Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com

Author: Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome. Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas. She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation. Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance? All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Responsibilities of a HIPAA Compliance Officer

Posted bySuze Shaffer

While the nation was shut down and people were suffering, hackers were busy at work. It is coming to light how many organizations have had a data breach and have been hit with ransomware.

Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime in 2020 has surpassed 2019 and we still have a few months to go. The problem is the hackers have become very sophisticated in their attacks. Whereas it used to be easy to spot a fake email, that is no longer the case. Between email and text efforts, they are gaining access to our information and we are the ones permitting it. Also, user credentials are compromised and used to gain access to your network or to send false emails to gather personal information. These scams typically involve a criminal that has hacked a legitimate email address. For example, a person would receive a message that appears to be from someone within their organization or a business associate with which that person knows. The message will request a payment, wire transfer, gift card purchase, or even a list of employees with social security numbers that seems legitimate. The compliance officer should be notified, and the transaction verified BEFORE it is completed. Every office needs to have a verification process in place before releasing ANY data.

We have said this before… if a stranger walked up to you and asked you to verify your identity would you give them any information? Of course not, but that is exactly what we are doing when we receive an email or text message from someone or somewhere, we trust. Trust, but verify.

With more and more people working remotely, that brings us to another vulnerability. Covered entities that utilize the services of business associates are required by HIPAA to ensure the business associate is in fact HIPAA compliant. The starting point is to ensure you have a business associate agreement in place with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements to ensure they are protecting your patient data. If a covered entity does not have a BA agreement in place and the vendor causes a data breach, the covered entity will more than likely receive the fine. With a BA agreement in place, it is still typical the covered entity bears the financial burden of the breach but may not receive the fines. That is why a BA agreement should include an indemnification and requiring the business associate to carry cyber liability insurance. Recently, a business associate was fined $2.3 million for a data breach that was caused by a hacking incident. If the covered entities did not have BA agreements in place, they could have been the ones who received this hefty penalty. Also, recently an orthopedic clinic was fined $1.5 million after a journalist notified them that a database of their patient information was posted for sale online. For this reason, we recommend covered entities should carry their own policies as well. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino. Many electronic and portable devices are used to process and store PHI. Anyone with access to such devices could potentially have the ability to change configurations, install malicious programs, change information, or access information that are not authorized to. Any of these actions has the potential to affect the integrity of patient information. HIPAA requires covered entities and their business associates to implement and follow policies and procedures to limit access to only those who are authorized.

Risk management should be at the top of everyone’s list. Preventing data breaches and securing patient data is everyone’s responsibility, but the OCR requires someone to be the point person, hence the HIPAA Security or Compliance Officer title. This responsibility is so much more than just a title. HIPAA Compliance Officers responsibilities include creating, maintaining, and enforcing compliance. This includes the staff, management, and even the medical providers.  I hear too often that the compliance officer gets push back from the doctors or owners. This is so unfortunate since they are only trying to do their job that is required under state and federal law. They are the frontline defense in keeping your practice alive and well. The owners of the practice may suffer the financial loss, but sometimes everyone does if the practice closes. Let’s all work together to keep patient data safe and secure.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Inventory lists and network mapping, why they are so important!

Posted bySuze Shaffer

First, it is required under HIPAA that medical organizations and business associates ensure the confidentiality, integrity, and availability of ePHI. Part of a HIPAA compliance program requires an entity to conduct a HIPAA risk analysis to determine where ePHI is located and how it is protected. It is critical that all organizations understand how data flows in and out of their systems as well has how business associates access your data. Risk management is the key to protecting your data.

Here is a starting point after your risk analysis:

  1. Create an inventory list. The list should include servers, computers, laptops, tablets, printers, scanners, fax servers/machines, and specialized equipment for your type of practice.
  2. Include what type of encryption you have implemented or what type of anti-virus and anti-malware is utilized. Also, think about devices that are not onsite, remote users, cloud servers, and offsite backups. If smartphones are used, add those as well. Even if they are not company owned, just make a note of that.
  3. The inventory list should also include software that is used to access or store ePHI. When the time comes to retire a device, this list could be used to determine how it is to be handled. For example, will it need to be destroyed or could be sanitized and reused?
  4. Be sure to include the operating systems on your devices. This will alert you when systems are at the end of life and need to be replaced.
  5. We also recommend adding assets that do not store or access ePHI, just in case they could be compromised and create a method of intrusion. This includes firewalls and routers.
  6. Next, create a diagram of all technology and how ePHI flows through your system. Hackers can gain access to your systems through your vendors. You may need the help from your IT company. Keep in mind when selecting an IT vendor, they MUST be well versed in healthcare. Your security is more complex than the average small business, not to mention the heavy fines should you suffer a data breach.
  7. When creating your network mapping, we suggest adding which devices store and/or access ePHI. Again, this is a visual reminder of how your data flows and can help you to understand how to protect your data. If possible, request a Visio Map from your IT vendor.

With all the data breaches that are happening, it is so important to know where your data is and how it is protected. Keeping up with your risk analysis and risk management plan demonstrates your on-going compliance efforts. This is a requirement under the HIPAA Security Rule. If you suffer from a data breach and you can provide documentation that you have reasonable and appropriate safeguards in place and that you have done the best you can to protect your data, more than likely you will not be fined.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Fines assessed to small practices

Posted bySuze Shaffer

We find this difficult to talk about especially during these trying times. However, we feel it is important for all practices to know that HIPAA violations and fines have not disappeared during this pandemic.

Investigations take a long time and many practices think since they have not heard of small practices being fined that they are immune. Unfortunately, that is not true. Fines are smaller, but even the “small” fines hurt small practices. Could you afford $25K or $50K in fines?

The latest fine of $25K for ongoing HIPAA violations could have been more but the statute of limitations is 6 years. It was reported that they had failed to implement security rule policies and procedures, failed to provide their employees with security awareness and training, and they failed to conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI they held.

To read the full resolution agreement click here:

https://www.hhs.gov/sites/default/files/metro-signed-agreement.pdf

We understand that after you conduct the HIPAA risk analysis, the hard work begins. Implementing your HIPAA policies and procedures and documenting your risk management plan are difficult and there never seems to be enough hours in the day to complete this task. This is a MUST!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Telemedicine on the other side of the Pandemic

Posted bySuze Shaffer

By Suze Shaffer

July 15, 2020

The Office for Civil Rights (OCR) back in March relaxed it’s enforcement for non-compliance with regards to telemedicine. They permitted the use of audio/video communication applications such as Facetime, Google hangouts, Zoom, and Skype without risk that a provider could be issued a penalty for non-compliance. Providers were encouraged to inform their patients of potential privacy risks and do their best to engage encryption and whatever means they had available to secure the data.

Even though some states are experiencing a surge in more COVID cases, medical providers are expected to seek HIPAA qualified products and obtain a business associate agreement. Telehealth providers should now have an agreement ready that will include state law provisions and data security information. Medical providers should read this agreement carefully to ensure the data security is outlined and meets their state law breach notification guidelines. Ideally, it would be best for the vendor to sign YOUR business associate agreement if you have one that has outlined security requirements.

If a medical provider does not obtain a signed business associate from a vendor, the medical provider should terminate using the vendor. Just because a vendor doesn’t sign a BAA it does NOT release them from liability. It just means the liability falls on the medical provider for not obtaining the signed document. Furthermore, the medical provider may receive fines for non-compliance should the business associate suffer a data breach or security incident. These documents are extremely important!

Many thanks to all our healthcare workers for staying strong throughout these trying times.

If you would like more information or need a business associate agreement, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cell phone use in the workplace causing distrust

Posted bySuze Shaffer

By Suze Shaffer

March 15, 2020

We all have been annoyed at one time or another when we arrive at a counter or a place of business and the person is on their cell phone and we are ignored. Of course, that is not very good customer service. When you work in healthcare, it goes to an all new level. HIPAA doesn’t restrict the use of cell phones, except how they are secured and protected. However, this is not what we are discussing here today.

We are hearing about complaints from patients accusing employees of taking pictures of their information. This particular situation the employee was accused of taking pictures of the computer screen and the patient told the doctor. This afforded the doctor the opportunity to address the situation and avoid a formal complaint to the Office for Civil Rights (OCR). We recommend employees leaving their cell phones out of sight of patients unless the phone is used for business purposes within the practice. Some organizations are even adding cell phone lockers. I can remember before we had cell phones, we actually gave out our work number to anyone who needed to get in contact with us! Now you know how old I really am! Joking aside, this is a very serious matter that could cause the OCR to open an investigation. Keep in mind, when you are being investigated by the OCR, they do not “just” investigate “that” situation. They look at your overall compliance plan. Where are your policies? What were your procedures before, during, and after the occurrence. What have you done to prevent the same situation from happening again? Plus, many more items they take into consideration when conducting an investigation.

The next area of concern with cell phones are with patients. We have long been a proponent of using privacy screens on computers. Now, even if the screen is across the room, we are pushing our clients to add the screens. Patients now have their phones out while making new appointments, they could potentially take pictures of computer screens across the room and enlarge them. Some of you may be thinking that we worry too much and all this security is driving you crazy. It only takes ONE mistake or ONE complaint to turn your life into a rollercoaster. Prevention is the best medicine!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

A Patient’s Right of Access is still an issue for many Covered Entities

Posted bySuze Shaffer

By Suze Shaffer

February 15, 2020

Many covered entities struggle to understand what is “right of access” for individuals. Under HIPAA and the Omnibus Rule, a patient has the “right” to request a copy of their medical record in the format of their choice (if available). What this means is, a medical provider is not required to purchase special equipment or software to meet these requests. With that said, if a patient requests a CD or DVD of their medical records and you do not have a DVD drive, you would not necessarily be required to purchase one. Keep in mind, DVD drives are only about $25 and it would not be unreasonable for a practice to purchase one. Of course, the ideal situation would be to direct the patient to your EHR portal and download it themselves. However, you can’t require them to do so.

When a patient requests the right to access their PHI (protected health information), be sure to have the patient sign a written request and make note of the date. A provider has 30 days to supply the patient with this information. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Keep in mind, only one extension is permitted per access request.

The next area of confusion is the fee limitation. Copying fees for medical records are set by individual states and typically refer to the cost of labor, printing, and delivery of paper or electronic data. The labor fee does not permit the provider to charge for the preparation of the data but labor costs could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media.

The Flat Fee rate option is not cap, merely an option rather than calculating the actual cost of labor and printing. Many providers are utilizing this method since it is easier than calculating the actual costs.

On January 23, 2020, a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to PHI (protected health information) in an electronic format.” Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to a patient’s request for access to their own records, and does not apply to a patient’s request to transmit records to a third party.

https://www.hhs.gov/hipaa/court-order-right-of-access/index.html

If you would like to read the Memorandum Opinion from the United States  District Court in the case  Ciox Health LLC vs Alex Azar:

https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51

We hope this will help clear up any misconceptions when it comes to a patient’s right to access their medical information.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

HIPAA in 2020 – How the protection of our privacy maybe changing

Posted bySuze Shaffer

By Suze Shaffer

HIPAA Compliance TrainingJanuary 15, 2020

Hindsight is always 2020, as we begin this new year, let’s try to make that a current sight!

By now, those of you who have been using Windows 7 computers and 2008 Servers have been getting notifications that the end of life was coming. Time is here. January 14, 2020, Microsoft no longer will be supporting these operating systems. What this means is they will no longer send out security updates. Each time a security update is issued, it is because someone has found a vulnerability that could be exploited. This is why hackers lay in wait for unsuspecting people to ignore this. Of course, it is doubtful that you will get hit on January 15, but the chance is there and will increase with each passing day. If you are hacked and this causes a data breach, you WILL be fined for using outdated software. At the conference in October, the OCR specifically discussed this.

