Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com

Author: Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome. Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas. She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation. Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance? All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

HIPAA and Emergencies – How to Respond

Posted bySuze Shaffer

First, I hope that all of you and your loved ones are safe. Fiona and Ian have affected many places, and many have suffered so much. Prayers for all…

HIPAA Applies Only to Covered Entities and Business Associates

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. The HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information. Keep in mind, there may be other state or federal rules that apply.

HIPAA requires every healthcare facility and business associate to have a Contingency plan in place. Disasters come in a variety of circumstances and additional challenges on health care providers. Questions often arise about the HIPAA regulations to share PHI with friends and family, public health officials, and emergency personnel. The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need. Keep in mind the HIPAA Privacy Rule is not suspended during a public health or other emergency, however, the Secretary of Health and Human Services may waive certain provisions of the Privacy Rule under section 1135(b)(7) of the Social Security Act.

Under these circumstances, the Secretary also has the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • the requirement to honor a request to opt out of the facility directory.
  • the requirement to distribute a notice of privacy practices.
  • the patient’s right to request privacy restrictions.
  • the patient’s right to request confidential communications.

When the Secretary issues such a waiver, it only applies:

(1) in the emergency area and for the emergency period identified in the public health emergency declaration

(2) to hospitals that have instituted a disaster protocol

(3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

HIPAA Privacy and Disclosures in Emergency Situations

Under the HIPAA Privacy Rule, a waiver is not required to share protected health information (PHI) for the following purposes and under the following conditions.

Treatment

Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.

Public Health Activities

The HIPAA Privacy Rule recognizes the need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed PHI without an authorization, for example:

  • To a public health authority, A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. For example: Centers for Disease Control and Prevention (CDC) or a state or local health department.
  • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
  • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Minimum Necessary

A covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish thepurpose.

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification

A covered entity may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.

  • The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible.
  • If the person is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
  • For patients who are unconscious or incapacitated: A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

A covered entity may share PHI with disaster relief organizations such as the American Red Cross, that are authorized by law to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care. A patient’s permission is not required in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Imminent Danger

HIPAA expressly defers to the professional judgment of health care professionals in making determinations about the nature and severity of the threat to health or safety. Covered entities may share PHI with anyone to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification

Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient. Reports to the media about an specific patient, or the disclosure of specific information about treatment of a specific patient, such as tests, test results, or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative, who is a person legally authorized to make health care decisions for the patient).

Business Associates

A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.

Safeguarding Patient Information

In an emergency, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information. Safeguard all patient information as if it were your own.

If there are other areas that you have questions, please do not hesitate to contact us!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Privacy Facts for Medical Offices

Posted bySuze Shaffer

There has been some confusion about when and how to share patient information. I thought it might be a good time to review some of the facts from the HIPAA Privacy and Security Rules.

Here are some highlights:

  1. The Privacy Rule does not require a signed consent form before sharing information for treatment.
  2. Medical providers can share information for treatment purposes without a signed patient authorization.
  3. The Privacy Rule permits communication with patients, providers, and others by e-mail, telephone, or facsimile, with the implementation of safeguards to protect patient privacy. During your risk analysis you will have discovered how data flows in and out of your network so you can apply reasonable and appropriate safeguards.
  4. Medical providers may use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.
  5. HIPAA requires reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services.
  6. Medical providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.
  7. The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line. Keep in mind traditional landlines are being replaced with Voice over Internet Protocol (VoIP) and mobile technologies that use the Internet, cellular, and Wi-Fi. Medical providers using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies.
  8. Medical providers must enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) only when the vendor is acting as a business associate.
  9. If using a telephone to communicate with patients, a BAA is not required with a TSP that has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI.
  10. The Privacy Rule does not cut off all communications between medical providers and the families and friends of patients. If the patient does not object, you may:
    • share needed information with family, friends, or anyone else a patient identifies as involved in his/her care.
    • disclose information when needed to notify a family member or anyone responsible for the patient’s care about the patient’s location or general condition.
    • share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.
  11. Medical providers may report child abuse or neglect to appropriate government authorities. 
  12. Patient right of access is another area that has been confusing for medical practices. When possible, you should obtain the request for medical records in writing. However, you may not require a patient to come to the office to complete the authorization if it would cause a hardship, or if they do not have access to email or a fax machine. You must still verify that the person requesting the information has the right to do so. You may do this by asking verification questions and/or calling them back at the number you have on file.

If there are other areas that you have questions about please do not hesitate to contact us!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA changes and updates for 2022-2023

Posted bySuze Shaffer

Since HIPAA’s inception there have been several updates over the years. As technology changes, so must some the of HIPAA rules. We have not seen any major changes since 2013 when the Omnibus Rule gave HIPAA teeth and enforcement became real.

During 2019 the United States Department of Health and Human Services (HHS) had requested comments on 54 questions from providers. In December 2020 HHS issued a Notice of Proposed Rulemaking that outlined several changes to the HIPAA Privacy Rule based on the response they received in 2019. In 2021 HHS again requested comments on the proposed HIPAA changes, however the Final Rule has not been published yet.

The Office for Civil Rights (OCR) has been implementing many files for violations of the HIPAA Right of Access when access to medical records in the designated record set is not provided in a timely manner. With these new proposed changes, the time frame maybe reduced. 

The proposed changes strengthen the requirements for providers to offer patients access to their PHI. This also includes data sharing between facilities, technology partners, and mobile apps. 

Some of these changes to HIPAA in 2022 are likely to be implemented, but it may take until 2023 for those changes to become enforceable. We will be updating our policies to reflect these changes. At that time, you will receive an email from Aris requesting to review and approve changes and/or new policies. It is suggested to review these changes and update your staff. Many of these changes will directly affect how they interact with your patients.

We are updating our HIPAA training to include the new rules to ensure all staff members understand these changes. We will be dividing the training into two sessions since there is so much to cover. One session will cover the Privacy Rule and the other session will discuss the Security Rule. This will help educate everyone on the new rules and protect your practice. 

The proposed updates to the HIPAA Privacy Rule are as follows:

  • individuals’ rights to inspect their PHI in person, which includes taking notes or capturing images of their PHI;
  • shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
  • clarifying the form and format required for responding to individuals’ requests for their PHI, including when business associates are involved;
  • requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
  • reducing the identity verification burden on individuals exercising their access rights;
  • creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
  • requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
  • limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR; 
  • specifying when electronic PHI (ePHI) must be provided to the individual at no charge;
  • amending the permissible fee structure for responding to requests to direct records to a third party; and
  • requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorizationand, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations. 

  • Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
  • Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers,and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
  • Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.
  • Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
  • Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
  • Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
  • Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
  • Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.

Effective and Compliance Dates

The effective date of a final rule would be 60 days after publication. Covered entities and their business associates would have until the “compliance date” to establish and implement policies and practices to achieve compliance with any new or modified standards. The Department of Health and Human Services (HHS) previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions. 

HHS requested comment on whether the 180-day compliance period is sufficient for covered entities and business associates to revise existing policies and practices and complete training and implementation. For proposed modifications that would be difficult to accomplish within the 180-day timeframe, the HHS requests information about the types of entities and proposed modifications that would necessitate a longer compliance period, how much longer such compliance period would need to be to address such issues, as well as the complexity and scope of changes and the impact on entities and individuals of a longer compliance period.

To give you some idea of how serious this can be, see below the tiered penalty structure:

Tier 1: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA and had reasonably tried to adhere to the HIPAA rules: $100 per violation, with an annual maximum of $25,000. 

Tier 2: HIPAA violation due to reasonable cause and should have been aware (but was not due to willful neglect), even with the HIPAA rules they had in place: $1,000 per violation, with an annual maximum of $100,000.

Tier 3: HIPAA violation due to willful neglect of the HIPAA rules, but violation is corrected within the required time period: $10,000 per violation, with an annual maximum of $250,000.

Tier 4: HIPAA violation is due to willful or wanton neglect and no attempt to correct: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA has teeth and the Office for Civil Rights (OCR) is heavily enforcing fines against violations. Let’s work together to avoid this! 

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Data Breaches in Healthcare are Increasing

Posted bySuze Shaffer

Since 2015 the number of data breaches in healthcare has steadily been rising. This includes medical offices, health plans, and business associates. These breaches range from unauthorized access, loss, theft, but mostly from hacking. Hacking was determined to be from emails, network servers, desktop computers, to electronic medical records. No office is immune. Starting with a system wide HIPAA risk analysis is the first step in protecting your data. Modern technology helps us in many ways, but it is ever so important to keep up with data security. Many medical offices think once their office is set up, they are set for life or at least “a while”. Technology is growing faster and faster, and you must be diligent to keep up. This is not a do-it-yourself job anymore!

Let’s look at some of the numbers from the data breaches over 500 patient records that were reported:

From January – July 2022 there have been 380 breaches reported.

In 2021 there are 457 still being investigated and 258 that have been archived, that is a total of 715 reported.

In 2020 there are 63 still being investigated and 601 that have been archived, totaling 663.

In 2019 there were 512 reported breaches.

In 2018 there were 368.

In 2017 there were 357.

In 2016 there were 329.

In 2015 there were 270.

I think it is important to note that the number of breaches are increasing each year. Now more than ever anyone involved in healthcare must approach HIPAA compliance and data security as necessary as having insurance to protect your organization. Instead of being reactive to “when” this happens, being proactive can help this “from” happening.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Why it is so important to secure emails that contain PHI

Posted bySuze Shaffer

We have advised our clients for years to only transmit protected health information (PHI) if it is encrypted. We have also recommended encryption for the data at rest. With the rise of hacking, this is never more important. There are many problems that can arise from compromised email accounts.

It only takes one employee’s email account to get hacked, then the hacker can view what the user has stored, who they communicate with, and who they do not speak with directly. Let’s review each one:

  1. Contents of email. Of course, you do not want an unknown person reading your emails, but it is even worse if your email account contains PHI. The hacker can take that information, sell it, or even target your patients to gain more information.
  2. The hacker can also see who you are communicating with and now they can target your co-workers into giving them information by impersonating you.
  3. They also know who you only communicate with via email. This sets the stage for phone conversations since you do not know what this person sounds like. The hacker can request wire transfers, employee lists, patient lists, the amount of information that they are willing to request is only limited by their imagination.

These attacks may be targeted for financial gain, identity theft, or medical insurance theft. Regardless of the hackers’ motives, they all can be devastating to a practice. Just last year an Orlando practice had 4 email accounts compromised and over 447K patients were affected. When considering the methods to secure email accounts, you must also consider which devices are used to access email. This furthers the security requirements. A thorough risk analysis will uncover potential vulnerabilities and give you the opportunity to avoid a data breach.

That brings me to the next topic… if you don’t need to store it, DO NOT. If you can move the needed documentation to a secure server or your EHR, then do. If there isn’t a “need” to store patient information (or any sensitive information) in email, then remove it. This also applies to “old” patient records in databases or software. There is a reason behind medical record retention requirements, and when it is safe to dispose of medical records, then do! This too reduces your liability!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

What does “Recognized Security Practices” mean?

Posted bySuze Shaffer

We have talked in the past about the Office for Civil Rights conducting a minimum of a 12 month look back for data security/ HIPAA compliance efforts. If an organization suffers a breach, with proper documentation fines may be waived. This is known as “Recognized Security Practices”. Every organization will have different documentation based on their network configuration and how data flows in and out of your information systems. This isn’t really anything new since data security requirements have been in place since the Security Rule was enacted. There have been updates over the last few years, and they are making some new revisions requiring covered entities and business associates to document their efforts now more than ever. NIST SP800-66 Rev. 2

This includes ensuring your policies and procedures are documented and followed by your staff. Our online system makes this task must easier by enabling the HIPAA compliance officer to download and share certain policies for employees to review. Plus, the confidentiality and acceptable use agreement that is signed via DocuSign demonstrates you have advised your employees they must follow your policies and procedures.

Another part of this documentation should be reports from your IT department/vendor. Again, depending on how you access ePHI (electronic protected health information), reports will vary from practice to practice. Some suggested reports are:

  1. Managed devices. You can use this as your inventory list instead of completing the list in your package. However, we still recommend documenting which devices have been used to access and/or store ePHI.
  2. In the report above, this may contain operating systems, patches / updates that have been applied, IP addresses, User ID, and a device name. All of this is useful information, and if the report does not contain this information, you need to look for another report.
  3. Software lists are very important since you can see if any employee has downloaded unauthorized software or if a computer has been compromised.
  4. Device health reports typically include information on anti-virus, last log in, some record failed logins, or that is in a different report. These are must have reports.
  5. Access logs may be located within the software the IT vendor utilizes to manage your network, within your domain controller, and within your EHR/PM software. These reports must be reviewed to ensure employees are only accessing ePHI based on their job function and to look for outside intrusions.
  6. Backup reports should demonstrate when backups are performed and to ensure they are successful.
  7. Summary reports are useful, but you must make sure you review them, and they can be lengthy.

There are times when certain devices cannot be updated or upgraded due to the nature of the equipment and the cost to do so. This would not necessarily be a violation if you demonstrate other means to protect your system. For example, either removing the outdated equipment from internet access or placing it on a separate network so it would not be accessible by other drives that contain ePHI. Your IT vendor should be able to guide you through the proper process based on your particular network.

Annual audits by a third party are highly recommended unless your IT vendor specializes in network security. Often, these two types of companies work well together. The IT vendor handles the day-to-day operations, and the network security companies hardens the systems.

Some organizations complain that this costs too much money. Trust me, this is much less expensive than a data breach. Plus, if you plan on obtaining cyber liability insurance, carriers are now asking detailed questions about data security and compliance efforts. If you do have a data breach and you do not have “qualified documentation”, your claim could be denied. Of course, the term “qualified documentation” is open to interpretation. They do have an outlandish wish list from what I have seen. Although I have always been a proponent of this insurance, I am starting to believe unless you already have a policy, you may not be able to obtain one. If you do apply now, you will need to have HEAVY data security in place. Which you should have anyway!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

How to protect your organization from phishing attacks

Posted bySuze Shaffer

It is a known fact that hackers target the healthcare sector because the data is so valuable. The cost of healthcare data breaches increased from a total average of $7.13M in 2020 to $9.23M in 2021. The average breach cost rose $1.07M for those who had remote access. Organizations in the U.S. has lost $2.4B to business email scams. They have estimated that cybercrime topped $6T worldwide.

So, how do hackers get in and what can you do to protect yourself?

Remember, there isn’t ONE magic setting to protect you from all threats, it takes layers of security!

Organizations must have solid network security in place. Firewalls are a necessity in today’s world. You can set specific parameters to ensure employees can go where they need to, and block where they do not. You can also set security policies that block other countries.

Utilizing real-time anti-virus and anti-malware software also helps. This won’t help if an employee clicks on a link or picks up malware on the internet unless the system alerts the user BEFORE they click! For example, if an employee is surfing the web (and no they should not surf on a work computer), and they visit a website that has been infected, your anti-virus / anti-malware software should alert you with a warning.

Although there are brut attacks, but most hackers come in via through a phishing attempt. Often, an employee makes a simple mistake like clicking on a link or an attachment in an email. Even though I talk about this ALL the time and say NEVER do this…people still do.
Email scammers use several ways to trick employees to gain access to information. Including getting employees to send wire transfers, send a list of employee’s social security numbers, or to make purchases they are not aware of. Alan Suderman at Fortune cited a case where thieves hacked the email account of the organization’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000.
You think this can’t happen to you, but I know of a practice that someone hacked an email account and changed the bank information for payments from an insurance carrier, they lost about $100K.

I know of a company that the CEO email was hacked and being monitored, once the scammers knew who they talked to on the phone and who they did not, then the call came in to make a $65K wire transfer. POOF! Just like that $65K was gone.
YES, THIS HAPPENS! Keep in mind, if the caller or the email is asking for private information or money, verify BEFORE releasing it.

• Unless you are expecting an email from someone, DO NOT CLICK!
• If you get an email from someone you know and were not expecting it, pick up the phone and call them!
• If there is a link, open a web browser and open your account from there.
• If it is URGENT and requires you to act immediately, it is more than likely a hacker/spammer.
• If it says your credit card has been charged for something and you didn’t charge it, call your card company or your bank, do not call the number in the email or call the number in the voice mail.
• If they have all your information except the code on the back and ask you to verify the card by giving them the number, DO NOT.
• Government, state, and local authorities will not call you and demand payment immediately. Ignore these completely.
• Again, if money or personal information is involved, VERIFY!

Scammers share their success stories with other scammers, while ransomware hackers will hit you again if you pay. There is no honor among thieves.

All sizes of organizations need to be on high alert, from large hospitals to small single provider practices. I have used this analogy before, the World Wide Web it the modern version of the Wild Wild West. The biggest difference is you can’t see the bad guys coming into town to prepare. You must prepare for the unknown and the unseen.
There are companies that offer Phishing training. Then, they try to get your employees to take the bait. This has been a success at most companies. Educating your staff is JOB ONE! They can be your best ally, or your weakest link. You can build a fortress around your data, and one click can bring it down.

Continuous security awareness training is vital in your fight against these bad actors. Organizations must teach employees to be watchful for phishing attacks and stopping them by simply not engaging in emails and on the web.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

The Office for Civil Rights seeks public comment on Recognized Security Practices and Sharing Civil Money Penalties and Monetary Settlements

Posted bySuze Shaffer

The Office for Civil Rights (OCR) released a Request for Information (RFI) seeking comments from all stakeholders including covered entities, business associates, patients, and their families. The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI). 

This RFI will enable the OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.

Through today’s RFI, OCR is seeking public comment on the following provisions of law:

  • Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates1 when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.  Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

    One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

    The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.
  • Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

    The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more:

https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health

Please note that comments must be submitted by June 6, 2022 in order to be considered.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

How to defend against common cyber-attacks

Posted bySuze Shaffer

The Office for Civil Rights sent out a cyber newsletter stating that throughout 2020-2021 hackers have targeted the health care industry and the number of breaches increased 45% from 2019 to 2020. The number of breaches due to hacking or IT incidents account for 66% of all breaches affecting over 500 patients records in 2020. Cyber-attacks are critical in health care since it can disrupt services to patients and destroy patient data.

Most cyber-attacks could have been prevented if covered entities and business associates had implemented the HIPAA Security Rule requirements. Technical safeguards are based on the organizations size, type of environment, and how data flows in and out of their systems. Keep in mind, phishing attacks and weak authentication protocols are the most common exploitations.   

What can you do to prevent cyber-attacks?

While nothing is 100%, simple precautious can go a long way. Educating your staff should be a top priority. Tricking employees to click on links or to share vital information is the most common tactic. An unsuspecting employee is typically how an attack starts. There are more sophisticated methods that can exploit previously unknown vulnerabilities, but phishing is still the most common. Train your employees not to click on attachments unless they are expecting the communication and the sender has been verified. Also, do not click on links within emails. Best practices are to open your browser window and go to the website and log-in from there. If the employee suspects an email contains a virus or is suspicious, they should contact their IT department/vendor and verify. It is always better to be safe than sorry later!

Ongoing HIPAA training is essential to keep up with new threats. Annual training keeps HIPAA on the minds of your employees, but when you add monthly security reminders it helps so much more! The HIPAA security officer should share emails or website information from reliable sources to keep their employees informed. When you receive Aris’ monthly Security Newsletter, share this valuable information with the staff, including clinicians, and management since they are often a target from hackers. If possible, utilize a company that offers Phishing training and exercises. Contact us for some suggestions.

Unfortunately, security training cannot be effective if it is viewed by as a burdensome, and employees just want to “check-the-box”.  Keep staff members engaged by explaining cyber security is everyone’s job in protecting ePHI.

In addition to education, organizations can mitigate the risk of phishing attacks by implementing anti-phishing technologies. You should talk to your IT vendor about what type of services they have that can help you. For example, if an email is suspected of being a threat, it can be blocked, and appropriate personnel notified. Another approach can involve scanning web links or attachments included in emails for potential threats and removing them if a threat is detected. Newer techniques can leverage machine learning or behavioral analysis to detect potential threats and block them as appropriate. Many available technology solutions use a combination of these approaches. Implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule. Organizations may determine that because its privileged accounts (administrator) have access that supersedes other access controls (role or user-based access) and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts. If exploited through an administrative access point, not only could privileged accounts supersede access restrictions, but they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoperable. To reduce the risk of unauthorized access to privileged accounts, the organization could decide that a privileged access management (PAM) system is reasonable and appropriate to implement. 

Covered entities and business associates are required under HIPAA to ensure the integrity, confidentiality, and availability of ePHI. This means protecting patient data from improper alteration, destruction, and making sure it is available when needed. Hackers that penetrate an organization’s network can wreak havoc by encrypting patient data, modifying data, or stealing the data. Based on the type of network your organization utilizes, you may need domain controller and/or business grade firewall. Some firewalls that are designed for “small” businesses, are not robust enough for healthcare. As devices age, they must be replaced since technology is always changing, and vulnerabilities are exploited. Before purchasing new equipment, it is suggested to consult with an IT vendor that specializes in healthcare. It is important to ensure the device can be used in a healthcare setting, set up correctly, and custom security policies implemented.

As we just mentioned about devices being upgraded, so must software applications. Again, when an organization utilizes outdated software, these can be exploited as well. I have heard over the years many different reasons why “programs” cannot be upgraded, it won’t work with the new version of windows, they don’t offer upgrades, or simply they do not want to spend the money. None of these reasons are acceptable excuses from the Office for Civil Rights unless you have security measures in place to protect the legacy systems and they are safe from the “outside” world. If you utilize outdated equipment or software and you are hacked, you CAN and WILL be fined if you have not demonstrated best practices in protecting your data. You literally are running the risk of losing your business. The fines are THAT much!

We recommend yearly network security audits that are performed by a network security company. This is different that your regular IT company that maintains your systems unless they truly specialize in network security. This type of company should perform several types of vulnerability scans. Not all scans are created equal and different types may be necessary to uncover holes in your security. For example, scans that look for weak passwords, duplicate passwords, weak access controls, and vulnerable ports. 80% of the attacks can be linked to weak authentication credentials. By adding a second authentication process, a bio-scanner, or RFID card to access ePHI greatly enhances security. This is especially helpful for those using remote access. When it comes to your daily IT vendor, they must also under HIPAA and follow the security protocols set forth by NIST. Several medical practices have been breached due to incorrect settings within the network. Some of these breaches cost $3M in fines!

Summary:

Although malicious attacks targeting the health care sector continue to increase, many of these attacks can be prevented or mitigated by fully implementing the Security Rule’s requirements.  Many organizations continue to underappreciate the risks and vulnerabilities of their actions or inaction (increased risk of remote access, unpatched or unsupported systems, not fully engaging the workforce in cyber defense). 

Unfortunately, there isn’t a single magic action to ensure the safety of your data, it is a combination of the above and ongoing upgrades.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Dental practices can be fined under HIPAA rules

Posted bySuze Shaffer

This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of four investigations related to the HIPAA privacy rule.

Two cases were part of the HIPAA Right of Access, bringing the total number of enforcement actions to twenty-seven since the initiative began. Another case included misuse of social media in response to a negative review.

  • A solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record.  After being issued a Notice of Proposed Determination, the doctor requested a hearing before an Administrative Law Judge. The litigation was resolved before the court made a determination by a settlement agreement in which the doctor agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
  • A dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review.  The practice did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination.  OCR imposed a $50,000 civil money penalty.
  • A dental practice in Fairhope, Alabama, who impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
  • A psychiatric medical services provider with two office locations in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.

If you would like to read about other fines, follow this link:

https://arismedicalsolutions.com/what-are-some-of-the-actual-hipaa-fines/

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC