Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.
Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.
She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.
Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?
All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
So… you find a flash drive and you want to be a good Samaritan and return it to its rightful owner. Great idea, right? Criminals know this and they use it against us! They want our data!
Malware and viruses can be installed on a flash drive. When you open it and find there isn’t any real information to tell you who it belongs to, so you think “nothing” happened. Malicious code can be developed to do most anything today. It can immediately take over your system or it can lay in wait. Infecting and worming it’s way into your files and creating havoc and you not even know it until it is too late.
Best practices:
Never, EVER, insert a flash drive into your computer that you do not know where it came from.
Never insert a flash drive that was used in a home environment, home computers have a 73% chance of having some type of malware.
Never accept a flash drive that someone has used on their computer on a public Wi-Fi.
If you find a flash drive, ask around, or post on a bulletin board.
If you notice a flash drive in one of your computers that doesn’t belong there, report it to your HIPAA Security Officer immediately.
Be informed, be alert, and be diligent!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Many healthcare providers have websites, since in today’s digital age nearly everyone searches for goods and services before making a decision, this includes healthcare. However, healthcare providers must ensure their websites are HIPAA compliant if any patient data is transferred or accepted.
Many vendors are targeting healthcare with promises of ease of use, added patient interactions, and the ability to gain more patients. Before you agree to accept patient information through your website, you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.
Here are some issues to consider:
Do patients complete forms on your website? If yes, your website must be secure by utilizing encryption during transmission. This also includes if you are using appointment scheduling through your website. If your site starts with “https” then the data is securely transmitted. However, your site may require updates to ensure the encryption is up to date. If you have a “contact us” and they can send an email to you and your site is not encrypted you should post a message advising them not to send any personal information.
Who has access to your website? If you work with a third party, they too must be HIPAA compliant and understand how to protect your website. If possible add a two-step authentication to prevent unauthorized access. Make sure you have administrative access to your site as well.
Do you know how and where your data is stored? You must utilize a company that understands HIPAA and security if your website accepts or stores any patient data. If your site is not set up properly, Google can actually index your intake forms. If your web hosting company shares your web server with other clients, this too must be reviewed. Keep in mind, if your data (including your backups) is encrypted, it would not be a reportable breach but you still must have a HIPAA compliant business associate agreement in place.
Do you have a recent backup of your website? This may sound crazy because it’s “in the cloud”. Keep in mind, a cloud is just a term used to explain it is NOT on your physical location. It is located on a server somewhere on someone’s physical site.
Do you know how to properly destroy old data? Whether the data is stored on a web server, an old external hard drive, or computer, all data must be removed in a HIPAA compliant manner. This could be a physical destruction or sanitized so that the data cannot retrieved. Don’t forget to document this process!
Websites are a necessity today. If you decide to add features like online forms and/or patient scheduling, only do so if properly setup and secured.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
With all of the new technology that we have access to, many vendors are targeting healthcare with promises of ease of use and the ability to communicate with other healthcare providers. Before you agree to “share” or open your “portal” you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.
File sharing and cloud computing are here to stay. As we move forward with sharing patient data amongst our peers, you will need to be vigilant with your security.
Here are a few things to review:
Network misconfigurations are very common, review your data flow, including how data is transmitted and stored.
Backup your data!
When access is given to an employee, contractor, or vendor, once the need for access is no longer required, terminate their access credentials immediately.
Although most providers do not think hackers are a problem for them, they are! Your network security is vital and you must use a trained professional to set up your network and your file sharing configuration. If your IT professional does not specialize in network security, then hire a network security auditor to conduct a vulnerability scan after you have implemented your systems. A good vendor will mitigate your risks as they scan your network.
Make sure you have a HIPAA compliant business associate agreement in place.
Review the service agreement. Make sure it includes specific business expectations.
Invest in cyber liability insurance.
File sharing and cloud computing are wonderful tools that can be used in healthcare if setup properly and securely.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
This is actually easier said than done. However, there are some simple tips you can use to help guard yourself against this cyber warfare.
First of all let’s discuss what is Ransomware and why are these criminals doing this?
Ransomware is when an invader takes over your computer and encrypts your data and will not release it until you pay a “ransom”. Simply put, they do this to make money and, since it is a lucrative business, we do not see it going away anytime soon. With healthcare being such a popular target, you must be vigilant at all times.
Next, there are malicious malware and viruses that are used just want to be mean. Although I am not a fan of bumper stickers, I do like the one that says “Mean People Suck”. These criminals are the meanest of the mean. They don’t even give you the opportunity to pay a ransom. They just encrypt your data or delete it. I could go on and on explaining how all of this works, but instead let’s just talk about how to prevent this from happening in the first place!
Rule #1
Read the email carefully. More than likely you can spot misspelled words or subtle clues that the email is not authentic. Look closely at the email address. At a quick glance it may look like a legitimate email address. It will start with a prefix other than the original address and may even include a period (.) in a separate place. I have said this many times…rather than clicking on links or attachments in your email, open your browser and go to that particular website instead.
Rule #2
Again, do not EVER click on an attachment in an email that claims to have important information that you must act on immediately. For example:
FedEx (UPS, USPS) was not able to deliver your package
Your friend liked your post on Facebook, click to read more (some of these are true but it is best to open your browser and go to Facebook)
A message about your credit card or bank account.
There are many variations to these emails. Just exercise caution when opening your mail even from people you know. Their email account may have been hacked and being used to distribute the virus.
Rule #3
Keep a backup of any and all data that you want or need. Once the backup is created, disconnect it from your computer or network. If your system is ever violated, your backup will not be affected. Then you can wipe your system clean and restore your data.
Having a good anti-virus and anti-malware installed on your system are a necessity today, but it still only takes one click of a mouse to bring your network down because the software developers have to identify the problem before they can send out an update. Criminals are creating hundreds if not thousands of new viruses daily! Continual education for you and your staff is a must!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Modern technology is both amazing and scary! Do you know what is being said about you or your organization? In today’s world we must keep up with what is being said on the World Wide Web (WWW) to make sure what the world sees and reads is not Fake News! It also helps you to uncover any broken links to your website that may frustrate potential new patients from actually finding you.
It is a proven fact that before a person buys nearly anything, they “Google” it. This includes finding services as well as looking for a new physician. Do you want to increase your patient visits? Are you being found? Is the information that is out there correct? We suggest searching for your name, practice name, address, and phone numbers to see what is listed. Also check the websites that rate physicians.
Do you have any social media sites? Did you know that someone else can create one for you? These are called “unofficial” sites in Facebook. Patients could be checking in and writing negative comments about your practice and you may not even know about it. That is why it is so important to keep an watchful eye! However, be very careful how you respond. Patients have the right to tell the world about themselves but healthcare providers do not!
Before you venture into any marketing campaigns, make sure you are not violating any privacy laws. If you decide to hire a marketing company or reputation management service; insist on a company that is well versed in the medical arena. Special HIPAA regulations are required in marketing and we have heard some practices being charged with HIPAA violations due to their service provider. Also, remember to check your state laws as well!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Nearly everyone has received a phishing email at one time or another. It seems like every time a celebrity makes the news, scammers are sending emails, and creating fake sites to steal your information. They prey on our interests and they know that many people are interested in learning what “really” happened. Remember the old saying “curiosity killed the cat”, well this may not kill you but it could make your life miserable and cost you a lot of money! They can install malware on your computer and depending on the type of malware, it could also do some very nasty things!
Here are some helpful hints:
Never use work computers to surf the web, especially do not go to websites that you are unfamiliar with. If you do not follow the policies and procedures of your organization, YOU personally could be held liable for any breaches or theft of information.
Never click on links in an email offering “important” or requires an “urgent” response. Instead open your browser and go to the website you are familiar with.
Never click on email attachments that offer “important” or “urgent” information.
Never click on links within social media.
Make sure you have enterprise versions of anti-virus and anti-malware software and they are up to date.
Implement a two step process before authorizing any exchange of money and anywhere it is offered.
Continual education!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click hereto contact us.
“Protecting Organizations through Partnership, Education, and Support”
As you know you HIPAA Compliance is not a once and done process. It continually changes and evolves as your organization grows and your technology changes. This is a reminder to review what you have in place to ensure it still adequately safeguards your data.
Here are some quick helpful tips:
Review your Notice of Privacy Practices. Have you implemented any new technology or added any new services that needs to posted? If you have a website make sure you update your NPP there as well.
If you have a “Contact us” or an “Appointment Scheduler” form on your website and your website is not HTTPS, we recommend placing a disclaimer advising patients not to send personal information via the form. If you do have an HTTPS site, make sure your hosting vendor understands HIPAA and review where the data is sent and stored.
Review your Technology Equipment. Have you added any new software or hardware? Do you regularly check your firewall settings? Are you reviewing your website security to ensure it is up to date? Are you documenting your IT efforts or reviewing your monthly IT vendor reports?
Have you reviewed your list of Business Associates to ensure you have BA agreement in place with ALL of your Associates?
Review your Inventory list. Have you added any new equipment or have you disposed of any?
Have you conducted your annual HIPAA training for everyone? Is it documented?
Have you tested your Contingency Plan?
Of course we could go on and on, but hopefully this will jumpstart your thinking process! Remember, your Risk Management Plan is a living document that needs to be updated on a continual basis. As you review your compliance efforts be sure to document this in your Plan.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Health care organizations are now a primary target since they are the custodians of patient data and a plethora of information. The reason patient information is sought after so much is because it can be sold on the black market for a decent price. Social Security Numbers also have a longer shelf life unlike credit card numbers. Therefore it is imperative that any company or person that is involved with healthcare data do what they can to protect their computers and/or network.
Criminals are diligent in trying to gain access to these valuable databases. They can get into your network through social engineering, malware, and mobile devices to name a few. Sadly, most attacks go undetected for months, sometimes even a year unless it is ransomware when you are “notified” immediately!
Under the Security Rule, all entities that work with Protected Health Information are required to conduct a Risk Analysis to uncover any potential vulnerabilities. Then they must create a Risk Management plan to correct those deficiencies. Although most of the “technical” standards are addressable and not required, this does not mean optional. All covered entities and business associates must have reasonable and appropriate safeguards in place to protect their data. Aside from your normal IT services, we believe it will only be a matter of time before network security audits will become mandatory. Keep in mind your Policies and Procedures are still the backbone of HIPAA Compliance.
So what can you do to protect your data and your organization?
Conduct a security risk analysis
Mitigate the vulnerabilities that are discovered
Request a third party network security audit
Request documentation that your business associates are HIPAA Compliant
Continual EDUCATION!
These are just some of the basics that you should implement. For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
We have been trained to be polite. When someone asks us a question, we are compelled to answer. Sometimes, you just need to HANG UP!
A new scam is making headlines now because they are recording your answer to use in the future. For example, when someone calls and asks you “can you hear me” and you simply say “yes”, this scammer is recording your voice. This scammer may be a live person or a robo call, some robo calls now even sound like a human and you do not realize it is a recording at first. Either way by you simply saying yes, they can edit the call and use your own voice to authorize a purchase or a contract. They may already have other personal information like your credit card number and need this additional component to carry out their scam.
Of course there are many phone scams out there, always remember to exercise caution when someone calls asking for information. ANY information! Do not even give out what type of copier or phone system you use. If they are a vendor of yours they will already have this information.
So, let’s start a new catch phrase. Instead of “just do it”, let’s “just hang up”!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Section 1557 is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on longstanding and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in:
Any health program or activity any part of which received funding from HHS
Any health program or activity that HHS itself administers
Health Insurance Marketplaces and all plans offered by issuers that participate in those Marketplaces.
Section 1557 has been in effect since its enactment in 2010 and the HHS Office for Civil Rights has been enforcing the provision since it was enacted.
This provision goes much further than most practices are aware of including the fact this rule became effective July 18, 2016.
Take steps to ensure 1557 has been addressed:
Assign a Civil Rights Coordinator;
Revise your policies and procedures;
Incorporate a general assessment evaluation;
Review the patient intake process;
Track all requests for auxiliary aids and services;
Monitor performance of interpreter services to ensure effective communication;
Review your complaint process;
Post a Notice of Nondiscrimination;
Post a Nondiscrimination Statement; and
Conduct mandatory training for all staff.
Title II of the Americans with Disabilities Act of 1990 (Title II), Section 504 of the Rehabilitation Act of 1973 (Section 504) and Section 1557 of the Affordable Care Act of 2010 (Section 1557) requires an entity to take steps to ensure communication with individuals with disabilities is as effective as communication with others through the use of appropriate auxiliary aids and services. This includes people with as well as language barriers.
OCR has modified the notice requirement in § 92.8 to exclude publications and significant communications that are small in size from the requirement to post all of the content specified in § 92.8; instead, covered entities will be required to post only a shorter nondiscrimination statement in such communications and publications, along with a limited number of taglines. OCR also is translating a sample nondiscrimination statement that covered entities may use in fulfilling this obligation.
In addition, with respect to the obligation in § 92.8 to post taglines in at least the top 15 languages spoken nationally by persons with limited English proficiency, OCR has replaced the national threshold with a threshold requiring taglines in at least the top 15 languages spoken by limited English proficient populations statewide.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