All 50 states have their own set of privacy laws to protect their residents. In Healthcare we have to adhere to HIPAA, the Federal law, but also must follow state law when it is more stringent. Sometimes, this means flipping back and forth and it becomes very confusing. The good news is that lawmakers are trying to come up with a Federal privacy law to help stop the confusion. Although they haven’t come up with a firm plan yet, they are working on it. This is partly due to the GDPR (General Data Protection Regulation) being enforceable in the United States. Some people view this a cost guzzling law, but we are all consumers and we should have the right to know who is collecting our data, how they are storing our information, and if they are selling our information. Hopefully, our Federal lawmakers will come up with a law that will allow consumers to opt out if we don’t want our information sold. In healthcare, our information may be sold by EHRs and other healthcare companies, when it is de-identified. Medical practitioners are required to obtain a patient’s authorization before they share patient information. Other businesses should be required to do the same and be fined for selling our personal information if we do not permit the disclosure.

To learn more on what is being discussed in legislation , click here:

https://cdt.org/collections/federal-privacy-legislation/

If you would like to learn more about the legislative proposal, click here:

https://cdt.org/insights/statement-of-michelle-richardson-examining-legislative-proposals-to-protect-consumer-data-privacy/

In June 2018 California passed a consumer privacy law, AB 375, that may be more stringent than the GDPR. The California Consumer Privacy Act (CCPA) went into law January 1, 2020. Although the law isn’t as stringent as the GDPR on timeline notifications, it does have some very tight restrictions that go even further. Any company that have at least $25 million in annual revenue and serves California residents must comply with the law. Also, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data fall under this law. Companies don’t have to be based in California to fall under the law. They don’t even have to be based in the United States.

We believe more states will follow California unless we can agree on a Federal law to help all consumers. Most of us are patients at a medical facility somewhere, and we are ALL consumers everywhere! By enacting a Federal privacy law, this is a good thing, not a bad!

Happy New Year and praying for good things to come!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

RIPlace technique allows malware to bypass anti-malware programs

Posted bySuze Shaffer

By Suze Shaffer

HIPAA Ransomware

Like we don’t have enough to worry about, now this!

Security researchers are saying this new technique is effective even against systems that are patched and run anti-virus scans. This process allows ransomware to encrypt files on Windows based systems. The way most ransomware gets into our systems is by unsuspecting users or hi-jacked user credentials. Of course it can happen from a disgruntled employee as well. Once this happens, the ransomware opens and reads an original file, then deletes or destroys the original by encrypting it. Within a short amount of time the hacker can invade your systems and crawl through your entire network. Taking everything down and literally destroying your livelihood.. Of course, there is more to this and if you want, you can research this. The main reason why I wanted to share this with you is because… as I have said many times, employees are your first line of defense! Well educated employees can prevent this from happening in your organization. Here is what you need to do TODAY to prevent a data breach:

  1. Remind every user of your system that the computers are for business purposes ONLY. Clicking on infected websites can infect your network.
  2. Remind users do not click on any links or attachments that are not expected even if it comes from someone they know.
  3. Do not permit anyone access to your systems without confirming their identity. This includes service providers. If you do not have an appointment, call and verify the person is still employed there.
  4. Remove user access for terminated employees IMMEDIATELY. Before terminating a person, have this process set and ready.
  5. Conduct a criminal background check on ALL new hires. This needs to be included in your employee manual, and state that a background check can be performed at anytime during their employment.
  6. Contact a network security professional and have them run an audit on your system. This will ensure you do not have any open ports or vulnerabilities.
  7. Be sure to have a backup of your system that is NOT connected to your network.

I know I have said this in the past, but I have to say it again… The World Wide Web (WWW) is the new Wild Wild West, the difference is, danger is invisible until it is too late. Be careful out there.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Are you sharing TMI – Too Much Information?

Posted bySuze Shaffer

By Suze Shaffer

HIPAA Doctors

When designing your website we all think it’s a great idea to “share” who are team is. Although, it is necessary in healthcare because patients want to see who your staff is and get to know them, be careful not to give out TMI – too much information. Hacker and spammers troll websites looking for information they can use. Think about this… when you post on your website your favorite flower, favorite food, or where you were born, these can be used as security questions or used to figure out other details of your life.

Another area of concern is when a business associate calls your office and asks for information and you didn’t request them to call or contact you. Make sure that person is still employed there and verify the call before giving out any information, sending any information, or permitting access to your systems. Recently, a friend of mine told me about an IT company who had one of their employees impersonated on the phone. Luckily the hacker wasn’t able to get anything since the computer wasn’t connected to the network. Just think what could have happened if it were!

Best practices in protecting your information.

  1. Although you want to be “real” and connect with your patients online, give out information sparingly. What you post online is read by ANYONE!
  2. When creating your security questions, don’t answer the questions truthfully. When asked what is your favorite flower, make something up! You just have to remember what you made up! For example: Favorite flower, Mexican – name a food instead. Favorite food, Pink Roses – name a flower instead. Mix it up a bit!
  3. When anyone calls and asks for any confidential or patient information. Verify before giving out any information. Make sure that employee still works there and they have been requested to perform whatever they are requesting.
  4. Never let anyone that calls on the phone have access to your computer, server, or any electronic device until they have been verified.
  5. Do not permit any transactions to be processed until what is requested has been verified.

I know this sounds like a lot of extra work, but think about the consequences and the time that will be spent correcting a mistake. Not to mention the cost if you have a data breach!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Ransomware is a REAL threat…

Posted bySuze Shaffer

By: Aris Medical Solutions

HIPAA Ransomware arismedicalsolutions.com

We all hope that we do not fall victim to ransomware, but we need to do more than just hope. All businesses, especially healthcare must have a contingency plan that includes data recovery in the event their systems are encrypted. If you have a backup that is NOT connected to your network, your downtime will be minimal. Keep in mind, you may need to go through the breach notification process based on your state and federal HIPAA law.

A Michigan ENT and Hearing practice refused to pay $6,500 in ransom and the hackers wiped their systems. With no chance of recovering this data, they chose to close the practice.
Most recently, a California Medical Practice was unable to recover their data after ransomware encrypted their systems including their backups. As a result, they will close their practice December 17, 2019.
I could keep adding to the list, but I would rather educate you on how to avoid this!

Best practice is of course to PREVENT ransomware in the first place. This starts with a solid network security program and education for your workforce. Most malware is introduced by an unsuspecting employee. Truly, one click of a mouse can cause a tumbling effect leading to the loss of your business. I know that sounds a bit dramatic, but most small to medium sized organizations that suffer a data breach do not survive.

Healthcare is a major target, in fact, 71% of ransomware attacks are towards small to medium sized practices since they do not have adequate network security in place.

  1. Your first line of defense is an enterprise version firewall device. This means, do not purchase one that has parental controls!
  2. Second, have a network security specialist set up your firewall and set custom security controls. It is fairly simple to set up a “network”, but it takes someone who truly understands network security to secure your network. This includes computers, servers, access points, etc.
  3. Depending on the size of your organization, you may need to set up an onsite server as a domain controller. Once this is in place, all users are authenticated through the domain. Security permissions can be set all at once and can’t be changed by the users.
  4. Phishing education for all employees including providers, and management. Business email addresses are targeted typically between Tuesday and Thursday according to the analysis from Barracuda. Phishing emails impersonate a trusted entity, they try to get the recipients to click on the links or attachments, share account credentials, and typically have some sort of urgency associated with the email. These emails often bypass traditional email security since they originate from reputable senders.
  5. Ensuring you have business associate agreements in place before releasing any PHI. This will protect you from fines and penalties in the event they have a data breach. It is advisable to carry cyber-liability insurance. If your business associate causes a data breach, it will still be your responsibility to go through the breach notification process. Best practice is to require your business associate to carry cyber liability as well.
  6. Physical security is often overlooked when we talk about data security. Portable devices need to be secured when left unattended. Printers and fax machines should not be located where they can be accessed by an unauthorized person. Servers should be in a locked room or cabinet. Computers should not be located near exits. Keeping an up to date inventory list and reviewing it regularly is critical in knowing if anything is missing. Lastly, a security system that has cameras and access logs is recommended.
  7. Organizations that have well defined policies and procedures are less likely to have a data breach. Employees are educated on what they can and cannot do with business equipment. Knowing what to do in the event of a security incident can actually STOP a data breach from becoming a major breach. Plus, most large fines are because the organization did NOT have a policy or plan in place. Just make sure you have read and dated them!

Remember HIPAA is not a once and done process, as technology changes and employees come and go, you need to keep track and update accordingly. Use your Risk Management Plan to track your progress! Let us know if you need any help with implementation.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC