Most practices seek assistance from one or more businesses to help them with certain functions within their organization. Depending on the type of service they provide, they may be considered a “Business Associate” under the HIPAA guidelines.
So, what defines a business associate § 164.308(b)(1)?
Any person or entity that may encounter ePHI/PHI while providing services to the covered entity. For example, a shredding company, billing company, or an IT company. Even if the IT company is not responsible for the data transmission or storage of ePHI, they are still considered a business associate under the definition by the Office for Civil Rights (OCR). This is because they may have access to computers or software to assist the provider when issues arise, or when updates are needed.
Software providers such as EHR/ EMRs, and practice management are also BAs. Custom software providers may also be included if they maintain the system and are required to provide updates. The exception to this would be if a custom software were developed and turned over to the practice for their use and then maintained by the IT vendor. The IT vendor would be the BA.
Clearinghouses are covered entities, and business associates of a covered entity since they facilitate the processing of health information from a nonstandard format into standard format, or from standard format into nonstandard format.
Some practices with multiple partners may use revenue from patients to determine each provider’s share. If they use a third party like a CPA, then the CPA may be considered a BA.
If an attorney is needed to defend the provider/practice against a patient and PHI is disclosed, the attorney is then a BA.
An easy way to remember this is… if PHI/ePHI is disclosed or the possibility of being disclosed during the job function of the vendor, then they are a BA.
A cleaning company is NOT considered a business associate even though they may encounter PHI because their job function does not include the creation, transmitting, or maintaining of ePHI. It is advisable to require the company to sign a confidentiality agreement and require their employees receive HIPAA training, so they understand the HIPAA rules.
When hiring a business associate it is required under HIPAA to ensure your vendor is HIPAA compliant. The first step is to obtain a Business Associate Agreement (BAA), but you must also have reasonable assurances they are in fact HIPAA compliant. You may request their most recent HIPAA training for the employees that will be responsible for working withing your practice, policies on data security, and depending on the services they provide, a copy of their latest risk analysis (first and last page that demonstrates who conducted the analysis and when). You also have the right to ask if they use business associates (subcontractors). The practice must ensure that anyone and everyone that comes in contact with ePHI/PHI understands how to protect this data.
Large medical practices are targeted by hackers since this information is so valuable. Smaller practices are hacked through phishing attacks, unsuspecting employees, business associates, and outdated software/hardware. It is everyone’s responsibility within the practice to ensure all data is secure and to avoid data breaches. I am sure you are thinking that if the government cannot keep data secure, how can you? Large organizations are always a target, and they have the same issues as smaller ones just more area of vulnerabilities for the bad actors to get in.
Stay safe out on the World Wide Web (WWW), we call it, the Wild Wild West. The biggest difference is, during the Wild Wild West days, you could see trouble coming into town and prepare. On the World Wide Web, trouble is invisible until it is too late.
If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
Many practices think once they have conducted a risk analysis, they are done with their HIPAA compliance efforts. Unfortunately, a risk analysis is just the beginning! You must document your ongoing HIPAA efforts through evaluations.
45 CFR § 164.308(a)(8) Evaluation – HIPAA requires organizations to review technical and non-technical aspects of their compliance efforts based on their original risk analysis. These evaluations could be based on operational or environmental changes that affect the security of ePHI.
Setting a time frame in which to perform your evaluations will be essential in determining if you are adequately protecting ePHI. Organizations may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment. An annual evaluation is recommended due the ever-changing world of technology. As software/hardware are outdated or replaced, the new devices must be reviewed to ensure they are HIPAA compliant and installed properly. Of course, if you have a major change in your organization or a data breach you may need to reorganize your quarterly plans and conduct a new risk analysis. Keep in mind, should you suffer a data breach and you have not updated your risk analysis and a vulnerability is discovered; you could be heavily fined. It is important to know if the security plans and procedures you have implemented continue to adequately protect ePHI. Some organizations do not understand the need in hiring an IT vendor with the thoughts they can do this themselves. Depending on the services that are being offered, you could be making a huge mistake. An IT vendor that specializes in data security for healthcare is essential in protecting your data and your assets.
We recommend reviewing certain aspects each quarter of each year. For instance, the first quarter review your Risk Management Plan to ensure everything is documented. It may not be necessary to update your Breach Notification Plan, but we suggest reading it to remind yourself what to do in the event of a data breach.
The second quarter would be a good time to review your Contingency Plan and make any updates. You may need to request additional information from your IT department or vendor.
The third quarter review your HIPAA Privacy Rule Policies, Procedures and Documentation. Most of these will not need any updates, but as always, it is recommended to review them, just in case something has changed.
The fourth quarter review your HIPAA Security Rule Policies, Procedures and Documentation. As in the privacy section, you may not need to update very many, but it is required under HIPAA to review them. Pay close attention to the Technical Safeguards section, as this may be where changes need to be made.
We also recommend reviewing your insurance policies and vendor contracts at least 60-90 days before they renew. This should give you ample time to review and decide if you have adequate coverage. This includes medical malpractice, life, and disability for key personnel. We also suggest reviewing your contract with your IT vendor at least 90 days before the contract terminates, some vendors add stipulations in the contract that automatically locks you in an additional year.
Cyber/breach insurance should be reviewed with an agent that specializes in this type of coverage; the average policy may not be enough to protect you.
Aris has been busy creating an automated HIPAA compliance package. With the new program, you will be able to update your plan and your policies quickly and easily. With the documentation within the system, you will be able to demonstrate your on-going HIPAA compliance efforts. Watch for the launch annoucement!
If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
Recently a cosmetic practice was fined $30,000 to settle potential HIPAA Privacy Rule violations. In the past many practices believed if they did not accept insurance payments (considered as a “transaction” under HIPAA), they were immune from the privacy rule. This may not be the case. There is a section in the rule that states “Other transactions that the Secretary may prescribe by regulation”. HIPAA compliance is a balancing act, are you willing to lose $30K of your hard-earned money to test the system?
This investigation started with a compliant from a patient that had requested their medical record and did not receive them in a timely manner. Under the HIPAA Privacy Rule, the provider must respond to a patient’s request for access no later than 30 calendar days after the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days if they provide the individual (within the initial 30-day period) with a written statement for the reason of the delay and include a date when the entity will have the information available. See 45 CFR §164.524(b)(2). Unfortunately for this practice, this was not handled in a timely manner. Therefore, an investigation was launched.
Let us review how this happens.
Once a complaint is filed to the Office for Civil Rights (OCR), the OCR will determine if the complaint falls within their duties to investigate. Once an investigation has been opened, the OCR will contact the practice for their documentation surrounding the incident. Depending on the documentation that is submitted will determine if a desk audit is warranted. Therefore, documentation is SO important, you may be able to avoid a desk audit if you supply the appropriate documents.
During a desk audit more than likely, you will be asked for documentation of what preventative measures you had in place before the incident and what you have implemented to prevent this from happening again. While you are being investigated the OCR may also review your compliance in other areas. If they find discrepancies, you could be fined for those as well. HIPAA encompasses a large range of requirements. Patient privacy, patient rights, and data security to name a few. I will not go into detail during this notification since we are sharing the security rule requirements in other messages.
Each resolution agreement that is issued by the HHS/OCR outlines the deficiencies they uncover. Most of them include the lack of a risk analysis, risk management, training, business associate agreements, and policies and procedures. During this investigation, other violations were uncovered and included the social security act was named in the resolution agreement: Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) a.
From this, I hope you can understand the importance of HIPAA compliance. Because one simple oversight can cause this much heartache. Patient privacy, patient rights, and data security is as important as caring for your patients. We have just learned that any entity that has patient data can be investigated and fined for violations under HIPAA.
Tell your friends and colleagues to ensure everyone understands no one is immune from HIPAA if you have patient data. Fines are fierce and not worth taking a chance by thinking “it won’t happen to me”.
If you need assistance with HIPAA Training, Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
When it comes to planning for a disaster, most people think “that won’t happen to me”. Under HIPAA, you are required to ensure the integrity, confidentiality, and available of ePHI. When creating your contingency plan, it is necessary to review what natural disasters could happen in your area, how would you handle a hacking incident, and what precautions do you have in place to protect your facility from theft? The idea is to have a “plan” in place for whatever may happen.
The Contingency Plan § 164.308(a)(7) standard has five implementation sections, three are required and two are addressable. Remember, addressable does not mean optional. Addressable gives the entity some flexibility on how to implement the requirements.
164.308(a)(7)(ii)(A) Data Backup Plan (R)
Most covered entities may have backup procedures as part of current business practices. Data backup plans are an important safeguard for all covered entities, and a required implementation specification. “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
164.308(a)(7)(ii)(B) Disaster Recovery Plan (R)
When it comes to disaster recovery planning, your plan may differ from others. Be sure your plan is based on where your data is located. Review where your data is located. Is it in a cloud-based or a premise (onsite) system? Although the majority of your ePHI may be in your EHR, you may have certain programs or files that are critical to business continuity that should also be backed up.
“Establish (and implement as needed) procedures to restore any loss of data.” Some organizations may already have a general Disaster Plan that meets this requirement; however, each entity must review the current plan to ensure that it allows them to recover ePHI.
164.308(a)(7)(ii)(C) Emergency Mode Operation Plan (R)
When an organization is operating in emergency mode due to a technical failure or power outage, security processes to protect ePHI must be maintained. “Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.”
An emergency mode operation plan should include procedures to enable continued operations in the event of a natural disaster, fire, flood, vandalism, or a system failure while still protecting the facility and the electronic data. This may include budgeting for and scheduling outside resources.
For example:
Does the plan include a list of different types of emergencies and how to react to them?
Would your organization need a temporary location, or would you be able to use one of your other locations?
Does your organization have reasonable arrangements with your IT vendor to ensure critical systems are back up and running in an appropriate time frame?
Has your organization created an emergency process that includes procedures that can be accomplished manually that is critical to patient care and business continuity?
Has your organization secured a contract with a security company to protect the facility in the event of severe damage to the building?
Has your organization considered agreements with suppliers to provide equipment or considered a backup power source?
Has your organization created a budget and allocated for the extra expenses should an emergency arise?
164.308(a)(7)(ii)(D) Testing and Revision Procedures (A)
Where the testing and revision procedures implementation specification is a reasonable and appropriate safeguard the entity must: “Implement procedures for periodic testing and revision of contingency plans.” It is important to point out that this implementation specification applies to all implementation specifications under the Contingency Plan Standard, including the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan.
164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis (A)
“Assess the relative criticality of specific applications and data in support of other contingency plan components.”
This implementation specification requires entities to identify their software applications (data applications that store, maintain or transmit ePHI) and determine how important each is to patient care or business needs, in order to prioritize for Data Backup, Disaster Recovery and/or Emergency Mode Operations Plans. A prioritized list of specific applications and data will help determine which applications or information systems be restored first and/or which must be available at all times.
In our 7 Simple-Steps to HIPAA Compliance package, we have included an outline to assist clients in completing their Contingency Plan. You may also request a plan from your IT vendor to assist you as well. Try to think outside the box to ensure all bases are covered.
If you need assistance with your HIPAA Contingency Plan or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
What the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) considers as reasonable and appropriate safeguards are always open for discretion. Every organization is different, and what may work for one, may not for another. For that reason, this information is a guideline only and should not be taken as legal advice.
Here are a few areas that should be reviewed:
§ 164.308(a)(5)(i) Security Awareness and Training has (4) implementation standards. They are labeled as “Addressable” under the HIPAA Security Rule. Do not be fooled by the term addressable, that does not mean optional. It just means you have options in implementing the standards.
The Security Awareness and Training standard means that a covered entity must implement a security training program for all employees including management. The frequency in which the training is performed is typically questionable and HIPAA requires new hires must be trained within a reasonable amount of time. We recommend HIPAA training BEFORE any person has access to PHI or ePHI since one mistake can cause a data breach. Then, HIPAA requires “periodic” training. Most organizations conduct annual HIPAA training. Although HHS does not specifically state you must conduct annual training, should you suffer a data breach and it is caused by an employee that did not have proper training, you could be fined for that violation. That is why it is so important to ensure your employees not only attend (and have documentation) HIPAA training, but must also actually understand what is required of them and how to safeguard patient data.
§ 164.308(a)(5)(ii)(A) Security Reminders – HIPAA is not just a once-a-year process. Periodic security reminder updates should be conducted throughout the year to keep HIPAA and data security in the minds of your staff. This should be documented as well.
§ 164.308(a)(5)(ii)(B) Protection from Malicious Code – Procedures must be in place to guard against, detect, and report viruses and malware. Up to date anti-virus and anti-malware software can ward off most intrusions. That is, as long your staff does not click on attachments or visit certain website where malicious code is located. Education is key. Ensuring software patches are applied when released, scanning systems on a routine basis, and utilizing firewalls are also very important. Making sure users do not introduce malicious code from downloads, DVDs, flash-drives, or other products brought from home.
§ 164.308(a)(5)(ii)(C) Log-in Monitoring – Procedures for monitoring log-in activity and reporting discrepancies. This standard states you must monitor user logins and unsuccessful attempts. Best practices are to have procedures to lock a user out after a predetermined number of failed log-in attempts. This may prevent an unauthorized user from gaining access to your system. With malware that repeatedly tries new passwords, this is highly recommended.
§ 164.308(a)(5)(ii)(D) Password Management – Procedures for creating, changing, and safeguarding passwords. All users must use their own credentials to log into systems that contain ePHI. Passwords are to be complex, never shared, secure, and changed at least every 90 days. Although HIPAA does not specifically state the 90-day rule, it is best practices unless you are utilizing a second method of authentication.
§ 164.308(a)(6)(i) Security Incident Procedures has (1) implementation standard, and this is “Required”. This means you MUST implement the standard as stated. You must have policies and procedures in place that identify security incidents, so employees understand what a security incident is, and how to respond.
§ 164.308(a)(6)(ii) Response and Reporting requires a covered entity to have policies and procedures in place to report and mitigate security incidents and determine if a data breach occurred. Then, if a data breach has occurred, the covered entity must determine how many patient records were affected. The time frame to report the breach to OCR and possibly state and local agencies differs on whether the breach is over 500 patient records or not. This should be clearly outlined in your Breach Notification Plan. During the breach notification process, state law will supersede the federal HIPAA law if the state law is more stringent. Keep in mind, all 50 states have their set of privacy laws.
We will be adding more information on other Security Standards, so watch for more posts!
If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.
It is hard to believe we are in 2021, but I am sure you are like the rest of us and glad to see 2020 in the rear-view mirror.
As we move into this new year, we need to look ahead and learn from what has happened in the past. Last month we informed you about many HIPAA violations that the Office for Civil Rights (OCR) had investigated. Most of these violations could have been prevented. In fact, I was talking with a colleague that owns an audit log monitoring system and he informed me that during the pandemic they saw a 90% increase in snooping into patient records of the same last name. Fortunately for his clients, this was immediately stopped, and the employee(s) were sanctioned. This made me want to remind you of a few requirements under HIPAA.
164.308(a)(1)(ii)(c) Sanction Policy – is a “required” standard under the HIPAA Security Rule. Employers are required by law to apply sanctions against employees who violate HIPAA, otherwise the employer could be fined.
164.308(a)(1)(ii)(d) Information System Activity Review – is another required standard. Which requires procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. A security incident can be best described as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
164.312(b) Audit Controls – is yet another required standard that states you must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). This standard goes hand in hand with Information System Activity Review.
What does this mean to you?
First, you must understand what is considered “normal” usage within your software/hardware that contains ePHI. Then you must monitor your systems for abnormal behavior. This is a HUGE time-consuming task and unless you are monitoring every employee, 24/7 you may miss something. We highly recommend utilizing a third party to do this for you. The company we work with has interfaces with over 60 EHRs and is fully automated. If they do not have an interface, they will create one, or show you how to upload the logs in a matter of minutes instead of hours. No more looking over lengthy audit log reports. You simply receive an alert when there is abnormal activity. Best of all, this protects your patient data and your practice from fines and penalties. If you would like to learn more about this service, use the contact us page.
If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.
Yesterday, the Office for Civil Rights (OCR) at the Department of Health and Human Services (DHHS) released its 2016-2017 HIPAA Audits Report. Although this seems outdated, it typically takes this long to compile the data.They reviewed selected covered entities (CE) and business associates (BA) for HIPAA compliance of the HIPAA Privacy, Security, and Breach Notification Rules.
DHHS is required by law under the HITECH Act to conduct periodic audits. The chances of a random audit are slim, but they do happen, and you must be prepared. Don’t be fooled by a slim chance of a random audit, you can be audited for many other reasons! This audit comprised of 166 covered entities and 41 business associates. The OCR publishes this report to share the overall findings.
A summary of the audit findings includes:
Most CEs met the timeliness requirements for providing breach notification to individuals.
Most CEs that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
Most CEs failed to provide all of the required content for a Notice of Privacy Practices.
Most CEs failed to provide all of the required content for breach notification to individuals.
Most CEs failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee.
Most CEs and BAs failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”
During this pandemic, the Office for Civil Rights (OCR) relaxed some of the requirements for Telehealth. This has since been retracted. Make sure the service you are using is in fact HIPAA compliant and you have a business associate agreement (BAA) in place. We also encourage you and all your business associates (BA) to carry cyber liability insurance. Data breaches and mishaps are part of our everyday life it seems. Although your medical malpractice insurance may offer a token amount of coverage, it is probably not enough. Keep in mind, if you cannot determine WHICH patient’s data has been breached, you must notify all your patients. This is where is can be very costly. When selecting an agent, make sure they are well versed in this type of insurance, as we have seen some policies are not worth the paper they are written on. Read the exclusions!
Below are some HIPAA violation highlights from 2020. This is not meant to scare you, but to remind you of how important adhering to HIPAA really is. The Office for Civil Rights (OCR) enforcement actions are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA Rules.
The OCR investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino.
The OCR investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.
The OCR investigation revealed that a former employee returned eight days after being terminated, logged into her old computer with her still-active user name and password. Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI after the employee was terminated. The investigation determined that the entity failed to conduct an enterprise-wide risk analysis, and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.
The OCR investigation revealed that in addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.
The OCR has settled twelve investigations for HIPAA Right of Access denials. This is not to be confused with a medical summary at the end of a patient encounter. A patient’s request for a copy of their medical record (their designated record set) either by them or from a third party must be handled in a timely manner.
“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.
“No one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.
“The OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director.
“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said Roger Severino, OCR Director.
The OCR investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so. OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.
“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.
A breach report regarding the impermissible disclosure of protected health information to an unknown email account. The breach affected 1,263 patients. OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule. Specifically, they failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.
“Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the risks to the ePHI it maintains. Identifying, assessing, and managing risk can be difficult, especially in organizations that have a large, complex technology footprint. Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization. As technology changes, risk assessments must be updated and reflected in a risk management plan. Reviewing policies and procedures may also need to be updated depending on the type of changes in technology. As we get ready to close out 2020, set your schedule to review your updates and planned upgrades for 2021.
To read about enforcement and the resolution agreements, click on the link below:
When an employee is terminated, it is necessary to remove access to protected health information (PHI) immediately. It is just as important for employees not to share their log-in credentials with anyone. The City of New Haven, Connecticut found out the hard way. In January 2017 the New Haven Health Department filed a breach report stating that a terminated employee may have accessed a file on a New Haven computer that contained PHI (protected health information) of 498 individuals. During the OCR’s investigation they discovered the former employee had returned to the health department eight days after being terminated and logged into her old computer and downloaded patient information to a USB drive. They also uncovered that the former employee had shared her user credentials with an intern, who continued to use these credentials to access PHI.
As we have mentioned before, when you are under investigation, they review all of your compliance efforts and not just the incident that provoked the investigation. During this investigation, the OCR determined they failed to conduct a system wide risk analysis and failed to implement access controls and termination procedures.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.
This mistake cost the City of New Haven $202, 400 and they must implement a robust corrective action plan that includes two years of monitoring.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.
In addition to these materials regarding the most recent ransomware threat to the Healthcare and Public Health Sector, the HHS Office for Civil Rights’ Fact Sheet: Ransomware and HIPAA provides further information for entities regulated by the HIPAA Rules.
CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.