HIPAA Compliance for Medical Practices

Patients Demand the Best Care … for Their Data


Whether it’s a senior’s first fitting for a hearing aid or a baby boomer in for a collagen injection, both are closely scrutinizing the new patient forms handed to them by the office clerk. With 100 million medical records breached and stolen to date, patients have every reason to be reluctant when they’re asked to fill out forms that require their social security number, driver’s license, insurance card and date of birth, all the ingredients for identity fraud. Patients are so squeamish about disclosing their personal information that even Medicare has plans to remove social security numbers from patients’ benefits cards.

Now patients have as much concern about protecting their medical records as they do about receiving quality care, and they’re getting savvy about data protection.  They have every right to be assured by their physician that his practice is as concerned about their privacy as he is about their health.

But despite ongoing reports of HIPAA violations and continuous breaking news about the latest widespread patient data breach, medical practices continue to treat ePHI security as a lesser priority. And they neglect to train front office staff, so the patient who asks a receptionist where the practice stores her records either gets a quizzical look, is told they’re protected in an EHR (by a receptionist who doesn’t know how), or is told they’re filed in a bank box in “the back room” (by a receptionist who doesn’t know why).

In some cases, the practice may hide the fact that office staff is throwing old paper records in a dumpster. Surprisingly this happens over and over.  Or, on the dark side, the receptionist accesses the EHR, steals patients’ social security numbers and other personal information and texts them to her criminal boyfriend for medical identity theft.

Another cybercrime threatening medical practices comes from hackers who attack a server through malware and encrypt all the medical files.  They hold the records hostage and ask for ransoms.  Medical records can vanish and the inability to access critical information about a patient’s medical condition could end up being life threatening.

Physicians should not only encrypt all mobile devices, servers and desktops, regularly review system activity, back up their servers, have a disaster recovery plan in place and so on; they should also share their security practices and policies with the patient who asks how the office is protecting her records.

Otherwise, the disgruntled patient whose question about security is dismissed won’t only complain to her friends over coffee, she’ll spread the word on Facebook.  Next time a friend on Facebook asks for a referral the patient tells her not to go to her doctor — not because he’s an incompetent surgeon but because he doesn’t know the answer when she asks specifically if the receptionist has unlimited access to her records.

And word gets out through social media that the practice is ‘behind the times.’ The doctor earns a reputation for not taking the patient’s question seriously, and for not putting the proper measures in place to secure the patient’s data. This is the cockroach running through the restaurant that ends up on Yelp.

It’s time to pull back the curtain and tell patients how you’re protecting their valuable data.  Hand them a HIPAA security fact sheet with key measures you’ve put in place to gain their confidence.  For example, our practice:

  • Performs annual risk assessments, with additional security implemented, including encryption and physical security of systems that contain patient information
  • Shows patients that the organization has policies and procedures in place
  • Trains employees on how to watch for risks of breaches
  • Gives employees limited access to medical records
  • Backs up systems daily
  • Reviews system activity regularly

Practices that communicate to patients how they are protecting their information, whether it’s provided by the front office staff, stated in a fact sheet or displayed on their websites, not only instill confidence and maintain their reputations but actually differentiate themselves in the marketplace and attract new patients away from competitors.

Patient discharged with paperwork of 20 other patients

The Medical Center of Aurora in Colorado is under scrutiny for discharging a patient with the paperwork of 20 other patients, according to Fox 31 Denver.

On November 22, 2014, the medical center discharged Karen Billings and included the medical information of 20 other patients in the documentation provided. Billings returned to the medical center, where a nurse retrieved the other patients’ paperwork. However, upon reviewing her file the following day, Billings found that she was still in possession of seven pages of operating room notes belonging to other patients, Fox 31 Denver reported.

Billings said the paperwork given to her listed patients’ dates of birth, physician names, procedures, and medications. The medical center is offering free identity theft protection for affected patients, according to Fox 31 Denver.

State agency HIPAA security gaffe puts patient data on the Internet


A Texas state agency has come forward to notify its Medicaid recipients that due to security shortfalls, their Social Security numbers and protected health information became accessible on the Internet.

The Texas Department of Aging and Disability Services, a state agency responsible for administering support and services for aging individuals and people with disabilities, announced June 11 a data breach following the "unintentional release" of personal data. The breach impacted 6,600 of its Medicaid recipients, state officials said, including the compromise of their names, dates of birth, addresses, Social Security numbers, Medicaid numbers, and clinical diagnoses and treatment information.

According to the agency notice, the department was notified that patient information was available via the Internet on April 21, 2015. Officials provided no additional details on the incident. As of publication time, they had not responded to Healthcare IT News' inquiries about what occurred and whether a third-party vendor was involved.

In the notice, there were no apologies issued from department officials over the incident, but they did indicate they had "strengthened" Web-app security and policies "in an effort to prevent such a breach from occurring again."

To date, nearly 135 million people have had their protected health information compromised in reportable HIPAA breaches, according to data from the Office for Civil Rights, the HHS division responsible for enforcing HIPAA. In this tally, only HIPAA breaches involving 500 or more individuals are counted.

In Texas, specifically, since the HIPAA breach notification rule went into effect in 2009, nearly 3.6 million people have had their protected health information compromised. One of the biggest HIPAA violators in the state has been the University of Texas MD Anderson Cancer Center, with officials reporting three HIPAA breaches since 2012, impacting nearly 35,000 individuals.

The HealthTexas Provider Network, which is affiliated with Baylor Scott & White Health, has also reported three HIPAA breaches since 2011, including a case of hacking, unauthorized access and theft of an unencrypted laptop.

Cameron's curator insight, July 2, 2015 5:59 PM

The article involves a situation where health information was leaked into the Internet due to security breaches in the system of a Texas cancer treatment facility. 

Medical information is something I believe a lot of healthy, less frequent doctor visitors, and everyone, forgets about, and it is one of the most identifiable things when it comes to finding out who someone is. The hack that happened in Texas caused Social Security numbers to be leaked as well as patient diagnoses and treatment information. Social Security information in the wrong hands can ultimately ruin lives. Once your identity in its most technical form, such as your Social Security Number, is stolen, there is not much you can do to get it back. In health communications class we have seen the dangerous amount of information that insurance and medical facilities have on people. The Internet just turns it into an even bigger sea to fish your personal data out of.

VA Healthcare Data Breach Exposes Info of 7,000 Veterans | HealthITSecurity.com

The VA experienced a healthcare data breach after a third-party vendor allegedly had an online security flaw.

The Department of Veterans Affairs (VA) experienced yet another healthcare data breach, as it announced last week that approximately 7,000 veterans’ information was potentially exposed after a contractor’s database flaw.

The VA was notified of the incident on Nov. 4, and said that it was due to a potential flaw in a vendor’s system, according to Federal News Radio. The VA told the news source that the vendor was supposed to provide home telehealth services to veterans. More than 790,000 veterans reportedly took advantage of this program in 2014.

“An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern,” the spokesman said. “The contracted vendor has assured VA that only vendor staff and VA staff had accessed this information. The security flaw in the vendor database was immediately corrected and VA continues to closely monitor the application.”

Information that was potentially exposed via the internet includes names, addresses, dates of birth, phone numbers and VA patient identification numbers. Veterans who were possibly affected have been notified by the VA and are being offered complimentary credit protection services.

The VA did not name the vendor that was involved. However, according to the third-party company, no data was actually exfiltrated through the security hole. Rather, the information was potentially seen after a database was inadvertently exposed online, according to the Federal Times.

This is just the latest in a long line of cybersecurity issues for the VA. In November, the agency failed its annual cybersecurity audit for the 16th straight time. Full results were not released, but VA Chief Information Officer Stephen Warren presented the audit results at a House Veterans Affairs Committee hearing. According to Warren, the results were disappointing, especially since “significant time and effort” were put into 2014.

Even so, auditors told VA leaders that noticeable progress had been made from the year before. In 2013, the IG found 6,000 specific cybersecurity vulnerabilities and made 35 separate recommendations to close weaknesses. This year, the IG said the list of vulnerabilities had been cut by 21 percent.

The cybersecurity report followed a US Government Accountability Office (GAO) investigation that also said the VA was lacking in terms of cybersecurity. While the VA took action to fix problems that led to a 2012 breach, the GAO stated that weaknesses identified on VA workstations had not been corrected in a timely manner. This could increase the risk that sensitive data, such as veterans’ personal information, can be compromised.

“Specifically, by not keeping sufficient records of its incident response activities, VA lacks assurance that incidents have been effectively addressed and may be less able to effectively respond to future incidents,” the GAO report stated. “In addition, without fully addressing an underlying vulnerability that allowed a serious intrusion to occur, increased risk exists that such an incident could recur.”

These security issues demonstrate why healthcare organizations must not only maintain their own cybersecurity measures, but also ensure that all third-party companies have current protections in place. Creating business associate agreements (BAAs) that account for cybersecurity issues is critical, and can help keep all parties accountable should a healthcare data breach occur. The contract will also clarify and limit how a business associate uses and discloses protected health information (PHI). Without a clear BAA, it can be more difficult to maintain patients’ privacy and mitigate a possible healthcare data breach.