HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Audits Are Only One Way of Coming Under the HIPAA Microscope


Now that the 2015 HIPAA Audits have begun, organizations are reevaluating their HIPAA compliance posture. This is a good thing, because an organization will have very little time to respond to pre-audit and audit inquiries from the Office for Civil Rights (OCR).

On the other hand, some organizations are evaluating the risk of being selected and might conclude that the risk is low. These organizations might decide that such a low risk is not worth the effort of ensuring HIPAA compliance. The risk of being selected by the IRS to audit your tax return is also very low, but most people and organizations still file their taxes.

Why is this the case? People fear the IRS. They fear the hassle associated with an IRS audit, they fear the penalties associated with an IRS audit, and they fear the consequences of failing an IRS audit.

Right now people don’t really fear OCR or HIPAA audits. I am pretty confident that people didn’t fear the IRS audits when they first started. It took a few years and some very high profile cases, including putting people in jail, to get people to worry about IRS audits and ensuring that they are properly filing their tax returns. It is not hard to see an analogy with the start of the HIPAA audits. The question that organizations need to ask themselves is:

Do I want to be a high profile example if my organization is selected for a HIPAA audit?

Other concerns

There is no denying that the chance of being selected for a HIPAA audit is low. But a random audit is only one of the ways that OCR could investigate an organization. Let’s take a look at some of the other ways that an organization can come under the HIPAA microscope.

Data Breaches

If an organization has a data breach (for example, a lost laptop, or a hacker stealing protected health information (PHI)), OCR may decide to investigate the incident. If OCR starts an investigation, they will want to see what safeguards the organization had in place prior to the data breach. It is almost guaranteed that OCR will want to see the following:

  • The most recent HIPAA Security Risk Assessment (SRA) and documented work plan to address any issues discovered in the SRA
  • Evidence of documented HIPAA Security and Privacy Policies and Procedures (including evidence that the organization has implemented and is following the Policies)
  • Evidence that employees have received periodic HIPAA Security and Privacy training (this should be ongoing training that occurs at least once a year)
  • Evidence of a security incident response plan

Business Associate Data Breaches

A data breach by a Business Associate may cause OCR to investigate the Covered Entity. If a billing company or IT support organization has a data breach, there is a good chance that OCR will investigate both the Business Associate and the Covered Entity. The question that organizations need to ask themselves is:

Besides signing a Business Associate Agreement, do I have any proof that my Business Associate is protecting PHI that we disclose to them?

Patient Complaints

Another way that OCR may open an investigation into an organization’s HIPAA compliance is if a patient or former patient files a complaint. The patient may feel that their privacy or the security of their data has been breached and can file a complaint with OCR. OCR evaluates each of the complaints that have been filed and decides if they will investigate the organization.

Employee Complaints

Employees or former employees may feel that their employer is not protecting PHI and could file a complaint against the organization.

Meaningful Use

Organizations that are participating or have participated in the CMS Meaningful Use (MU) Incentive Program can be audited by CMS or the Office of Inspector General (OIG). A common reason for failing an MU audit is the lack of a Security Risk Assessment (SRA), or the lack of a thorough SRA and a documented work plan to address any issues discovered in the SRA.


With over 100 million patient record breaches in the last few years it should come as no surprise that the government is increasing HIPAA enforcement. We have an epidemic of patient records breaches and the need to protect this very sensitive information is apparent.

Organizations can no longer ignore HIPAA. Proper safeguards and increased security are needed to protect PHI. It is a lot easier and cheaper to proactively implement HIPAA requirements than it is to respond when OCR comes knocking on your door.


Is healthcare prepared for data-sharing's security risks?


The data-sharing requirements for the Meaningful Use program and the Affordable Care Act pose significant security challenges to healthcare organizations, and Erik Devine, chief security officer at Riverside Medical Center, predicts organizations will learn this year just how prepared they are.

In an interview with HealthcareInfoSecurity, Devine says his 370-bed hospital in Kankakee, Illinois, will focus on employee training, making sure systems are patched, and third-party review, "making sure we're doing what our policies say we're doing."

He foresees more persistent threats in 2015, along the lines of the Sony hack and other breaches seen last year.

"I think healthcare is going to see a lot of attacks in ransomware," Devine says. "Employees leaking data unknowingly is a big threat to healthcare systems. Hackers are going to take advantage of that and look for the monetary value in return."

Health information exchanges will pose particular challenges, he adds.

"Are we prepared to manage all the information that's flowing in and out of the system? ... Trying to get information for the patient out there in the real world so they have better experiences at any hospital they visit will obviously carry significant risks. Is healthcare ready for that change? That's what we're going to determine in 2015 and further."

In its 2015 Data Breach Industry Forecast, Experian called healthcare "a vulnerable and attractive target for cybercriminals." It also noted that employees remain the leading cause of compromises, yet receive the least attention from their employers.

Security experts foresee phishing and ransomware attacks posing particular challenges to healthcare organizations in the coming year.

To help protect against threats like those, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Entities such as the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, and the National Cyber-Forensics & Training Alliance provide information on threats, malware, and vulnerabilities that organizations can use to strengthen their security systems, Bell says. Vendors of security products also often have their own intelligence feeds.


Stage 3 Meaningful Use: Breaking Down HIPAA Rules


CMS released its Stage 3 Meaningful Use proposal last month, with numerous aspects that covered entities (CEs) need to be aware of and pay attention to. While the proposal has a large focus on EHR interoperability, it continues to build on the previously established frameworks in Stage 1 and Stage 2 – including keeping patient information secure.

HIPAA rules and regulations cannot be thrown out the window as CEs work toward meeting meaningful use requirements. We'll break down the finer points of Stage 3 Meaningful Use as it relates to data security, and how organizations can remain HIPAA compliant while also making progress in the Meaningful Use program.

Stage 3 further protects patient information

One of the top objectives for Stage 3 Meaningful Use is to protect patient information. New technical, physical, and administrative safeguards are recommended that impose stricter and narrower requirements for keeping patient data secure.

The new proposal addresses how the encryption of patient electronic health information continues to be essential for the EHR Incentive Programs. Moreover, it explains that relevant entities will need to conduct risk analysis and risk management processes, as well as develop contingency plans and training programs.

In order to receive EHR incentive payments, covered entities must perform a security risk analysis. However, these analyses must go beyond reviewing only the data stored in an organization's EHR. CEs need to address all electronic protected health information (ePHI) they maintain.

It is also important to remember that installing a certified EHR does not fulfill the Meaningful Use security analysis requirement. The requirement ensures that all ePHI maintained by an organization is reviewed. For example, any electronic devices (tablets, laptops, mobile phones) that store, capture, or modify ePHI need to be examined for security.

“Review all electronic devices that store, capture, or modify electronic protected health information,” states the ONC website. “Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”

It is also important to regularly review the existing security infrastructure, identify potential threats, and then prioritize the discovered risks. For example, a risk analysis could reveal that an organization needs to update its system software, change its workflow processes or storage methods, review and modify its policies and procedures, schedule additional training for its staff, or take other corrective action to eliminate identified security deficiencies.

A security risk analysis does not necessarily need to be done every year. CEs only need to conduct one when they adopt an EHR. When a facility changes its setup or makes alterations to its electronic systems, for example, it is then time to review the analysis and update it for any subsequent changes in risk.

Stage 3 works with HIPAA regulations

In terms of patient data security, it is important to understand that the Stage 3 Meaningful Use rule works with HIPAA: the two complement one another.

“Consistent with HIPAA and its implementing regulations, and as we stated under both the Stage 1 and Stage 2 final rules (75 FR 44368 through 44369 and 77 FR 54002 through 54003), protecting ePHI remains essential to all aspects of meaningful use under the EHR Incentive Programs,” CMS wrote in its proposal. “We remain cognizant that unintended or unlawful disclosures of ePHI could diminish consumer confidence in EHRs and the overall exchange of ePHI.”

As EHRs become more common, CMS explained, protecting ePHI becomes more instrumental to the success of the EHR Incentive Program. However, CMS acknowledged that there had been some confusion in the previous rules between HIPAA requirements and the requirements for the meaningful use core objective:

For the proposed Stage 3 objective, we have added language to the security requirements for the implementation of appropriate technical, administrative, and physical safeguards. We propose to include administrative and physical safeguards because an entity would require technical, administrative, and physical safeguards to enable it to implement risk management security measures to reduce the risks and vulnerabilities identified.

CMS added that even as it worked to clarify security requirements under Stage 3, its proposal was not designed "to supersede or satisfy the broader, separate requirements under the HIPAA Security Rule and other rulemaking."

For example, the CMS proposal narrows the requirements for a security risk analysis in terms of meaningful use requirements. Stage 3 states that the analysis must be done when certified EHR technology (CEHRT) is installed or when a facility upgrades to a new CEHRT edition. From there, providers need to review the CEHRT security risk analysis, as well as the implemented safeguards, "as necessary, but at least once per EHR reporting period."

However, CMS points out that HIPAA requirements “must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits” in all electronic forms.

Working toward exchange securely

The Stage 3 Meaningful Use proposal encourages CEs to work toward health information exchange and to focus on better health outcomes for patients. As healthcare facilities work toward both of these goals, it is essential that health data security remains a priority and that PHI stays safe.

While HIPAA compliance ensures that CEs avoid any federal fines, it also ensures that those facilities are keeping patient information out of the wrong hands. The right balance needs to be found between health information security and health information exchange.
