HIPAA Security Rule requirements, Part I

It is hard to believe we are in 2021, but I am sure you are like the rest of us and glad to see 2020 in the rear-view mirror.

As we move into this new year, we need to look ahead and learn from what has happened in the past. Last month we informed you about many HIPAA violations that the Office for Civil Rights (OCR) had investigated. Most of these violations could have been prevented. In fact, I was talking with a colleague that owns an audit log monitoring system and he informed me that during the pandemic they saw a 90% increase in snooping into patient records of the same last name. Fortunately for his clients, this was immediately stopped, and the employee(s) were sanctioned. This made me want to remind you of a few requirements under HIPAA.

 

  • 164.308(a)(1)(ii)(c) Sanction Policy – is a “required” standard under the HIPAA Security Rule. Employers are required by law to apply sanctions against employees who violate HIPAA, otherwise the employer could be fined.

 

  • 164.308(a)(1)(ii)(d) Information System Activity Review – is another required standard. Which requires procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. A security incident can be best described as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

 

  • 164.312(b) Audit Controls – is yet another required standard that states you must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). This standard goes hand in hand with Information System Activity Review.

 

What does this mean to you?

First, you must understand what is considered “normal” usage within your software/hardware that contains ePHI. Then you must monitor your systems for abnormal behavior. This is a HUGE time-consuming task and unless you are monitoring every employee, 24/7 you may miss something. We highly recommend utilizing a third party to do this for you. The company we work with has interfaces with over 60 EHRs and is fully automated. If they do not have an interface, they will create one, or show you how to upload the logs in a matter of minutes instead of hours. No more looking over lengthy audit log reports. You simply receive an alert when there is abnormal activity. Best of all, this protects your patient data and your practice from fines and penalties. If you would like to learn more about this service, use the contact us page.

 

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

OCR Issues Audit Report on Health Care Compliance

Yesterday, the Office for Civil Rights (OCR) at the Department of Health and Human Services (DHHS) released its 2016-2017 HIPAA Audits Report. Although this seems outdated, it typically takes this long to compile the data.  They reviewed selected covered entities (CE) and business associates (BA) for HIPAA compliance of the HIPAA Privacy, Security, and Breach Notification Rules.

DHHS is required by law under the HITECH Act to conduct periodic audits. The chances of a random audit are slim, but they do happen, and you must be prepared. Don’t be fooled by a slim chance of a random audit, you can be audited for many other reasons! This audit comprised of 166 covered entities and 41 business associates. The OCR publishes this report to share the overall findings.

A summary of the audit findings includes:

  • Most CEs met the timeliness requirements for providing breach notification to individuals.
  • Most CEs that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
  • Most CEs failed to provide all of the required content for a Notice of Privacy Practices.
  • Most CEs failed to provide all of the required content for breach notification to individuals.
  • Most CEs failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee.
  • Most CEs and BAs failed to implement the HIPAA Security Rule requirements for risk analysis and risk management. 

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

The 2016-2017 HIPAA Audits Industry Report may be found at:  https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

Looking back at 2020 and HIPAA Compliance Violations

During this pandemic, the Office for Civil Rights (OCR) relaxed some of the requirements for Telehealth. This has since been retracted. Make sure the service you are using is in fact HIPAA compliant and you have a business associate agreement (BAA) in place. We also encourage you and all your business associates (BA) to carry cyber liability insurance. Data breaches and mishaps are part of our everyday life it seems. Although your medical malpractice insurance may offer a token amount of coverage, it is probably not enough. Keep in mind, if you cannot determine WHICH patient’s data has been breached, you must notify all your patients. This is where is can be very costly. When selecting an agent, make sure they are well versed in this type of insurance, as we have seen some policies are not worth the paper they are written on. Read the exclusions!

Below are some HIPAA violation highlights from 2020. This is not meant to scare you, but to remind you of how important adhering to HIPAA really is. The Office for Civil Rights (OCR) enforcement actions are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA Rules.

The OCR investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.

“The health care industry is a known target for hackers and cyberthieves.  The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino.

The OCR investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

The OCR investigation revealed that a former employee returned eight days after being terminated, logged into her old computer with her still-active user name and password. Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI after the employee was terminated. The investigation determined that the entity failed to conduct an enterprise-wide risk analysis, and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

The OCR investigation revealed that in addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

The OCR has settled twelve investigations for HIPAA Right of Access denials. This is not to be confused with a medical summary at the end of a patient encounter. A patient’s request for a copy of their medical record (their designated record set) either by them or from a third party must be handled in a timely manner.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.  OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.

“No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.

“The OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said Roger Severino, OCR Director.

The OCR investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so.  OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

A breach report regarding the impermissible disclosure of protected health information to an unknown email account. The breach affected 1,263 patients.  OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule.  Specifically, they failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.

“Health care providers owe it to their patients to comply with the HIPAA Rules.  When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the risks to the ePHI it maintains. Identifying, assessing, and managing risk can be difficult, especially in organizations that have a large, complex technology footprint. Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization. As technology changes, risk assessments must be updated and reflected in a risk management plan. Reviewing policies and procedures may also need to be updated depending on the type of changes in technology. As we get ready to close out 2020, set your schedule to review your updates and planned upgrades for 2021.

To read about enforcement and the resolution agreements, click on the link below:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

OCR enforces potential HIPAA violations for failure to remove a terminated employee’s access to Protected Health Information (PHI)

When an employee is terminated, it is necessary to remove access to protected health information (PHI) immediately. It is just as important for employees not to share their log-in credentials with anyone. The City of New Haven, Connecticut found out the hard way. In January 2017 the New Haven Health Department filed a breach report stating that a terminated employee may have accessed a file on a New Haven computer that contained PHI (protected health information) of 498 individuals. During the OCR’s investigation they discovered the former employee had returned to the health department eight days after being terminated and logged into her old computer and downloaded patient information to a USB drive. They also uncovered that the former employee had shared her user credentials with an intern, who continued to use these credentials to access PHI.

As we have mentioned before, when you are under investigation, they review all of your compliance efforts and not just the incident that provoked the investigation. During this investigation, the OCR determined they failed to conduct a system wide risk analysis and failed to implement access controls and termination procedures.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

This mistake cost the City of New Haven $202, 400 and they must implement a robust corrective action plan that includes two years of monitoring.

To read more about this click here:

https://www.hhs.gov/about/news/2020/10/30/city-health-department-failed-terminate-former-employees-access-protected-health-information.html

Cyber Alert: Ransomware Activity Targeting the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.

In addition to these materials regarding the most recent ransomware threat to the Healthcare and Public Health Sector, the HHS Office for Civil Rights’ Fact Sheet: Ransomware and HIPAA provides further information for entities regulated by the HIPAA Rules.

CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.

Responsibilities of a HIPAA Compliance Officer

While the nation was shut down and people were suffering, hackers were busy at work. It is coming to light how many organizations have had a data breach and have been hit with ransomware.

Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime in 2020 has surpassed 2019 and we still have a few months to go. The problem is the hackers have become very sophisticated in their attacks. Whereas it used to be easy to spot a fake email, that is no longer the case. Between email and text efforts, they are gaining access to our information and we are the ones permitting it. Also, user credentials are compromised and used to gain access to your network or to send false emails to gather personal information. These scams typically involve a criminal that has hacked a legitimate email address. For example, a person would receive a message that appears to be from someone within their organization or a business associate with which that person knows. The message will request a payment, wire transfer, gift card purchase, or even a list of employees with social security numbers that seems legitimate. The compliance officer should be notified, and the transaction verified BEFORE it is completed. Every office needs to have a verification process in place before releasing ANY data.

We have said this before… if a stranger walked up to you and asked you to verify your identity would you give them any information? Of course not, but that is exactly what we are doing when we receive an email or text message from someone or somewhere, we trust. Trust, but verify.

With more and more people working remotely, that brings us to another vulnerability. Covered entities that utilize the services of business associates are required by HIPAA to ensure the business associate is in fact HIPAA compliant. The starting point is to ensure you have a business associate agreement in place with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements to ensure they are protecting your patient data. If a covered entity does not have a BA agreement in place and the vendor causes a data breach, the covered entity will more than likely receive the fine. With a BA agreement in place, it is still typical the covered entity bears the financial burden of the breach but may not receive the fines. That is why a BA agreement should include an indemnification and requiring the business associate to carry cyber liability insurance. Recently, a business associate was fined $2.3 million for a data breach that was caused by a hacking incident. If the covered entities did not have BA agreements in place, they could have been the ones who received this hefty penalty. Also, recently an orthopedic clinic was fined $1.5 million after a journalist notified them that a database of their patient information was posted for sale online. For this reason, we recommend covered entities should carry their own policies as well. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino. Many electronic and portable devices are used to process and store PHI. Anyone with access to such devices could potentially have the ability to change configurations, install malicious programs, change information, or access information that are not authorized to. Any of these actions has the potential to affect the integrity of patient information. HIPAA requires covered entities and their business associates to implement and follow policies and procedures to limit access to only those who are authorized.

Risk management should be at the top of everyone’s list. Preventing data breaches and securing patient data is everyone’s responsibility, but the OCR requires someone to be the point person, hence the HIPAA Security or Compliance Officer title. This responsibility is so much more than just a title. HIPAA Compliance Officers responsibilities include creating, maintaining, and enforcing compliance. This includes the staff, management, and even the medical providers.  I hear too often that the compliance officer gets push back from the doctors or owners. This is so unfortunate since they are only trying to do their job that is required under state and federal law. They are the frontline defense in keeping your practice alive and well. The owners of the practice may suffer the financial loss, but sometimes everyone does if the practice closes. Let’s all work together to keep patient data safe and secure.

If you need assistance with HIPAA Security training or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

Inventory lists and network mapping, why they are so important!

First, it is required under HIPAA that medical organizations and business associates ensure the confidentiality, integrity, and availability of ePHI. Part of a HIPAA compliance program requires an entity to conduct a HIPAA risk analysis to determine where ePHI is located and how it is protected. It is critical that all organizations understand how data flows in and out of their systems as well has how business associates access your data. Risk management is the key to protecting your data.

Here is a starting point after your risk analysis:

  1. Create an inventory list. The list should include servers, computers, laptops, tablets, printers, scanners, fax servers/machines, and specialized equipment for your type of practice.
  2. Include what type of encryption you have implemented or what type of anti-virus and anti-malware is utilized. Also, think about devices that are not onsite, remote users, cloud servers, and offsite backups. If smartphones are used, add those as well. Even if they are not company owned, just make a note of that.
  3. The inventory list should also include software that is used to access or store ePHI. When the time comes to retire a device, this list could be used to determine how it is to be handled. For example, will it need to be destroyed or could be sanitized and reused?
  4. Be sure to include the operating systems on your devices. This will alert you when systems are at the end of life and need to be replaced.
  5. We also recommend adding assets that do not store or access ePHI, just in case they could be compromised and create a method of intrusion. This includes firewalls and routers.
  6. Next, create a diagram of all technology and how ePHI flows through your system. Hackers can gain access to your systems through your vendors. You may need the help from your IT company. Keep in mind when selecting an IT vendor, they MUST be well versed in healthcare. Your security is more complex than the average small business, not to mention the heavy fines should you suffer a data breach.
  7. When creating your network mapping, we suggest adding which devices store and/or access ePHI. Again, this is a visual reminder of how your data flows and can help you to understand how to protect your data. If possible, request a Visio Map from your IT vendor.

With all the data breaches that are happening, it is so important to know where your data is and how it is protected. Keeping up with your risk analysis and risk management plan demonstrates your on-going compliance efforts. This is a requirement under the HIPAA Security Rule. If you suffer from a data breach and you can provide documentation that you have reasonable and appropriate safeguards in place and that you have done the best you can to protect your data, more than likely you will not be fined.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

HIPAA Fines assessed to small practices

We find this difficult to talk about especially during these trying times. However, we feel it is important for all practices to know that HIPAA violations and fines have not disappeared during this pandemic.

Investigations take a long time and many practices think since they have not heard of small practices being fined that they are immune. Unfortunately, that is not true. Fines are smaller, but even the “small” fines hurt small practices. Could you afford $25K or $50K in fines?

The latest fine of $25K for ongoing HIPAA violations could have been more but the statute of limitations is 6 years. It was reported that they had failed to implement security rule policies and procedures, failed to provide their employees with security awareness and training, and they failed to conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI they held.

To read the full resolution agreement click here:

https://www.hhs.gov/sites/default/files/metro-signed-agreement.pdf

We understand that after you conduct the HIPAA risk analysis, the hard work begins. Implementing your HIPAA policies and procedures and documenting your risk management plan are difficult and there never seems to be enough hours in the day to complete this task. This is a MUST. If you do not have the time, then you need to hire someone or a company to do this for you.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

 

“Simplifying HIPAA through Partnership, Education, and Support”

Telemedicine on the other side of the Pandemic

By Suze Shaffer

July 15, 2020

The Office for Civil Rights (OCR) back in March relaxed it’s enforcement for non-compliance with regards to telemedicine. They permitted the use of audio/video communication applications such as Facetime, Google hangouts, Zoom, and Skype without risk that a provider could be issued a penalty for non-compliance. Providers were encouraged to inform their patients of potential privacy risks and do their best to engage encryption and whatever means they had available to secure the data.

Even though some states are experiencing a surge in more COVID cases, medical providers are expected to seek HIPAA qualified products and obtain a business associate agreement. Telehealth providers should now have an agreement ready that will include state law provisions and data security information. Medical providers should read this agreement carefully to ensure the data security is outlined and meets their state law breach notification guidelines. Ideally, it would be best for the vendor to sign YOUR business associate agreement if you have one that has outlined security requirements.

If a medical provider does not obtain a signed business associate from a vendor, the medical provider should terminate using the vendor. Just because a vendor doesn’t sign a BAA it does NOT release them from liability. It just means the liability falls on the medical provider for not obtaining the signed document. Furthermore, the medical provider may receive fines for non-compliance should the business associate suffer a data breach or security incident. These documents are extremely important!

Many thanks to all our healthcare workers for staying strong throughout these trying times.

If you would like more information or need a business associate agreement, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cell phone use in the workplace causing distrust

By Suze Shaffer

March 15, 2020

We all have been annoyed at one time or another when we arrive at a counter or a place of business and the person is on their cell phone and we are ignored. Of course, that is not very good customer service. When you work in healthcare, it goes to an all new level. HIPAA doesn’t restrict the use of cell phones, except how they are secured and protected. However, this is not what we are discussing here today.

We are hearing about complaints from patients accusing employees of taking pictures of their information. This particular situation the employee was accused of taking pictures of the computer screen and the patient told the doctor. This afforded the doctor the opportunity to address the situation and avoid a formal complaint to the Office for Civil Rights (OCR). We recommend employees leaving their cell phones out of sight of patients unless the phone is used for business purposes within the practice. Some organizations are even adding cell phone lockers. I can remember before we had cell phones, we actually gave out our work number to anyone who needed to get in contact with us! Now you know how old I really am! Joking aside, this is a very serious matter that could cause the OCR to open an investigation. Keep in mind, when you are being investigated by the OCR, they do not “just” investigate “that” situation. They look at your overall compliance plan. Where are your policies? What were your procedures before, during, and after the occurrence. What have you done to prevent the same situation from happening again? Plus, many more items they take into consideration when conducting an investigation.

The next area of concern with cell phones are with patients. We have long been a proponent of using privacy screens on computers. Now, even if the screen is across the room, we are pushing our clients to add the screens. Patients now have their phones out while making new appointments, they could potentially take pictures of computer screens across the room and enlarge them. Some of you may be thinking that we worry too much and all this security is driving you crazy. It only takes ONE mistake or ONE complaint to turn your life into a rollercoaster. Prevention is the best medicine!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

©2021 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC