Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com

Category: HIPAA Compliance News

Workstation Security

Posted bySuze Shaffer

HIPAA Compliance is more than just about a patient’s right to access their information. Although the HIPAA Privacy Rule is how most of this began, it is so much more now! The HIPAA Security Rule outlines administrative safeguards, physical, and technical security. Most organizations are so busy trying to figure out how to protect themselves from the unknown (technical concerns) that they forget about the actual physical security. We are not just talking about building security systems, but how you secure the individual devices that are utilized within your facility and those who travel with portable devices.

Here are some helpful ideas to review with your particular situation:

  1. Although utilizing a security system that has motion sensors is better than nothing, using security cameras usually discourages theft.
  2. Conduct a walk through of your facility and create an inventory list of all devices that access or store ePHI. Knowing what you have, where it is located, and if it contains ePHI is essential in securing your data. This includes portable devices and small electronic media. Remember, printers, copiers, and scanners can store data as well.
  3. Review the location of all devices that access or store ePHI. Ensure they are not located in an area that could be easily accessed by an unauthorized person or utilize cable locks. If screens are viewable and cannot be relocated, the use of privacy screens are highly recommended. Encryption is recommended on any device that contains ePHI. If the devices are transported they should be encrypted even if they do not contain ePHI. If they are ever lost or stolen and the encryption is engaged, it would not be a reportable breach.
  4. If your USB drives are not used, locks should be installed. This is an inexpensive method to protect the network. If your workstations utilize CD/DVD drives, these should be disabled as well. Another option would be to configure this through a Microsoft Group Policy.
  5. Make sure paper PHI is not left in areas that could be accessed by another as well. This includes where you store your excess paper charts. These areas should be locked when not in use. It is also recommended to utilize signage instructing “Employees Only”.
  6. Employees can be your biggest asset or your largest liability. Training your employees on computer security is an ongoing process. Annual HIPAA training should include the HIPAA privacy rule and HIPAA security rule. Also, add monthly security reminders to keep HIPAA fresh in their minds. Continuing education is the key to safety.
  7. HIPAA Policies and procedures are the backbone of an organization. Properly trained employees know and understand what is required and needed. The data that a health care provider has in its possession is priceless. This data must be secure physically and technically. All of this is necessary to avoid a data breach.

If an organization fails to secure patient information the Office for Civil Rights (OCR) will open an investigation and the organization can end up with massive fines. These fines have ranged from $250K to $3.5M. Although the fines are based on the organization’s ability to pay, the days of receiving just a $50K fine seems to be over. Best practices would be to review your HIPAA risk analysis and make sure it is thorough. Some online risk assessments unfortunately do not uncover all of your vulnerabilities. The OCR could consider this as willful neglect even though you didn’t know. Make sure you update your risk management plan and mitigate those vulnerabilities. Small oversights could cost you a fortune.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Simplifying HIPAA through Partnership, Education, and Support”

State law data breach notification updates

Posted bySuze Shaffer

All 50 states now have a separate privacy law. South Dakota and Alabama are the final two states to enact data breach notification laws. Other states like North Carolina are proposing to update their requirements that only allow 15 days to notify in the event of a data breach.

Although medical practices must adhere to the Federal HIPAA law guidelines, if your state law is more stringent state law will supersede federal notification requirements. You may also be required to notify your state officials or the credit reporting agencies. Know your state law!

Lastly, know where your patients or customers are located. Even if you are in a different state but you have their data, you must follow THEIR state privacy law. If you have any international patients or customers, be sure to understand how the GDPR will affect your organization. Then you must update your privacy policy within your office.

The link below lists the state and the statutes. Only a couple of the states have live links. If you want more information you will need to copy and paste in to Google.
http://www.ncsl.org/research/telecommunications-and-information-technology/2018-security-breach-legislation.aspx

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support

General Data Protection Regulation: What does this mean to the US

Posted bySuze Shaffer

By Aris Medical Solutions

You may have already heard about the GDPR (General Data Protection Regulation) from the EU (European Union) that will affect many organizations here in the United States.

Our personal information has been being sold for years. Some with and some without our knowledge. Many organizations require a person to “accept” their terms and conditions with long legal agreements that we must agree to before using their software, joining their network, or downloading an app to name a few. Most people do not read this very important disclosure because it is simply too long and too legal. They collect data from us in order to enter a sweepstakes, win a prize, or simply to gain access to a forum. This information can be sold to other organizations so they can market their good and services to us. I will be explaining in my next notification how to poison this information and make it useless. For now we need to concentrate on how to understand this new regulation.

With the GDPR from the EU becoming effect May 25, 2018, organizations must become compliant by May 25, 2018.

Here is a basic summary of what you need to know:

  1. Organizations that provide goods or services to anyone located within the European Union regardless of where the company is located must adhere to this new regulation. This also includes companies that process and store personal data of an EU citizen. This is similar to our individual state laws we currently have in the United States.
  2. Personal data is anything that can be used to identify a person, directly or indirectly. This includes name, photo, email address, bank details, medical information, computer IP address, and even posts on social media.
  3. You must have clear full consent to use a person’s information. No lengthy vague legal forms; just clear plain language. Nothing short of an opt-in will be acceptable.
  4. Just like HIPAA, there is a tiered sanction policy. Organizations can be fined up to 4% of annual global income for breaching the GDPR. This is for severe violators. Organizations can be fined up to 2% for not having their records in order, not notifying a supervising authority, not notifying the person that is affected by a data breach, or not conducting an impact assessment.
  5. These rules will apply to both cloud data controllers and processors and will not be exempt from GDPR enforcement.
  6. Data breaches must be reported within 72 hours.

What do you need to do to prepare:

  1. Review your client/patient database.
  2. Do you have any European clients/patients?
  3. Review where all of your data is stored.
  4. Do you use a cloud system?
  5. Do you have a BA agreement in place with the data processor/center?
  6. Update your breach notification plan.

For more information on the GDPR: https://www.eugdpr.org/

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”

How well do you trust your compliance efforts?

Posted bySuze Shaffer

 

By Aris Medical Solutions

compliance board game

HIPAA encompasses many aspects. Risk assessments, risk management, and your policies, procedures, documentation are the backbone of compliance.

Most medical providers don’t think about compliance until they are audited. By that time it is too late to mitigate any issues that you may have. The main misconception is that “it will never happen to me”.

A random audit is possible but relatively a low probability. A compliance audit is typically initiated by a disgruntled employee, a patient that feels their privacy has been violated, or a data breach. Once the HIPAA violation is reported then the Office for Civil Rights (OCR) will determine if the complaint will need to be investigated. If it does, depending on the documentation that you provide, will determine whether or not a desk audit will be issued. This is where your policies and procedures are critical. If your employees understand what they need to do, how to do, and what needs to be documented, your chances of a desk audit is greatly reduced. The OCR understands that people make mistakes, but if you don’t learn from them, they will fine you heavily!

Note to self… if you recognize a problem, address it, correct it, and learn from it.

You can survive a audit with proper documentation!

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data click here call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”

Do HIPAA Fines go away when a practice or business closes?

Posted bySuze Shaffer

By Aris Medical Solutions

Many medical practices and business associates have the misconception that if they are fined they can simply close their doors and not be obligated to pay the fines or penalties. We have been asked if this will work many times. The Office for Civil Rights (OCR) has answered this haunting question.

Three years ago the OCR received an anonymous complaint against Filefax, Inc. that transported 2,150 patient files to be shredded. These files were left in an unlocked truck in their parking lot, or by granting permission to an unauthorized person to remove the files from Filefax, and leaving the Protected Health Information (PHI) unsecured outside the Filefax facility.

Although Filefax shut their doors during the course of the OCR’s investigation they were still obligated under the law. In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets. In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.

The first step in protecting your practice or business is to conduct a thorough security risk assessment and identify vulnerabilities and workflow. From there you can develop a risk management plan to ensure you document your compliance efforts and mitigate risks.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

Updating your Contingency Plan

Posted bySuze Shaffer

 

By Aris Medical Solutions

HIPAA Disaster

Contingency Planning is more than just a power outage or how to backup and restore your data. A complete plan should include different types of scenarios that could happen in your area.

For those involved in Healthcare, creating a contingency plan is not optional.  Should you have a disaster and are not prepared you can be fined! The Office for Civil Rights (OCR) considers protecting personal information a civil right and they will enforce this if you have a data breach or a situation where your data is not recoverable.

Think about ransomware, have you included this in your contingency plan?

Depending where you are located, have you included how to respond to a hurricane, tornado, snowstorm, or fire?

Where is your data located and what would happen if you had a toilet overflow or a pipe burst?

In light of the recent tragedies have you included a section on workplace violence?

How to create a Contingency plan:

  1. Conduct a thorough HIPAA Risk Assessment. Understand and analyze what type of risks you are vulnerable to. This includes where you are located and what type of computer network that you utilize.
  2. Create a diagram of how your network is configured. This will help you to determine the best method to protect and restore your data from a backup.
  3. Implement a risk management plan that outlines what you have in place and what you will need in the future if it is not possible at the moment. Of course, you will need a timeline if you will be adding to your plan.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

Healthcare Cyber Attacks went up almost 90% in 2017

Posted bySuze Shaffer

By Aris Medical Solutions

There were 132 reported breaches under investigation from Health and Human Services’ (HHS) Office for Civil Rights (OCR) in 2017 related to Hacking/IT Incident. As you review the report you can see how many were related to email and desktop computers.

Click here to see a list of current data breaches: OCR breach portal

So how does this happen? More than likely it has been caused by an unsuspecting employee. Healthcare is typically targeted with ransomware through social engineering. Practices need to be vigilant in educating their staff to be extremely careful when it comes to clicking on emails or surfing the web with their work computers. That is why we always recommend work computers be used exclusively for work. Plus, personal email addresses should never be utilized to communicate with patients or vendors for a number of reasons, this being just one!

There were many server attacks as well. This can happen in the same manner, especially when someone is logged in with administrative rights when they should be logged in as a user instead.

When it comes to cloud storage or cloud based EHRs, these too can be hacked although it is not as common. Most of the time this is caused by a misconfiguration in the network.

What can you do to prevent this from happening to you?

First of all, conduct a full HIPAA Security Risk Analysis, you need to know where your data is in order to create a Risk Management Plan to protect your organization.
Secondly, continual education on new threats to inform your employees how to be diligent.
Most of all, make sure your IT professional is a network security specialist. Doing your own network security is not longer an option, you must utilize a professional to ensure your network is secure. This includes your websites and cloud services.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Automation, Education, and Support”

Two factor vs Two Step Authentications

Posted bySuze Shaffer

By Aris Medical Solutions

Sometimes these terms are interchanged which is is not exactly correct. Let us explain the difference!

Two factor authentication is typically a username AND a password. This can also be explained as who you are and something you know.

Two step is using two different types of authentication like a username and password PLUS a one time code that is text to your phone. Some providers permit the use of a fingerprint to authorize the second step.

The use of a security word is also used as a second step type of authentication so you need to be very careful about posting any type of personal information on social media. Aris suggests when the security question asks for your mother’s maiden name, make up a name! Just don’t forget what name you used!

No matter what type of the second step authentication that is offered, it is best to select whatever is offered because although a username and password is the most common type of authentication, it is also easily compromised.

People who work within the Health Care sector are heavily targeted since the type of data they access is very valuable on the dark web. Anyone who works with patient information or for a company that provides services to a medical facility can be targeted. Again, special care must be taken to ensure that patient information is not compromised.

First step in protecting patient data is conducting a HIPAA Security Risk Analysis. Know where your data is and understand how to protect it. Secondly, make sure you have a full set of Privacy and Security Policies and Procedures. Members of your staff need to know how important protecting patient data is and understand what they need to do to accomplish this.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

MIPS, MACRA, and Risk Assessments

Posted bySuze Shaffer

 

By Aris Medical Solutions

HIPAA Doctor EKG

MIPS (Merit-based Incentive Payment System) and MACRA (Medicare Access and CHIP Reauthorization Act) is designed to create better patient outcomes and reward those providers that accurately document the progress of their patients. This all sounds great but it takes additional time until this new workflow is established. This is very frustrating to providers who just want to take care of their patients. It is a “learned” function and can be dealt with accordingly if you keep your patience. I know what you are thinking…. and it is easier said than done.

So many practices think since “meaningful use” went away they no longer need to conduct a risk analysis. This is incorrect information. Part of the requirements are that you must still conduct a risk analysis or update the one you already have. When “updating” your risk analysis, be very careful. You are attesting that you have reviewed your vulnerabilities and mitigated those risks.

Conducting a thorough risk analysis is more than just checking a box. It is meant to assist the organization in identifying possible vulnerabilities so you have the opportunity to mitigate them to prevent data breaches. If you merely change the date on your risk analysis and later suffer a breach; that could come back to harm you. If you skip over this or do not take this seriously, you are literally putting your practice at risk.

The best way to tackle this elephant in the room is… one step at a time!

  1. Review your technology devices. Determine if anything has been or needs to be replaced and/or updated.
  2. Understand where and how data is created, accessed, and stored. This includes reviewing the workflow of everyone involved with PHI and ePHI.
  3. Conduct your risk analysis and update the risk management plan. If you choose to “update or review” your existing risk analysis, make sure you do not overlook anything.
  4. If you have not not done so already, create a Incident Response Team (IRT). Utilizing the Security Incident Report will help in determining whether the security incident should be treated as a data breach or not.
  5. When it comes to the actually MIPS documentation, there are organizations that will assist you at no cost to the practice. Don’t chance missing this opportunity to ensure your documentation is accurate.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

Why should I try to secure my data?

Posted bySuze Shaffer

 

By Aris Medical Solutions

HIPAA Data security

With all of the large data breaches making the news many smaller organizations think why bother. If the large companies can’t keep their data save, there is no way I can. Keep in mind, large organizations are a huge target and their data is sought after on a grander scale. Smaller companies are targets too, because their data is easier to capture. Smaller organizations typically do not have a qualified IT person or company that oversees their network. Unsuspecting employees are usually how the data is compromised because they have not been properly trained.

Here are some helpful hints how you can protect your data:

  1. Conduct a thorough risk analysis. Know where your data is and how it is accessed.
  2. Create a risk management plan to demonstrate your efforts in compliance.
  3. Conduct a network security audit to ensure your computers/network do not have any open vulnerabilities. This is more than just a scan of your network.
  4. Create a full set of privacy and security policies and procedures so employees understand patient’s rights and how to protect their data.
  5. Employee education. This is more than just once a year HIPAA training. This should be included in your monthly/quarterly meetings. Monthly emails can be sent to the staff as reminders of how important their vigilance is needed.

Patient data is valuable on the dark web and it is up to us to protect the data. One breach can destroy your organization unless you have a lot of money for reputation management. So when you are thinking about how much all of this “prevention” is going to cost, it will cost so much more if you ignore this need.

For the current breaches under investigation click below:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

You can also view archived investigations that have been resolved or that are older than 24 months on the same website.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC