In 2025 and beyond there are many HIPAA updates that are occurring in the healthcare arena. Staff education and patient privacy are front and center of the OCR. You can be fined for HIPAA violations and be required to implement a corrective action plan that will be monitored by OCR for three years. There are significant changes to the HIPAA privacy rule and the security rule.
Notice of Privacy Practices must be updated to include Health Information Exchanges (HIEs).
Reproductive healthcare and how you protect privacy (this may change).
Substance Abuse and Mental Health Services Administration updates.
A Patient’s right of access may be reduced to 15 days, and immediate in some cases. Patient right of access has been a major problem with complaints resulting in fines from $3,500 to over $250K.
New patient authorization attestation requirements.
The posting of estimated fee schedules may be required.
Information blocking guidelines, this includes a patient’s request for their records in the format of their choice.
Non-discrimination notices with specific terminology (in 15 languages) on websites and in offices.
Language assistance notice (and staff training on the tools utilized).
Conscience rights notice.
Website accessibility requirements. The ADA requires that people with disabilities have equal access to information. An inaccessible website, mobile app, or kiosk can exclude people just as much as steps at an entrance to a physical location.
The updated HIPAA training requirements for 2025 bring several significant changes. The most notable is the emphasis on cybersecurity.
Cybersecurity awareness is a critical component, and employees must be trained in recognizing and responding to potential cyber threats. This includes:
understanding how to identify phishing attempts,
using strong passwords, and
implementing multi-factor authentication.
Data security proposed changes:
Healthcare providers and their business associates (BAs) may be required to implement enhanced administrative, physical, and technical safeguards for electronic protected health information (ePHI). This includes requiring written procedures for restoring electronic information systems and data within 72 hours. Adding specific compliance time periods for many of the existing requirements. Providers could be required to conduct a compliance audit at least every 12 months and to verify BAs that they have implemented the technical safeguards required under the HIPAA Security Rule. Keep in mind, all entities involved with ePHI must comply with the HIPAA security rule including subcontractors of BAs, this enhancement refers to reviewing/auditing every year.
Healthcare providers may be required to conduct more frequent and thorough risk assessments of their IT infrastructure. The requirement of maintaining an asset inventory and a network map, that illustrates the movement of ePHI throughout the organization’s environment. This is already a requirement under the HIPAA security rule, but the proposed rule will require this to be updated on an ongoing basis, or at least once a year. Also, reviewing their Security Incident Response Plans and documenting how employees are to report suspected or known security incidents and how the entity will respond.
Medical practices would need to utilize anti-malware/ anti-virus systems including remote users. Require vulnerability scanning every 6 months, and penetration testing once a year.
Healthcare providers would need to update legacy systems, since outdated legacy systems are seen as a significant vulnerability. Under the proposed updates, entities may face stricter obligations to retire or upgrade unsupported software.
ePHI would require higher levels of encryption both at rest and in transit and multi-factor authentication (MFA) will need to be utilized, along with continuous network monitoring to detect threats in real time.
Keep in mind, cyber-security is essential for patient privacy and safety.
The Healthcare and Public Health Sector Coordinating Council (HSCC)Cybersecurity Working Group (CWG) is working with the Trump Administration to initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.
HSCC Cybersecurity Working Group Executive Director Greg Garcia said “The healthcare industry is now targeted by more cyber-attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”
Those involved in cyber-security in the healthcare space understand the need for greater protection but also believe there are many moving parts that need to be coordinated in order to be effective.
Although these proposed changes are being negotiated, the best practice is for all entities involved with patient data to conduct a system wide risk analysis and review how data flows in and out of your network. Once this has been determined, you can address cyber-security for your particular network. This is not a one size that fits all. This is where you need a partner that specializes in data security and not an average IT company. This sounds like a lot of work, but not when you have the right partners in place.
Summary
Our HIPAA Keeper™ online compliance system has everything needed for HIPAA compliance documentation. Plus, we work with business partners that are HIPAA compliant as well. So, whatever your need is, we have you covered!
“Simplifying HIPAA through Automation, Education, and Support”
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since HIPAA violations can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
The 2024 HIPAA and other compliance updates are included in the Office of the Inspector General (OIG) General Compliance Program Guidance (GCPG) for healthcare providers.
Although this compliance is not anything new, they have added this guidance to assist the health care community. This Compliance Program entails more than HIPAA. It is recommended after reviewing this summary that you review the Program Guidance in full.
Similar to the HIPAA Security Rule, the GCPG repeats certain information. This is because OIG recognizes that users may read, or may later reference, specific sections only, and not the whole document. Therefore, relevant information may be included and repeated in multiple sections.
The GCPG applies to all individuals and organizations involved in the health care industry. The GCPG addresses the seven elements of a compliance program. They have adaptations for small and large organizations. They anticipate updating the GCPG as changes in compliance practices or legal requirements.
Starting in 2024, the OIG will be publishing industry specific CPGs (ICPGs) for different types of providers, suppliers, and other participants in the health care industry. ICPGs will be tailored to fraud and abuse risk areas for each industry. They will also address compliance measures that the industry participants can take to reduce these risks. ICPGs are intended to be updated periodically to address newly identified risk areas and compliance measures and to ensure timely and meaningful guidance from OIG.
Keep in mind, the OIG’s compliance plan is a resource for healthcare providers and does not imply that it is a complete compliance program. Every organization is different, and this is not a one size fits all system. This is very comprehensive, and the following is a summary. For the complete document, see the link below:
The Department of Justice (DOJ), OIG, the Centers for Medicare & Medicaid Services (CMS), and the HHS Office for Civil Rights (OCR), are charged with interpreting and enforcing these laws and regulations. These overviews are intended to be summaries only and they do not address every legal obligation that may be imposed on the health care community and affiliated partners. For example, this guidance and these legal overviews do not address State fraud and abuse laws. It is important to understand that following these laws is the right thing to do and violating them could result in criminal penalties, fines, exclusion from Federal health care programs, and the enforcement to pay back overpayments.
Federal Anti-Kickback Statute
This statute prohibits organizations that are involved in Federal health care programs from engaging in some practices that are acceptable in other business sectors. For example, offering or receiving gifts for past or future referrals.
The Federal anti-kickback statute can be described as intent based. It is a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to entice the referral of an individual for the furnishing of, or arranging the furnishing of any item or service, that is reimbursable under a federal health care program.
Violation of the Federal anti-kickback statute constitutes a felony punishable by a maximum fine of $100,000, imprisonment up to 10 years, or both. Conviction also will lead to mandatory exclusion from Federal health care programs, including Medicare and Medicaid.
Physician Self-Referral Law (PSL) a/k/a Stark Law
This law prohibits a physician from making referrals for certain designated health services (DHS) payable by Medicareto an entity with which the physician (or an immediate family member) has a financial relationship, unless an exception applies, and its requirements are satisfied.Financial relationships include ownership and investment interests as well as compensation arrangements. For example, if a physician invests in an imaging center to which the physician refers Medicare beneficiaries for DHS, the PSL requires that the financial relationship satisfies all requirements of an applicable exception. If it does not, the PSL prohibits the physician from making a referral for DHS to be furnished by the imaging center and prohibits the imaging center from billing Medicare (or any individual, third-party payor, or other entity) for the improperly referred DHS.
The PSL is implicated only when all six of the following elements are present.
A physician
Makes a referral
For designated health services
Payable by Medicare
To an entity
With which the physician (or an immediate family member) or the physician organization in whose shoes the physician stands has a financial relationship (which could be a direct or indirect ownership or investment interest in the entity or a compensation arrangement with the entity).
When all six elements exist, the PSL prohibits a physician from making a referral for DHS to the entity with which they have the financial relationship unless an exception applies and its requirements are satisfied. It is important for entities that furnish DHS to have a method to keep track of, and review closely, their financial relationships with physicians who refer Medicare patients to them.
CMS’s regulations define certain categories of DHS by Current Procedural Terminology (CPT) and Healthcare Common Procedure Coding System (HCPCS) codes. CMS publishes an updated list of codes for the relevant DHS annually.
The civil False Claims Act provides a way for the Government to recover money when an individual or entity knowingly submits or causes to be submitted false or fraudulent claims for payment to the Government.
This Act defines “knowing” and “knowingly” to mean that a person, with respect to information—
has actual knowledge of the information;
acts in deliberate ignorance of the truth or falsity of the information; or
acts in reckless disregard of the truth or falsity of the information; and no proof of specific intent to defraud is required.
The False Claims Act defines “knowing” and “knowingly” to include not only actual knowledge but also instances in which the person acted in deliberate ignorance or reckless disregard of the truth or falsity of the information. This means individuals and entities cannot avoid liability by deliberately ignoring inaccuracies in their claims.
Filing false claims may result in liability of up to three times the programs’ loss plus an additional penalty per claim filed. Each instance of an item or a service billed to Medicare or Medicaid counts as a claim. Liability can add up quickly!
A few examples of health care claims that may be false include claims where the service was not actually rendered to the patient, is already provided under another claim, is up coded, or is not supported by the patient’s medical record. A claim that is tainted by illegal remuneration under the Federal anti-kickback statute or submitted in violation of the PSL is also false or fraudulent, creating liability under the civil False Claims Act.
The Affordable Care Act included a requirement that entities must report and repay overpayments to Medicare and Medicaid by the later of:
(A) the date which is 60 days after the date on which the overpayment was identified; or
(B) the date any corresponding cost report is due, if applicable.
If an entity identifies billing mistakes or other non-compliance with program rules leading to an overpayment, the entity must repay the overpayments to Medicare and Medicaid to avoid False Claims Act liability. Even if an entity makes an innocent billing mistake, that entity still has an obligation to repay the money to the Government.
Civil Monetary Penalty (CMP) Authorities
The OIG is authorized to pursue monetary penalties and exclusion through a variety of civil authorities. Most notably, the Civil Monetary Penalties Law (CMPL). Under the CMPL, the OIG can pursue assessments in lieu of damages, CMPs, and exclusion from participation in the Federal health care programs. With this authority, OIG can address a wide variety of improper conduct related to Federal health care programs and other HHS programs.The CMPL principally addresses fraudulent and abusive conduct. In addition to OIG’s CMP authorities that closely parallel the False Claims Act, the OIG has additional CMP authorities aimed at certain specific types of conduct unique to HHS and the Federal health care programs. For example, the “patient dumping” CMP.
While False Claims Act cases are pursued by DOJ on behalf of HHS in Federal court, CMP cases are administrative and pursued by OIG before an HHS administrative law judge. By statute, different categories of conduct result in different penalty amounts. Such as, false claims result in penalties of up to $20,000 per item or service falsely claimed, and improper kickback conduct results in penalties of up to $100,000 per violation.
This provides for the imposition of CMPs against any person who offers or transfers remuneration to a Medicare or State health care program that the person knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier for the order or receipt of any item or service for which payment may be made, in whole or in part, by Medicare or a State health care program.
There are exceptions to the definition of “remuneration” under this section. For any applicable exception to apply, each condition of the exception must be completely satisfied. The exceptions include:
nonroutine waivers of copayments and deductibles based on individualized determinations of financial need;
preventive care incentives;
items and services that promote access to care and pose a low risk of harm;
retailer rewards;
items and services tied to medical care for financially needy beneficiaries.
The Beneficiary Inducements CMP is different from the Federal anti-kickback statute and the corresponding anti-kickback CMP, but the Beneficiary Inducements CMP and Federal anti-kickback statute often prohibit overlapping conduct.
The Beneficiary Inducements CMP is a separate and distinct authority, completely independent of the Federal anti-kickback statute. It is narrower than the Federal anti-kickback statute and the anti-kickback CMP in several ways.
The Federal anti-kickback statute applies to remuneration to induce or reward referrals of an individual to a person for the furnishing of any item or service, and purchases of any good, facility, service, or item that is payable by a Federal health care program. In contrast, under the Beneficiary Inducements CMP applies to remuneration that is likely to influence a beneficiary’s selection of a particular provider, practitioner, or supplier for items or services reimbursable by Medicare or a State health care program.
Information Blocking
Under the 21st Century Cures Act the OIG has the authority to investigate claims that health information technology (IT) developers of certified health IT (including entities offering certified health IT), health information exchanges and networks, and health care providers have engaged in conduct constituting “information blocking.” A health IT developer of certified health IT, health information exchange, or network that engages in information blocking may be subject to CMPs of up to $1 million per violation.
It is considered information blocking when a provider engages in a practice and the provider knows that it is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. Information blocking does not include any practice that is required by law or that meets an exception.
Criminal Health Care Fraud Statute
The criminal health care fraud statute makes it a criminal offense to defraud a health care benefits program. The criminal health care fraud statute prohibits knowingly and willfully executing, or attempting to execute, a scheme to either:
(1) defraud any health care benefit program; or
(2) to obtain, by means of false or fraudulent pretenses, representations, or promises, any money or property from any health care benefit program.
The Government must prove its case beyond a reasonable doubt and prove that the defendant acted with intent to defraud; however, specific intent to violate this statute is not required for a conviction. DOJ, OIG, and other law enforcement partners have successfully used this statute to pursue defendants who orchestrate complex health care fraud schemes. Cases that involve violations of the criminal health care fraud statute also often involve complex money laundering, tax, and other associated financial criminal offenses. The penalties for violating the criminal health care fraud statute may include fines of up to $250,000, imprisonment of not more than 10 years, or both.
The Department of Health and Human Services Office for Civil Rights are responsible for administering and enforcing the HIPAA Rules. Which includes the Privacy, Security, and Breach Notification Rule.
The Security Standards specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to ensure, among other provisions, the confidentiality, integrity, and security of electronic PHI (ePHI).
The OCR and ONC created the HSR Toolkit to assist providers and business associates in determining their risks. The HSR Toolkit does not produce a statement of compliance. Organizations may use the HSR Toolkit in coordination with other tools and processes to support HIPAA Security Rule compliance and risk management activities. Statements of compliance are the responsibility of the covered entity and the HIPAA Security Rule regulatory and enforcement authority. By using Aris’ HIPAA Keeper™, this replaces the need to use this tool kit since our system includes the risk assessment and all policies and procedures. It is recommended to utilize a third party to audit your network to ensure that your data is secure.
Elements of a Compliance Infrastructure
Written Policies and Procedures should encompass the HIPAA Rules and areas that could cause fraud and abuse. Including areas in billing, coding, sales, marketing, quality of care, patient incentives, arrangement with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business.
All individuals are required to have access to your policies and procedures. Many entities maintain their code, policies, and procedures on an internal intranet site or use other electronic communication tools to ensure that everyone has access to the same documents. Policies must be maintained in languages that the staff can easily understand and written an appropriate reading level.
Designating a compliance officer with appropriate authority is essential to the success of the compliance program. To be effective, the compliance officer should also maintain a degree of separation from the entity’s delivery of health care items and services and related operations. Thus, the compliance officer should not be responsible, either directly or indirectly, for the delivery of health care services, coding, or claim submission. In addition, involvement in functions such as contracting, medical review, or administrative appeals present potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance. In smaller organizations this can be burdensome, therefore a third party may be necessary for guidance.
Training should include education on the organization’s compliance program. Including Federal and State standards, and governance, and oversight of a health care entity. The compliance officer should develop an annual training plan that includes the training topics to be delivered and the target audience for each topic.
For a compliance program to be effective, the organization should establish appropriate consequences for instances of noncompliance, as well as incentives for compliance. Consequences may involve remediation, sanctions, or both, depending on the facts. Incentives may be used to encourage compliance performance and innovation.
Risk assessment is a process for identifying, analyzing, and responding to risk. Periodic compliance risk assessments should be a component of an organization’s compliance program and should be conducted at least annually. Entities may use commonly available spreadsheet software to analyze their data. Other software programs that entities already use, such as billing software and electronic health records, may also have components that allow entities to analyze the data they contain. Between compliance risk assessments, the compliance officer should continue to scan for unidentified or new risks.
Audits may be conducted by internal or external auditors who have expertise in Federal and State health care statutes, regulations, and Federal health care program requirements. Medicare requires that items must be medically reasonable and necessary. Entities may identify other areas appropriate for routine monitoring, such as high-value billing codes, medical record documentation, medical necessity of admission.
Monthly monitoring of the LEIE and state Medicaid exclusion lists, state licensure and certification databases, and an annual review of the organizations policies and procedures are also required.
Detected Offenses and Developing Corrective Action Plans. If credible evidence of misconduct from any source is discovered and a reasonable inquiry is conducted, and the compliance officer or counsel has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the organization should promptly (not more than 60 days after the determination that credible evidence of a violation exists) notify the appropriate Government authority of the misconduct. Prompt reporting will demonstrate the entity’s good faith and willingness to work with governmental authorities to correct and remedy the problem.
Other Compliance Considerations
There are other important compliance considerations related to several generally applicable risk areas. Forthcoming ICPGs will address industry subsector-specific risk areas for different types of providers, suppliers, and other participants in health care industry subsectors or ancillary industry sectors relating to Federal health care programs. The existing CPGs and supplemental CPGs will remain available for use as ongoing resources to help identify risk areas in particular industry segments as the ICPGs are developed.
Quality and Patient Safety
Quality and patient safety are often treated as wholly separate and distinct from compliance, and the compliance program often does not contain quality and patient safety components. But quality and patient safety are integral to the work of HHS, CMS, FDA, and other agencies. And OIG and DOJ have long emphasized the importance of quality and patient safety. OIG and DOJ have investigated and settled cases based on the submission of false claims for care that is materially substandard, resulting in death or severe harm to patients.
New Businesses in the Health Care Industry
The health care sector is seeing an increasing number of new businesses, including technology companies (both established and start-up companies), new investors, and organizations providing non-traditional services in health care settings. New entrants are often unfamiliar with the unique regulations and business constraints that apply in the health care industry, as well as the range of Federal and State government agencies that regulate health care and enforce fraud and abuse laws. Business practices that are common in other sectors create compliance risk in health care, including potential criminal, civil, and administrative liability.
Financial Incentives: Ownership and Payment – Follow the Money
The growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives on the delivery of high quality, efficient health care. Health care entities, including their investors and governing bodies, should carefully scrutinize their operations and incentive structures to ensure compliance with the Federal fraud and abuse.
Payment Incentives
Compliance officers should be attuned to the varying risks associated with the payment methodologies through which health care entities are reimbursed for the items and services they provide. When an insurer, including Federal health care programs, pays on a volume-sensitive or fee-for-service basis, there may be increased risks of overutilization, inappropriate patient steering, and use of more expensive items or services than needed. When payment incentives and associated risks are fully understood, compliance officers, including those at entities with private investment, are better positioned to design informed audit plans, conduct effective monitoring, detect problems early, and implement effective preventive strategies.
Financial Arrangement Tracking
Organizations involved in Federal health care program business may manage financial arrangements and transactional agreements, including those between referral sources and referral recipients, which can implicate the Federal anti-kickback statute and the PSL, among other Federal fraud and abuse laws. While legal counsel may be involved in the initial structuring and drafting of these agreements, ongoing monitoring of compliance with the terms and conditions set forth in the agreements remains equally important from a fraud and abuse perspective.
OIG Resources and Processes
OIG has a Compliance Section on its website that includes numerous compliance and legal resources. They most recently added a more robust section on Frequently Asked Questions, with a new process for the health care community to submit questions, as discussed further below. In addition, under the Newsroom tab, they have short, educational videos covering a variety of substantive topics, Testimonies before Congress, as well as News Releases & Articles.
They encourage organizations to subscribe to OIG’s What’s New Newsletter to receive email notifications when OIG has posted new information to their website, including reports, enforcement actions, and more. OIG also encourages to subscribe to email notifications when the List of Excluded Individuals/Entities is updated. Lastly, OIG has various social media accounts that users can opt to follow to view OIG posts.
OIG has several self-disclosure processes that can be used to report potential fraud in HHS programs. Health care providers, suppliers, or other individuals subject to CMPs can use the Health Care Fraud Self-Disclosure Protocol to voluntarily disclose self-discovered evidence of potential fraud. Self-disclosure gives providers the opportunity to avoid the costs and disruptions associated with a Government-directed investigation and civil or administrative litigation.
The GCPG is voluntary guidance that discusses general compliance risks and compliance programs. The OIG states that compliance should be implemented. The complete guide may be accessed or downloaded on any computer.
Be sure to check this link regularly as they will be updated and no longer available in the Federal Register.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our system includes documents on a variety of compliance topics, not just HIPAA. Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
The Office for Civil Rights (OCR) released a Request for Information (RFI) seeking comments from all stakeholders including covered entities, business associates, patients, and their families. The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI).
This RFI will enable the OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.
Through today’s RFI, OCR is seeking public comment on the following provisions of law:
Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates1 when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit. Public Law 116-321 went into effect when it was signed into law on January 5, 2021.
One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”
The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.
Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.
The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.
OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.
Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more:
The Office for Civil Rights sent out a cyber newsletter stating that throughout 2020-2021 hackers have targeted the health care industry and the number of breaches increased 45% from 2019 to 2020. The number of breaches due to hacking or IT incidents account for 66% of all breaches affecting over 500 patients records in 2020. Cyber-attacks are critical in health care since it can disrupt services to patients and destroy patient data.
Most cyber-attacks could have been prevented if covered entities and business associates had implemented the HIPAA Security Rule requirements. Technical safeguards are based on the organizations size, type of environment, and how data flows in and out of their systems. Keep in mind, phishing attacks and weak authentication protocols are the most common exploitations.
What can you do to prevent cyber-attacks?
While nothing is 100%, simple precautious can go a long way. Educating your staff should be a top priority. Tricking employees to click on links or to share vital information is the most common tactic. An unsuspecting employee is typically how an attack starts. There are more sophisticated methods that can exploit previously unknown vulnerabilities, but phishing is still the most common. Train your employees not to click on attachments unless they are expecting the communication and the sender has been verified. Also, do not click on links within emails. Best practices are to open your browser window and go to the website and log-in from there. If the employee suspects an email contains a virus or is suspicious, they should contact their IT department/vendor and verify. It is always better to be safe than sorry later!
Ongoing HIPAA training is essential to keep up with new threats. Annual training keeps HIPAA on the minds of your employees, but when you add monthly security reminders it helps so much more! The HIPAA security officer should share emails or website information from reliable sources to keep their employees informed. When you receive Aris’ monthly Security Newsletter, share this valuable information with the staff, including clinicians, and management since they are often a target from hackers. If possible, utilize a company that offers Phishing training and exercises. Contact us for some suggestions.
Unfortunately, security training cannot be effective if it is viewed by as a burdensome, and employees just want to “check-the-box”. Keep staff members engaged by explaining cyber security is everyone’s job in protecting ePHI.
In addition to education, organizations can mitigate the risk of phishing attacks by implementing anti-phishing technologies. You should talk to your IT vendor about what type of services they have that can help you. For example, if an email is suspected of being a threat, it can be blocked, and appropriate personnel notified. Another approach can involve scanning web links or attachments included in emails for potential threats and removing them if a threat is detected. Newer techniques can leverage machine learning or behavioral analysis to detect potential threats and block them as appropriate. Many available technology solutions use a combination of these approaches. Implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule. Organizations may determine that because its privileged accounts (administrator) have access that supersedes other access controls (role or user-based access) and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts. If exploited through an administrative access point, not only could privileged accounts supersede access restrictions, but they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoperable. To reduce the risk of unauthorized access to privileged accounts, the organization could decide that a privileged access management (PAM) system is reasonable and appropriate to implement.
Covered entities and business associates are required under HIPAA to ensure the integrity, confidentiality, and availability of ePHI. This means protecting patient data from improper alteration, destruction, and making sure it is available when needed. Hackers that penetrate an organization’s network can wreak havoc by encrypting patient data, modifying data, or stealing the data. Based on the type of network your organization utilizes, you may need domain controller and/or business grade firewall. Some firewalls that are designed for “small” businesses, are not robust enough for healthcare. As devices age, they must be replaced since technology is always changing, and vulnerabilities are exploited. Before purchasing new equipment, it is suggested to consult with an IT vendor that specializes in healthcare. It is important to ensure the device can be used in a healthcare setting, set up correctly, and custom security policies implemented.
As we just mentioned about devices being upgraded, so must software applications. Again, when an organization utilizes outdated software, these can be exploited as well. I have heard over the years many different reasons why “programs” cannot be upgraded, it won’t work with the new version of windows, they don’t offer upgrades, or simply they do not want to spend the money. None of these reasons are acceptable excuses from the Office for Civil Rights unless you have security measures in place to protect the legacy systems and they are safe from the “outside” world. If you utilize outdated equipment or software and you are hacked, you CAN and WILL be fined if you have not demonstrated best practices in protecting your data. You literally are running the risk of losing your business. The fines are THAT much!
We recommend yearly network security audits that are performed by a network security company. This is different that your regular IT company that maintains your systems unless they truly specialize in network security. This type of company should perform several types of vulnerability scans. Not all scans are created equal and different types may be necessary to uncover holes in your security. For example, scans that look for weak passwords, duplicate passwords, weak access controls, and vulnerable ports. 80% of the attacks can be linked to weak authentication credentials. By adding a second authentication process, a bio-scanner, or RFID card to access ePHI greatly enhances security. This is especially helpful for those using remote access. When it comes to your daily IT vendor, they must also under HIPAA and follow the security protocols set forth by NIST. Several medical practices have been breached due to incorrect settings within the network. Some of these breaches cost $3M in fines!
Summary:
Although malicious attacks targeting the health care sector continue to increase, many of these attacks can be prevented or mitigated by fully implementing the Security Rule’s requirements. Many organizations continue to underappreciate the risks and vulnerabilities of their actions or inaction (increased risk of remote access, unpatched or unsupported systems, not fully engaging the workforce in cyber defense).
Unfortunately, there isn’t a single magic action to ensure the safety of your data, it is a combination of the above and ongoing upgrades.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of four investigations related to the HIPAA privacy rule.
Two cases were part of the HIPAA Right of Access, bringing the total number of enforcement actions to twenty-seven since the initiative began. Another case included misuse of social media in response to a negative review.
A solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record. After being issued a Notice of Proposed Determination, the doctor requested a hearing before an Administrative Law Judge. The litigation was resolved before the court made a determination by a settlement agreement in which the doctor agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
A dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The practice did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.
A dental practice in Fairhope, Alabama, who impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
A psychiatric medical services provider with two office locations in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.
If you would like to read about other fines, follow this link:
There are many different types of “audits”, so when we refer to audits, we are referring to a “HIPAA audit”. When anyone mentions HIPAA audit, most practices think it won’t happen to them. I hear so often; I have never seen the “HIPAA Police” come around and do an audit. Well, they don’t just walk in off the street, but it only takes one patient complaint, a disgruntled employee, or a data breach to trigger an investigation. I have said this MANY times… and I feel the need to repeat it one more time! HIPAA has changed a few times over the years, one thing that has not changed since 1996 – HIPAA compliance is here to stay, and it is not optional.
When an investigation is opened, depending on the documentation you provide will determine whether a desk audit is conducted. For example, many OCR (Office for Civil Rights) investigations find systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures. With the “recognized security practices”, the OCR may review a minimum of 12 months of your documentation. The good news is, if you have documented your compliance efforts, you may not be fined or penalized! The OCR is trying to incentivize practices to step up their data security practices. Keep in mind, this must be documented. Just another reason why our clients are moving to our online compliance platform!
Employee mistakes are the typical cause of a security incident or data breach. Someone clicks on a link, opens an infected website, or falls for a phishing scam. This is a HUGE problem; all you have to do is go to the OCR breach portal and you can see for yourself the number of breaches reported for hacking. Educating your staff is #1, along with good data security practices that are documented.
Lost or stolen devices are also a problem unless they are encrypted. Security incidents must be reviewed, and the outcome documented. If a device is lost or stolen and it is encrypted (and documented as such) it is not a reportable breach!
Another area that the OCR reviews (depending on the complaint or violation) is employee training. HIPAA training requires periodic updates, and it is recommended that all staff including physicians attend annual HIPAA training. Again, this must be documented.
Background checks are so important and often overlooked. I can’t stress this enough… background checks are more than calling the “references” the candidate offers you. Of course, they will give glowing reviews! Insider threats are becoming more of a problem. People pose as a “great” employee, only to steal patient information, or some may just be curious and open patient records that they are not authorized to. Both situations can lead to data breaches or violations. Utilizing a professional company to conduct your background checks will provide you with the appropriate documentation.
Have you noticed something that all these areas have in common? DOCUMENTATION! If is not documented, it doesn’t exist in the eyes of the OCR.
Do you know why the OCR is coming down hard on the lack of data security? Because patient data is valuable, and hackers and scammers are trying to get to YOUR patient data. This is some of the most sought-after information because it contains everything needed to steal a person’s identity. It is easy to get a new credit card number, but you can’t get a new social security number. One more thing, some identity thefts lead to medical identity theft. This can be deadly if someone’s medical information is changed.
These are just friendly reminders to keep your practice safe and secure!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
The OCR released their Summer 2021 Cybersecurity Newsletter and it stated that a recent report of security incidents and data breaches were committed 61% by external actors and 39% by insiders. During COVID last year, systems that monitor audit logs found that internal snooping was up by 90%.
The Information Access Management 45 CFR § 164.308(a)(4)(i) and Access Control 45 CFR § 164.312(a)(1) are two of the HIPAA Security Rule standards that cover access to ePHI.
We will discuss Information Access Management under the Administrative Safeguards first. This standard requires covered entities and business associates to implement policies and procedures that outline how covered entities and business associates authorize or grant access to ePHI within their organization. This may include how access to information systems containing ePHI is requested, authorized, and granted, who is responsible for authorizing access requests, and the requirements for granting access. These policies typically cover workforce roles that may be granted access to particular systems, applications, and/or data. It is important to point out that access must be based on job function or business necessity. Since this is an Addressable standard, if a particular implementation specification is not reasonable and appropriate, entities must document why, and implement equivalent alternative measures if reasonable and appropriate.
Access Establishment and Modification 45 CFR § 164.308(a)(4)(ii)(C) policies describe how to establish, document, review, and modify a user’s access to workstations, transactions, programs, or processes. For example, a workforce member being promoted or given some change in responsibility may require increased access to certain systems and decreased access to others. Another example is that a covered organization could change its system access requirements to permit remote access to systems containing ePHI during a pandemic. Policies and procedures should cover situations such as these to ensure that each workforce member’s access continues to be appropriate for their role.
Access Control under the Technical safeguards is a required standard for covered entities and business associates to implement access controls for electronic information systems to allow access to ePHI only to those approved in accordance with the organization’s Information Access Management process. The flexible, scalable, and technology-neutral nature of the Security Rule permits organizations to consider various access control mechanisms to prevent unauthorized access to ePHI. Such access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate. This means, what may be acceptable for one organization may not be suitable for another. Access controls need not be limited to computer systems. Firewalls, network segmentation, and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI. Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization’s network or impede the ability of a hacker already in the network from accessing other information systems – especially systems containing sensitive data.
The Access Control standard includes Unique User Identification 45 CFR § 164.312(a)(2)(i) which is a required implementation specification and is a key security requirement for any system. While the use of shared or generic usernames and passwords may seem to provide some short-term convenience, it severely degrades the integrity of a system because it removes accountability from individual users and makes it much easier for the system to become compromised. If information is improperly entered, altered, or deleted, whether intentionally or not, it can be very difficult to identify the person responsible (e.g., for training or sanctions) or determine which users may have been the victim of a phishing attack that introduced ransomware into the organization. Additionally, because shared usernames and passwords can become widely known, it may be difficult to know whether the person responsible was an authorized user. A former employee or contractor, a current employee not authorized for access, a friend or family member of an employee, or an outside hacker could be a source of unauthorized access. The inability to identify and track a user’s identity due to the use of shared user IDs can also impede necessary investigations when the shared user ID is used for unauthorized or even criminal activity. For example, a malicious insider could take advantage of known shared user IDs to hide their activities when collecting personal medical and financial information to use for identity theft. In such as case, an organization’s implemented audit controls would document the actions of the shared user ID, thus potentially limiting the organization’s ability to properly identify and track the malicious insider.
The second implementation specification, Emergency Access Procedure 45 CFR § 164.312(a)(2)(ii) is also a required implementation specification. This implementation specification is applicable in situations in which normal procedures for obtaining ePHI may not be available or may be severely limited, such as during power failures or the loss of Internet connectivity. Access controls are still necessary during an emergency, but may be very different from normal operations. For example, due to the recent COVID-19 public health emergency, many organizations quickly implemented mass telehealth policies. How workforce members can securely access ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures. Appropriate procedures should be established beforehand for how to access needed ePHI during an emergency.
The third implementation specification, Automatic Logoff 45 CFR § 164.312(a)(2)(iii), is an addressable implementation specification. Users sometimes inadvertently leave workstations unattended for various reasons. In an emergency setting, a user may not have time to manually log out of a system. Implementing a mechanism to automatically terminate an electronic session after a period of inactivity reduces the risk of unauthorized access when a user forgets or is unable to terminate their session. Failure to implement automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI, it also impedes an organization’s ability to properly investigate such unauthorized access because it would appear to originate from an authorized user.
The final implementation specification is Encryption and Decryption 45 CFR § 164.312(a)(2)(iv), which is also an addressable implementation specification. This technical safeguard can reduce the risks and costs of unauthorized access to ePHI. For example, if a hacker gains access to unsecured ePHI on a network server or if a device containing unsecured ePHI is stolen, a breach of PHI will be presumed and reportable under the Breach Notification Rule (unless the presumption can be rebutted in accordance with the breach risk assessment. The Breach Notification Rule applies to unsecured PHI which is PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act].” OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, which provides guidance for securing PHI, states that ePHI that is “at-rest” (i.e., stored in an information system or electronic media) is considered secured if it is encrypted in a manner consistent with NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) (SP 800-111).
EPHI encrypted in a manner consistent with SP 800-111 is not considered unsecured PHI and therefore is not subject to the Breach Notification Rule. Encrypting ePHI in this manner is an excellent example of how implementing an effective encryption solution may not only fulfill an organization’s encryption obligation under the Access Control standard, but also provides a means to leverage the Breach Notification Rule’s safe-harbor provision.
As the use of mobile computing devices (e.g., laptops, smartphones, tablets) becomes more and more pervasive, the risks to sensitive data stored on such devices also increases. Many mobile devices include encryption capabilities to protect sensitive data. Once enabled, a device’s encryption solution can protect stored sensitive data, including ePHI, from unauthorized access in the event the device is lost or stolen.
If you need assistance with HIPAA Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
Most practices seek assistance from one or more businesses to help them with certain functions within their organization. Depending on the type of service they provide, they may be considered a “Business Associate” under the HIPAA guidelines.
So, what defines a business associate § 164.308(b)(1)?
Any person or entity that may encounter ePHI/PHI while providing services to the covered entity. For example, a shredding company, billing company, or an IT company. Even if the IT company is not responsible for the data transmission or storage of ePHI, they are still considered a business associate under the definition by the Office for Civil Rights (OCR). This is because they may have access to computers or software to assist the provider when issues arise, or when updates are needed.
Software providers such as EHR/ EMRs, and practice management are also BAs. Custom software providers may also be included if they maintain the system and are required to provide updates. The exception to this would be if a custom software were developed and turned over to the practice for their use and then maintained by the IT vendor. The IT vendor would be the BA.
Clearinghouses are covered entities, and business associates of a covered entity since they facilitate the processing of health information from a nonstandard format into standard format, or from standard format into nonstandard format.
Some practices with multiple partners may use revenue from patients to determine each provider’s share. If they use a third party like a CPA, then the CPA may be considered a BA.
If an attorney is needed to defend the provider/practice against a patient and PHI is disclosed, the attorney is then a BA.
An easy way to remember this is… if PHI/ePHI is disclosed or the possibility of being disclosed during the job function of the vendor, then they are a BA.
A cleaning company is NOT considered a business associate even though they may encounter PHI because their job function does not include the creation, transmitting, or maintaining of ePHI. It is advisable to require the company to sign a confidentiality agreement and require their employees receive HIPAA training, so they understand the HIPAA rules.
When hiring a business associate it is required under HIPAA to ensure your vendor is HIPAA compliant. The first step is to obtain a Business Associate Agreement (BAA), but you must also have reasonable assurances they are in fact HIPAA compliant. You may request their most recent HIPAA training for the employees that will be responsible for working withing your practice, policies on data security, and depending on the services they provide, a copy of their latest risk analysis (first and last page that demonstrates who conducted the analysis and when). You also have the right to ask if they use business associates (subcontractors). The practice must ensure that anyone and everyone that comes in contact with ePHI/PHI understands how to protect this data.
Large medical practices are targeted by hackers since this information is so valuable. Smaller practices are hacked through phishing attacks, unsuspecting employees, business associates, and outdated software/hardware. It is everyone’s responsibility within the practice to ensure all data is secure and to avoid data breaches. I am sure you are thinking that if the government cannot keep data secure, how can you? Large organizations are always a target, and they have the same issues as smaller ones just more area of vulnerabilities for the bad actors to get in.
Stay safe out on the World Wide Web (WWW), we call it, the Wild Wild West. The biggest difference is, during the Wild Wild West days, you could see trouble coming into town and prepare. On the World Wide Web, trouble is invisible until it is too late.
If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
