How to protect your organization from phishing attacks

It is a known fact that hackers target the healthcare sector because the data is so valuable. The cost of healthcare data breaches increased from a total average of $7.13M in 2020 to $9.23M in 2021. The average breach cost rose $1.07M for those who had remote access. Organizations in the U.S. has lost $2.4B to business email scams. They have estimated that cybercrime topped $6T worldwide.

So, how do hackers get in and what can you do to protect yourself?

Remember, there isn’t ONE magic setting to protect you from all threats, it takes layers of security!

Organizations must have solid network security in place. Firewalls are a necessity in today’s world. You can set specific parameters to ensure employees can go where they need to, and block where they do not. You can also set security policies that block other countries.

Utilizing real-time anti-virus and anti-malware software also helps. This won’t help if an employee clicks on a link or picks up malware on the internet unless the system alerts the user BEFORE they click! For example, if an employee is surfing the web (and no they should not surf on a work computer), and they visit a website that has been infected, your anti-virus / anti-malware software should alert you with a warning.

Although there are brut attacks, but most hackers come in via through a phishing attempt. Often, an employee makes a simple mistake like clicking on a link or an attachment in an email. Even though I talk about this ALL the time and say NEVER do this…people still do.
Email scammers use several ways to trick employees to gain access to information. Including getting employees to send wire transfers, send a list of employee’s social security numbers, or to make purchases they are not aware of. Alan Suderman at Fortune cited a case where thieves hacked the email account of the organization’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000.
You think this can’t happen to you, but I know of a practice that someone hacked an email account and changed the bank information for payments from an insurance carrier, they lost about $100K.

I know of a company that the CEO email was hacked and being monitored, once the scammers knew who they talked to on the phone and who they did not, then the call came in to make a $65K wire transfer. POOF! Just like that $65K was gone.
YES, THIS HAPPENS! Keep in mind, if the caller or the email is asking for private information or money, verify BEFORE releasing it.

• Unless you are expecting an email from someone, DO NOT CLICK!
• If you get an email from someone you know and were not expecting it, pick up the phone and call them!
• If there is a link, open a web browser and open your account from there.
• If it is URGENT and requires you to act immediately, it is more than likely a hacker/spammer.
• If it says your credit card has been charged for something and you didn’t charge it, call your card company or your bank, do not call the number in the email or call the number in the voice mail.
• If they have all your information except the code on the back and ask you to verify the card by giving them the number, DO NOT.
• Government, state, and local authorities will not call you and demand payment immediately. Ignore these completely.
• Again, if money or personal information is involved, VERIFY!

Scammers share their success stories with other scammers, while ransomware hackers will hit you again if you pay. There is no honor among thieves.

All sizes of organizations need to be on high alert, from large hospitals to small single provider practices. I have used this analogy before, the World Wide Web it the modern version of the Wild Wild West. The biggest difference is you can’t see the bad guys coming into town to prepare. You must prepare for the unknown and the unseen.
There are companies that offer Phishing training. Then, they try to get your employees to take the bait. This has been a success at most companies. Educating your staff is JOB ONE! They can be your best ally, or your weakest link. You can build a fortress around your data, and one click can bring it down.

Continuous security awareness training is vital in your fight against these bad actors. Organizations must teach employees to be watchful for phishing attacks and stopping them by simply not engaging in emails and on the web.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

The Office for Civil Rights seeks public comment on Recognized Security Practices and Sharing Civil Money Penalties and Monetary Settlements

The Office for Civil Rights (OCR) released a Request for Information (RFI) seeking comments from all stakeholders including covered entities, business associates, patients, and their families. The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI). 

This RFI will enable the OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.

Through today’s RFI, OCR is seeking public comment on the following provisions of law:

  • Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates1 when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.  Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

    One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

    The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.
  • Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

    The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more:

https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health

Please note that comments must be submitted by June 6, 2022 in order to be considered.

Now is the time to make sure you are protecting your data! To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

If you would like to experience the system, scroll down and click schedule a demo.

“Simplifying HIPAA through Automation, Education, and Support”

How to defend against common cyber-attacks

The Office for Civil Rights sent out a cyber newsletter stating that throughout 2020-2021 hackers have targeted the health care industry and the number of breaches increased 45% from 2019 to 2020. The number of breaches due to hacking or IT incidents account for 66% of all breaches affecting over 500 patients records in 2020. Cyber-attacks are critical in health care since it can disrupt services to patients and destroy patient data.

Most cyber-attacks could have been prevented if covered entities and business associates had implemented the HIPAA Security Rule requirements. Technical safeguards are based on the organizations size, type of environment, and how data flows in and out of their systems. Keep in mind, phishing attacks and weak authentication protocols are the most common exploitations.   

What can you do to prevent cyber-attacks?

While nothing is 100%, simple precautious can go a long way. Educating your staff should be a top priority. Tricking employees to click on links or to share vital information is the most common tactic. An unsuspecting employee is typically how an attack starts. There are more sophisticated methods that can exploit previously unknown vulnerabilities, but phishing is still the most common. Train your employees not to click on attachments unless they are expecting the communication and the sender has been verified. Also, do not click on links within emails. Best practices are to open your browser window and go to the website and log-in from there. If the employee suspects an email contains a virus or is suspicious, they should contact their IT department/vendor and verify. It is always better to be safe than sorry later!

Ongoing HIPAA training is essential to keep up with new threats. Annual training keeps HIPAA on the minds of your employees, but when you add monthly security reminders it helps so much more! The HIPAA security officer should share emails or website information from reliable sources to keep their employees informed. When you receive Aris’ monthly Security Newsletter, share this valuable information with the staff, including clinicians, and management since they are often a target from hackers. If possible, utilize a company that offers Phishing training and exercises. Contact us for some suggestions.

Unfortunately, security training cannot be effective if it is viewed by as a burdensome, and employees just want to “check-the-box”.  Keep staff members engaged by explaining cyber security is everyone’s job in protecting ePHI.

In addition to education, organizations can mitigate the risk of phishing attacks by implementing anti-phishing technologies. You should talk to your IT vendor about what type of services they have that can help you. For example, if an email is suspected of being a threat, it can be blocked, and appropriate personnel notified. Another approach can involve scanning web links or attachments included in emails for potential threats and removing them if a threat is detected. Newer techniques can leverage machine learning or behavioral analysis to detect potential threats and block them as appropriate. Many available technology solutions use a combination of these approaches. Implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule. Organizations may determine that because its privileged accounts (administrator) have access that supersedes other access controls (role or user-based access) and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts. If exploited through an administrative access point, not only could privileged accounts supersede access restrictions, but they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoperable. To reduce the risk of unauthorized access to privileged accounts, the organization could decide that a privileged access management (PAM) system is reasonable and appropriate to implement. 

Covered entities and business associates are required under HIPAA to ensure the integrity, confidentiality, and availability of ePHI. This means protecting patient data from improper alteration, destruction, and making sure it is available when needed. Hackers that penetrate an organization’s network can wreak havoc by encrypting patient data, modifying data, or stealing the data. Based on the type of network your organization utilizes, you may need domain controller and/or business grade firewall. Some firewalls that are designed for “small” businesses, are not robust enough for healthcare. As devices age, they must be replaced since technology is always changing, and vulnerabilities are exploited. Before purchasing new equipment, it is suggested to consult with an IT vendor that specializes in healthcare. It is important to ensure the device can be used in a healthcare setting, set up correctly, and custom security policies implemented.

As we just mentioned about devices being upgraded, so must software applications. Again, when an organization utilizes outdated software, these can be exploited as well. I have heard over the years many different reasons why “programs” cannot be upgraded, it won’t work with the new version of windows, they don’t offer upgrades, or simply they do not want to spend the money. None of these reasons are acceptable excuses from the Office for Civil Rights unless you have security measures in place to protect the legacy systems and they are safe from the “outside” world. If you utilize outdated equipment or software and you are hacked, you CAN and WILL be fined if you have not demonstrated best practices in protecting your data. You literally are running the risk of losing your business. The fines are THAT much!

We recommend yearly network security audits that are performed by a network security company. This is different that your regular IT company that maintains your systems unless they truly specialize in network security. This type of company should perform several types of vulnerability scans. Not all scans are created equal and different types may be necessary to uncover holes in your security. For example, scans that look for weak passwords, duplicate passwords, weak access controls, and vulnerable ports. 80% of the attacks can be linked to weak authentication credentials. By adding a second authentication process, a bio-scanner, or RFID card to access ePHI greatly enhances security. This is especially helpful for those using remote access. When it comes to your daily IT vendor, they must also under HIPAA and follow the security protocols set forth by NIST. Several medical practices have been breached due to incorrect settings within the network. Some of these breaches cost $3M in fines!

Summary:

Although malicious attacks targeting the health care sector continue to increase, many of these attacks can be prevented or mitigated by fully implementing the Security Rule’s requirements.  Many organizations continue to underappreciate the risks and vulnerabilities of their actions or inaction (increased risk of remote access, unpatched or unsupported systems, not fully engaging the workforce in cyber defense). 

Unfortunately, there isn’t a single magic action to ensure the safety of your data, it is a combination of the above and ongoing upgrades.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the Contact Us tab.

“Simplifying HIPAA through Automation, Education, and Support”

Dental practices can be fined under HIPAA rules

This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of four investigations related to the HIPAA privacy rule.

Two cases were part of the HIPAA Right of Access, bringing the total number of enforcement actions to twenty-seven since the initiative began. Another case included misuse of social media in response to a negative review.

  • A solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record.  After being issued a Notice of Proposed Determination, the doctor requested a hearing before an Administrative Law Judge. The litigation was resolved before the court made a determination by a settlement agreement in which the doctor agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
  • A dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review.  The practice did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination.  OCR imposed a $50,000 civil money penalty.
  • A dental practice in Fairhope, Alabama, who impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
  • A psychiatric medical services provider with two office locations in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.

If you would like to read about other fines, follow this link:

https://arismedicalsolutions.com/what-are-some-of-the-actual-hipaa-fines/

What are common HIPAA violations and how to avoid them?

When the providers and upper management understand the ramifications of violations, then the rest of the staff typically will follow the examples that are set in place. Because HIPAA Compliance starts at the top!

Violations happen when someone makes a mistake or is simply not thinking. HIPAA needs to be on the forefront of everyone who encounters patient information. Treat this information as if it were your own! HIPAA does not have to be difficult; it only takes a few precautionary measures to stay compliant.

Here are some helpful reminders:

  1. Always speak in hushed tones. The person you are talking to may not be the one that will complain. Others may think if they can hear what you are saying to another patient, someone else will hear what you are saying to them.
  2. When a patient makes a request, always ask this to be in writing. Remember there is a time limit on most requests, and you must answer within the time allotted. If a patient asks for a copy of their medical records, you have 30 days to answer the request, you may extend 30 days, but it must be explained to the patient why, and a date when they will be available must be determined.
  3. With the new information blocking rules, patients now have the right to ask for their information in the format of their choice. This means if they want to download to an app or share with a third party, you are required to do so. If you do not have the technology in place to honor their request, advise the patient you are checking into this, and never tell them “no” you can’t honor their request. That may be considered information blocking.
  4. Before emailing or faxing patient information, verify the number/address, and before you click send, verify AGAIN! If you are attaching documents, be sure the document you are sending is the correct information for that patient. If you are emailing protected health information (PHI), encryption should be utilized. The only time this is not required is if the patient has been informed that this is not a secure method of transmission, and they authorize you to send it anyway. Be sure to keep that email as your authorization.
  5. Train your staff to verify that business associate agreements are in place before releasing any paper, digital, or electronic PHI. This can save you hundreds of thousands of dollars in fines should they mishandle PHI.
  6. Educate your staff that looking into medical records that they do not have a need to do so, is grounds for termination. This includes family members, friends, neighbors, and celebrities. The monitoring of audit logs is a required standard under the security rule. If you are not reviewing your logs, then it is highly recommended to utilize an audit log monitoring company.
  7. Remind staff that work computers are for business purposes only. It is so easy to introduce malware and viruses from the internet. Also, remind them NEVER click on links in emails unless you are expecting the email.

These are just a few items to keep in mind. Be sure to train your staff on privacy and security annually and send out reminders. HIPAA is not just a once-a-year commitment, it is every day! Stay safe out there!

To find out more about our automated HIPAA compliance platform, click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Would your practice survive an audit?

There are many different types of “audits”, so when we refer to audits, we are referring to a “HIPAA audit”. When anyone mentions HIPAA audit, most practices think it won’t happen to them. I hear so often; I have never seen the “HIPAA Police” come around and do an audit. Well, they don’t just walk in off the street, but it only takes one patient complaint, a disgruntled employee, or a data breach to trigger an investigation. I have said this MANY times… and I feel the need to repeat it one more time! HIPAA has changed a few times over the years, one thing that has not changed since 1996 – HIPAA compliance is here to stay, and it is not optional.

When an investigation is opened, depending on the documentation you provide will determine whether a desk audit is conducted. For example, many OCR (Office for Civil Rights) investigations find systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures. With the “recognized security practices”, the OCR may review a minimum of 12 months of your documentation. The good news is, if you have documented your compliance efforts, you may not be fined or penalized! The OCR is trying to incentivize practices to step up their data security practices. Keep in mind, this must be documented. Just another reason why our clients are moving to our online compliance platform!

Employee mistakes are the typical cause of a security incident or data breach. Someone clicks on a link, opens an infected website, or falls for a phishing scam. This is a HUGE problem; all you have to do is go to the OCR breach portal and you can see for yourself the number of breaches reported for hacking. Educating your staff is #1, along with good data security practices that are documented.

Lost or stolen devices are also a problem unless they are encrypted. Security incidents must be reviewed, and the outcome documented. If a device is lost or stolen and it is encrypted (and documented as such) it is not a reportable breach!

Another area that the OCR reviews (depending on the complaint or violation) is employee training. HIPAA training requires periodic updates, and it is recommended that all staff including physicians attend annual HIPAA training. Again, this must be documented.

Background checks are so important and often overlooked. I can’t stress this enough… background checks are more than calling the “references” the candidate offers you. Of course, they will give glowing reviews! Insider threats are becoming more of a problem. People pose as a “great” employee, only to steal patient information, or some may just be curious and open patient records that they are not authorized to. Both situations can lead to data breaches or violations. Utilizing a professional company to conduct your background checks will provide you with the appropriate documentation.

Have you noticed something that all these areas have in common? DOCUMENTATION! If is not documented, it doesn’t exist in the eyes of the OCR.

Do you know why the OCR is coming down hard on the lack of data security? Because patient data is valuable, and hackers and scammers are trying to get to YOUR patient data. This is some of the most sought-after information because it contains everything needed to steal a person’s identity. It is easy to get a new credit card number, but you can’t get a new social security number. One more thing, some identity thefts lead to medical identity theft. This can be deadly if someone’s medical information is changed.

These are just friendly reminders to keep your practice safe and secure!

If you need more information or would like a 30 minute live demo of our Automated HIPAA Compliance platform, you may click on the Schedule a Demo to select a convenient time. 

“Simplifying HIPAA through Automation, Education, and Support”

Information Blocking Rule – Best practices to prepare now

It is the start of a new year and one thing we know for sure; nothing stays the same. Rules change, technology changes, and we must keep up. We wrote about the new Information Blocking Rule last July, but we have found many practices still do not understand what this means to them.

When the EHR Meaningful Use criteria was introduced in 2013, CMS stated that practices did not have to implement specific technology if a patient requested their information in a format that they did not have in place. This has all changed with the Information Blocking Rule that was passed in 2021. Part of the Interoperability Standard requires medical providers and health information companies to share patient data upon patient request. This Rule makes it very clear when it comes to patients and the control they have over their information. This is also known as “right of access”.

In the past EHRs was hesitant to open their portals due to security issues. Now, it is required to have security measures in place and share the data. There are some exceptions, but be forewarned, they are vague, and could be misinterpreted.

Penalty guidelines are in place for IT operators and health information companies, they are still working on the guidelines for medical providers. This gives you a limited amount of time to get ready for heavy enforcement.

Patients are now permitted to request their information be made available in the format of their choice. This includes to a third-party app installed on their mobile devices. These apps should protect patient data by supporting secure access through authentication processes similar to what the financial industries use.

When a patient makes a request and you do not have the technology in place to grant their request, you are obligated to comply with their request if possible or contact your technology vendors to see if this can be accomplished. If you do not, this could be considered Information Blocking. We recommend contacting your EHR and starting a conversation with them to ensure they are working on interfaces with other EHRs and some of the most common mobile apps.

There are some companies working on this technology, from what I have heard, they are limited. I am sure more will be adding this service as we progress. Before you hire a company to “develop” an interface for you, read below.

NOTE: If a patient requests their medical provider to share their information with another entity that is not a covered entity or a business associate, the information is not subject to the HIPAA rules. For example, the covered entity would not have HIPAA responsibilities or liability if such an app that the patient designated to receive their ePHI later experiences a breach. If a patient requests a covered entity to send their ePHI using an unsecure method the covered entity must grant the disclosure if it is readily available in the form and format used by the app. However, it is highly recommended to advise the patient of the lack of security so they can make an informed decision.

On the other hand, if the app was developed for, or provided by or on behalf of the covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the patient selects an app that the medical provider uses to provide services to their patients involving ePHI, the medical provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received. If you choose to develop or work with a company that has developed an app, be sure to obtain a BA agreement and review their technology security to ensure they are following the HIPAA requirements.

As we venture into this new territory, there will bad actors trying to “jump” on the healthcare wagon. As always, do your research before using any new applications or vendors. Ask your colleagues and most of all, check out their credentials.

If you need more information about the Information Blocking Rule or would like a live demo of our Automated HIPAA Compliance platform, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

Do you know what it means to be HIPAA compliant?

Be careful what you post on your website, you could be charged for false advertising! Some HIPAA compliance companies want you to use their “seal” of compliance. It is great advertising for them, but does it put your practice at risk of an audit? Some say yes, and worse, you could be charged for false advertising from the FTC.

https://www.ftc.gov/news-events/press-releases/2021/02/ftc-gives-final-approval-settlement-emergency-travel-services

https://www.ftc.gov/system/files/documents/cases/c-4732_skymed_final_order.pdf

HIPAA is a moving target and at any given moment you could be “out of compliance” for something as simple as using a device that hasn’t been updated with latest security patch. Of course, you won’t get fined for that, UNLESS it causes a data breach. So, to advertise that your organization is “HIPAA Compliant” could put you at risk for false advertising.

It has always been all about “documentation”. The HIPAA rules clearly outline the requirements for policies, procedures, and documentation. If your organization has not been evaluating (§164.308(a)(8)) the technical and non-technical security measures you have in place on a regular basis, you are out of compliance. How do you know when to conduct these evaluations? This depends on your policies, and if you do not have a policy on this, you are out of compliance. As you can see, this can be very confusing! Did you know that 75% of the Security Rule is policies and procedures, and 25% is technical safeguards? With Public Law No: 116-321, it is all about your documentation.

If the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may:

(1) mitigate fines under section 1176 of the Social

        Security Act (as amended by section 13410);

(2) result in the early, favorable termination of an audit

        under section 13411; and

(3) mitigate the remedies that would otherwise be agreed

        to in any agreement with respect to resolving potential

        violations of the HIPAA Security rule (part 160 of title 45 Code

        of Federal Regulations and subparts A and C of part 164 of such

        title) between the covered entity or business associate and the

        Department of Health and Human Services.

Recognized security practices are those recommended in NIST and the Security Rule. Each organization must assess their environment and adapt “best practices”.

Most organizations think they are HIPAA compliant until they suffer a data breach, or a disgruntled employee / patient files a complaint against them. Then they are investigated by the Office for Civil Rights (OCR), unless they have proper documentation and have demonstrated best practices in data security, they may be fined up to $1.5M per violation.

This healthcare cybersecurity handout was created by the DHHS:

https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

If you need assistance in navigating the maze of HIPAA, complete the contact us form at https://arismedicalsolutions.com/contact/ or call 877.659.2467 and schedule a demo of Aris’ automated HIPAA compliance platform. Documentation has never been easier, and with our customer service, you will know what is required and how to handle situations that arise.

 

“Simplifying HIPAA through Automation, Education, and Support”

More fines for Providers for not providing timely right of access

Medical professionals have had a rough year and a half. This has been trying times for so many and we have had to learn to adapt to new ways of running practices. I was hoping to be able to share some good news during this time of thankfulness and joyous season, but the Office for Civil Rights do not take breaks… This is not meant to be disrespectful but to inform you that when a patient files a complaint, the OCR takes that seriously and will open an investigation. So, during this holiday season, please stay vigilant to patient requests. Be sure to have the patient make the request in writing and no sticky notes allowed! DOCUMENTATION is your friend, not your enemy. Make sure this task is completed in a timely manner. These forms are included in your HIPAA compliance program if you do not have one already in use.

The Office for Civil Rights is VERY interested in how timely you answer a patient’s request to access their medical records. This is known as “Right of Access”. A patient has the “right” to request a copy of their medical records and this should be provided within 30 days, or if additional time is needed, a 30-day extension may be permitted if the patient has been notified of the reason and the delay with a date that the records will be made available.

In September the OCR announced the twentieth settlement for right of access violations. Earlier this month, they announced five more.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to twenty-five since the initiative began.  OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans.  After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:

  • Advanced Spine & Pain Management (ASPM), which provides management and treatment of chronic pain services in Cincinnati and Springboro, Ohio, has agreed to take corrective actions that include two years of monitoring, and has paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Denver Retina Center, a provider of ophthalmological services in Denver, CO, has agreed to take corrective actions that includes one year of monitoring and has paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record.  Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination.  Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.
  • Wake Health Medical Group, a provider of primary care and other health care services in Raleigh, NC, has agreed to take corrective actions and has paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

There are many other fines being assessed that can be reviewed on the HHS/OCR website. This is not meant to scare you but rather inform you what they are doing so you can stay safe and prosperous.

All of us at Aris Medical Solutions want to wish everyone a safe and wonderful holiday season. We do not take breaks either, we are here to help you! 

If you need more information or would like a live demo of our Automated HIPAA Compliance platform, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

HIPAA Requirements and Software updates

HIPAA Requirements and Software updates

Many medical providers are so busy trying to run a successful practice they sometimes forget the “technical” side of their business. Hackers know this and capitalize on it. Lately in the news, we have heard about Microsoft and Apple vulnerabilities that have been exploited by spammers and hackers. Therefore, it is SO important to stay on top of technology updates!

Most practices utilize an IT company of some sort, we recommend an IT company that specializes in network security. We do not recommend the practice trying to do this themselves unless the person assigned to the task is well versed in data security.

The Office for Civil Rights recommends an annual HIPAA risk analysis be conducted because technology changes so fast, by the time you implement a new system, an update is probably available. Speaking of the Office for Civil Rights, over the last few years, they have added hundreds of new auditors and now they are advertising for multiple new attorneys to enforce HIPAA.

Who May Apply: This vacancy announcement is open to all US Citizens and may be used to fill multiple positions”.

We have an automated HIPAA Compliance platform to help medical practices and their business associates with the daunting task up updating HIPAA compliance. To learn more about why you should and how to protect your data, read more below.

Over the last 12 years we have learned so much from our clients and have created a system that came out of their suggestions. For example, keeping all policies in one Step so you can easily scroll down to locate the one you need. Also, being able to view the state breach notification requirements. This is especially helpful for those practices that have multiple state locations or patients in more than one state. As we have been onboarding clients, we have had great feedback on the look and ease of use. Here is some information for your review.

Aris’ automated HIPAA system will enable your organization to maintain the HIPAA compliance documentation is an easy-to-follow format. As you know, it only takes one patient complaint, a disgruntled employee, or a data breach to start an investigation from the Office for Civil Rights (OCR) and they sometimes include the Office of Inspector General (OIG) and the Department of Justice (DOJ). Documentation is a main factor in avoiding a desk audit or passing an audit.

Our new system is better than ever, you have the ability to upload your own documents or implement and customize the ones that are included. Plus, as new rules and laws are introduced, we send out notifications of updates so you can review and approve the new policies. For instance, the Information Blocking rule is included, and we are watching for the other updates that are to follow. If you are not familiar with this, our new online HIPAA compliance system may be of interest to you.

Training your employees has never been easier, after you enter your employees during the onboarding process, you can send them to take an online HIPAA training course that is included. Once they complete the course, they will be required to take a short quiz and their certification of completion is conveniently stored within the system should you be audited.

The entire system educates the client every step of the way to ensure you understand what is required under HIPAA. If you have questions about HIPAA or need guidance, we offer a support ticketing system that is included with our monthly subscription.

Once you create your login, it is easy to navigate! In the Profile section, you will add employees, business associates, and electronic devices. You may use an excel spreadsheet to upload each section or enter individually. From here you can send employees the Confidentiality and Acceptable Use agreement via DocuSign to ensure employees understand what is acceptable and what is not permitted. If you do not have a business associate agreement in place will all your vendors, you have the option of sending one via DocuSign or printing a copy and sending one instead. The inventory list is a great way to keep track of which devices have had ePHI located on them, so you know the method to retire equipment when the time comes.

Step 1 – You will answer a series of questions to uncover risks and vulnerabilities. A risk management plan will be generated automatically that outlines what is needed to mitigate the vulnerabilities that were uncovered. You may modify what is recommended if you choose.

Step 2 – Security Incident Procedures and Breach Notification Plan. You will select which states your patients are located and the state law will automatically be populated. This plan also includes the links needed in the event of a data breach large or small.

Step 3 – You will be asked a series of questions about whether or not you have policies and procedures in place that meet the HIPAA Privacy and Security Rule requirements. Each policy will have a side note of education to ensure you understand what is required to be included. We suggest adopting the policies included and modify to meet your specific needs, then the policies are automatically dated and approved.

Step 4 – HIPAA Forms and Documentation. You may have forms you are already using; you may upload them to this Step to keep all your forms organized. There also many forms you may not be aware that is required under HIPAA, they are included and available for download in a Word format. You can customize them with your information and logo.

Step 5 – Business Associate agreements. During the creation of your profile, you are asked to add your business associates and upload any existing business associate agreements and HIPAA compliance documentation you may have. You have the option of sending a business associate a BA agreement via DocuSign or you may download a Word format and customize if needed. This is also useful if you have a Business Associate that uses Subcontractors, you would be able to use this document.

Step 6 – Contingency Plan. You may upload your own contingency plan, or you may choose to complete the one included in this Step.

Step 7 – This step contains a wealth of information. You can take a leisurely stroll to learn more about the HIPAA rules and other requirements that may affect your organization. You have the option to include which areas to include in your download. We also have a list of affiliates that you may need to complete your compliance requirements.

After you have completed the 7-Steps, you may simply download your package to share your policies and procedures with your employees.

When you are ready to get started all you have to do is click on the Order Now button on the main page of our website. Included is an online 1 hour live onboarding meeting to explain how to use the system.

If you need more information or would like to schedule a live demo, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC