How to protect your organization from phishing attacks

It is a known fact that hackers target the healthcare sector because the data is so valuable. The cost of healthcare data breaches increased from a total average of $7.13M in 2020 to $9.23M in 2021. The average breach cost rose $1.07M for those who had remote access. Organizations in the U.S. has lost $2.4B to business email scams. They have estimated that cybercrime topped $6T worldwide.

So, how do hackers get in and what can you do to protect yourself?

Remember, there isn’t ONE magic setting to protect you from all threats, it takes layers of security!

Organizations must have solid network security in place. Firewalls are a necessity in today’s world. You can set specific parameters to ensure employees can go where they need to, and block where they do not. You can also set security policies that block other countries.

Utilizing real-time anti-virus and anti-malware software also helps. This won’t help if an employee clicks on a link or picks up malware on the internet unless the system alerts the user BEFORE they click! For example, if an employee is surfing the web (and no they should not surf on a work computer), and they visit a website that has been infected, your anti-virus / anti-malware software should alert you with a warning.

Although there are brut attacks, but most hackers come in via through a phishing attempt. Often, an employee makes a simple mistake like clicking on a link or an attachment in an email. Even though I talk about this ALL the time and say NEVER do this…people still do.
Email scammers use several ways to trick employees to gain access to information. Including getting employees to send wire transfers, send a list of employee’s social security numbers, or to make purchases they are not aware of. Alan Suderman at Fortune cited a case where thieves hacked the email account of the organization’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000.
You think this can’t happen to you, but I know of a practice that someone hacked an email account and changed the bank information for payments from an insurance carrier, they lost about $100K.

I know of a company that the CEO email was hacked and being monitored, once the scammers knew who they talked to on the phone and who they did not, then the call came in to make a $65K wire transfer. POOF! Just like that $65K was gone.
YES, THIS HAPPENS! Keep in mind, if the caller or the email is asking for private information or money, verify BEFORE releasing it.

• Unless you are expecting an email from someone, DO NOT CLICK!
• If you get an email from someone you know and were not expecting it, pick up the phone and call them!
• If there is a link, open a web browser and open your account from there.
• If it is URGENT and requires you to act immediately, it is more than likely a hacker/spammer.
• If it says your credit card has been charged for something and you didn’t charge it, call your card company or your bank, do not call the number in the email or call the number in the voice mail.
• If they have all your information except the code on the back and ask you to verify the card by giving them the number, DO NOT.
• Government, state, and local authorities will not call you and demand payment immediately. Ignore these completely.
• Again, if money or personal information is involved, VERIFY!

Scammers share their success stories with other scammers, while ransomware hackers will hit you again if you pay. There is no honor among thieves.

All sizes of organizations need to be on high alert, from large hospitals to small single provider practices. I have used this analogy before, the World Wide Web it the modern version of the Wild Wild West. The biggest difference is you can’t see the bad guys coming into town to prepare. You must prepare for the unknown and the unseen.
There are companies that offer Phishing training. Then, they try to get your employees to take the bait. This has been a success at most companies. Educating your staff is JOB ONE! They can be your best ally, or your weakest link. You can build a fortress around your data, and one click can bring it down.

Continuous security awareness training is vital in your fight against these bad actors. Organizations must teach employees to be watchful for phishing attacks and stopping them by simply not engaging in emails and on the web.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

How to defend against common cyber-attacks

The Office for Civil Rights sent out a cyber newsletter stating that throughout 2020-2021 hackers have targeted the health care industry and the number of breaches increased 45% from 2019 to 2020. The number of breaches due to hacking or IT incidents account for 66% of all breaches affecting over 500 patients records in 2020. Cyber-attacks are critical in health care since it can disrupt services to patients and destroy patient data.

Most cyber-attacks could have been prevented if covered entities and business associates had implemented the HIPAA Security Rule requirements. Technical safeguards are based on the organizations size, type of environment, and how data flows in and out of their systems. Keep in mind, phishing attacks and weak authentication protocols are the most common exploitations.   

What can you do to prevent cyber-attacks?

While nothing is 100%, simple precautious can go a long way. Educating your staff should be a top priority. Tricking employees to click on links or to share vital information is the most common tactic. An unsuspecting employee is typically how an attack starts. There are more sophisticated methods that can exploit previously unknown vulnerabilities, but phishing is still the most common. Train your employees not to click on attachments unless they are expecting the communication and the sender has been verified. Also, do not click on links within emails. Best practices are to open your browser window and go to the website and log-in from there. If the employee suspects an email contains a virus or is suspicious, they should contact their IT department/vendor and verify. It is always better to be safe than sorry later!

Ongoing HIPAA training is essential to keep up with new threats. Annual training keeps HIPAA on the minds of your employees, but when you add monthly security reminders it helps so much more! The HIPAA security officer should share emails or website information from reliable sources to keep their employees informed. When you receive Aris’ monthly Security Newsletter, share this valuable information with the staff, including clinicians, and management since they are often a target from hackers. If possible, utilize a company that offers Phishing training and exercises. Contact us for some suggestions.

Unfortunately, security training cannot be effective if it is viewed by as a burdensome, and employees just want to “check-the-box”.  Keep staff members engaged by explaining cyber security is everyone’s job in protecting ePHI.

In addition to education, organizations can mitigate the risk of phishing attacks by implementing anti-phishing technologies. You should talk to your IT vendor about what type of services they have that can help you. For example, if an email is suspected of being a threat, it can be blocked, and appropriate personnel notified. Another approach can involve scanning web links or attachments included in emails for potential threats and removing them if a threat is detected. Newer techniques can leverage machine learning or behavioral analysis to detect potential threats and block them as appropriate. Many available technology solutions use a combination of these approaches. Implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule. Organizations may determine that because its privileged accounts (administrator) have access that supersedes other access controls (role or user-based access) and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts. If exploited through an administrative access point, not only could privileged accounts supersede access restrictions, but they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoperable. To reduce the risk of unauthorized access to privileged accounts, the organization could decide that a privileged access management (PAM) system is reasonable and appropriate to implement. 

Covered entities and business associates are required under HIPAA to ensure the integrity, confidentiality, and availability of ePHI. This means protecting patient data from improper alteration, destruction, and making sure it is available when needed. Hackers that penetrate an organization’s network can wreak havoc by encrypting patient data, modifying data, or stealing the data. Based on the type of network your organization utilizes, you may need domain controller and/or business grade firewall. Some firewalls that are designed for “small” businesses, are not robust enough for healthcare. As devices age, they must be replaced since technology is always changing, and vulnerabilities are exploited. Before purchasing new equipment, it is suggested to consult with an IT vendor that specializes in healthcare. It is important to ensure the device can be used in a healthcare setting, set up correctly, and custom security policies implemented.

As we just mentioned about devices being upgraded, so must software applications. Again, when an organization utilizes outdated software, these can be exploited as well. I have heard over the years many different reasons why “programs” cannot be upgraded, it won’t work with the new version of windows, they don’t offer upgrades, or simply they do not want to spend the money. None of these reasons are acceptable excuses from the Office for Civil Rights unless you have security measures in place to protect the legacy systems and they are safe from the “outside” world. If you utilize outdated equipment or software and you are hacked, you CAN and WILL be fined if you have not demonstrated best practices in protecting your data. You literally are running the risk of losing your business. The fines are THAT much!

We recommend yearly network security audits that are performed by a network security company. This is different that your regular IT company that maintains your systems unless they truly specialize in network security. This type of company should perform several types of vulnerability scans. Not all scans are created equal and different types may be necessary to uncover holes in your security. For example, scans that look for weak passwords, duplicate passwords, weak access controls, and vulnerable ports. 80% of the attacks can be linked to weak authentication credentials. By adding a second authentication process, a bio-scanner, or RFID card to access ePHI greatly enhances security. This is especially helpful for those using remote access. When it comes to your daily IT vendor, they must also under HIPAA and follow the security protocols set forth by NIST. Several medical practices have been breached due to incorrect settings within the network. Some of these breaches cost $3M in fines!

Summary:

Although malicious attacks targeting the health care sector continue to increase, many of these attacks can be prevented or mitigated by fully implementing the Security Rule’s requirements.  Many organizations continue to underappreciate the risks and vulnerabilities of their actions or inaction (increased risk of remote access, unpatched or unsupported systems, not fully engaging the workforce in cyber defense). 

Unfortunately, there isn’t a single magic action to ensure the safety of your data, it is a combination of the above and ongoing upgrades.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the Contact Us tab.

“Simplifying HIPAA through Automation, Education, and Support”

Dental practices can be fined under HIPAA rules

This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of four investigations related to the HIPAA privacy rule.

Two cases were part of the HIPAA Right of Access, bringing the total number of enforcement actions to twenty-seven since the initiative began. Another case included misuse of social media in response to a negative review.

  • A solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record.  After being issued a Notice of Proposed Determination, the doctor requested a hearing before an Administrative Law Judge. The litigation was resolved before the court made a determination by a settlement agreement in which the doctor agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
  • A dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review.  The practice did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination.  OCR imposed a $50,000 civil money penalty.
  • A dental practice in Fairhope, Alabama, who impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
  • A psychiatric medical services provider with two office locations in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.

If you would like to read about other fines, follow this link:

https://arismedicalsolutions.com/what-are-some-of-the-actual-hipaa-fines/

What are common HIPAA violations and how to avoid them?

When the providers and upper management understand the ramifications of violations, then the rest of the staff typically will follow the examples that are set in place. Because HIPAA Compliance starts at the top!

Violations happen when someone makes a mistake or is simply not thinking. HIPAA needs to be on the forefront of everyone who encounters patient information. Treat this information as if it were your own! HIPAA does not have to be difficult; it only takes a few precautionary measures to stay compliant.

Here are some helpful reminders:

  1. Always speak in hushed tones. The person you are talking to may not be the one that will complain. Others may think if they can hear what you are saying to another patient, someone else will hear what you are saying to them.
  2. When a patient makes a request, always ask this to be in writing. Remember there is a time limit on most requests, and you must answer within the time allotted. If a patient asks for a copy of their medical records, you have 30 days to answer the request, you may extend 30 days, but it must be explained to the patient why, and a date when they will be available must be determined.
  3. With the new information blocking rules, patients now have the right to ask for their information in the format of their choice. This means if they want to download to an app or share with a third party, you are required to do so. If you do not have the technology in place to honor their request, advise the patient you are checking into this, and never tell them “no” you can’t honor their request. That may be considered information blocking.
  4. Before emailing or faxing patient information, verify the number/address, and before you click send, verify AGAIN! If you are attaching documents, be sure the document you are sending is the correct information for that patient. If you are emailing protected health information (PHI), encryption should be utilized. The only time this is not required is if the patient has been informed that this is not a secure method of transmission, and they authorize you to send it anyway. Be sure to keep that email as your authorization.
  5. Train your staff to verify that business associate agreements are in place before releasing any paper, digital, or electronic PHI. This can save you hundreds of thousands of dollars in fines should they mishandle PHI.
  6. Educate your staff that looking into medical records that they do not have a need to do so, is grounds for termination. This includes family members, friends, neighbors, and celebrities. The monitoring of audit logs is a required standard under the security rule. If you are not reviewing your logs, then it is highly recommended to utilize an audit log monitoring company.
  7. Remind staff that work computers are for business purposes only. It is so easy to introduce malware and viruses from the internet. Also, remind them NEVER click on links in emails unless you are expecting the email.

These are just a few items to keep in mind. Be sure to train your staff on privacy and security annually and send out reminders. HIPAA is not just a once-a-year commitment, it is every day! Stay safe out there!

To find out more about our automated HIPAA compliance platform, click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Information Blocking Rule – Best practices to prepare now

It is the start of a new year and one thing we know for sure; nothing stays the same. Rules change, technology changes, and we must keep up. We wrote about the new Information Blocking Rule last July, but we have found many practices still do not understand what this means to them.

When the EHR Meaningful Use criteria was introduced in 2013, CMS stated that practices did not have to implement specific technology if a patient requested their information in a format that they did not have in place. This has all changed with the Information Blocking Rule that was passed in 2021. Part of the Interoperability Standard requires medical providers and health information companies to share patient data upon patient request. This Rule makes it very clear when it comes to patients and the control they have over their information. This is also known as “right of access”.

In the past EHRs was hesitant to open their portals due to security issues. Now, it is required to have security measures in place and share the data. There are some exceptions, but be forewarned, they are vague, and could be misinterpreted.

Penalty guidelines are in place for IT operators and health information companies, they are still working on the guidelines for medical providers. This gives you a limited amount of time to get ready for heavy enforcement.

Patients are now permitted to request their information be made available in the format of their choice. This includes to a third-party app installed on their mobile devices. These apps should protect patient data by supporting secure access through authentication processes similar to what the financial industries use.

When a patient makes a request and you do not have the technology in place to grant their request, you are obligated to comply with their request if possible or contact your technology vendors to see if this can be accomplished. If you do not, this could be considered Information Blocking. We recommend contacting your EHR and starting a conversation with them to ensure they are working on interfaces with other EHRs and some of the most common mobile apps.

There are some companies working on this technology, from what I have heard, they are limited. I am sure more will be adding this service as we progress. Before you hire a company to “develop” an interface for you, read below.

NOTE: If a patient requests their medical provider to share their information with another entity that is not a covered entity or a business associate, the information is not subject to the HIPAA rules. For example, the covered entity would not have HIPAA responsibilities or liability if such an app that the patient designated to receive their ePHI later experiences a breach. If a patient requests a covered entity to send their ePHI using an unsecure method the covered entity must grant the disclosure if it is readily available in the form and format used by the app. However, it is highly recommended to advise the patient of the lack of security so they can make an informed decision.

On the other hand, if the app was developed for, or provided by or on behalf of the covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the patient selects an app that the medical provider uses to provide services to their patients involving ePHI, the medical provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received. If you choose to develop or work with a company that has developed an app, be sure to obtain a BA agreement and review their technology security to ensure they are following the HIPAA requirements.

As we venture into this new territory, there will bad actors trying to “jump” on the healthcare wagon. As always, do your research before using any new applications or vendors. Ask your colleagues and most of all, check out their credentials.

If you need more information about the Information Blocking Rule or would like a live demo of our Automated HIPAA Compliance platform, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

Do you know what it means to be HIPAA compliant?

Be careful what you post on your website, you could be charged for false advertising! Some HIPAA compliance companies want you to use their “seal” of compliance. It is great advertising for them, but does it put your practice at risk of an audit? Some say yes, and worse, you could be charged for false advertising from the FTC.

https://www.ftc.gov/news-events/press-releases/2021/02/ftc-gives-final-approval-settlement-emergency-travel-services

https://www.ftc.gov/system/files/documents/cases/c-4732_skymed_final_order.pdf

HIPAA is a moving target and at any given moment you could be “out of compliance” for something as simple as using a device that hasn’t been updated with latest security patch. Of course, you won’t get fined for that, UNLESS it causes a data breach. So, to advertise that your organization is “HIPAA Compliant” could put you at risk for false advertising.

It has always been all about “documentation”. The HIPAA rules clearly outline the requirements for policies, procedures, and documentation. If your organization has not been evaluating (§164.308(a)(8)) the technical and non-technical security measures you have in place on a regular basis, you are out of compliance. How do you know when to conduct these evaluations? This depends on your policies, and if you do not have a policy on this, you are out of compliance. As you can see, this can be very confusing! Did you know that 75% of the Security Rule is policies and procedures, and 25% is technical safeguards? With Public Law No: 116-321, it is all about your documentation.

If the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may:

(1) mitigate fines under section 1176 of the Social

        Security Act (as amended by section 13410);

(2) result in the early, favorable termination of an audit

        under section 13411; and

(3) mitigate the remedies that would otherwise be agreed

        to in any agreement with respect to resolving potential

        violations of the HIPAA Security rule (part 160 of title 45 Code

        of Federal Regulations and subparts A and C of part 164 of such

        title) between the covered entity or business associate and the

        Department of Health and Human Services.

Recognized security practices are those recommended in NIST and the Security Rule. Each organization must assess their environment and adapt “best practices”.

Most organizations think they are HIPAA compliant until they suffer a data breach, or a disgruntled employee / patient files a complaint against them. Then they are investigated by the Office for Civil Rights (OCR), unless they have proper documentation and have demonstrated best practices in data security, they may be fined up to $1.5M per violation.

This healthcare cybersecurity handout was created by the DHHS:

https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

If you need assistance in navigating the maze of HIPAA, complete the contact us form at https://arismedicalsolutions.com/contact/ or call 877.659.2467 and schedule a demo of Aris’ automated HIPAA compliance platform. Documentation has never been easier, and with our customer service, you will know what is required and how to handle situations that arise.

 

“Simplifying HIPAA through Automation, Education, and Support”

More fines for Providers for not providing timely right of access

Medical professionals have had a rough year and a half. This has been trying times for so many and we have had to learn to adapt to new ways of running practices. I was hoping to be able to share some good news during this time of thankfulness and joyous season, but the Office for Civil Rights do not take breaks… This is not meant to be disrespectful but to inform you that when a patient files a complaint, the OCR takes that seriously and will open an investigation. So, during this holiday season, please stay vigilant to patient requests. Be sure to have the patient make the request in writing and no sticky notes allowed! DOCUMENTATION is your friend, not your enemy. Make sure this task is completed in a timely manner. These forms are included in your HIPAA compliance program if you do not have one already in use.

The Office for Civil Rights is VERY interested in how timely you answer a patient’s request to access their medical records. This is known as “Right of Access”. A patient has the “right” to request a copy of their medical records and this should be provided within 30 days, or if additional time is needed, a 30-day extension may be permitted if the patient has been notified of the reason and the delay with a date that the records will be made available.

In September the OCR announced the twentieth settlement for right of access violations. Earlier this month, they announced five more.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to twenty-five since the initiative began.  OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans.  After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:

  • Advanced Spine & Pain Management (ASPM), which provides management and treatment of chronic pain services in Cincinnati and Springboro, Ohio, has agreed to take corrective actions that include two years of monitoring, and has paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Denver Retina Center, a provider of ophthalmological services in Denver, CO, has agreed to take corrective actions that includes one year of monitoring and has paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record.  Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination.  Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.
  • Wake Health Medical Group, a provider of primary care and other health care services in Raleigh, NC, has agreed to take corrective actions and has paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

There are many other fines being assessed that can be reviewed on the HHS/OCR website. This is not meant to scare you but rather inform you what they are doing so you can stay safe and prosperous.

All of us at Aris Medical Solutions want to wish everyone a safe and wonderful holiday season. We do not take breaks either, we are here to help you! 

If you need more information or would like a live demo of our Automated HIPAA Compliance platform, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

HIPAA Requirements and Software updates

Many medical providers are so busy trying to run a successful practice they sometimes forget the “technical” side of their business. Hackers know this and capitalize on it. Lately in the news, we have heard about Microsoft and Apple vulnerabilities that have been exploited by spammers and hackers. Therefore, it is SO important to stay on top of technology updates!

Most practices utilize an IT company of some sort, we recommend an IT company that specializes in network security. We do not recommend the practice trying to do this themselves unless the person assigned to the task is well versed in data security.

The Office for Civil Rights recommends an annual HIPAA risk analysis be conducted because technology changes so fast, by the time you implement a new system, an update is probably available. Speaking of the Office for Civil Rights, over the last few years, they have added hundreds of new auditors and now they are advertising for multiple new attorneys to enforce HIPAA. “Who May Apply: This vacancy announcement is open to all US Citizens and may be used to fill multiple positions”.

We have an automated HIPAA Compliance platform to help medical practices and their business associates with the daunting task up updating HIPAA compliance. To learn more about why you should and how to protect your data, read more below.

Over the last 12 years we have learned so much from our clients and have created a system that came out of their suggestions. For example, keeping all policies in one Step so you can easily scroll down to locate the one you need. Also, being able to view the state breach notification requirements. This is especially helpful for those practices that have multiple state locations or patients in more than one state. As we have been onboarding clients, we have had great feedback on the look and ease of use. Here is some information for your review.

Aris’ automated HIPAA system will enable your organization to maintain the HIPAA compliance documentation is an easy-to-follow format. As you know, it only takes one patient complaint, a disgruntled employee, or a data breach to start an investigation from the Office for Civil Rights (OCR) and they sometimes include the Office of Inspector General (OIG) and the Department of Justice (DOJ). Documentation is a main factor in avoiding a desk audit or passing an audit.

Our new system is better than ever, you have the ability to upload your own documents or implement and customize the ones that are included. Plus, as new rules and laws are introduced, we send out notifications of updates so you can review and approve the new policies. For instance, the Information Blocking rule is included, and we are watching for the other updates that are to follow. If you are not familiar with this, our new online HIPAA compliance system may be of interest to you.

Training your employees has never been easier, after you enter your employees during the onboarding process, you can send them to take an online HIPAA training course that is included. Once they complete the course, they will be required to take a short quiz and their certification of completion is conveniently stored within the system should you be audited.

The entire system educates the client every step of the way to ensure you understand what is required under HIPAA. If you have questions about HIPAA or need guidance, we offer a support ticketing system that is included with our monthly subscription.

Once you create your login, it is easy to navigate! In the Profile section, you will add employees, business associates, and electronic devices. You may use an excel spreadsheet to upload each section or enter individually. From here you can send employees the Confidentiality and Acceptable Use agreement via DocuSign to ensure employees understand what is acceptable and what is not permitted. If you do not have a business associate agreement in place will all your vendors, you have the option of sending one via DocuSign or printing a copy and sending one instead. The inventory list is a great way to keep track of which devices have had ePHI located on them, so you know the method to retire equipment when the time comes.

Step 1 – You will answer a series of questions to uncover risks and vulnerabilities. A risk management plan will be generated automatically that outlines what is needed to mitigate the vulnerabilities that were uncovered. You may modify what is recommended if you choose.

Step 2 – Security Incident Procedures and Breach Notification Plan. You will select which states your patients are located and the state law will automatically be populated. This plan also includes the links needed in the event of a data breach large or small.

Step 3 – You will be asked a series of questions about whether or not you have policies and procedures in place that meet the HIPAA Privacy and Security Rule requirements. Each policy will have a side note of education to ensure you understand what is required to be included. We suggest adopting the policies included and modify to meet your specific needs, then the policies are automatically dated and approved.

Step 4 – HIPAA Forms and Documentation. You may have forms you are already using; you may upload them to this Step to keep all your forms organized. There also many forms you may not be aware that is required under HIPAA, they are included and available for download in a Word format. You can customize them with your information and logo.

Step 5 – Business Associate agreements. During the creation of your profile, you are asked to add your business associates and upload any existing business associate agreements and HIPAA compliance documentation you may have. You have the option of sending a business associate a BA agreement via DocuSign or you may download a Word format and customize if needed. This is also useful if you have a Business Associate that uses Subcontractors, you would be able to use this document.

Step 6 – Contingency Plan. You may upload your own contingency plan, or you may choose to complete the one included in this Step.

Step 7 – This step contains a wealth of information. You can take a leisurely stroll to learn more about the HIPAA rules and other requirements that may affect your organization. You have the option to include which areas to include in your download. We also have a list of affiliates that you may need to complete your compliance requirements.

After you have completed the 7-Steps, you may simply download your package to share your policies and procedures with your employees.

When you are ready to get started all you have to do is click on the Order Now button on the main page of our website. Included is an online 1 hour live onboarding meeting to explain how to use the system.

To find out more about how our automated HIPAA compliance platform can help your organization click the contact us tab and scroll down to schedule a demo.

“Simplifying HIPAA through Automation, Education, and Support”

Introducing Our New HIPAA Compliance Platform

Is your medical practice HIPAA compliant?  

Do you have a Risk Management Plan?  

Do you have all your HIPAA policies and procedures?  

Have your employees completed HIPAA training?  

Do you have all your Business Associate agreements in place?  

If you are unsure about any of these questions, you may be exposed to potential fines by the Office of Civil Rights (OCR) should you become part of a HIPAA complaint or investigation by a disgruntled employee or patient.

Our HIPAA Compliance automation platform is designed to educate and protect covered entities such as medical practices, dental practices, and chiropractors.  How does it work?  Just sign-up, enter your employee and business associate information, answer a comprehensive questionnaire, then implement, generate, and download all your documents required under HIPAA law in one easy ZIP file each year.  You are required by law to keep your documents for 6 years. Our document package includes employee confidentiality agreements and business associate agreements signed via DocuSign, or you may upload your own.  The package also includes a risk management plan, certificates of completion for employee training, as well as all policies and procedures required for HIPAA compliance.  There is no better or easier way to document and maintain your HIPAA Compliance history.

Visit https://arismedicalsolutions.com to learn more, or call us at 877.659.2467 to speak with a HIPAA security consultant.

Controlling Access to ePHI

The OCR released their Summer 2021 Cybersecurity Newsletter and it stated that a recent report of security incidents and data breaches were committed 61% by external actors and 39% by insiders. During COVID last year, systems that monitor audit logs found that internal snooping was up by 90%.

The Information Access Management 45 CFR § 164.308(a)(4)(i) and Access Control 45 CFR § 164.312(a)(1) are two of the HIPAA Security Rule standards that cover access to ePHI.

We will discuss Information Access Management under the Administrative Safeguards first. This standard requires covered entities and business associates to implement policies and procedures that outline how covered entities and business associates authorize or grant access to ePHI within their organization. This may include how access to information systems containing ePHI is requested, authorized, and granted, who is responsible for authorizing access requests, and the requirements for granting access. These policies typically cover workforce roles that may be granted access to particular systems, applications, and/or data. It is important to point out that access must be based on job function or business necessity. Since this is an Addressable standard, if a particular implementation specification is not reasonable and appropriate, entities must document why, and implement equivalent alternative measures if reasonable and appropriate. 

Access Establishment and Modification 45 CFR § 164.308(a)(4)(ii)(C) policies describe how to establish, document, review, and modify a user’s access to workstations, transactions, programs, or processes. For example, a workforce member being promoted or given some change in responsibility may require increased access to certain systems and decreased access to others. Another example is that a covered organization could change its system access requirements to permit remote access to systems containing ePHI during a pandemic. Policies and procedures should cover situations such as these to ensure that each workforce member’s access continues to be appropriate for their role.

Access Control under the Technical safeguards is a required standard for covered entities and business associates to implement access controls for electronic information systems to allow access to ePHI only to those approved in accordance with the organization’s Information Access Management process. The flexible, scalable, and technology-neutral nature of the Security Rule permits organizations to consider various access control mechanisms to prevent unauthorized access to ePHI.  Such access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate. This means, what may be acceptable for one organization may not be suitable for another. Access controls need not be limited to computer systems. Firewalls, network segmentation, and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI. Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization’s network or impede the ability of a hacker already in the network from accessing other information systems – especially systems containing sensitive data.

The Access Control standard includes Unique User Identification 45 CFR § 164.312(a)(2)(i) which is a required implementation specification and is a key security requirement for any system. While the use of shared or generic usernames and passwords may seem to provide some short-term convenience, it severely degrades the integrity of a system because it removes accountability from individual users and makes it much easier for the system to become compromised. If information is improperly entered, altered, or deleted, whether intentionally or not, it can be very difficult to identify the person responsible (e.g., for training or sanctions) or determine which users may have been the victim of a phishing attack that introduced ransomware into the organization. Additionally, because shared usernames and passwords can become widely known, it may be difficult to know whether the person responsible was an authorized user. A former employee or contractor, a current employee not authorized for access, a friend or family member of an employee, or an outside hacker could be a source of unauthorized access. The inability to identify and track a user’s identity due to the use of shared user IDs can also impede necessary investigations when the shared user ID is used for unauthorized or even criminal activity. For example, a malicious insider could take advantage of known shared user IDs to hide their activities when collecting personal medical and financial information to use for identity theft. In such as case, an organization’s implemented audit controls would document the actions of the shared user ID, thus potentially limiting the organization’s ability to properly identify and track the malicious insider.

The second implementation specification, Emergency Access Procedure 45 CFR § 164.312(a)(2)(ii) is also a required implementation specification. This implementation specification is applicable in situations in which normal procedures for obtaining ePHI may not be available or may be severely limited, such as during power failures or the loss of Internet connectivity. Access controls are still necessary during an emergency, but may be very different from normal operations. For example, due to the recent COVID-19 public health emergency, many organizations quickly implemented mass telehealth policies. How workforce members can securely access ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures. Appropriate procedures should be established beforehand for how to access needed ePHI during an emergency.

The third implementation specification, Automatic Logoff 45 CFR § 164.312(a)(2)(iii), is an addressable implementation specification. Users sometimes inadvertently leave workstations unattended for various reasons.  In an emergency setting, a user may not have time to manually log out of a system.  Implementing a mechanism to automatically terminate an electronic session after a period of inactivity reduces the risk of unauthorized access when a user forgets or is unable to terminate their session.  Failure to implement automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI, it also impedes an organization’s ability to properly investigate such unauthorized access because it would appear to originate from an authorized user.

The final implementation specification is Encryption and Decryption 45 CFR § 164.312(a)(2)(iv), which is also an addressable implementation specification. This technical safeguard can reduce the risks and costs of unauthorized access to ePHI.  For example, if a hacker gains access to unsecured ePHI on a network server or if a device containing unsecured ePHI is stolen, a breach of PHI will be presumed and reportable under the Breach Notification Rule (unless the presumption can be rebutted in accordance with the breach risk assessment. The Breach Notification Rule applies to unsecured PHI which is PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act].”  OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, which provides guidance for securing PHI, states that ePHI that is “at-rest” (i.e., stored in an information system or electronic media) is considered secured if it is encrypted in a manner consistent with NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) (SP 800-111).

EPHI encrypted in a manner consistent with SP 800-111 is not considered unsecured PHI and therefore is not subject to the Breach Notification Rule. Encrypting ePHI in this manner is an excellent example of how implementing an effective encryption solution may not only fulfill an organization’s encryption obligation under the Access Control standard, but also provides a means to leverage the Breach Notification Rule’s safe-harbor provision.

As the use of mobile computing devices (e.g., laptops, smartphones, tablets) becomes more and more pervasive, the risks to sensitive data stored on such devices also increases. Many mobile devices include encryption capabilities to protect sensitive data. Once enabled, a device’s encryption solution can protect stored sensitive data, including ePHI, from unauthorized access in the event the device is lost or stolen.

If you need assistance with HIPAA Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC