. Be sure to document everything, particularly since the OCR may look at encryption with audits this year.  

  2. No documented security program

The OCR wants to know how you implement a security risk assessment program, so be sure your organization has a documented security awareness program. Once you know the requirements, assess your environment and your users. Does your organization have a security and compliance program in place? How well is it implemented? Who is involved? How often do you communicate? Everyone in your organization should be held responsible for ensuring the safety of data and following proper procedures. Have a plan and a point person in place, and ensure your compliance and security teams talk to each other. Create a committee with stakeholders and clear responsibility, and make sure the plan is documented, communicated and enforced across the organization.

  3. A reactive approach to audits

Once you establish a security program, proactively monitor security and performance indicators, as OCR audits will focus heavily on breach plans and the controls you have in place to protect patient data. Auditors will look for access to critical group memberships, so make sure you’re auditing and reporting on user activity – including your privileged users. Auditors are increasingly interested in this area, due to the recent increase in insider incidents.

  4. Assumptions regarding business associate agreements

Contractors and subcontractors who process health insurance claims are liable for the protection of private patient information. Make sure you have an updated business associate agreement in place, and ensure the chain of responsibility is documented, agreed upon, and reviewed frequently by both parties. You can find sample contracts offered by the OCR to help you through this process. 

  5. A checkbox approach to compliance

Regulators want to discontinue the checkbox approach to compliance in favor of a risk-based security approach. Compliance and security must go hand-in-hand, and organizations will benefit from incorporating this mindset across both teams. Strong security measures make it easier to meet compliance regulations. By adopting an organizational self-discovery approach, you will have a higher level of visibility and awareness of internal issues, and achieve a more resilient business process and the next level of organizational maturity.

Is healthcare prepared for data-sharing's security risks?

The data-sharing requirements for the Meaningful Use program and the Affordable Care Act pose significant security challenges to healthcare organizations, and Erik Devine, chief security officer at Riverside Medical Center, predicts organizations will learn this year just how prepared they are.

In an interview with HealthcareInfoSecurity, Devine says his 370-bed hospital in Kankakee, Illinois, will focus on employee training, making sure systems are patched and third-party review--"making sure we're doing what our policies say we're doing."

He foresees more persistent threats in 2015, such as the Sony hack and other breaches seen last year.

"I think healthcare is going to see a lot of attacks in ransomware," Devine says. "Employees leaking data unknowingly is a big threat to healthcare systems. Hackers are going to take advantage of that and look for the monetary value in return."

Health information exchanges will pose particular challenges, he adds.

"Are we prepared to manage all the information that's flowing in and out of the system? ... Trying to get information for the patient out there in the real world so they have better experiences at any hospital they visit will obviously carry significant risks. Is healthcare ready for that change? That's what we're going to determine in 2015 and further."

In its 2015 Data Breach Industry Forecast, Experian called healthcare "a vulnerable and attractive target for cybercriminals." However, it noted that employees remain the leading cause of compromises, but receive the least attention from their employers.

Security experts foresee phishing and ransomware attacks posing particular challenges to healthcare organizations in the coming year.

To help protect against threats like those, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Entities such as the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and the National Cyber-Forensics & Training Alliance provide information on threats, malware and vulnerabilities that organizations can use to increase their security systems, Bell says. Vendors of security products also often have their own intelligence feeds.

Stolen Patient Information Prompts Data Breach Warning from Shoreview Company

An alert about a data breach involving an orthopedic medical device company in Shoreview affects not only Minnesotans, but others across the country as well.

A contractor for the company DJO Global went inside a coffee shop in Roseville on Nov. 7 and left a laptop containing private patient information in a backpack on the backseat of his car. A thief saw the backpack, smashed the window and stole it.

DJO Global notified patients in a letter that their private information stored on the computer had been stolen. The data included patients' names, phone numbers, diagnosis codes, surgery dates, health insurers, and clinic and doctor names. A handful of Social Security numbers were swiped, too.

Worried individuals have contacted police.

"We received hundreds upon hundreds of phone calls from all over the country," Lt. Lorne Rosand with the Roseville Police Department said.

A spokesman for DJO told 5 EYEWITNESS News via email that no credit card information was taken. The information was in limbo from Nov. 7-21.

"If someone is able to glean information, name, dates, birth, social security information — that's a gold mine," Rosand said.

DJO says the laptop had password protection in place but wasn't encrypted. There were firewalls, tracking and remote software intact that allowed the data to eventually be erased remotely. DJO says it's doing an internal investigation and security assessment.  

Roseville police call this situation a reminder for everyone.

"When people leave valuables in vehicles such as laptops, there's only a piece of glass between the bad guy and your property; that glass can be shattered," Rosand said.

If you received a letter from DJO or believe your information might be at risk, you can set up a fraud alert with the three credit reporting agencies as a precaution. 

The thief has not been caught.

HIPAA Hurdles in 2015 | HIPAA, HITECH & HIT

Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court:  “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself.  Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1. More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms. For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with a specific state’s (or states’) privacy and security law requirements, limit the creation or use of de-identified data derived from the covered entity’s PHI, or purchase cybersecurity insurance. The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do. In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow. As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2. More HIPAA complaints – and investigations. As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI. Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3. More PHI-Avoidance Efforts. Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future. “I’m Not Your Business Associate” or “We Do Not Create, Receive, Maintain or Transmit PHI” notification letters may be sent and “Information You Provide is not HIPAA-Protected” warnings may appear on “Terms of Use” websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!

Achieve Cybersecurity While Complying with HIPAA Standards | EMR and HIPAA

Within the past 24 months, nine out of 10 hospitals in the U.S. have fallen victim to an attack or data breach, according to a recent report from the Ponemon Institute. The landscape of the healthcare IT industry is transforming rapidly due to significant changes in patient information management and today’s evolving threat landscape. Advancements in technology and government regulations have powered an explosive growth in the creation and storage of protected healthcare information (PHI). To prepare for new attacks targeting sensitive patient data, healthcare organizations need to recognize the risks of noncompliance and how the deployment of certified, secure, and trusted technologies will help ensure compliance with Health Insurance Portability and Accountability Act (HIPAA) standards.

According to the 2012 National Preparedness Report conducted by the Federal Emergency Management Agency, the healthcare industry is already prepared for many types of emergencies and contingencies. However, the same study showed that healthcare organizations are overall still unprepared for most cyber attacks.

The report highlighted that cybersecurity “was the single core capability where states had made the least amount of overall progress.” Of the state officials surveyed, merely 42 percent feel they are adequately prepared. The report also showed that in the last six years, less than two-thirds of all companies in the U.S. have sustained cyberattacks. From 2006 to 2010, the number of reported attacks in the U.S. rose by 650 percent. During the Aspen Security Forum last year, Keith B. Alexander, head of the National Security Agency and the new United States Cyber Command, indicated that the U.S. has seen a 17-fold rise in attacks against its infrastructure from 2009 through 2011.

In such an environment, it is a top priority for healthcare organizations to comply with HIPAA standards. Before the signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it was understood industry-wide that HIPAA was not strictly enforced. Under HITECH, healthcare providers could be penalized for “willful neglect” if they failed to demonstrate reasonable compliance with the Act. The penalties could be as high as $250,000 with fines for uncorrected violations costing up to $1.5 million.

In certain instances, HIPAA’s civil and criminal penalties now encompass business associates. While a citizen cannot directly sue their healthcare provider, the state attorney general could bring an action on behalf of state residents. In addition, the U.S. Department of Health and Human Services (HHS) is now required to periodically audit covered entities and business associates. This implies that healthcare providers are required to have systems in place to monitor relationships and business practices to guarantee consistent security for all medical data.

If information systems are left vulnerable to attack, providers face significant risks to their business. These targeted attacks in the healthcare industry can come in a variety of forms. In Bakersfield, CA, the Kern Medical Center was attacked by a virus that crippled its computer systems. The hospital took approximately 10 days to bring the doctors and nurses back online. A Chicago hospital was attacked by a piece of malware that forced the hospital’s computers into a botnet controlled by the hacker. A year later, the hospital was still dealing with the attack’s aftermath. Following the theft of a computer tape containing unencrypted personal health information from an employee’s automobile, the DoD faced a multi-billion-dollar lawsuit. The Veterans Administration (VA) fought a two-year battle against intrusions into wireless networks and medical devices, including picture archiving and communication systems (PACS), glucometers and pharmacy dispensing cabinets.

Patients are protected against identity theft if medical information is encrypted and secured. Simultaneously, information must be kept readily available when necessary, such as for emergency personnel. The subsequent benefits are important in order to keep businesses competitive, including better quality of patient care, improved patient outcomes, increased productivity and workflow efficiency, better information at the point of care and improved and integrated communications between doctors and patients.

The Key to HIPAA Compliance

In order to meet the HITECH Act requirements, encryption must be used on the main service provider network as well as its associated partner networks. Encryption uses an algorithm to convert the data in a document or file into an indecipherable form before it is delivered; the recipient then decrypts it, so unauthorized personnel who intercept the data cannot read it. Successful use of encryption depends on the strength of the algorithm and on the security of the decryption “key” or process, both when data is in motion across a network and when it is at rest in databases, file systems, or other structured storage.

In order to achieve HIPAA compliance, healthcare providers should leverage verified, certified network security products and architectures. Recommended by HHS and mandated by the U.S. Department of Defense (DoD) for encryption, products certified to Federal Information Processing Standard (FIPS) 140-2 safeguard healthcare data with proven security, diminishing risk without increasing costs.

Technologies that are fully FIPS-140 certified provide organizations a level of security that will remain compliant through at least 2030, unlike legacy cryptographic systems.

A New Degree of Confidence

Today, closed networks are almost nonexistent as most offices have Internet access, at the minimum. With the use of electronic transactions increasing in healthcare, including e-prescriptions and electronic communication, many medical organizations use open systems that necessitate the use of encryption technologies.

Technology providers can easily assert that a system is secure by using the highest level of encryption technologies on the market. With the degree of public visibility of breaches of trust, organizations have no reason to risk exposure with technology systems that fail to meet the FIPS 140-2 standard for data encryption. Without this certification, the cryptography function on the network has demonstrated a less than 50 percent chance of being correctly implemented, which also implies there is a 50 percent chance that the cryptography can be cracked. By purchasing solutions with FIPS validation, healthcare organizations achieve a new degree of reassurance that their critical data is secure, allowing them to minimize risk without an increase in costs.


What Can You Expect in 2015 Regarding HIPAA Enforcement? | The National Law Review


As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009.  An increase in the number of breaches isn’t the only statistic on the rise.  Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463).  It doesn’t take a crystal ball to predict that these numbers in 2015 will continue to rise.  We haven’t reached the apex yet.

The newly approved 2015 federal budget does not include an increase in funding for the federal agencies responsible for enforcing HIPAA, including the HHS Office of Civil Rights (OCR), but HHS isn’t viewing it as a setback. Per an OCR spokeswoman, “OCR’s strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track…” Just a few weeks ago, HHS settled with the Alaska Department of Health and Human Services for $1.7 million for potential HIPAA violations.

If enforcement efforts remain on track in 2015, so should compliance efforts next year.  Keep your HIPAA policies and procedures up to date and conduct regular risk assessments.  If your organization has not addressed security on mobile devices do so now.  Especially if you are contemplating a transaction in 2015, it’s time to take a deep dive regarding HIPAA compliance.


AMIA’s Recent HIPAA Compliance Question: A Legal Perspective | HealthITSecurity.com

Last week an American Medical Informatics Association (AMIA) letter to state Representative Fred Upton was released. AMIA called for HIPAA compliance to be updated to allow for exemptions in terms of access to patients’ PHI, specifically for “observational or data research.”

Overall, many of the topics discussed in the letter are unlikely to cause too many disagreements in the healthcare industry, according to Brad Rostolsky, a partner at the Philadelphia-based law firm Reed Smith. Rostolsky specializes in healthcare regulatory and transactional law, and said in a recent interview with HealthITSecurity.com that the crux of the letter seems to be about asking to amend the definition of HIPAA operations to include data research.

With respect to that, the question that immediately comes to mind is “Do the patients get a say in whether their information is being used for this purpose?” Rostolsky said.

“There’s an implicit kind of assumed truth in this letter that uses for research purposes are necessary,” he explained. “All of the other uses that don’t require authorization, generally speaking, are things that the provider needs to do in order to be a provider.”

For example, healthcare providers need to do things for their own business purposes, such as engage billing companies, collection companies, and their EMR vendor. Patients’ information is likely to be involved in all of those scenarios. The AMIA letter is questioning whether or not research should be put into the group of things that HIPAA considers a necessary component of disclosure of information.

“To facilitate the discovery, development and delivery of new treatments and cures, AMIA believes that we must develop a ‘learning health system’ in which the data and information generated during routine delivery of health care is leveraged across clinics, hospitals and integrated networks…” the letter stated.

Moreover, AMIA recommended that Congress should convene a multi-stakeholder “HIPAA Barriers” working group to discuss the elimination of barriers that prevent data movement. A Health IT Safety Center could also be beneficial, so event reporting, education, data aggregation, and the creation of best practices could improve patient safety and the effective use of health IT, AMIA stated.

Few people will likely have a problem with a task force or working group to discuss certain healthcare issues, like HIPAA barriers, Rostolsky said. In fact, he said that it would be a good idea. However, he added that there are definitely going to be privacy concerns.

“I do think that some patients don’t want their information being used in that way,” Rostolsky said. “People can be private and, ultimately, I think the concern from a patient perspective would be whether or not there would be any unintended reaction by the patient if they’re aware of this to not be as likely to go to the physician or for [the organization] to be as forthright about things.”

It will likely come down to patient rights versus the benefits of research, according to Rostolsky. At a minimum, it’s certainly good that folks are talking about the issue and forcing the various stakeholders to ask questions, he said.

“Clearly people should have the right to largely control what happens with their information, outside of things necessary to provide them with a service,” Rostolsky said. “But at the same time, I think that everyone would hopefully agree that doing research to further medical advancements is a very important thing that could benefit everyone.”

While it’s difficult to predict how this would – and could – play out, Rostolsky explained that it will still be critical for healthcare organizations to remain vigilant in terms of keeping patient data secure.

“The more people who touch information and have the ability to access it uninhibited, the more likely a problem could occur,” he said, adding that the letter did speak to the importance of still adhering to all HIPAA data breach notification regulations.


Are You Ready for a HIPAA Security Risk Assessment? | HealthITSecurity.com

There are numerous aspects of a HIPAA security risk assessment that healthcare organizations must keep in mind.

Even though the Department of Health and Human Services’ (HHS) HIPAA security risk assessment tool has not even had a full year of existence, experts in the industry have stated that it’s a great way for healthcare organizations to improve their risk analyses. Healthcare regulatory compliance is important for facilities for numerous reasons. Not only do providers want to avoid hefty fines for HIPAA violations, they also want to reassure patients that their electronic protected health information (ePHI) will remain secure.

But even with the HHS tool, do healthcare organizations understand what must be done to be fully prepared for a HIPAA security risk assessment? HealthITSecurity.com decided to pull together important points for facilities to keep in mind, ensuring that they are ready for a risk assessment.

Identify all ePHI

A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. These overviews can also reveal areas where ePHI could be at risk. This is why it’s important for healthcare organizations to identify all ePHI that they create, maintain or transmit.

For example, are there any vendors or consultants that have access to ePHI? If so, what is their process? Covered entities must ensure that they understand how patients’ data is not only used, but how it is transmitted. Failing to account for one storage area could lead to regulatory fines.

Moreover, healthcare facilities need to account for all types of threats to the ePHI during a HIPAA security risk assessment. This includes human, natural, and environmental threats to information systems.

“All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule,” according to HHS. “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.”

Specifically, the HIPAA Security Rule requires organizations to create and implement policies that “prevent, detect, contain, and correct security violations.” This process will be much easier after healthcare facilities know where all ePHI is located.

Identify threats, assess security measures

When all assets, including ePHI, have been identified, healthcare facilities should pinpoint any potential threats or security risks. From there, organizations can benefit from ranking those risks in terms of severity of impact and likelihood of occurrence. Cybersecurity might have a greater chance of affecting your facility, but a disgruntled employee could also pose an internal risk. No possibility should be ignored.

Moreover, healthcare facilities should review the types of protections currently in place. Is there up-to-date data encryption, firewalls or anti-malware protection? If not, are there areas that could benefit from such protections?

If any gaps are discovered, they must be immediately addressed. Should any data breaches occur, and it is proven that a facility did not properly assess its risks, heavy penalties could follow.

“An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability,” according to HHS’ “Guidance on Risk Analysis.” “An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.”

Conduct periodic reviews

A crucial aspect that can be overlooked is that healthcare organizations need to update their risk analyses. Technology continues to evolve, and as such, so can the potential security risks. An ongoing risk analysis procedure will be much more helpful, and further decrease the likelihood of an area being overlooked.

“A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation,” HHS stated on its website.

Any of the following could be a reason for a new analysis:

  • The organization experienced a security incident
  • There is new ownership
  • A facility sees turnover in upper management or other key roles
  • New technology is introduced

“If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed,” according to HHS.

A risk analysis is a vital first step for proper healthcare security management. Organizations need to not only understand potential risks, but also be aware of what steps they can take to mitigate those risks. Moreover, it’s important to understand that different types of assessments will benefit different organizations. Methods can vary depending on facility size, along with its complexity and capabilities. For example, a small healthcare provider might not have ePHI stored with a third-party vendor. Instead, it is located within the main building. However, this does not mean that their ePHI servers are more or less secure than that of a large provider.

It cannot be guaranteed that a data breach will never occur at a facility, but by adhering to HIPAA security risk assessment requirements, the odds will be lower.
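The three steps above (inventory every place ePHI lives, rank each threat by likelihood and impact while noting which have no control in place, and repeat the analysis when a triggering event occurs) can be captured in a small risk register. The following is an added example, not code from HealthITSecurity.com or HHS; the 1-to-3 rating scales, the asset names and the dollar figures are constructed for illustration, and the HHS guidance does not prescribe any particular scale. It shows both the qualitative ranking (likelihood × impact) and the quantitative annualized-loss figure the guidance permits, and it flags the same kinds of trigger events the article lists.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical qualitative scales: 1 (low) to 3 (high). HHS permits any
# qualitative or quantitative method; these numbers are an assumption.
LIKELIHOOD: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}
IMPACT: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# Events the article lists as reasons to run a new analysis.
REANALYSIS_TRIGGERS: Set[str] = {
    "security_incident", "new_ownership", "key_role_turnover", "new_technology",
}


@dataclass(frozen=True)
class Asset:
    """One place where ePHI is created, received, maintained or transmitted."""
    name: str
    location: str
    custodian: str
    third_party: bool = False   # vendor or consultant holds the data


@dataclass
class Risk:
    """A threat paired with the asset it affects and the controls in place."""
    asset: Asset
    threat: str
    threat_type: str            # "human", "natural" or "environmental"
    likelihood: str
    impact: str
    controls: List[str] = field(default_factory=list)

    def score(self) -> int:
        # Qualitative score: likelihood rating times impact rating.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by asset name then threat text."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset.name, r.threat))


def control_gaps(risks: List[Risk]) -> List[Risk]:
    """Risks with no protection in place; these need immediate attention."""
    return [r for r in risks if not r.controls]


def third_party_assets(assets: List[Asset]) -> List[Asset]:
    """ePHI held by vendors or consultants, whose handling must be understood."""
    return [a for a in assets if a.third_party]


def annualized_loss_expectancy(single_loss_dollars: float,
                               annual_rate_of_occurrence: float) -> float:
    """Quantitative method: expected loss per year = SLE x ARO."""
    return single_loss_dollars * annual_rate_of_occurrence


def reanalysis_required(events: List[str]) -> List[str]:
    """Return the subset of events that obliges a fresh risk analysis."""
    return sorted(set(events) & REANALYSIS_TRIGGERS)


# Constructed sample inventory for a small practice (not real data).
EHR_SERVER = Asset("ehr-db", "server room, main building", "IT director")
BILLING_VENDOR = Asset("billing-export", "billing company SFTP drop",
                       "practice manager", third_party=True)
LAPTOPS = Asset("clinician-laptops", "mobile", "IT director")
SAMPLE_ASSETS = [EHR_SERVER, BILLING_VENDOR, LAPTOPS]

SAMPLE_RISKS = [
    Risk(EHR_SERVER, "malware via unpatched OS", "human", "high", "high",
         ["monthly patching", "firewall"]),
    Risk(LAPTOPS, "lost or stolen device", "human", "medium", "high", []),
    Risk(BILLING_VENDOR, "vendor mishandles export", "human", "medium", "medium",
         ["business associate agreement"]),
    Risk(EHR_SERVER, "flood in server room", "natural", "low", "high",
         ["offsite backups"]),
    Risk(EHR_SERVER, "disgruntled employee copies records", "human", "low",
         "medium", []),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score()}  {r.asset.name:18} {r.threat}")
    print("gaps:", [r.threat for r in control_gaps(SAMPLE_RISKS)])
    print("third party:", [a.name for a in third_party_assets(SAMPLE_ASSETS)])
    print("ALE:", annualized_loss_expectancy(500_000, 0.1))
    print("re-analyze:", reanalysis_required(["new_technology", "security_incident"]))
```

Run as a script, the register lists the unpatched-OS malware risk first (score 9) and reports the laptop and insider risks as uncontrolled gaps; the trigger check returns only the events that match the article's list, so an unrelated event yields an empty result and no new analysis is forced.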


OCR fines behavioral health service $150,000 | HIPAA Update


The Office for Civil Rights (OCR) announced December 8 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations, according to a press release. 

OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service. On March 12, 2012, ACMHS notified OCR of a breach affecting 2,743 individuals. The breach was the result of malware that compromised the security systems of the behavioral healthcare provider, according to OCR.

The resolution agreement states that ACMHS failed to:

  • Conduct an accurate and thorough risk assessment of ePHI from April 21, 2005, through March 12, 2012
  • Implement security policies and procedures to reduce risks and vulnerabilities to ePHI from April 21, 2005, through March 12, 2012
  • Implement technical security measures to safeguard against unauthorized access to ePHI by failing to ensure firewalls were in place and that information technology resources were supported and updated with patches from January 1, 2008, through March 29, 2012

In addition to the monetary settlement, as part of the corrective action plan with OCR, ACMHS agreed to:

  • Provide an updated version of its security policies and procedures
  • Adopt a revised version of OCR-approved security policies and procedures
  • Distribute revised security policies and procedures to workforce members who work with ePHI and provide security awareness training
  • Obtain signed written or electronic initial compliance certification from all workforce members stating that they read, understand, and will abide by security policies and procedures


Are You Ready for a HIPAA Audit?


CynergisTek, a health information technology security consultancy, is offering a full-scale mock audit for HIPAA privacy, security and breach notification compliance to prepare covered entities for real audits from the HHS Office for Civil Rights.

The mock audit will apply OCR timelines and follow the government’s process, starting with receipt of an audit notification letter. Other areas covered include compiling the required documentation and reviewing it for deficiencies, onsite interviews with staff, draft and final audit reports, a workshop on findings and lessons learned, and a performance evaluation presentation with senior executives.

“CynergisTek will hold your staff to OCR standards when assessing your organization’s ability to demonstrate HIPAA compliance and will identify your organization’s readiness and ability to respond,” according to information from the company. The audit may be disruptive to normal operations, as would a real one, it warns.


Latest HIPAA Settlement – Unpatched And Unsupported Software | The National Law Review


The latest Office for Civil Rights (OCR) HIPAA settlement announced on December 8, 2014 highlights the OCR’s recent and continuing focus on the Security Rule. Anchorage Community Mental Health Services (ACMHS) agreed to settle potential HIPAA violations with a $150,000 fine and the adoption of a corrective action plan. This matter was prompted by ACMHS’ report to OCR of a breach of electronic protected health information (PHI) affecting about 2,700 individuals. The OCR determined that the incident was the direct result of ACMHS’ failure to identify and address basic risks such as running outdated and unsupported software, and failure to regularly update software patches. The OCR also noted that while ACMHS had adopted “sample” Security Rule policies and procedures in 2005, such policies and procedures were not followed.

This latest settlement provides the following key reminders to those subject to HIPAA:

  • The Security Rule, which relates to electronic PHI, continues to be a focus of the OCR;

  • A basic requirement of the Security Rule is that Covered Entities and Business Associates should regularly conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the security of electronic PHI;

  • Covered Entities and Business Associates should remain current on software and software patches to help avoid malware and other hacking incidents; and

  • HIPAA policies and procedures should be meaningful to your organization and should be regularly used, reviewed, and revised as necessary.


Don’t Forget to Update Your Software -


On Monday, December 8th, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services announced another new HIPAA settlement. As with most recent settlements, the latest settlement is being used to set up an example of what not to do.

This time, Anchorage Community Mental Health Services (“ACMHS”) has agreed to pay $150,000 after failing to follow the requirements of the HIPAA Security Rule. The settlement is the result of a self-notification filed by ACMHS that malware infected its information technology systems, resulting in a breach impacting approximately 2,743 individuals. When OCR went to investigate, OCR found that ACMHS had implemented security policies. However, ACMHS did not tailor the policies to its own operations, nor did ACMHS actually follow the policies adopted. The lack of adherence resulted in ACMHS not identifying or addressing basic security risks, including not updating its technology resources. The lack of updates left the systems vulnerable to malware.

In addition to paying the fine, ACMHS is required to implement a corrective action plan as prepared by OCR. The corrective action plan remains in place for 2 years, but should act as the baseline for a good HIPAA compliance plan going forward. The terms of the corrective action plan are fairly straightforward and do not contain any surprises. The requirements are essentially to comply with the HIPAA Privacy and Security Rules, which all covered entities and business associates should do anyway.

As indicated above, the breach in this case was caused by a failure to update software and install patches as necessary. This demonstrates the need to evaluate information technology systems to ensure that the system remains current and up to date. An organization cannot install a piece of software or hardware and expect that it will always serve its purposes. Attacks on systems and exploitation of vulnerabilities are always evolving, which means the systems being attacked must do the same thing.

With regard to the HIPAA Security Rule, organizations should remember that compliance is customizable. The Security Rule recognizes and acknowledges that all organizations are different. As such, certain elements are required and others are addressable. The required elements must be put into place and organizations need to make a case by case assessment on how to deal with the addressable items. A risk analysis is the essential first step as the analysis will identify areas of weakness for an organization.

It is not enough just to do a risk analysis once and then prepare and implement policies though. HIPAA Security Policies must be living, breathing documents that adapt to changing circumstances. An area of high vulnerability in the year of adoption can drop by the wayside a few years down the road while a new, unknown area at first becomes a major risk. The changing environment is why organizations must constantly monitor and evaluate policies to ensure good coverage.

Lastly, putting policies into place and not following them, as ACMHS did, is a big problem. When a breach or other instance of non-compliance arises, having unfollowed policies will be a major red flag for the government. If policies are adopted, then an organization is arguably aware of what it had to do in order to comply. Willful or negligent failure to follow the policies could then be grounds for a higher fine and other penalties. Education and awareness are essential. Compliance takes time and it is not always easy to measure the return on investment, but the money that can be saved down the road is likely incalculable.
