HIPAA Compliance News Archives

Telemedicine on the other side of the Pandemic

Suze Shaffer July 15, 2020February 1, 2024

By Suze Shaffer

July 15, 2020

The Office for Civil Rights (OCR) back in March relaxed it’s enforcement for non-compliance with regards to telemedicine. They permitted the use of audio/video communication applications such as Facetime, Google hangouts, Zoom, and Skype without risk that a provider could be issued a penalty for non-compliance. Providers were encouraged to inform their patients of potential privacy risks and do their best to engage encryption and whatever means they had available to secure the data.

Even though some states are experiencing a surge in more COVID cases, medical providers are expected to seek HIPAA qualified products and obtain a business associate agreement. Telehealth providers should now have an agreement ready that will include state law provisions and data security information. Medical providers should read this agreement carefully to ensure the data security is outlined and meets their state law breach notification guidelines. Ideally, it would be best for the vendor to sign YOUR business associate agreement if you have one that has outlined security requirements.

If a medical provider does not obtain a signed business associate from a vendor, the medical provider should terminate using the vendor. Just because a vendor doesn’t sign a BAA it does NOT release them from liability. It just means the liability falls on the medical provider for not obtaining the signed document. Furthermore, the medical provider may receive fines for non-compliance should the business associate suffer a data breach or security incident. These documents are extremely important!

Many thanks to all our healthcare workers for staying strong throughout these trying times.

If you would like more information or need a business associate agreement, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cell phone use in the workplace causing distrust

Suze Shaffer March 15, 2020June 1, 2020

By Suze Shaffer

March 15, 2020

We all have been annoyed at one time or another when we arrive at a counter or a place of business and the person is on their cell phone and we are ignored. Of course, that is not very good customer service. When you work in healthcare, it goes to an all new level. HIPAA doesn’t restrict the use of cell phones, except how they are secured and protected. However, this is not what we are discussing here today.

We are hearing about complaints from patients accusing employees of taking pictures of their information. This particular situation the employee was accused of taking pictures of the computer screen and the patient told the doctor. This afforded the doctor the opportunity to address the situation and avoid a formal complaint to the Office for Civil Rights (OCR). We recommend employees leaving their cell phones out of sight of patients unless the phone is used for business purposes within the practice. Some organizations are even adding cell phone lockers. I can remember before we had cell phones, we actually gave out our work number to anyone who needed to get in contact with us! Now you know how old I really am! Joking aside, this is a very serious matter that could cause the OCR to open an investigation. Keep in mind, when you are being investigated by the OCR, they do not “just” investigate “that” situation. They look at your overall compliance plan. Where are your policies? What were your procedures before, during, and after the occurrence. What have you done to prevent the same situation from happening again? Plus, many more items they take into consideration when conducting an investigation.

The next area of concern with cell phones are with patients. We have long been a proponent of using privacy screens on computers. Now, even if the screen is across the room, we are pushing our clients to add the screens. Patients now have their phones out while making new appointments, they could potentially take pictures of computer screens across the room and enlarge them. Some of you may be thinking that we worry too much and all this security is driving you crazy. It only takes ONE mistake or ONE complaint to turn your life into a rollercoaster. Prevention is the best medicine!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

A Patient’s Right of Access is still an issue for many Covered Entities

Suze Shaffer February 15, 2020June 1, 2020

By Suze Shaffer

February 15, 2020

Many covered entities struggle to understand what is “right of access” for individuals. Under HIPAA and the Omnibus Rule, a patient has the “right” to request a copy of their medical record in the format of their choice (if available). What this means is, a medical provider is not required to purchase special equipment or software to meet these requests. With that said, if a patient requests a CD or DVD of their medical records and you do not have a DVD drive, you would not necessarily be required to purchase one. Keep in mind, DVD drives are only about $25 and it would not be unreasonable for a practice to purchase one. Of course, the ideal situation would be to direct the patient to your EHR portal and download it themselves. However, you can’t require them to do so.

When a patient requests the right to access their PHI (protected health information), be sure to have the patient sign a written request and make note of the date. A provider has 30 days to supply the patient with this information. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Keep in mind, only one extension is permitted per access request.

The next area of confusion is the fee limitation. Copying fees for medical records are set by individual states and typically refer to the cost of labor, printing, and delivery of paper or electronic data. The labor fee does not permit the provider to charge for the preparation of the data but labor costs could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media.

The Flat Fee rate option is not cap, merely an option rather than calculating the actual cost of labor and printing. Many providers are utilizing this method since it is easier than calculating the actual costs.

On January 23, 2020, a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to PHI (protected health information) in an electronic format.” Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to a patient’s request for access to their own records, and does not apply to a patient’s request to transmit records to a third party.

https://www.hhs.gov/hipaa/court-order-right-of-access/index.html

If you would like to read the Memorandum Opinion from the United States District Court in the case Ciox Health LLC vs Alex Azar:

https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51

We hope this will help clear up any misconceptions when it comes to a patient’s right to access their medical information.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

HIPAA in 2020 – How the protection of our privacy maybe changing

Suze Shaffer January 15, 2020March 6, 2020

By Suze Shaffer

January 15, 2020

Hindsight is always 2020, as we begin this new year, let’s try to make that a current sight!

By now, those of you who have been using Windows 7 computers and 2008 Servers have been getting notifications that the end of life was coming. Time is here. January 14, 2020, Microsoft no longer will be supporting these operating systems. What this means is they will no longer send out security updates. Each time a security update is issued, it is because someone has found a vulnerability that could be exploited. This is why hackers lay in wait for unsuspecting people to ignore this. Of course, it is doubtful that you will get hit on January 15, but the chance is there and will increase with each passing day. If you are hacked and this causes a data breach, you WILL be fined for using outdated software. At the conference in October, the OCR specifically discussed this.

All 50 states have their own set of privacy laws to protect their residents. In Healthcare we have to adhere to HIPAA, the Federal law, but also must follow state law when it is more stringent. Sometimes, this means flipping back and forth and it becomes very confusing. The good news is that lawmakers are trying to come up with a Federal privacy law to help stop the confusion. Although they haven’t come up with a firm plan yet, they are working on it. This is partly due to the GDPR (General Data Protection Regulation) being enforceable in the United States. Some people view this a cost guzzling law, but we are all consumers and we should have the right to know who is collecting our data, how they are storing our information, and if they are selling our information. Hopefully, our Federal lawmakers will come up with a law that will allow consumers to opt out if we don’t want our information sold. In healthcare, our information may be sold by EHRs and other healthcare companies, when it is de-identified. Medical practitioners are required to obtain a patient’s authorization before they share patient information. Other businesses should be required to do the same and be fined for selling our personal information if we do not permit the disclosure.

To learn more on what is being discussed in legislation , click here:

https://cdt.org/collections/federal-privacy-legislation/

If you would like to learn more about the legislative proposal, click here:

https://cdt.org/insights/statement-of-michelle-richardson-examining-legislative-proposals-to-protect-consumer-data-privacy/

In June 2018 California passed a consumer privacy law, AB 375, that may be more stringent than the GDPR. The California Consumer Privacy Act (CCPA) went into law January 1, 2020. Although the law isn’t as stringent as the GDPR on timeline notifications, it does have some very tight restrictions that go even further. Any company that have at least $25 million in annual revenue and serves California residents must comply with the law. Also, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data fall under this law. Companies don’t have to be based in California to fall under the law. They don’t even have to be based in the United States.

We believe more states will follow California unless we can agree on a Federal law to help all consumers. Most of us are patients at a medical facility somewhere, and we are ALL consumers everywhere! By enacting a Federal privacy law, this is a good thing, not a bad!

Happy New Year and praying for good things to come!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

RIPlace technique allows malware to bypass anti-malware programs

Suze Shaffer December 23, 2019February 1, 2024

By Suze Shaffer

Like we don’t have enough to worry about, now this!

Security researchers are saying this new technique is effective even against systems that are patched and run anti-virus scans. This process allows ransomware to encrypt files on Windows based systems. The way most ransomware gets into our systems is by unsuspecting users or hi-jacked user credentials. Of course it can happen from a disgruntled employee as well. Once this happens, the ransomware opens and reads an original file, then deletes or destroys the original by encrypting it. Within a short amount of time the hacker can invade your systems and crawl through your entire network. Taking everything down and literally destroying your livelihood.. Of course, there is more to this and if you want, you can research this. The main reason why I wanted to share this with you is because… as I have said many times, employees are your first line of defense! Well educated employees can prevent this from happening in your organization. Here is what you need to do TODAY to prevent a data breach:

Remind every user of your system that the computers are for business purposes ONLY. Clicking on infected websites can infect your network.
Remind users do not click on any links or attachments that are not expected even if it comes from someone they know.
Do not permit anyone access to your systems without confirming their identity. This includes service providers. If you do not have an appointment, call and verify the person is still employed there.
Remove user access for terminated employees IMMEDIATELY. Before terminating a person, have this process set and ready.
Conduct a criminal background check on ALL new hires. This needs to be included in your employee manual, and state that a background check can be performed at anytime during their employment.
Contact a network security professional and have them run an audit on your system. This will ensure you do not have any open ports or vulnerabilities.
Be sure to have a backup of your system that is NOT connected to your network.

I know I have said this in the past, but I have to say it again… The World Wide Web (WWW) is the new Wild Wild West, the difference is, danger is invisible until it is too late. Be careful out there.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Are you sharing TMI – Too Much Information?

Suze Shaffer November 20, 2019February 1, 2024

By Suze Shaffer

When designing your website we all think it’s a great idea to “share” who are team is. Although, it is necessary in healthcare because patients want to see who your staff is and get to know them, be careful not to give out TMI – too much information. Hacker and spammers troll websites looking for information they can use. Think about this… when you post on your website your favorite flower, favorite food, or where you were born, these can be used as security questions or used to figure out other details of your life.

Another area of concern is when a business associate calls your office and asks for information and you didn’t request them to call or contact you. Make sure that person is still employed there and verify the call before giving out any information, sending any information, or permitting access to your systems. Recently, a friend of mine told me about an IT company who had one of their employees impersonated on the phone. Luckily the hacker wasn’t able to get anything since the computer wasn’t connected to the network. Just think what could have happened if it were!

Best practices in protecting your information.

Although you want to be “real” and connect with your patients online, give out information sparingly. What you post online is read by ANYONE!
When creating your security questions, don’t answer the questions truthfully. When asked what is your favorite flower, make something up! You just have to remember what you made up! For example: Favorite flower, Mexican – name a food instead. Favorite food, Pink Roses – name a flower instead. Mix it up a bit!
When anyone calls and asks for any confidential or patient information. Verify before giving out any information. Make sure that employee still works there and they have been requested to perform whatever they are requesting.
Never let anyone that calls on the phone have access to your computer, server, or any electronic device until they have been verified.
Do not permit any transactions to be processed until what is requested has been verified.

I know this sounds like a lot of extra work, but think about the consequences and the time that will be spent correcting a mistake. Not to mention the cost if you have a data breach!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Ransomware is a REAL threat…

Suze Shaffer October 20, 2019February 1, 2024

By: Aris Medical Solutions

We all hope that we do not fall victim to ransomware, but we need to do more than just hope. All businesses, especially healthcare must have a contingency plan that includes data recovery in the event their systems are encrypted. If you have a backup that is NOT connected to your network, your downtime will be minimal. Keep in mind, you may need to go through the breach notification process based on your state and federal HIPAA law.

A Michigan ENT and Hearing practice refused to pay $6,500 in ransom and the hackers wiped their systems. With no chance of recovering this data, they chose to close the practice.
Most recently, a California Medical Practice was unable to recover their data after ransomware encrypted their systems including their backups. As a result, they will close their practice December 17, 2019.
I could keep adding to the list, but I would rather educate you on how to avoid this!

Best practice is of course to PREVENT ransomware in the first place. This starts with a solid network security program and education for your workforce. Most malware is introduced by an unsuspecting employee. Truly, one click of a mouse can cause a tumbling effect leading to the loss of your business. I know that sounds a bit dramatic, but most small to medium sized organizations that suffer a data breach do not survive.

Healthcare is a major target, in fact, 71% of ransomware attacks are towards small to medium sized practices since they do not have adequate network security in place.

Your first line of defense is an enterprise version firewall device. This means, do not purchase one that has parental controls!
Second, have a network security specialist set up your firewall and set custom security controls. It is fairly simple to set up a “network”, but it takes someone who truly understands network security to secure your network. This includes computers, servers, access points, etc.
Depending on the size of your organization, you may need to set up an onsite server as a domain controller. Once this is in place, all users are authenticated through the domain. Security permissions can be set all at once and can’t be changed by the users.
Phishing education for all employees including providers, and management. Business email addresses are targeted typically between Tuesday and Thursday according to the analysis from Barracuda. Phishing emails impersonate a trusted entity, they try to get the recipients to click on the links or attachments, share account credentials, and typically have some sort of urgency associated with the email. These emails often bypass traditional email security since they originate from reputable senders.
Ensuring you have business associate agreements in place before releasing any PHI. This will protect you from fines and penalties in the event they have a data breach. It is advisable to carry cyber-liability insurance. If your business associate causes a data breach, it will still be your responsibility to go through the breach notification process. Best practice is to require your business associate to carry cyber liability as well.
Physical security is often overlooked when we talk about data security. Portable devices need to be secured when left unattended. Printers and fax machines should not be located where they can be accessed by an unauthorized person. Servers should be in a locked room or cabinet. Computers should not be located near exits. Keeping an up to date inventory list and reviewing it regularly is critical in knowing if anything is missing. Lastly, a security system that has cameras and access logs is recommended.
Organizations that have well defined policies and procedures are less likely to have a data breach. Employees are educated on what they can and cannot do with business equipment. Knowing what to do in the event of a security incident can actually STOP a data breach from becoming a major breach. Plus, most large fines are because the organization did NOT have a policy or plan in place. Just make sure you have read and dated them!

Remember HIPAA is not a once and done process, as technology changes and employees come and go, you need to keep track and update accordingly. Use your Risk Management Plan to track your progress! Let us know if you need any help with implementation.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

How much does a data breach really cost?

Suze Shaffer August 15, 2019February 1, 2024

We really don’t want to scare organizations, but this is a real problem and we feel this must be disclosed. A data breach costs an organization on many different levels. The cost of notification, credit monitoring, remediation, then comes fines and penalties if you do not have reasonable and appropriate safeguards in place based on the size of your organization.

Earlier this year we had estimated the cost per patient record to be $380, according to the Ponemon Institute, they are estimating this cost has risen to $429 per patient record. If you can’t determine which records were breached, then you must notify all of your patients. This is where the massive costs are generated. Of course, the sooner you discover the breach the less it will cost you. This is why audit log monitoring is so important. If you are monitoring who and what is going on in your network, you can prevent a breach or at least stop a breach before it becomes a major breach (over 500 records).

Audit log monitoring is very time consuming and nearly impossible to do on your own. We recommend monitoring your logs from different sources, starting with your EHR. This is where most of your patient data resides and this needs to be protected. Aris works with a company in California that offers EHR audit log monitoring. They have developed a system that will send out email alerts when suspicious activity occurs.

We also recommend monitoring your logs from your firewall or domain controller. This is even more complex and again we recommend utilizing a third party. Aris has partnered with a nationally recognized network security company that can assist in this area as well. We understand that cost is very important to our clients and that is why we have selected these particular companies. They are reasonably priced and offer outstanding service. Let us know if you would like more information from either of these companies.

Keep safe out there on the World Wide Web aka the Wild Wild West!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

What does being HIPAA Compliant actually mean anyway?

Suze Shaffer July 15, 2019February 2, 2024

We are always talking about HIPAA compliance because that is what we do! Sadly many practices think just having a patient sign they received your Notice of Privacy Practices is all that is needed. There is so much more to HIPAA than that! After we go over a client’s risk analysis they realize this and are anxious to get their compliance in place. Then you get busy and it is pushed off to the next week, then the next, and then you realize it never was implemented!

Being HIPAA compliant means MANY things, and I could write about this for hours, but here are some basic reminders:

Work on your Risk Management plan, implement your policies and procedures and mitigate risks. Policies and procedures are necessary so employees understand what is and is not permitted. The enforcement of your sanction policy and being consistent for those employees who violate HIPAA can help you avoid fines and penalties.
Monitor your audit logs. Know who is doing what within your systems. Whether it is an employee or a business associate, you must know who and how users access ePHI. This is critical in preventing or stopping a data breach.
Make sure your HIPAA compliance officer is informed and educated on any security incidents that may occur. This can help them to determine if and when a data breach occurred when they are reviewing the audit logs. The HIPAA compliance officer is required under federal law to report data breaches, large and small. The only difference is timing. Large data breaches must be reported within 60 days (state law could be more stringent) and smaller breaches within 60 days after the end of the year in which the breach occurred.
Check the OIG exclusions list before you hire a new employee which can save you from being required to return payments you received from CMS in the event you hired someone on this list. Also, conducting a thorough criminal background check can prevent you from being stolen from! Conducting and documenting annual HIPAA training as well as when new employees are hired will educate them on patient privacy and data security. Make sure the method of training you choose covers both areas.
Make sure everyone uses their own login credentials and never share their passwords. If someone signs in under another person, then that person that is logged in could be held liability for anything that is done under their credentials! Remember to use strong passwords and change them often. If possible, implement a secondary authentication in addition to using just a username and password. This is extremely helpful in protecting information for business and personal. All online accounts, even email should use a two-step of some type.
Since we work in healthcare we have the ability to look at anyone’s medical record in our system. Keep in mind, you should only look at records that you have a need to do so. This means that if a patient is being seen by another provider or medical staff member and you do not have the need to view the record, you are NOT permitted to do so.
When it comes to technology, many people think if it’s not broke, don’t fix it. This is NOT true! As our systems age, unless they are updated and upgraded, your information may be at risk of a data breach. Firewalls, computers, servers, and software all must be maintained. Firewalls are your first line of defense. Would you put up a fence and never bother to lock it? I have said this many times in the past, in the old wild wild west you could see danger coming towards your town and prepare. The world wide web is the new wild wild west, but the intruders are invisible. You must have several layers of security to secure your data. NOTE: Microsoft Windows 7 will no longer be supported after January 14, 2020. I have always liked this operating system, but now we must prepare for those computers to be updated or replaced.

HIPAA is much more than just these items, but this should help you to remember some important steps!

If you haven’t implemented HIPAA privacy and security policies and procedures, now is a good time to start to ensure your employees understand how to protect your data. If you would like more information, contact us at 877.659.2467 or complete the contact us form.

Heavy fines demonstrate the importance of a network security audit…

Suze Shaffer July 1, 2019February 2, 2024

When we discuss IT security, we generally think of a company that maintains our computer network. That is partially true, but that is just the beginning. There is a difference between maintaining your network and securing it. There are a lot of companies that are eager to maintain your network because you pay them a monthly fee to do so. Maintaining a network is making sure updates are done, anti-virus / anti-malware are current, upgrading any technology that is outdated or about to be unsupported. A network security company tests to see if there are any open vulnerabilities that could affect or infect your network. There is a huge difference between the two.
For example, a misconfigured settings of a Windows operating system permitted access to files containing PHI without requiring a username or password. Then two years later a second breach occurred when a server was misconfigured following an IT’s response to troubleshooting an issue, this time it exposed patient information over the internet. These two breaches cost Cottage Health a $3M fine. The Office for Civil Rights (OCR) investigation found that they had not conducted an accurate and thorough assessment and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level based on the size of their organization. Even though they had an IT company maintaining their ePHI system, they failed to obtain a signed business associate agreement.

Cottage Health fined $3M

Another breach that happened in 2014 has just been settled by the OCR. Touchstone Medical Imaging has been ordered to also pay $3M. The OCR and the FBI informed Touchstone in 2014 that one it’s FTP servers allowed uncontrolled access to ePHI. The uncontrolled access permitted search engines to index the patients personal information, which remained visible after the server was taken offline.

Touchtone Medical Imaging fined $3M

The lesson here is, what you do today can affect your business in the years to come. Make sure you are doing what is reasonable and appropriate to safeguard your patient information. One more keep point, these are just the federal fines. All 50 states now have their own set of privacy laws to protect personal identifiable information that doesn’t have anything to do with health information. Since we work in healthcare, we must adhere to state and federal privacy laws. No longer can you ignore the elephant (HIPAA) in the room, HIPAA is here to stay and you need to choose wisely who you work with to secure your data.

If you haven’t conducted an audit this year, now is a good time to schedule one to ensure your data is secure. If you would like more information on network security audits, contact us at 877.659.2467 or complete the contact us form.