HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Compliance and EHR Access


In light of the recent massive security breaches at UCLA Medical Center and Anthem Blue Cross, keeping your EHR secure has become all the more important. However, as organizations work to prevent data breaches, it can be difficult to find a balance between improving security and maintaining accessibility. To that end, HIPAA Chat host Steve Spearman addresses digital access controls, common authentication problems, and how authentication meets HIPAA compliance and helps ensure the integrity of your EHR, even after multiple revisions.


Q: What are access controls?


A: Access controls are mechanisms that appropriately limit access to resources. This includes both physical controls in a building, such as security guards, and digital controls in information systems, such as firewalls. Having and maintaining access controls is a critical and required aspect of HIPAA compliance, and it is the first technical HIPAA Security Standard.


Q: What’s the most common form of digital access control we see in healthcare?


A: The username and password is the most common form of access control by far. The Access Control Standard requires covered entities to give each user a distinct and unique user ID and password in order to access protected information. These unique credentials for each employee enable covered entities to confirm (“authenticate”) the identity of users and to track and audit information access.


Q: What are the most common problems with access controls and use of passwords in healthcare?


A: The most common problem is that covered entities often use multiple systems which each may require its own set of usernames and passwords along with varying requirements for these credentials, such as minimum character length or use of capital letters. Memorizing multiple sets of passwords and usernames for multiple systems is difficult for most people. In addition, there is a conundrum between password complexity and memorization. Complex passwords (longer with multiple required character types) are better for security but much harder to memorize. This is the conundrum.


Q: Are stricter password policies always more secure?


A: No. If password requirements are too strict, users then use coping mechanisms such as writing them down or re-using the same password over and over and across multiple systems. This compromises security rather than enhancing it. For example, a policy that required 14-digit passwords, required lower-case, upper-case, numbers and symbols, and expired every 30 days would create huge problems for most organizations. With these policies, staff would simply write down their passwords. But this compromises security. If a bad person gets hold of a written list of passwords they have the “keys to the kingdom”, the ability to access the accounts on that written list. So passwords should not be written down.

In addition, overly strict password policies tend to overwhelm technical support staff with password reset requests.

So passwords should be sufficiently complex to make them hard to crack which also makes them hard to memorize.


Q: This sounds like a big problem. Do you have any suggestions to make things better?


A: At a minimum, organizations need to provide training to staff on straightforward techniques to create memorable but complex passwords. I have an exquisitely terrible memory. But I have great passwords using one particular technique. Just google “create good memorable passwords” and you can find dozens of videos demonstrating how to do it. But, of course, our favorite is the video featuring our very own, Gypsy, the InfoSec Wonderdog.


Enterprises should seriously consider additional technical solutions such as two factor authentication with single sign on (2FA/SSO).


Q: What is a good, reasonable password policy?


A: I recommend a policy that:


  • Requires a minimum of 8 characters
  • Requires two or three of the four character types: lower-case, upper-case, numbers and symbols
  • Expires every 3 to 6 months
  • Limits use of historical passwords so that the previous two cannot be used.
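The policy recommended above, turned into a check a sign-up or password-change form could run (an added example, not the interview's or any vendor's code). The numbers are the ones stated in the answer: a minimum of 8 characters, at least two of the four character classes, and no reuse of the previous two passwords; the history is kept as salted PBKDF2 hashes, so the reuse check never needs plaintext, and the iteration count is a constructed choice for the example.

```python
import hashlib
import hmac
import os
import string

# Policy values from the recommended policy above.
MIN_LENGTH = 8
MIN_CLASSES = 2       # "two or three of" lower-case, upper-case, numbers, symbols
HISTORY_DEPTH = 2     # the previous two passwords may not be reused
PBKDF2_ROUNDS = 100_000  # constructed value for the example


def character_classes(password: str) -> set:
    """Return which of the four character classes the password uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for the reuse comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords set for one user."""

    def __init__(self):
        self._entries = []  # list of (salt, digest), newest last

    def contains(self, password: str) -> bool:
        """True if the candidate matches any password still inside the reuse window."""
        return any(
            hmac.compare_digest(hash_password(password, salt), digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        """Store the newly accepted password and drop entries older than the window."""
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(password, salt)))
        del self._entries[:-HISTORY_DEPTH]


def policy_violations(password: str, history: PasswordHistory) -> list:
    """List the policy rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if history.contains(password):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def change_password(password: str, history: PasswordHistory) -> list:
    """Apply the policy to a change request; on success record the password and return []."""
    problems = policy_violations(password, history)
    if not problems:
        history.record(password)
    return problems


if __name__ == "__main__":
    # Constructed walk-through: one user changing passwords over time.
    history = PasswordHistory()
    for candidate in ["abc", "abcdefghij", "Winter-2015", "Winter-2015", "Spring-2016"]:
        print(candidate, "->", change_password(candidate, history) or "accepted")
```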


Q: You mentioned authentication before. What is that? What is two-factor or multi-factor authentication?


A: Authentication is the process of confirming the identity of a person before granting access to a resource. Computer geeks refer to the three factors of authentication:


  • What a user has (an ID badge or phone).
  • What a user knows (a PIN number)
  • Who a user is (biometrics)


For example, ATMs use two-factor authentication:

  1. What the user has: an ATM card and
  2. What they know: a PIN.


One of my favorite tools for two factor authentication is Google Authenticator which runs as an app on my mobile phone. Another common form of two factor authentication is text codes. With this method, the website or app, after entering a correct username and password, sends a text with a numeric code that expires after a few minutes to your phone that is entered into another field in the website before access is granted.


Everyone should enable two factor authentication on their most essential systems such as to online banking and to email accounts such as gmail.


In healthcare, there is a growing trend toward biometric authentication, the use of fingerprint readers or palm readers, etc. to authenticate into systems. Biometric authentication is generally very secure and is also very easy to use since there is nothing to memorize.


Q: What is SSO?


A: Single sign-on (SSO) lets users access multiple applications through one authentication event. In other words, one password allows access to multiple systems. It enhances security because users only have to remember one password. And because it is just one, it is commonly a good complex password. Once entered, it will allow access to all the core systems (if enabled) without having to re-authenticate.


Single sign-on combined with two factor authentication or biometrics work great together in tandem and are often sold together by vendors. The leading SSO/2FA vendor in healthcare is Imprivata, but there are other vendors making great in-roads into healthcare such as Duo Security2FA.com and Secureauth.com.


Q: What do you mean by “integrity” and what does it have to do with access control and authentication?


A: Integrity, in the Security Standards, refers to the practices used to track and verify all changes made to a health record. It is a condition that allows us to prevent editing or deleting of records without proper authorization.


Authentication and access controls are the primary means we use to preserve integrity of a record. If the information system is programmed to track its users’ activity, then it’s possible to track who made changes to a record and how they changed it.


This is why users should never share usernames and passwords with other users. Integrity becomes impossible if a username does not signify the same user every time it appears.


Q: Any final thoughts?


A: Finding that balance between HIPAA compliance, security and accessibility can be tricky. We recommend reducing digital access controls to a single multi-factor authentication or biometrics event. This single, secure method of authentication could be the balance between security and efficiency needed to keep your EHR secure and yet accessible. In addition to improving accessibility to your system, an MFA or biometrics sign-in method could help improve your organization’s EHR integrity.


Hospital to pay $218,400 for HIPAA violations


St. Elizabeth's Medical Center must pay $218,400 for HIPAA violations through an agreement with the Department of Health and Human Services' Office for Civil Rights.


In 2012, the OCR received a complaint alleging that the Brighton, Massachusetts-based health center did not analyze the risks of an Internet-based document sharing app, which stored protected health information for almost 500 individuals, according to an announcement from OCR.


During its investigation, OCR found that the health center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome." In addition, St. Elizabeth's in 2014 submitted notification to OCR that a laptop and USB drive had been breached, putting unsecured protected health information for 595 consumers at risk.

OCR also is requiring that St. Elizabeth's adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," OCR Director Jocelyn Samuels said in an announcement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


A recent report from application security vendor Veracode found that the healthcare industry fares poorly compared to other industries in reducing application security risk.


Healthcare also is near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.


While Phase II of the federal HIPAA audit program remains "under development," Samuels reiterated in March that OCR is "committed to implementing a robust audit program," FierceHealthIT previously reported.


Hospital Slammed With $218,000 HIPAA Fine


Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with the HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.


Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.


The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacy for an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.


Complying with the HIPAA Nondisclosure Rule


Under the HIPAA Omnibus Rule, patients can request a restriction on a disclosure of PHI to a health plan if they pay out of pocket, in full for the service. Practices must agree to such a request unless they are required by law to bill that health plan (as is the case with some Medicaid plans).

During a session at the Medical Group Management Association 2014 Annual Conference, Loretta Duncan, senior medical practice consultant with malpractice insurer the State Volunteer Mutual Insurance Company in Brentwood, Tenn., shared some of her compliance tips:


• If the service the patient does not want disclosed is bundled with something else, explain that the patient may need to pay more out-of-pocket costs than expected.

• Make sure that communication is tight between all staff and departments regarding nondisclosure.

• Document your new nondisclosure policies and procedures.

• Be careful when e-prescribing, as pharmacies may bill to the insurance plan before the patient has a chance to let the pharmacy know that the information should not be disclosed.


What Happens in HIPAA Audits: Breaking Down HIPAA Rules


HIPAA audits are something that covered entities of all sizes must be prepared to potentially go through. As technology continues to evolve, facilities need to ensure that they are maintaining PHI security and understand how best to keep sensitive information secure.


The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) had originally scheduled its second round of HIPAA audits for the fall of 2014, yet as of this publication, round two is still waiting to be scheduled. Regardless, HIPAA audits are an essential aspect to the HIPAA Privacy and Security Rules.


We’ll break down the finer points of the audit process and why it is important, while also highlighting tips for facilities in case they are selected for an OCR HIPAA audit.


What are the HIPAA audits?


The OCR HIPAA audit program was designed to analyze the processes, controls, and policies that selected covered entities have in place in relation to the HITECH Act audit mandate, according to the HHS website.

OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

The HIPAA audits also are designed to cover HIPAA Privacy Rule requirements in seven areas:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures.


Why are the HIPAA audits important?


HIPAA audits are not just a way for OCR to ensure that covered entities are keeping themselves HIPAA compliant. Having periodic reviews of audit logs can help healthcare facilities not only detect unauthorized access to patient information, but also provide forensic evidence during security investigations. Auditing also helps organizations track PHI disclosures, learn about new threats and intrusion attempts, and even help to determine the organization’s overall effectiveness of policies and user education.


In FY 2014 alone, the OCR resolved more than 15,000 complaints of alleged HIPAA violations, according to the national FY 2016 budget request proposal report.


“OCR conducted a pilot program to ensure that its audit functions could be performed in the most efficient and effective way, and in FY 2015 will continue designing, testing, and implementing its audit function to measure compliance with privacy, security, and breach notification requirements,” the report authors explained. “Audits are a proactive approach to evaluating and ensuring HIPAA privacy and security compliance.”


The HIPAA audits are important because they help incentivize covered entities to remain HIPAA compliant, but they are also an opportunity to strengthen up organization’s security measures and find any weak spots in their approach to security.


What if I am selected for the HIPAA audit program?


As previously mentioned, there is not yet an exact date for when the next round of HIPAA audits will take place, but there have been several reports that preliminary surveys have been sent to covered entities that may be selected for audits.


According to a report in The National Law Review, OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards. Furthermore, OCR will audit 100 covered entities for compliance with the Privacy Standards and 100 covered entities for Breach Notification Standards compliance.


Whether your organization received one of those surveys or not, it is important to have at least a basic plan in place for potential audits. Healthcare organizations should not rely on a false sense of security; when their data systems and safeguards are reviewed, they should keep in mind what the OCR would be looking for, so that no areas are missed.


Current physical safeguards, administrative safeguards, and technical safeguards are not only required by the Security Rule, but they work together to protect health information. In addition to those areas, here are a few key things for covered entities to maintain, as they may play a role in the HIPAA audit process:


  • Perform comprehensive and periodic risk analyses.
  • Keep thorough inventories of business associates and their contracts or BAAs.
  • Maintain thorough accounts of where ePHI is stored; this includes, but is not necessarily limited to, internal databases, mobile devices and paper documents.
  • Keep thorough records of all security training that has taken place.
  • Keep documented evidence of the facility’s encryption capabilities.


If covered entities have performed a proper risk assessment, preparing for the HIPAA audits will not be as daunting. For further discussion on the legal implications of risk assessments and analyses.


Maintain compliance and stay prepared


Perhaps one of the best ways to prepare for a potential OCR HIPAA audit is to keep all three safeguards current, adjusting them as necessary as technology evolves.


It is also essential for covered entities to know their BAs, and have all appropriate contracts and business associate agreements in place and up to date.


Conducting periodic risk analysis will also be beneficial, and covered entities should be sure to be able to provide evidence of compliance. This can include documentation of policies and procedures being in place. For example, instances where a facility has sanctioned people and whether it was consistent with its sanctions policy will be beneficial if an audit takes place that looks at the sanction process.


Without a risk analysis, it is much more difficult for healthcare organizations to know where they are in terms of security. This can be detrimental not only for HIPAA audits, but also in maintaining comprehensive data security. Periodic reviews will help facilities continue to work toward maintaining HIPAA compliance and keeping sensitive data as secure as possible.


Two Sentenced in HIPAA Criminal Case


Two individuals - a former hospital worker and a convicted drug trafficker - have been sentenced to serve time in federal prison for HIPAA privacy violations.


But the May 18 sentencing for HIPAA violations of drug "kingpin" Stuart Seugasala is the least of his problems. He'll be serving his 10-year HIPAA-related prison sentence concurrently with three life sentences for his January convictions on drug trafficking conspiracy and two kidnapping charges. In addition to that, he'll serve a consecutive seven-year sentence on firearm violations.


In a statement, the U.S. Department of Justice notes that because there is no parole in the federal penal system, Seugasala will spend the rest of his life in custody.


Meanwhile, as part of the same criminal case, Stacy Laulu, a former financial worker at Providence Alaska Medical Center in Anchorage, was sentenced on May 29 to two years in federal prison for each of her two counts of unauthorized disclosure of health information, for which she was convicted in January. She will serve the two year sentences concurrently. Federal prosecutors say Seugasala in March 2013 contacted Laulu, a friend, to find out if two victims of his crimes, who were both admitted to Providence Alaska Medical Center due to injuries inflicted by Seugasala and two other accomplices, had reported him to police.


"Laulu accessed the private electronic medical files of the victims and reported back to Seugasala," according to the Justice Department statement. Laulu went to trial with Seugasala in January and was convicted of violating the privacy rights of the victims.


Unlike Laulu, Seugasala received the maximum 10-year sentence on his HIPAA conviction. The HIPAA case is the first in the history of Alaska "and one of few such cases prosecuted in the country," federal prosecutors note. Judge Ralph Beistline, who presided over the Seugasala and Laulu cases, said that in committing these HIPAA violations, Seugasala "disrespected the victims again."


While imposing the life sentences on Seugasala, Beistline told him, "You enjoyed being a drug kingpin, you seemed to enjoy the misery that you created, and you enjoyed your criminal posse," according to the Justice Department statement.


Three other individuals involved with the criminal case were also convicted and sentenced on a variety of charges that included drug conspiracy, drug trafficking and kidnapping - but not HIPAA violations.

Relatively Rare Cases

While HIPAA criminal convictions are themselves unusual, it's even rarer in cases involving individuals who are not employed by a covered entity or business associate, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. In those rare cases, the individuals have usually been convicted of HIPAA violations related to other crimes, he notes.


"Before the HITECH Act in 2009, the criminal conviction could be based on an aiding and abetting or conspiracy charge, where the non-employee causes the HIPAA covered entity to violate HIPAA. We have seen this in identity theft cases," he says. "The HITECH Act amended the criminal provision to more explicitly permit prosecutors to go after anyone who improperly obtains or discloses health information, even if not part of a covered entity."


Criminal prosecutions tied to HIPAA violations often are tied to cases "involving criminal conduct, such as identity theft, other fraud, or in this case drug trafficking crimes," Greene notes. "So far, prosecutors have seemed to be more interested in using HIPAA as a secondary charge in other criminal matters rather than seeking to prosecute matters that only involve inappropriate access or use of health information."

Other Cases

There have been only a handful of other federal criminal HIPAA cases elsewhere in the U.S. The 10-year sentence for Seugasala's HIPAA crimes is apparently the most substantial so far.

Among other recent cases was the sentencing in February of Texas hospital worker Joshua Hippler to 18 months in federal prison for criminal HIPAA violations.


Hippler, 30, formerly of Longview, Texas, was sentenced after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information, according to federal prosecutors.

Prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital. During this time, he obtained protected health information with the intent to use it for personal gain, they say.


In another HIPAA prosecution, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced in October 2013 to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.


And in April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud as well as criminal HIPAA violations.

Aside from those cases, most other defendants sentenced for criminal HIPAA violations have generally received much lighter sentences.

For example, last November, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.


And in 2010, former UCLA Healthcare System surgeon Huping Zhou was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California.


Your Cyber-Risk Policy: What it Covers and What it Doesn't


In healthcare, we deal with highly sensitive and very private electronic information, so of course our ears perk up every time we see headlines about the latest cyber threat or breach. The natural question is whether this could happen to us. This is constructive if it leads to cyber risk-prevention. But all too often, folks are responding with, "it could not happen to me," or "my insurance policy covers this so I'm prepared." These folks are ignoring the growing cyber threat around all of us. They are whistling past the "cyber" graveyard.

We live in a digital age where almost everything is accessible — even more now with the evolution of EHRs — so we have to run our businesses as though we are all at risk. To be prepared, we must first understand the common sources of cyber risk. Second, we must understand the basics of cyber insurance policies we may or may not have in place.


There are several ways breaches at small healthcare organizations may occur:


1. Disgruntled employees are one of the leading reasons for cyber attacks. They know your systems — likely better than you do — so keep a close watch on them and what type of data they have access to. Really pay close attention to new staff and those that may be on their way out. Also make sure they know they are monitored.

2. Cyber criminals are looking for remote Internet access services with weak passwords. Require and enforce more complex passwords and require employees to change their passwords regularly.


A smart form of cyber protection is a cyber-risk insurance policy. These provide bundled services designed to help you quickly respond to a data breach. However, there are many cyber insurance product options to consider. These range from standalone policies with high limits and comprehensive services to policy add-on coverages typically offering less coverage.


Rather than stumbling through a maze of complicated cyber-related insurance rhetoric, do yourself a favor and review your options with an experienced broker:


• Carefully scrutinize "free" cyber coverage or riders added onto your base coverage. While not totally worthless, the majority come nowhere near covering the exposure of a potential cyber breach (which explains why they are typically thrown in at no additional cost). In reviewing your insurance coverages with your broker, it's easy to brush by this one and mentally check off the fact that you have cyber coverage. Drill into the details of what's covered, as outlined below.

• Find out how much you are covered for and what out-of-pocket expenses you could expect. A data breach at a small physician practice could run into the hundreds of thousands of dollars or even higher. This type of uncovered damage could put a small practice out of business. Some expenses physicians can expect to incur when a breach occurs include legal fees, IT forensic costs, notification costs, credit monitoring costs, and public relations and advertising expenses to reclaim patient goodwill as well as making the public aware of the steps taken to address the breach.


Cyber risk is not just a technology issue. It affects all elements of the healthcare business and needs to be well-planned and mitigated through ongoing education and risk-management programs.


Kareo Announces Apple Watch App To Improve Medical Practice Efficiency


Kareo, the leading provider of cloud-based medical office software for independent medical practices, today announced the launch of its Apple Watch App. Kareo’s most recent innovation extends the functionality of the company’s EHR to Apple Watch, streamlining care delivery and enhancing the patient experience by improving communications, reducing patient wait times, and increasing practice efficiency.


Kareo is launching this new Apple Watch App in response to the growing demands on physicians to increase their focus on all aspects of patient engagement. “Physicians are on their feet attending to the needs of patients for the majority of the day, leaving little time to check their schedules and prepare for the next appointment,” said Dr. Tom Giannulli, CMIO of Kareo. “Recognizing this demanding care delivery environment, Kareo’s Apple Watch App will help doctors better manage their schedule while enabling enhanced communication throughout the day, improving their ability to deliver a great patient experience.”

Kareo’s Apple Watch App provides the most relevant, practice-oriented information necessary to improve care and increase practice efficiency. Key functionalities of the App include:


  • Secure messaging that allows the user to send, reply, and read messages via dictation. Messages can be sent to staff or patients using Kareo’s secure messaging system, improving overall patient engagement and practice communication.
  • An agenda that allows the provider to quickly reference their schedule and see the status of appointments checked-in, no show, late, checked out, etc., helping reduce wait times and improve practice efficiency.
  • Appointment reminders that can be sent five minutes before the next scheduled appointment. The notification subtly vibrates the watch, indicating that the doctor has an impending appointment.
  • Appointment information that is accessible within a notification or through the agenda, allowing the provider to review details such as the patient’s name, time of appointment, visit type, and reason for the visit.
  • “I’m Running Late” pre-set messages that allow the doctor to inform other staff members when they are running behind and how much longer they expect to be. This improves practice communication and enables the front desk to give patients a more accurate wait time estimate.
  • Apple “Glances” that provide a quick overview of key practice metrics, including how many patients are scheduled throughout the day, how many patients are waiting to be seen, and which patients are currently waiting in an exam room.


All features of Kareo’s Apple Watch App are HIPAA compliant and secure, ensuring all data are private, yet easily accessible.

“Independent physicians need new tools to grow strong, patient-centered practices, and Kareo’s Apple Watch App is another example of Kareo’s focus on helping physicians leverage innovative technology to drive their success,” said Dan Rodrigues, founder and CEO of Kareo. “With key practice and patient information accessible on their wrists, physicians are able to discreetly and efficiently provide updates to staff while staying focused on what matters most – the patient.”



Criminal Attacks on Health Data Rising


Criminal attacks in the healthcare sector - including those involving hackers and malicious insiders - have more than doubled in the last five years, according to a new study.


The "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data" by the research firm Ponemon Institute concludes that criminal attacks in healthcare are up 125 percent since 2010. Cybercriminal incidents involving external and internal actors were the leading cause of data breaches over the past two years, the study shows. In previous studies, lost or stolen computing devices had consistently been the top breach culprit.


"The root cause for health data breaches had been mistakes and incompetency, but now criminal attacks are number one," Larry Ponemon, founder and chairman of the Ponemon Institute, tells Information Security Media Group. "Year to year, it's getting worse. We've seen it in large-scale incidents like Anthem," which in February revealed a hacker attack that compromised protected health information of 78.8 million individuals, he notes.


"A lot of organizations are easy targets," he says. "The combination of highly valuable information and easy access makes the sector a huge target."


Ponemon's research, conducted in February and March, generated responses from 90 healthcare organizations and, for the first time this year, 88 business associates. Under the HIPAA Omnibus Rule that went into effect in 2013, business associates and their subcontractors are directly liable for HIPAA compliance.

Hacking Trends

In recent months, the Department of Health and Human Services' "wall of shame" website tracking health data breaches affecting 500 or more individuals has shown a growing number of hacking incidents of various sizes - far more than in previous years. And the Anthem breach alone represents nearly 60 percent of the 133.2 million breach victims listed on the tally since September 2009, when the HIPAA breach notification rule went into effect.


Among the latest hacking breaches added to the wall of shame was an incident reported to HHS on May 1 by Partners HealthCare System, which operates several large hospitals in Boston.


"Unfortunately, the rise in both hacker attacks and criminal activities involving malicious insiders comes as no surprise," says Dan Berger, CEO of the consultancy Redspin, which was recently acquired by Auxilio. "A few years ago, I remember many people being surprised at how few hacker attacks there were in healthcare. We warned our clients of the 'risk of complacency' in this regard."


With more electronic health records than ever before, there's a growing awareness of their "exploitation value," Berger says. "At the same time, healthcare spending on IT security continues to lag almost all other industries. So with a greater amount of valuable data behind lower than average defenses, it should not be a surprise that PHI has become a favorite target of hackers. It is basic economics."


Hackers are the No. 1 "emerging" cyberthreat that healthcare entities are worried about this year, according to the 2015 Healthcare Information Security Today survey of 200 security and privacy leaders at healthcare organizations, which was conducted in December 2014 and January 2015 by ISMG. Coming in at a close second as the biggest "emerging threat" is business associates taking inadequate security precautions with PHI; that's also the top threat respondents are worried about "today." Complete results of that survey, and a webinar analyzing the results, will be available soon.


The Ponemon study found that nearly 45 percent of data breaches in healthcare are a result of criminal activity. However, the researchers found that criminal-based security incidents, such as malware or distributed denial-of-service attacks, don't necessarily result in breaches reportable under HIPAA. In fact, 78 percent of healthcare organizations and 82 percent of business associates had Web-borne malware attacks.

Breach Costs

Based on its study, the Ponemon Institute estimates that the average cost of a data breach for healthcare organizations is more than $2.1 million, while the average cost of a data breach to business associates is more than $1 million.


Rick Kam, U.S. president and co-founder of security software vendor ID Experts, which sponsored the Ponemon study, tells ISMG that stolen healthcare information is currently valued at about $60 to $70 per record by ID theft criminals, while the current value of credit card information is about 50 cents to $1 per record.


"We see recognition of medical ID theft being a problem, but we don't see many healthcare providers stepping up" in addressing the issue, he says. The Ponemon study found that nearly two-thirds of healthcare organizations and business associates do not offer any medical identity theft protection services for patients whose information has been breached.


The Ponemon study found that the information most often stolen in these targeted healthcare sector attacks includes medical files and billing and insurance records.


Privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, offers a dire prediction: "I believe we will continue to see the number of reported breaches rise, despite stronger efforts to protect data. Personally identifiable health data continues to have high street value, leading to more attacks."


Scopidea's curator insight, June 22, 2015 3:03 AM

Many great points in this well written article.


Misplaced USB drive leads to county health department breach


The Denton County (Texas) Health Department began notifying tuberculosis (TB) clinic patients of a breach that occurred in February when a health department employee left a USB drive containing PHI at a printing store, according to a press release.


The USB drive contained the names, dates of birth, addresses, and test results of 874 patients seen at a TB clinic associated with the county health department. The employee left the USB drive unattended at the printing store for approximately one hour, according to the press release.


The department launched an internal investigation after the employee voluntarily reported the potential breach. The press release states that the department does not believe the records were accessed during the time the USB drive was left unattended. However, it is notifying affected patients by mail and recommending that they obtain a credit report and monitor financial statements.



TigerText bringing HIPAA compliant messaging to Apple Watch


TigerText announced this week that it's bringing its HIPAA compliant messaging platform to the Apple Watch.


TigerText is a secure enterprise text messaging platform that meets HIPAA requirements for electronic communication. In his review of TigerText, Dr. Eli Sprecher described how the app is used at Boston Children’s Hospital. The app can be used to communicate protected patient health information, send media such as pictures and video, or send group texts. And everyone on the care team can use it – physicians, nurses, social workers, case managers, patient advocates, and so on.


According to TigerText, the Apple Watch app will give users the ability to read as well as dictate messages. Specifically, the app will include:

  • Speech-to-text: As an alternative to typing out a message, users can speak into the watch, and the TigerText app will transcribe their speech to text, helping them save time when corresponding with others.
  • Receive notifications & alerts: Automated alerts and notifications from the TigerText app can be directly received on the Apple Watch.
  • View photos: Users can quickly view photos sent via TigerText on the Apple Watch.


With the increasingly multidisciplinary nature of the care team, improved communication is critical to effective care. That’s why HIPAA-compliant messaging was included in our wishlist of apps for the Apple Watch. Doximity recently announced that they would be launching an Apple Watch app that enables secure communication among physicians as well as delivering notifications when you get a fax on your secure Doximity e-fax line.


TigerText is already a popular tool at many healthcare institutions. And the fact that it is open to any team member, not just physicians, makes it a better fit for communication within a care team at a hospital or clinic.

Given the cost of the Apple Watch, it seems unlikely that we’ll see an enterprise level deployment within healthcare in the near future, though I wouldn’t be surprised if we see a few pilots pop up here and there. As recognized by TigerText, it’s far more likely to start out much the same way as the iPhone and iPad did – in a “bring your own device” model. And with physicians’ enthusiastic uptake of iOS devices, we’ll probably see a fair number of Apple Watches in the clinic and on the wards.



BYOD and cloud are top data breaches and malware risks, survey shows


With the influx of personal devices in the workplace and the unprecedented risk of data breach and malware, tightening IT security at a company can seem like a daunting task. Just how difficult of a task is it? What are the biggest security risks and what are the top minds in IT considering to combat them?



Security risks and data breaches are growing while the form factors of computing devices shrink—because

Wisegate, a crowdsourced IT research company, surveyed hundreds of its senior IT professional members to find out. Earlier this year, we shared with CSO readers that a lack of security metrics and reporting was undermining IT security programs. Now, we’ll take a look at what those top security risks are.


Data breaches and malware are at the top

In an unsurprising response to a poll that asked IT professionals to name their top three security risks, 32 percent of respondents named data breaches and malware as their top threats and risks. Over half—51 percent—of respondents included not only data breaches and malware, but also insider and outsider threat, BYOD management and security, and advanced persistent threats as their companies’ top risks.

While data breaches and malware are not new risks to the industry, we wanted to get to the bottom of what technology and business trends are causing this concern over malware and information leaks.


Trends impacting security programs: BYOD and cloud

When asked to identify the trends that most impact their security programs, IT professionals revealed that the malware threat and its associated data breach risk is likely to get worse over the coming years specifically because of these trends:

  • The continuing evolution of BYOD practices 

  • Increasing adoption of cloud technology, both public and private 



Required BYOD


What we’ll see is a world where employers will actually require people to bring and use their own devices. Most companies already provide staff with equipment, and many currently tolerate BYOD. The trend will continue until eventually companies will choose to make the personal devices employees already use official.


But this leads to a tension between company and personal information held on the same device. The company will need to protect its own data, but the personal data will be in conflict with any device monitoring that the company does. In short, there is potential for a ‘Big Brother’ inspired kickback from the employee. However, the savvy security team will earn the user’s trust by demonstrating that the company can only monitor the corporate data, and not only doesn’t, but cannot monitor anything else.


Shying away from BYOD and using the cloud to defend against malware-inspired sensitive breaches is a strong argument. It is harder to infect the cloud than it is to infect an individual endpoint. But there is also a scale issue. If an attacker manages to infect the cloud, he could potentially get to impact many more customers and much larger datasets. The weakness in cloud security is less the cloud itself and more how the cloud is used. This is an aspect of something that is one of the biggest challenges to IT security: the difference between something working correctly and something working correctly and securely. This affects everything from malware prevention to proprietary apps, open source software, and websites.


The future of IT security is data security—not device security

When asked what infrastructure security controls would be prioritized over the next few years, nearly a third of respondents—32 percent—named information protection and control as their top priority. Web application firewall wasn’t far behind, with 26 percent naming this as a top priority.




This suggests a shift in emphasis from protecting devices to placing a greater emphasis on protecting applications and the data itself. Firewalls are now application firewalls rather than trusted network firewalls. If IT security professionals’ top security controls are designed to protect the data itself, even if there is a breach of sensitive information, that information will remain hidden from any attacker.


What next?


Faced with the impossibility of defending against malware attacks in the new cloud/BYOD paradigm, security teams are engaged in a massive shift from protecting devices to protecting data. Stay tuned for our breakdown of this new paradigm, data-centric security, in a future CSO article. We’ll take a deeper dive into the idea that if data itself is safe, it doesn’t matter if there is a breach.



Using E-mail at Your Medical Practice: 5 Security Tips


Methods for transferring protected health information (PHI) have been broken for a long time. Even with the advent of EHRs, data exchange methods haven't kept pace with industry expectations for privacy and convenience.

It's time to retire the usual stable of secure alternatives to e-mail, like patient portals, faxes, or snail mail. They're far too burdensome for both practitioner and patient. Like it or not, e-mail is synonymous with accessibility. To deliver the best care possible, it's essential to meet patients on their terms. It's harder than ever to ignore e-mail, just as it's becoming more difficult to embrace it in good conscience.


Most e-mail security solutions focus on simple text, but the real risk comes with files and attachments. That's because sensitive data typically resides in files. Files, in turn, often get duplicated and cached on devices, making them hard to easily track or protect. So when we talk about the risks facing medical practices when it comes to communicating, it's about files—not simple text messages. The question, of course, is where all that leaves most practices.

The key lies with file encryption. Encryption essentially scrambles messages so that they're only legible by intended users. That's why encryption is so often the means through which healthcare providers guarantee HIPAA compliance. Although most secure e-mail tools focus on the body text of an e-mail, that part might not even be necessary to encrypt. After all, the real threat lies in what comes appended to the e-mail. Whether they're voice recordings, digital X-rays, intake forms, or medical bills, it's essential to encrypt the files themselves.


Seeking Solutions


Finding the right solution, though, is another story. E-mail encryption services exist for handling simple text correspondence with patients by scrambling the messages and sending them through a secure connection. But even these have risks. Many HIPAA-compliant e-mail providers are simply adding yet another system to your already disconnected work flows, rather than integrating seamlessly or solving some of the other problems you have, like storing files and auditing access. What's more, they aren't foolproof.


Here are five tips to help practices communicate with patients and other providers and business associates while maintaining airtight security.


1. Look for file encryption. File-level encryption ensures that protections follow the file no matter where it ends up. With built-in authentication controls, file-level encryption also eliminates the threats associated with mistakenly entering the wrong e-mail address.


2. Don't forget about secure file storage. Many encrypted e-mail services that purport to comply with HIPAA destroy messages after a set period of time. The issue, of course, is that practices need to keep detailed records — and the best place for that, in my humble opinion, is the cloud. Which brings us to …


3. The best solutions will integrate seamlessly with other work flows. The cost of inconvenience is too high, because inconvenience often leads users to seek out workarounds that aren't compliant, including popular cloud services like Dropbox. So the expensive EHR system you've built or bought is nothing more than a loophole to circumvent. In some ways, the cloud presents the ideal all-in-one solution, eliminating the need for e-mail attachments by allowing you to store and share links or folders themselves. In those deployments, it's essential to ensure that your Dropbox files are encrypted and HIPAA-compliant. If you have file encryption, you can use e-mail and Dropbox the same way you would in your personal life — just more securely.


4. Many easy-to-use secure providers don't include a safety net for mistakes. We're all familiar with the horror stories and HIPAA fines that have been levied against practices that mistakenly e-mailed lab results to the wrong patient or faxed a form to the wrong number. That's why the best HIPAA-compliant sharing tools will help prevent or create solutions for mistakes by showing just what was attached and offering the ability to revoke access to the wrong recipient. If a file itself is encrypted, access and modification can be audited even if it was mistakenly downloaded.


5. You don't need to encrypt everything. It isn't necessary — and maybe even inappropriate — to treat all information equally. Flexible solutions that allow you to set permissions according to their sensitivity are ideal.


There's no shortage of options for communicating, but many secure e-mail technologies can leave much to be desired. The key in striking a balance between convenience and compliance lies in finding a solution that does the hard work of communicating securely for you. The onus should be on the technology — not the patient or your employees — to strike that balance.



Cybersecurity: Things Are Getting Worse, But Need to Get Better


In his opening keynote address at the CHIME Lead Forum at iHT2-Denver, sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and by the Institute for Health Technology Transformation (iHT2—a sister organization of Healthcare Informatics through our parent company, the Vendome Group LLC), being held at the Sheraton Downtown Denver, Mac McMillan laid out in the clearest possible terms for his audience of IT executives the growing cybersecurity dangers threatening patient care organizations these days.


Under the heading, “What Is Cyber Security and Why Is It Crucial to Your Organization?” McMillan, the CEO of the Austin, Tex.-based CynergisTek consulting firm, used his opening keynote address to challenge his audience to think strategically and proactively about the growing cyber-threats hitting patient care organizations across the U.S.

McMillan elaborated on what he sees as 11 key areas of concern going forward right now for healthcare IT leaders: “increased reliance”; “insider abuse”; “questionable supply chains”; “device-facilitated threats”; “malware”; “mobility”; “identity theft and fraud”; “theft and losses”; “hacking and cyber-criminality”; “challenges emerging out of intensified compliance demands”; and a shortage of chief information security officers, or CISOs.


In fact, McMillan said, cybersecurity threats are accelerating and intensifying, and are coming through such a broad range of threat vehicles (hacking by criminal organizations and foreign governments, penetration of information networks through deliberate infiltration via medical devices, and a crazed proliferation of all types of malware across the cyber universe) that the leaders of patient care organizations must take action, and take it now, he urged.


As for “increased reliance,” the reality, McMillan noted, is that “We live in a world today that is hyper-connected. When I left the government and came back into healthcare in 2000,” he noted, “probably the total number of people who looked at any patient record, was about 50, and all were hospital employees. Today, that average is more like 150, and half of those individuals are not hospital employees. And our systems are interconnected. Digitizing the patient record, under meaningful use, coincided with the rise in breaches. Not that any of that is bad,” he emphasized. “But it did become easier for bad people to do bad things; it also increased the number of mistakes that could be made. If I wanted to carry out paper medical records” in the paper-based world, he noted, “I was limited to the number I could put into a basket. Now, I can download thousands at a time onto a flash drive.”


With regard to “insider abuse,” McMillan made a big pitch for the use of behavior pattern recognition strategies and tools. “We have to actively monitor what’s going on,” he urged. “It doesn’t mean running random audits. You have to actively monitor activity, and you can’t do that manually, and we have to recognize that. Also, a lot of activity, particularly identity theft, is not captured by monitoring compliance rules, but rather, by capturing activity patterns. The fact that someone looks at information four times the frequency that their neighbor does—the fact that an individual is looking at four times as many records, is absolutely a flag. They’re either working four times as hard/fast, or are snooping, or are engaged in nefarious activities. But fewer than 10 percent of hospitals are actively monitoring behavior patterns.”
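A minimal version of the peer-baseline check McMillan describes, added here as an illustration (not code from the article or from CynergisTek): rather than testing each access against a compliance rule, it counts the distinct patient records each user opened and flags anyone at or above four times the median of their same-role peers. The audit-log format, user names and roles are constructed for the example.

```python
"""Peer-baseline access monitoring for EHR audit logs.

Added illustration of the behaviour-pattern check described in the
article (not code from the article or from CynergisTek). The log format,
user names and roles below are constructed for this example.
"""
from collections import defaultdict
from statistics import median

# Constructed audit lines: <timestamp> <user> <role> <patient record id>.
# jdoe opens P1001 twice; only distinct records are counted.
SAMPLE_LOG = """\
2015-06-01T08:02:11 jdoe nurse P1001
2015-06-01T08:05:40 jdoe nurse P1002
2015-06-01T08:09:03 jdoe nurse P1003
2015-06-01T08:11:27 jdoe nurse P1001
2015-06-01T08:03:55 asmith nurse P1004
2015-06-01T08:07:12 asmith nurse P1005
2015-06-01T08:10:48 asmith nurse P1006
2015-06-01T08:14:01 asmith nurse P1007
2015-06-01T08:04:30 bkim nurse P1008
2015-06-01T08:08:16 bkim nurse P1009
2015-06-01T08:12:52 bkim nurse P1010
2015-06-01T08:06:00 dpatel physician P1002
2015-06-01T08:13:19 dpatel physician P1005
2015-06-01T08:20:44 dpatel physician P1009
2015-06-01T08:06:35 mchen physician P1003
2015-06-01T08:15:08 mchen physician P1006
2015-06-01T08:22:50 mchen physician P1010
2015-06-01T08:30:00 opsadmin admin P1001
"""
# rlee, also a nurse, walks through 14 different records in quick succession
# (constructed): the "four times as many records as a neighbor" pattern.
SAMPLE_LOG += "".join(
    f"2015-06-01T09:{i:02d}:00 rlee nurse P20{i:02d}\n" for i in range(14)
)


def parse_log(text):
    """Parse whitespace-separated audit lines into (ts, user, role, patient) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient = line.split()
        events.append((ts, user, role, patient))
    return events


def records_per_user(events):
    """Map user -> (role, number of distinct patient records opened)."""
    seen = defaultdict(set)
    roles = {}
    for _ts, user, role, patient in events:
        seen[user].add(patient)
        roles[user] = role
    return {user: (roles[user], len(patients)) for user, patients in seen.items()}


def flag_outliers(counts, ratio=4.0):
    """Return user -> (count, peer_median) for users at or above ratio x the
    median of the *other* users in the same role. Excluding the user from
    their own baseline keeps a heavy snooper from masking themselves; a user
    with no same-role peers has no baseline and is skipped, not flagged."""
    flagged = {}
    for user, (role, n) in counts.items():
        peers = [c for u, (r, c) in counts.items() if r == role and u != user]
        if not peers:
            continue
        baseline = median(peers)
        if baseline > 0 and n >= ratio * baseline:
            flagged[user] = (n, baseline)
    return flagged


if __name__ == "__main__":
    counts = records_per_user(parse_log(SAMPLE_LOG))
    for user, (n, base) in flag_outliers(counts).items():
        # A flag is a prompt for review, not proof of snooping: the user may
        # simply have a heavier workload, as the article itself notes.
        print(f"{user}: {n} distinct records vs peer median {base}")
```

In production the counts would be bucketed per shift or per day and compared against each user's own history as well as their peers; this block shows only the peer comparison.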


McMillan was totally blunt when it came to discussing “questionable supply chains.” “I’ll just come out and say it: vendors are a threat,” he told his audience. “We’ve had cases where vendors have been hacked or have had incidents, and the vendor didn’t have a good procedure for restoration or what have you. We need to do a better job of vetting our vendors, of holding them to a higher standard for performance. And this industry needs to create a better baseline—basic requirements—if you connect my network, this is how you have to connect, this is the basic level of encryption required, that kind of thing. This is about creating and adhering to minimal requirements, not creating a new framework,” he said. “We’ve already got a million frameworks out there.”


What about medical devices? The threats there are absolutely exploding, McMillan said. He noted that successful hacks have now been documented via such devices as insulin pumps and blood pumps, all of which are relatively recent, as most medical devices weren’t networkable until at least 2006.


Meanwhile, the malware explosion dwarfs just about all other issues, at least in terms of volume. At the beginning of last year, McMillan reported, there were 100 million instances of malware floating around; by the end of the year, there were 370 million. Importantly, he noted, “Malware is no longer produced by smart people in dark rooms writing code. It’s now being produced by bots morphing old malware. And this is putting more pressure on people in terms of the integrity of the environment.” He warned his audience that “The anti-virus products we have today are antiquated products. Less than half of the malware out there is recognized by anti-virus anymore; if you’re relying on antivirus, you’ve already lost the battle. In the next decade,” he predicted, “we’ll move from a speed of computing of 10 to the 8th power, to one of 10 to the 26th power—that’s how fast we’ll be computing. That’s phenomenal. So decisions will be made by computers so fast that any technology relying on signatures to be looked up, will be blown by. It will never keep up. So our security vendors have got to get ahead of this curve, have got to recognize that this whole paradigm we’re dealing with is changing, and we’ve got to change the way we act around this.”


With regard to the rest of the 11 key areas he cited, McMillan made a number of important comments. Among them, with regard to mobility and data, he said, “We’ve got to quit chasing the device. I’ve said this for the better part of five years now. If we chase the device, we’ll never catch up. We’ve got to focus on how the devices connect to the environment and how we register and protect those devices.” Meanwhile, he emphasized that while hacking and cyber-criminality represented only 10 percent of data breaches only two years ago, breaches created by hacking and cyber-criminality are now surging.


A lot of these challenges really require a level of IT security management and governance that remains lacking in U.S. healthcare, McMillan said. “I absolutely believe that we need more CISOs in healthcare. I think we need to improve the education of our CISOs and need to help professionalize them. We need to find ways for CIOs to collaborate. That’s the way we help everyone benefit and get ahead.”


Hospital with repeat security failures hit with $218K HIPAA fine


Does your hospital permit employees to use a file-sharing app to store patients' protected health information? Better think again. A Massachusetts hospital is paying up and reevaluating its privacy and security policies after a file-sharing complaint and following a HIPAA breach. 


St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations. The settlement resulted from a 2012 complaint filed by hospital employees, stating that the medical center was using a Web-based document-sharing application to store data containing protected health information. Because the medical center had not adequately analyzed the security risks of this application, it put the PHI of nearly 500 patients at risk.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


It wasn't just the complaint that got St. Elizabeth's in hot water, however. A HIPAA breach reported by the medical center in 2014 also called attention to the lack of adequate security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. The breach ultimately impacted 595 patients, according to a July 10 OCR bulletin.


As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of its employees' awareness and compliance with hospital privacy and security policies. Part of this assessment will involve "unannounced visits" to various hospital departments to assess policy implementations. Officials will also interview a total of 15 "randomly selected" employees with access to PHI. Additionally, at least three portable devices across each department with access to PHI will be inspected.


Then there's the policies and training piece of the settlement. Based on the assessment, St. Elizabeth's will submit revised policies and training to HHS for approval.


In addition to the filed complaint and the 2014 breach, the medical center also reported an earlier HIPAA breach in 2012, when paper records containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found blowing in a field nearby.


To date, OCR has levied nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.


The largest settlement to date was the whopping $4.8 million fine paid by New York Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being posted on Internet search engines. 

Gerard Dab's curator insight, July 16, 2015 8:05 PM

Security! Security! Security!

#medicoolhc #medicoollifeprotector


Four Common HIPAA Misconceptions


While practices must work hard to comply with HIPAA, some are taking HIPAA compliance efforts a bit too far. That's according to risk management experts, who say there are some common compliance misconceptions that are costing practices unnecessary time and resources.

Here's what they say many practices are avoiding that they don't necessarily need to avoid, and some extra steps they say practices are taking that they don't necessarily need to take.


1. Avoiding leaving phone messages

While it's true that a phone message from your practice to a patient could be overheard by the wrong party, phone messages that contain protected health information (PHI) don't need to be strictly off limits at your practice, says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "Many offices adopt a blanket policy of, well, 'We can't leave you any phone messages because HIPAA says we can't,' and, that's really not true," he says. "You can always get consent from a patient on how they want to be communicated with."


Hook recommends asking all of your patients to sign a form indicating in what manner you are permitted to communicate with them, such as by mail, e-mail, text, and phone message. "If the patient says, 'Yes, you can call and leave me phone messages at this phone number I'm giving you,' then it's not a HIPAA violation to use that method of communication," he says.


2. Avoiding discussing PHI

It's important to safeguard PHI as much as possible, but some practices are taking unnecessary precautions, says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC.


"I think there's still a fear among small providers ... that they can't discuss protected health information anywhere in the [practice]," she says. "They feel that they have to almost build soundproof walls and put up bulletproof glass or soundproof glass to prevent any sort of disclosure of protected health information, and that's not what HIPAA requires at all. HIPAA allows for incidental disclosures, [which] are disclosures that happen [incidentally] around your job. So if you've got a nurse and a doctor talking, maybe at the nurses' station, and someone overhears that Mr. Smith has blood work today, that probably wouldn't be a violation because it's incidental to the job. Where else are the doctors and nurses going to talk?"


As long as you are applying "reasonable and appropriate" safeguards, Caswell says you should be in the clear.


3. Requiring unnecessary business associate agreements

HIPAA requires practices to have written agreements, often referred to as business associate agreements (BAAs), with other entities that receive or work with their PHI. Essentially, the agreements state that the business associates will appropriately safeguard the PHI they receive or create on behalf of the practice.


Still, some practices take unnecessary precautions when it comes to BAAs, says Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association. "A lot of practices are very concerned about people like janitorial services [and] plant maintenance folks, and they have them sign business associate agreements, but those folks are not business associates for the most part," says Tennant. "You may want to have them sign confidentiality agreements basically saying, 'If you do come across any information of a medical nature, protected health information, you are not permitted to look at it, copy it, keep it ...,' But, you do not need to sign a business associate agreement with anybody other than those folks that you actually give PHI to for a specific reason, like if you've got a law office or accounting office or a shredding company that is coming in to pick up PHI to destroy it."


4. Requiring unnecessary patient authorizations

While it's critical to comply with HIPAA's requirement that only those who have a valid reason to access a patient's medical record, such as treatment purposes, payment purposes, or healthcare operations, have access to it, some practices are misconstruing that rule, says Tennant. "They demand patient authorization before they transfer data to another provider for treatment purposes," he says. "I understand why they do it, but it's one of those things that … can cause delays and confusion, and even some acrimony between the patient and the provider. If it's for treatment purposes specifically, you do not need a patient authorization."


Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI

For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI

Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted; such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is if a potential breach occurs, like the theft of a laptop containing e-mails with PHI, that is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."
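The filter rules described above (encrypt when the body carries a Social Security number or a credit card number, when the subject contains a word like "sensitive" or "encrypt", or when the message has attachments) can be expressed as a small policy check. The following is an added example, not the code of any vendor product named on the page; the patterns, keyword list and `OutboundMail` structure are assumptions, and a card number only counts if it passes the Luhn checksum so that an arbitrary 16-digit identifier does not trigger encryption.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Hyphenated SSN (ddd-dd-dddd) excluding the ranges never issued. Deliberately narrow:
# an unhyphenated SSN is not matched, which limits false positives on other 9-digit IDs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; candidates only, Luhn decides.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Subject-line trigger words (assumed list, as the page suggests); matched case-insensitively.
SUBJECT_KEYWORDS = ("sensitive", "encrypt")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; True for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class OutboundMail:
    """Hypothetical representation of an outgoing message handed to the filter."""
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def encryption_reasons(mail: OutboundMail) -> List[str]:
    """Names of the rules that fire for this message; an empty list means no rule matched."""
    reasons = []
    text = mail.subject + "\n" + mail.body
    if SSN_RE.search(text):
        reasons.append("ssn")
    if find_card_numbers(text):
        reasons.append("credit_card")
    if any(kw in mail.subject.lower() for kw in SUBJECT_KEYWORDS):
        reasons.append("subject_keyword")
    if mail.attachments:
        reasons.append("attachment")
    return reasons


def must_encrypt(mail: OutboundMail) -> bool:
    """Policy decision: encrypt whenever at least one rule fires."""
    return bool(encryption_reasons(mail))


if __name__ == "__main__":
    # Constructed sample messages, not real correspondence.
    samples = [
        OutboundMail("Lab results", "Patient SSN 123-45-6789 on file"),
        OutboundMail("Billing", "Card 4111 1111 1111 1111 charged"),
        OutboundMail("Lunch", "Conf room code 1234 5678 9012 3456"),
        OutboundMail("SENSITIVE: schedule", "see below"),
        OutboundMail("Report", "attached", ["report.pdf"]),
    ]
    for s in samples:
        print(f"{s.subject!r}: encrypt={must_encrypt(s)} reasons={encryption_reasons(s)}")
```

The third sample shows the Luhn check at work: a 16-digit string that is not a valid card number is left unencrypted rather than producing a false positive.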


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS

If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP

If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:


• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMENDMENT REQUESTS

Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING

The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARGING FOR RECORD COPIES

With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS

If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:


• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.
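An added example of the third precaution (not code from any EHR product or from the people quoted): a small audit over constructed chart-access records that flags the three snooping patterns the text names. It assumes a CSV export of the access log, a staff directory that records which patient record (if any) belongs to a staff member, and a set of treatment, payment or operations relationships derived from something like scheduling or billing queues; all of these are constructed for the example.

```python
import csv
from collections import Counter, namedtuple
from io import StringIO

# Constructed sample audit log (not from any real EHR): one row per chart open.
AUDIT_LOG = """\
timestamp,user_id,patient_id,action
2015-06-01T09:02:11,nurse.jlee,P1001,view
2015-06-01T09:15:40,nurse.jlee,P2044,view
2015-06-01T11:48:03,clerk.msmith,P3090,view
2015-06-01T12:30:27,clerk.msmith,P3099,view
2015-06-01T13:05:55,dr.rpatel,P1001,view
2015-06-01T14:20:18,clerk.msmith,P3077,view
2015-06-01T17:41:09,nurse.jlee,P4120,view
"""

# Constructed staff directory: the patient record that belongs to the staff member
# (if they are also a patient) and their last name, used to spot family-member lookups.
STAFF = {
    "nurse.jlee": {"own_patient_id": "P2044", "last_name": "Lee"},
    "clerk.msmith": {"own_patient_id": None, "last_name": "Smith"},
    "dr.rpatel": {"own_patient_id": None, "last_name": "Patel"},
}

# Constructed patient index: patient_id -> last name.
PATIENTS = {
    "P1001": "Garcia", "P2044": "Lee", "P3090": "Smith",
    "P3099": "Smith", "P3077": "Nguyen", "P4120": "Okafor",
}

# Constructed relationships (treatment, payment or operations) per user. An access
# to a patient outside this set has no valid reason on record and is flagged.
RELATIONSHIPS = {
    "nurse.jlee": {"P1001"},
    "clerk.msmith": {"P3090", "P3077"},
    "dr.rpatel": {"P1001"},
}

Finding = namedtuple("Finding", "timestamp user_id patient_id reason")


def audit_access(log_text, staff, patients, relationships):
    """Return one Finding per access that matches a snooping pattern, in log order."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, pid, ts = row["user_id"], row["patient_id"], row["timestamp"]
        info = staff.get(user, {})
        # 1. Staff member opening their own chart: always flagged, even with a relationship.
        if info.get("own_patient_id") == pid:
            findings.append(Finding(ts, user, pid, "self_access"))
            continue
        # Accesses backed by a recorded relationship are considered legitimate.
        if pid in relationships.get(user, set()):
            continue
        # 2. No relationship and a shared last name: possible family member.
        # 3. No relationship at all: no treatment, payment or operations reason on record.
        if patients.get(pid) is not None and patients.get(pid) == info.get("last_name"):
            reason = "possible_family_member"
        else:
            reason = "no_treatment_relationship"
        findings.append(Finding(ts, user, pid, reason))
    return findings


def flagged_counts_by_user(findings):
    """Per-user tally of flagged accesses, useful for prioritising follow-up."""
    return dict(Counter(f.user_id for f in findings))


if __name__ == "__main__":
    results = audit_access(AUDIT_LOG, STAFF, PATIENTS, RELATIONSHIPS)
    for f in results:
        print(f"{f.timestamp} {f.user_id:14} {f.patient_id} {f.reason}")
    print(flagged_counts_by_user(results))
```

Note that clerk.msmith's access to P3090 (a patient who shares the clerk's last name) is not flagged because a relationship is on record; the same-name rule only fires when no valid reason exists.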


9. RELEASING TOO MUCH INFORMATION

Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


Unencrypted Laptop Leads To US HealthWorks Data Breach


U.S. HealthWorks, a California-based health care service provider specializing in urgent care and occupational medicine, recently alerted employees to a data breach after a password protected (but unencrypted) laptop was stolen in April.


According to its website, the company operates over 200 locations in 20 states and has 3,600 employees, but it was unclear in the notification of the breach exactly how many people may be affected.


The letter explains how an internal investigation began shortly after the company was notified on April 22, 2015, that a laptop issued to an employee was stolen from their vehicle overnight.


“On May 5, 2015, we determined that the employee’s laptop was password protected, but it was not encrypted. After conducting a thorough review, we determined that the laptop may have contained files that included your name, address, date of birth, job title, and Social Security number. Although we continue to work with law enforcement, at this time, the computer has not been located,” U.S. HealthWorks said in its notice letter to employees.


The company did not confirm whether any personal information has been accessed or used inappropriately, but it said it will offer employees free enrollment in identity protection services for one year as a precautionary measure. U.S. HealthWorks reported efforts to ensure compliance to its laptop encryption policy going forward, including an enhancement to deployment procedures for laptops and full disk encryption.


With the number of security breaches on the rise, the importance of organizations controlling and protecting data is critical.

“If you have laptops in your enterprise environment, and let’s face it who doesn’t, you need to address this issue. In this day and age there really isn’t a good reason to not encrypt the hard drives on your laptops,” wrote Forbes contributor Dave Lewis in a post Monday (June 1).


While the scope and effects of this particular breach are unclear, U.S. HealthWorks does not need to look far to see that data breaches can wreak havoc. Anthem Inc., Target, Home Depot and many others have learned the hard way about the ongoing financial impacts associated with data breaches. A recent study by Ponemon Institute found that the average cost of a data breach is now more than $3.8 million, a 23 percent increase from the levels seen two years ago.


Beacon Health Is Latest Hacker Victim


Yet another large hacker attack has been revealed in the healthcare sector. But unlike three recent cyber-attacks, which targeted health insurers, this latest breach, which affected nearly a quarter-million individuals, involved a healthcare provider organization.


South Bend, Ind.-based Beacon Health System recently began notifying 220,000 patients that their protected health information was exposed as a result of phishing attacks on some employees that started in November 2013, leading to hackers accessing "email boxes" that contained patient data.


The Beacon Health incident is a reminder that healthcare organizations should step up staff training about phishing threats as well as consider adopting multi-factor authentication, shifting to encrypted email and avoiding the use of email to share PHI.

"Email - or at least any confidential email - going outside the organization's local network should be encrypted. And increasingly, healthcare organizations are doing just that," says security and privacy expert Kate Borten.


Unfortunately, in cases where phishing attacks fool employees into giving up their email logon credentials, encryption is moot, she says. "Although encryption is an essential protection when PHI is sent over public networks, and stored somewhere other than within IT control, it is only one of many, many security controls. There's no silver bullet."

At the University of Vermont Medical Center, which has seen an uptick in phishing scams in recent months, the organization has taken a number of steps to bolster security, including implementing two-factor authentication "for anything facing the Web, because that can pretty much render phishing attacks that are designed to steal credentials useless," says CISO Heather Roszkowski.

The Latest Hacker Attack

On March 26, Beacon Health's forensic team discovered the unauthorized access to the employees' email accounts while investigating a cyber-attack. On May 1, the team determined that the affected email accounts contained PHI. The last unauthorized access to any employee email account was on Jan. 26, the health system says.


"While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes," Beacon Health says in a statement posted on its website. "The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information."


The provider organization says it has reported the incident to the U.S. Department of Health and Human Services, various state regulators, and the FBI.

Hospital Patients Affected

A Beacon Health spokeswoman tells Information Security Media Group that the majority of those affected by the breach were patients of Memorial Hospital of South Bend or Elkhart General Hospital, which combined have more than 1,000 beds. The two facilities merged in 2012 to form the health system. Individuals who became patients of Beacon Health after Jan. 26 were not affected by the breach, she says.


The breach investigation is being conducted by the organization's own forensics team, the spokeswoman says.

Affected individuals are being offered one year of identity and credit monitoring.


The news about similar hacker attacks earlier this year that targeted health insurers Anthem Inc. and Premera Blue Cross prompted Beacon's forensics investigation team to "closely review" the organization's systems after discovering it was the target of a cyber-attack, the Beacon spokeswoman says.


In the wake of the incident, the organization has been bolstering its security, including making employees better aware of "the sophisticated tactics that are used by attackers," she says. That includes instructing employees to change passwords and warning staff to be careful about the websites and email attachments they click on.

The Phishing Threat

Security experts say other healthcare entities are also vulnerable to phishing.


"The important takeaway is that criminals are using fake email messages - phishing - to trick recipients into clicking links taking them to fake websites where they are prompted to provide their computer account information," says Keith Fricke, principal consultant at consulting firm tw-Security. "Consequently, the fake website captures those credentials for intended unauthorized use. Or they are tricked into opening attachments of these fake emails and the attachment infects their computer with a virus that steals their login credentials."

As for having PHI in email, that's something that, while common, is not recommended, Fricke notes. "Generally speaking, most employees of healthcare organizations do not have PHI in email. In fact, many healthcare organizations do not provide an email account to all of their clinical staff; usually managers and directors of clinical departments have email," he says. "However, for those workers that have a company-issued email account, some may choose to send and receive PHI depending on business process and business need."

Recent Hacker Attacks

As of May 28, the Beacon Health incident was not yet posted on the HHS' Office for Civil Rights' "wall of shame" of health data breaches affecting 500 or more individuals.


OCR did not immediately respond to an ISMG request to comment on the recent string of hacker attacks in the healthcare sector.

Other recent hacker attacks, which targeted health insurers, include:


  • An attack on Anthem Inc., which affected 78.8 million individuals, and is the largest breach listed on OCR's tally.
  • A cyber-assault on Premera Blue Cross announced on March 17, that resulted in a breach affecting 11 million individuals.
  • An "unauthorized intrusion" on a CareFirst BlueCross BlueShield database disclosed on May 20. The Baltimore-based insurer says the attack dated back to June 2014, but wasn't discovered until April 2015. The incident resulted in a breach affecting 1.1 million individuals.


But the recent attack on Beacon Health is yet another important reminder to healthcare provider organizations that it's not just insurers that are targets. Last year, a hacking assault on healthcare provider Community Health System affected 4.5 million individuals.

Smaller hacker attacks have also been disclosed recently by other healthcare providers, including Partners HealthCare. And a number of other healthcare organizations in recent months have also reported breaches involving phishing attacks. That includes a breach affecting nearly 760 patients at St. Vincent Medical Group.


"Healthcare provider organizations are also big targets - [they have] more complex environments, and so have more vulnerabilities that the hackers can exploit," says security and privacy expert Rebecca Herold, CEO of The Privacy Professor. "Another contributing factor is insufficient funding for security within most healthcare organizations, resulting in insufficient safeguards for PHI in all locations where it can be stored and accessed."

Delayed Detection

A delay in detecting hacker attacks seems to be a common theme in the healthcare sector. Security experts say several factors contribute to the delayed detection.


"Attacks that compromise an organization's network and systems are harder to detect these days for a few reasons," says Fricke, the consultant. "Criminals wait longer periods of time before taking action once they successfully penetrate an organization's security defenses. In addition, the attack trend is to compromise the accounts of legitimate users rather than gaining unauthorized access to a system via a brute force attack."


When criminals access a system with an authorized account, it's more difficult to detect the intrusion, Fricke notes. "Network security devices and computer systems generate huge volumes of audit log events daily. Proactively searching for indicators of compromise in that volume of log information challenges all organizations today."

As organizations step up their security efforts in the wake of other healthcare breaches, it's likely more incidents will be discovered and revealed, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"The challenge that many healthcare entities face is that oftentimes, the better they do at information security, the more likely it is they find potential problems. Implementing new information security tools sometimes can detect problems that may be years old," he says. "But the alternative - keeping your head in the sand - can lead to far worse results for patients and the organization."


However, as more of these delayed-detection incidents are discovered, "regulators and plaintiffs may question why any particular security issue was not identified and corrected earlier," he warns.

Accordingly, organizations should consider if there were reasonable issues that led to any delays in identifying or correcting any security lapses and maintain any related documentation supporting the cause of any delays, he suggests.


"Hindsight is 20-20, and it is always easy for regulators to question why more wasn't done sooner, and it could be challenging for the organization if it is asked to justify why it spent resources on other projects," Greene says.


Doctors Going the Distance (In Education)


We need more doctors.


Between older care providers retiring, and the general population shift that is the aging of the Baby Boomers, we are running into a massive demographic of more, older patients, living longer and managing more chronic conditions. This puts incredible pressure not just on the remaining doctors and nurses to make up the gap, but strains the capacity of schools to recruit, train, and produce competent medical professionals.


So how can schools do more to reach students and empower them to enter the healthcare field?


The increasing popularity of online programs (particularly at the Masters level, among working professionals looking for a boost to their career advancement) has called forth a litany of studies and commentaries questioning everything from their technology to their academics, compared to traditional, on-campus programs. More productive would be questioning the structure and measuring the outcomes of degree programs in general, rather than judging the value of a new delivery mechanism against an alternative more rooted in tradition than science.


In terms of sheer practicality, though, a distance education—yes, even for doctors and surgeons—makes a certain amount of sense. One of the hottest topics in the medical community right now is Electronic Health Records (EHRs) and the ongoing struggle to fully implement and realize the utility of such technology.


Rolling out in October 2015 is the sidecar to the EHR vehicle: ICD-10, the international medical coding standard that the U.S. has long postponed adopting. While the digital nature of modern records platforms at least makes ICD-10 viable, it still represents a steep learning curve for current care providers.


Then there is the intriguing promise of pharmacogenetics, whereby medication is developed, tested, and prescribed, all on the basis of a patient’s individual genetic profile. Combined with an EHR and a personal genetic profile, a patient could be observed, screened, diagnosed, referred to a pharmacist, and able to order and receive a prescription, all without leaving home. Taking into consideration the growing need for medication therapy management—driven by the Baby Boomers living longer with more conditions under care—the value of such a high-tech system is clear.


This draws on what is perhaps the most lucrative (in terms of health outcomes and large-scale care delivery) set of possibilities enabled by the shift to digital: telemedicine. From consultations to check-ups, telehealth in the digital age no longer necessitates sacrificing face-to-face interaction; streaming video chat means patients and doctors can still look one another in the eye, albeit through the aid of cameras.


Proponents of the technology take it further, claiming that world-class surgeons will no longer be anchored to a single facility: human-guided robotic surgery (telesurgery) will bring their expertise to even the most remote locations.


If industry leaders anticipate so much being done remotely, why then are others squeamish about delivering an education online? It would seem that the medical skillset of the future requires greater comfort and competence in dealing with virtual settings, online interaction, and digital record-keeping.


The problem many have is not with online med school in particular so much as online degree programs in general. How can a virtual setting possibly hope to compete with the unique, collaborative, community-oriented environment of the college campus—whatever the area of study?


Forward-thinking professors like Sharon Stoerger at Rutgers have pioneered at least one possible answer to this question. Adopting the online immersive social platform known as Second Life, Stoerger and her like-minded peers have constructed virtual classrooms with accompanying courses, and successfully guided several cohorts (of students as well as instructors) through the experience.


For the aspects of learning that simply require hands-on practice, of course, there are limits to the promise of such virtual environments. Then again, synthetic patient models, known as Human Patient Simulators (HPS), are already proving their merits as an efficient, effective way to let students gain practical experience in a controlled environment. While Ohio University instructors have pioneered the use of HPS in the school's nursing programs, advancing technology continues to push the functional limits of such systems.


In order to realize the potential of modern delivery of patient care, we first need to realize the potential of modern instructional delivery. The technology is already showing that the real limits of online learning are not practical considerations; they are attitudes and assumptions about what learning ought to look like.



Are wearable makers violating HIPAA?


It’s a question that has been asked before: With the wearables craze, is all that patient data really safe? The answer is complicated - and might not even exist within the law.


“The way these devices capture data poses serious privacy and security issues to individually identifiable health information that must be addressed,” asserted Julie Anderson, a SafeGov expert. “The central challenge devices such as Google Glass and Jawbone UP pose stems from the fact that they employ cloud-based data storage.”

Anderson explains how it gets thorny: Simply by buying one of these wearables, a customer agrees to the vendor's terms of service, which can be “fairly permissive” in what can and cannot be done with the data.


“Mining individually identifiable health information could constitute a breach of patient privacy if the analysis falls outside of the scope of HIPAA,” Anderson wrote in an article on mHealth News sister site Government Health IT. “It is not clear whether using patient data to improve products, as opposed to health outcomes, is allowed under this law. And an even more concerning scenario could take shape if health information were combined with other personal, non-medical data for the purposes of user profiling.”


Anderson recommends that vendors analyze, secure and share data in ways that increase their understanding of baseline access and enable an audit trail to identify who has edited a patient’s information.

The fact that many of these vendors are not experienced HIPAA-covered entities will no doubt complicate matters even more.



Health system sees 7th HIPAA data breach


How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

 
The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinical data were compromised in an email phishing incident. The breach, which hospital officials discovered in December 2014, was the seventh for the health system in less than five years.

It wasn't until March 12, 2015, that officials said they had determined which patients were affected by the breach, which involved the compromise of an employee's network username and password.

"St.Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter.

According to data from the Office for Civil Rights, which tracks HIPAA breaches involving 500 or more people, St. Vincent health system has been a repeat HIPAA offender. An earlier breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patient letters to the wrong recipients.

The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients.



Don't Make the Same HIPAA Mistakes as Other Practices


All practices should be working hard to ensure they are HIPAA compliant. But with so much to focus on, it can be difficult to determine what compliance areas deserve the most attention. 

One way to craft an effective, targeted compliance strategy is by identifying what's getting other practices into trouble most often, and taking steps to prevent similar mistakes at your practice.

At the Healthcare Information and Management Systems Society (HIMSS) conference in Chicago, Adam Greene, a partner at Davis Wright Tremaine LLP, a national business and litigation law firm, identified some of these common problem areas during his session, "Preparing for a New Level of HIPAA Enforcement."


Common Sources of HIPAA Breaches


To illustrate what's leading to breaches most often at practices and health systems, Greene shared top sources of HIPAA breaches involving 500 or more individuals by number of individuals affected.

He compiled the information in February 2015 from the HHS and its Office for Civil Rights (OCR) Breach Portal, which features information on breaches that occurred from the start of the breach reporting period in September 2009.


• 53 percent of breaches occurred due to theft of protected health information (PHI). "We're not talking about mission impossible hanging from a wire kind of theft," said Greene. Instead, he said, most of the thefts appear to be "crimes of opportunity," such as a thief breaking into a window or car and stealing a laptop.
• 18 percent of breaches occurred due to unauthorized access or disclosure of PHI.
• 8 percent of breaches occurred due to loss of PHI.
• 4 percent of breaches occurred due to improper disposal of PHI.
• 13 percent of breaches were attributed to other or unknown causes.

Common Types of Media Involved in HIPAA Breaches

Greene also shared the most common types of media involved in HIPAA breaches. Again, the information is based on data he pulled from the HHS and OCR Breach Portal involving 500 or more individuals by number of individuals affected.

• 23 percent of breaches related to PHI stored on paper/films. Of this statistic, Greene said it's clear that amidst the push for electronic information, paper-based media should not be overlooked when it comes to HIPAA compliance. "We really need to be more focused on paper," he said.
• 21 percent of breaches related to PHI stored on laptops.
• 12 percent of breaches related to PHI on a network or server.
• 11 percent of breaches related to information stored on a desktop computer.
• 9 percent of breaches related to information stored on other electronic devices.
• 6 percent of breaches related to information included in e-mails.
• 4 percent of breaches related to information in EHRs.
• 14 percent of breaches related to other types of media.
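
Both breakdowns above are shares of individuals affected, not shares of incidents, and the two views can differ sharply: one mass mailing error outweighs dozens of stolen laptops by headcount even though theft dominates by incident count. The script below is an added example, not code from the article or from Greene's HIMSS session. It reproduces both views for breach type and for media from a CSV in the layout of the HHS/OCR breach portal export; the column names are an assumption about that export, and the rows are constructed sample data rather than real portal records.

```python
"""Share of HIPAA breaches by breach type and by media, weighted two ways.

Added example (not from the article or from Greene's HIMSS session). It
computes the kind of breakdown described above from a CSV laid out like
the HHS/OCR breach portal export. The column names are an assumption about
that export; the rows are constructed sample data, not real portal records.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows in the assumed portal layout.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,IN,Healthcare Provider,2341,2014-07-01,Theft,Laptop
Example Medical Group B,IN,Healthcare Provider,760,2015-03-12,Unauthorized Access/Disclosure,Email
Example Health Plan C,OH,Health Plan,63325,2014-07-15,Unauthorized Access/Disclosure,Paper/Films
Example Clinic D,CT,Healthcare Provider,500,2013-02-01,Improper Disposal,Paper/Films
Example Clinic E,NJ,Healthcare Provider,1200,2012-05-01,Loss,Desktop Computer
Example Clinic F,WA,Healthcare Provider,900,2014-11-20,Theft,Laptop
"""

INDIVIDUALS = "Individuals Affected"


def load_breaches(csv_text):
    """Parse portal-style CSV text into dicts, coercing the headcount to int."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        # Real exports occasionally carry a blank headcount; count it as zero rather than crash.
        row[INDIVIDUALS] = int(row[INDIVIDUALS] or 0)
    return rows


def share_by(rows, column, weight_by_individuals=True):
    """Percent of breaches per value of `column`.

    With weight_by_individuals=True each breach counts for its headcount
    (the view Greene presented); with False each breach counts once.
    Returns {category: percent rounded to one decimal}, largest first.
    """
    totals = defaultdict(int)
    for row in rows:
        totals[row[column]] += row[INDIVIDUALS] if weight_by_individuals else 1
    grand_total = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return {cat: round(100.0 * n / grand_total, 1) for cat, n in ranked}


def breakdown(csv_text):
    """Both weightings for both columns, so the two views can be compared side by side."""
    rows = load_breaches(csv_text)
    return {
        "type_by_individuals": share_by(rows, "Type of Breach", True),
        "type_by_incidents": share_by(rows, "Type of Breach", False),
        "media_by_individuals": share_by(rows, "Location of Breached Information", True),
        "media_by_incidents": share_by(rows, "Location of Breached Information", False),
    }


if __name__ == "__main__":
    for view, shares in breakdown(SAMPLE_CSV).items():
        print(view)
        for cat, pct in shares.items():
            print(f"  {pct:5.1f}%  {cat}")
```

Point `load_breaches` at a real portal download to rerun the analysis; on the sample rows the incident-count view splits evenly between theft and unauthorized disclosure, while the headcount view is dominated by the single large mailing error, which is exactly the distortion to keep in mind when reading the percentages above.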

Common HIPAA Compliance Problem Areas

For more insight into the HIPAA compliance areas that practices are most struggling with, Greene shared some of the top issues identified during the HIPAA Pilot Audit Program, which took place between 2011 and 2012.

• In relation to the HIPAA Security Rule, the program found that 80 percent of providers did not have a complete or accurate risk analysis. Other issues found in audits included lack of access management (such as failure to put appropriate role-based access safeguards in place); failure to have appropriate security incident procedures in place (such as those related to workstation security); and failure to encrypt PHI.

• In relation to the HIPAA Privacy Rule, common problems identified in the audit program included: Inadequate procedures related to the Notice of Privacy Practices (such as not giving the notice out appropriately or failing to post it appropriately); and failure to have appropriate procedures related to patients' right to request privacy protections.

• In relation to the HIPAA Breach Notification Rule, common problems identified in the audit program included failing to provide breach notification appropriately (such as failing to include the proper content in the notification); and failure to comply with timelines regarding notification.




Cybersecurity must be faced by industry head on


Less than a quarter of the way through 2015, tens of millions of healthcare consumers already have seen their personal information compromised--the most notable hacks so far being on health insurance providers Anthem and Premera.


The Anthem attack, announced in February, sent the industry reeling, with the unencrypted information of more than 78 million individuals compromised after hackers broke into a database.


Weeks later, it was revealed that at Premera Blue Cross, hackers gained access to the personal information of 11 million customers. The attack initially occurred May 5, 2014, but it was not detected by the Mountlake Terrace, Washington-based insurer until Jan. 29 of this year, Premera said on a website it set up to inform members about the incident.


Many in healthcare have said threats have to be taken seriously from the top all the way down--from the C-suite to the workforce.

"The C-suite must care, the workforce must be aware. This is a very simple recipe, and if you follow this recipe, it will be tremendous improvement on protecting privacy and data security," Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School said during the HIPAA Summit in the District of Columbia last month. "Data protection must be felt in the bones of an organization, it must be part of the organization's culture. It can't be something that's an afterthought or tacked on."


With all the trouble these kinds of breaches and attacks are causing healthcare organizations, it's no surprise that the Healthcare Information and Management Systems Society's conference in Chicago next week will be chock full of panels and events on the growing issue.


Educational sessions will address cybersecurity aspects that include upcoming HIPAA audits (though no date has been announced for when those will begin), data security and enforcement trends, and how to protect patients by staying ahead of such threats.




Health Providers Beware: HIPAA Breaches May Give Rise To Negligence Actions


Electronic medical records provide a multitude of benefits for providers and patients by promoting efficient record access, cost savings and better patient care.  So what's the down side?


Well, for starters, these records are ripe for hacking and inadvertent disclosures. As mentioned in a previous post, health care fraud has reached new heights by and through the theft of personal and medical information.  Left in the wrong hands, the sensitive information contained in these computerized records could unleash a fraud firestorm.


Historically, medical providers have successfully defended against claims brought by plaintiffs whose information was hacked or otherwise improperly accessed by relying on the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), which courts have consistently held creates no private right of action. This success may be short lived: as hacking has increased, some courts, such as Connecticut's Supreme Court, have indicated a willingness to allow plaintiffs to bring negligence and privacy claims against providers under state law.

HIPAA Standard of Care

In Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433 (2014), a health center produced a patient's protected health information (PHI) in response to a subpoena without notifying the patient and without taking any steps to protect it from disclosure, contrary to HIPAA's requirements for responding to subpoenas. The aggrieved patient filed an action against the provider for breach of contract, negligence, and negligent infliction of emotional distress.


While noting that HIPAA creates no private right of action, the Court did not find that limitation dispositive of the patient's negligence claim. It held that HIPAA and its implementing regulations may be used to inform the standard of care applicable to a negligence claim brought under state law.

Will New Jersey Follow Connecticut?

Given the proliferation of electronic medical records and the overwhelming amount of paperwork that healthcare providers deal with on a daily basis, the odds of falling victim to a HIPAA breach have markedly increased.  New Jersey health care providers should be mindful of the Connecticut case because New Jersey may follow this trend of reviewing HIPAA guidelines as a standard of care that may be considered to support a negligence action.

Problem Prevention
  1. Review and update HIPAA policies.
  2. Educate staff on the significance of the policies and demand 100% compliance.
  3. Develop a process to deal with subpoenas to ensure that the practice is in compliance with all applicable standards under federal and state law.

