Author: Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome. Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas. She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation. Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance? All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

When was the last time you updated your passwords on all internet sites?

Suze Shaffer June 15, 2016February 2, 2024

By Aris Medical Solutions

News broke that LinkedIn user account credentials were dumped on the dark web.
Back in 2012 is when the actually breach occurred, but now the data has surfaced for sale.

Although LinkedIn has taken reasonable advances to mitigate this problem, you still need to protect yourself as well. What that means to you is… you need to change your password as soon as possible. If you used this password anywhere else, you should change that as well. We also recommend implementing a two-step authentication on all sites that offer it. It is easy to set up and adds an extra measure to keep your data safe. Also be very cautious when answering or accepting new connections. Criminals have figured out how to look real, sound real, and get you to take their bait. They do leave clues, but you need to be diligent and read the communication carefully and do not click on any links. Open your web browser and type the name of the company and see if there are any warnings about the website. Your anti-virus (if you use a decent one) should notify you if the website has any suspicious activity.

An additional reason we bring this to your attention is because there are medical practices that have suffered a breach and they do not even know it. It may take years before this data surfaces or is sold. We not only work within this profession but we are also patients at medical facilities all over the country. We must do our part as employees as well as consumers to protect this (our) data. What you need to do:

Use strong passwords (phrases) and change them at least every 90 days.
Implement a two-step authentication anywhere it is available.
Uneducated employees cause most of the breaches, either by clicking on a link or through a lost or stolen device. Continuous education is of the utmost importance.
The use of encryption and/or auto-wipe/remote wipe on all devices that access or store Protected Health Information (ePHI).
Report any suspicious activity to your HIPAA Security Officer.
Be sure to review this report to determine if a breach has happened or potentially has happened.
Mitigate the risk to the best of your ability and make sure it is documented.

If you need assistance with a Risk Analysis, Risk Management Plan, or implementing a full set of HIPAA Policies and Procedures, call Aris at 877.659.2467 or click here to schedule a demo. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package.

“Protecting Organizations through Partnership, Education, and Support”

OCR clarifies amount that can be charged for copies of PHI

Suze Shaffer June 10, 2016February 2, 2024

By Aris Medical Solutions

The Office for Civil Rights (OCR) announced the clarification in the Fact Sheet they released earlier this year. The maximum amount that can be charged for patients that request a copy of their Protected Health Information (PHI) under the right of access is not $6.50. Rather, charging a flat fee not to exceed $6.50 is an option available to those entities that do not want to go through the process of calculating the actual or average costs for requests for electronic copies of PHI maintained electronically. Entities may choose the fee calculation method that is most appropriate for their circumstances, of course within the boundaries of what is permissible under the Privacy Rule.

The new FAQ may be found at: New Clarification – Up to $6.50 Flat Rate Option. Additional information regarding permissible fees and other aspects of the individual right of access may be found at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.

“Protecting Organizations through Partnership, Education, and Support”

Do you have your ALL of your Business Associate Agreements in place?

Suze Shaffer May 14, 2016February 1, 2024

By Aris Medical Solutions

The Omnibus Rule that became effective March 26, 2013 was a game changer in many ways. One area was requiring Covered Entities to ensure that Business Associate Agreements (BAA) were in place with all of their business partners by September 23, 2013. If a Covered Entity had agreements already in place, Covered Entities had until September 22, 2014 to replace them with new ones that had all of the required elements of the new Omnibus Rule.

Did you know that if a Covered Entity (Medical Practice) releases Protected Health Information (PHI) to person or an entity and the practice does not have a signed BAA in place, the Covered Entity can be fined? In the eyes of HIPAA, you have disclosed PHI to an unauthorized user. Yes, this is TRUE!

Did you know that if a medical practice’s software vendor has a data breach and you as the Covered Entity do not have a BA agreement in place you could be fined as well? I know what you are thinking… it’s THEIR responsibility, not yours. True, but it is YOUR responsibility to have an agreement in place. Have you reviewed your BA agreements to ensure the documents have all of the required elements and it protects YOU the Covered Entity? These are very important documents and since it is the responsibility of the medical practice to protect patient data, the practice dictates when this information can be shared. The practice also has the responsibility to have assurances that the entity understands how to protect the data before it is released.

The Office for Civil Rights (OCR) recently imposed a $750K fine for such an offense. A Raleigh Orthopedic practice released 17,300 x-rays films to a Business Associate (BA) that promised to transfer the images in exchange for the silver in films. Unfortunately the practice forgot to have the entity sign a Business Associate Agreement.

Make sure you do not make the same mistake…

Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.

“Protecting Organizations through Partnership, Education, and Support”

Phishing & Piracy Reminders

Suze Shaffer April 15, 2016December 23, 2019

By Aris Medical Solutions

Most people try to do their best to avoid phishing scams but sometimes we do not even know it is happening!

For instance, criminals could be reading your emails to find out who you are, who you talk to, but more importantly… who you do NOT talk to.

This recently happened to a business I know. One of the corporate partners had his email infected with malware and was being “watched”. Once the criminals figured out who talked to who and who they did not talk to, they made the “phone” call. It went something like this:

Hi Sally, it’s Fred at ABC company. Frank, your CEO, asked me to call you to let you know that the $50K transfer has been approved. Here is the routing information you need.
Thanks! Have a nice day!

Sally had never actually talked to Fred and didn’t know his voice. Frank and Fred are known business associates. They knew who Sally was and what was her job function. They also knew that Frank commonly gave Sally financial instructions. She trusted him and never questioned his requests.

Make sure you have appropriate procedures in place. Had this company had a protocol in place, that required Frank to sign off on any wire transfers or distributions, this would not have happened.

At your next staff meeting, discuss your procedures and make sure this doesn’t happen to you!

Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.

“Protecting Organizations through Partnership, Education, and Support”

Small Medical Practices are Huge Targets!

Suze Shaffer April 6, 2016February 1, 2024

By Aris Medical Solutions

Many organizations have the attitude that they are too small to be a target for a data breach. Just because you don’t hear about small and medium sized practices being targeted doesn’t mean it is not happening.

Most medical practices are busy treating patients and are not aware of the severity behind this type of threat. Since small and even medium sized practices do not have the infrastructure in place to protect their data, they are a larger target than think. Data breaches can go undetected for months, if not years since they are not watching for it. For instance, if a Pediatric Practice is hacked, those social security numbers can be used for years before it will be discovered.

Many business associates are also targeted because they have access to medical records in different manner. Again, small and midsized organizations that do not have appropriate safeguards in place can wreak havoc in a medical environment. So what can you do?

First of all, conduct a Security Risk Analysis to understand what are your vulnerabilities. This is critical in order to mitigate risks.
Next, have a network security audit performed. Even if you access your data in the cloud and not through an onsite server, you can still be hacked.
Invest in monitoring your network. Know who is accessing your data.
TRAINING IS A MUST! Your employees can be your best asset or your largest liability.

Not only is this required under HIPAA, it is considered best practice in protecting patient data.

Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.

“Protecting Organizations through Partnership, Education, and Support”