The OCR and FTC are investigating online tracking technologies

We wrote about this back in December 2022, but the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) has added an additional warning. The OCR has confirmed its active investigations nationwide to ensure compliance with HIPAA. The use of online tracking technologies and HIPAA requirements must be reviewed on all medical websites.

The OCR and the FTC are cautioning providers about the privacy and security risks when utilizing online tracking technologies. These may be integrated into websites or mobile apps. Depending on how they are created and set up, these technologies may be disclosing personal health information to third parties. Tracking technologies collect and analyze information when visitors use websites or apps. Most of the time, this information is shared directly with third parties and even track the visitor when they navigate away from the website or app.

Online tracking technology can be used for good, but patients should not have to sacrifice their personal information in the process. The OCR and FTC sent letters to 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of these technologies, such as the Meta/Facebook pixel and Google Analytics. These are just a couple that are known to track a user’s online activities. These tracking technologies gather identifiable information about visitors, usually without their knowledge.

The minimum necessary rule must be followed even with modern technology. This means only the minimum necessary information can be shared to complete the task, nothing more. The OCR enforces the HIPAA rules and will review all aspects of your compliance if they receive a complaint, or if you have a data breach. 

The FTC’s role in is protecting the public from deceptive or unfair business practices. This includes unfair methods of competition, promotion, research, and education. Through FTC’s recent enforcement actions against BetterHelp, GoodRx, and Premom, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information—even when a third party developed their website or mobile app. When working with a website designer or marketing group, be sure to fully vet them for their HIPAA compliance efforts. Even if they have worked with other medical practices. Being HIPAA compliant is more complicated now with all the modern technology and they must jump through the same hoops as a medical practice. Just because they say it will help you with your practice, doesn’t mean it is acceptable under the HIPAA rules. Trust but verify!

Aris Medical Solutions has an online system called the HIPAA Keeper™, to help covered entities and business associates get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about actual HIPAA fines, click on our Education tab!

Business Associate fined for a data breach UNDER 500 patient records

Most of us are familiar with fines for data breaches of over 500 patient records. This time a business associate was fined $75K for 267 records.

Covered entities are responsibility to vet their business associates. This includes making sure they understand the HIPAA rules. Such as, conducting risk assessments, determining vulnerabilities and how to mitigate them, and maintaining proper HIPAA policies and procedures. While it is unusual to see a fine like this for under 500 records, this says the Office for Civil Rights (OCR) is now setting fines for breaches under 500 patient records. If this business associate had done their due diligence and had tried to be HIPAA compliant, I truly doubt they would have been fined. Compliance can be achieved in 7 Steps with our HIPAA Keeper System!

Do not be afraid to ask who conducted and when their last risk analysis was updated. Ask if you may see a copy of their data security policies. Ask for their HIPAA training certificates or a training list of employees who will be working with your practice.

iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers has paid $75,000 to OCR and has agreed to implement a corrective action plan.

Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:

  • Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
  • Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.

Sound familiar? YES, this is what covered entities are required to do! Business associates and their subcontractors (business associates of business associates) are required under HIPAA to follow the same rules and regulations as covered entities. Making sure you have a business associate agreement (BAA) in place is only the first step!

Let your business associates know Aris Medical Solutions has an online system called the HIPAA Keeper™, to help them get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about other actual fines, click on our Education tab!

HIPAA Requirements for Online Tracking from OCR

The Office for Civil Rights (OCR) has issued a bulletin to remind covered entities and business associates of their obligations under HIPAA when using online tracking technology. These technologies include but are not limited to Google Analytics, Meta Pixel, Cookies, and QR codes.

Cover entities regularly share electronic protected health information (ePHI) with some of these tracking vendors. Some may be doing so in violation of HIPAA. Regulated entities are not permitted to use tracking technologies in a manner that would result in unauthorized disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

Tracking technologies are used to collect and analyze information about how patients interact with websites and/or mobile applications (“apps”). If a covered entity or business associate utilizes a technology partner to analyze interactions or to disclose tracking information as part of their health care operations, the HIPAA rules will apply when the information that is collected contains protected health information (PHI). If your organization collects sensitive information with an online tracking vendor, such sharing may be considered impermissible disclosures. Another example of a HIPAA violation would be disclosures of PHI to a tracking company for marketing purposes without a patient’s authorization.

Tracking technology is a script or code on a website or mobile app that is used to gather information about users as they interact with the website or mobile app. Then it is analyzed by owners of the website or mobile app. Some third parties may also be used to analyze the data to create insights about users’ online activities. These insights could be used in beneficial ways. Such as to help improve care or the patient experience. However, this tracking information could also be misused and cause identity theft, stalking, and harassment.

Disclosures include a variety of information that is shared through tracking technologies on a website or mobile app. Including individually identifiable health information (IIHI) that the individual provides when they use websites or mobile apps. This information could include a patient’s medical record number, home or email address, or dates of services, as well as an individual’s IP address or geographic location, or medical device IDs. All such IIHI collected on a website or mobile app generally is PHI, even if the individual does not have an existing relationship with the entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when an entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the entity and thus relates to the individual’s past, present, or future health or health care or payment for care.

Covered entities and business associates may have user-authenticated webpages, which require a patient to log in before they are able to access the webpage, such as a patient portal or a telehealth platform. Tracking technologies on an entity’s user-authenticated webpages generally have access to PHI. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. A regulated entity must configure any user-authenticated webpages that include tracking technologies to allow technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule. Hence, why it is so important to only work with website companies that are familiar with the HIPAA rules.

Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a covered entity or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules. If a patient makes an appointment through the website of a covered entity and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI to the covered entity. The tracking technology vendor must implement administrative, physical, and technical safeguards in accordance with the Security Rule (encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.

Cover entities may also have webpages that do not require users to log in before the patient can access the information on a webpage, these are considered unauthenticated webpages. This may include general information about the practice or business like their location, services they provide, or their policies and procedures. Tracking technologies on unauthenticated webpages generally do not have access to PHI. Then a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. If tracking technologies on unauthenticated webpages have access to PHI, then the HIPAA Rules apply.

Examples of unauthenticated webpages where the HIPAA Rules apply include:

  • The login page of a patient portal (which may be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages.
  • However, if the individual enters credential information on that login webpage or enters registration information (name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collects an individual’s login information or registration information, that information is PHI and is protected by the HIPAA Rules.
  • Tracking technologies on an unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the covered entity is disclosing PHI to the tracking technology vendor, and therefore, the HIPAA Rules apply.

Mobile apps that help patients manage their health information or pay bills collect a variety of information that is provided by the app user. This includes information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. This information is PHI, and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses. Any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information may also be considered PHI. The HIPAA Rules apply to any PHI collected by a covered entity through a mobile app used by patients to track health-related variables. Such as heartrate monitoring or menstrual cycle, body temperature, etc.

Patients that voluntarily download or enter their information into mobile apps that are not developed or offered by regulated entities, regardless of where the information came from do not have to follow the HIPAA Rules. For example, the HIPAA Rules do not apply to health information that a patient enters in a mobile app offered by an entity that is not regulated by HIPAA (even if the individual obtained that information from their medical record created by a regulated entity). In instances where the HIPAA Rules do not apply to such information, other laws may apply. For instance, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.

Again, covered entities and business associates are required to comply with the HIPAA Rules when using tracking technologies. The HIPAA rules include the HIPAA Privacy, Security, and Breach Notification requirements. Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that the minimum necessary rule is followed.

Websites may advise the use of tracking technology in the website privacy policy or terms of use, but the Privacy Rule does not permit disclosure of PHI to tracking technology vendors based on this notice. Website banners asking patients to accept cookies or other tracking technology does not constitute a HIPAA authorization. If the technology vendor is not a business associate of the covered entity, then a patient authorization is required BEFORE the PHI is disclosed to the vendor. Any disclosure of PHI to the vendor without a patients’ authorization requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure. If a covered entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the entity cannot disclose PHI to the vendors without a patient authorization.

A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty. Therefore, moving forward it will be necessary to ensure your business partners are HIPAA compliant.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://hipaakeeper.com/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Can a Medical Practitioner be sued for a HIPAA Violation or a Data Breach?

With so many data breaches in the news many medical practitioners are asking if they can be sued over HIPAA violations or from a data breach.

HIPAA rules state there is no private right of action, therefore, a patient cannot sue for a HIPAA violation. With that said, it is possible if there were privacy violations under state law, legal action may be taken. All states have their own set of privacy laws that encompasses more than just the healthcare sector. State privacy laws vary from state to state and define what is considered private information. HIPAA and state laws require covered entities to secure protected health information (PHI) with administrative, physical, and technical safeguards. Business associates and subcontractors are required to do the same.

If a patient wants to file a lawsuit, the patient must be able to prove negligence and damage caused harm by the violation or data breach. The Omnibus Rule removed the harm threshold when it came to covered entities reporting data breaches, but a patient has the right to claim harm. On another note, if a patient joins a class action lawsuit, it may make a stronger case. However, many class action lawsuits are filed based on the exposure to future harm. Without evidence of harm this may reduce the case. This can be a costly endeavor and patients should consider this and review what they hope to gain before taking legal action. Keep in mind, this is not a quick lawsuit. In the end, there is no guarantee of any monetary gain for the patient.

Many times, the practice can discuss the issues with the patient and avoid legal action altogether. It is recommended that if a practice has a disgruntled patient, the HIPAA privacy officer should talk to the patient if given the opportunity. Sometimes, an upset patient merely wants to be heard. Depending on the circumstances, the practice may be required to report the incident to the Department of Health and Human Services Office for Civil Rights (OCR).

If a patient feels as though their protected health information has been violated, they do have the right to file a complaint with the OCR. The complaint from the patient must be filed within 180 days of the incident. In some cases, an extension may be permitted. The complaint is reviewed to determine if it is justifiable. If it is, then the OCR will contact the practice and try to resolve the issue in the most suitable manner. This may include technical assistance, a resolution agreement, and/or ongoing compliance documentation. The average investigation timeline for a data breach takes 1½ – 2 years. Of course, for more complex breaches, it may take even longer. The outcome of the investigation will depend on the severity and nature of the violation, if this was a repeated offense, and the number of patients affected. Depending on the documentation of the incident and how it was handled, a practice may be able to avoid a desk audit. Remember, if it’s not documented, it does not exist. The patient may also file a complaint with the State Attorney General. Some complaints are referred to the Department of Justice (DOJ) if the investigation results in criminal violations. I hope this helps you to understand how important it is to keep patient data secure, and the documentation that demonstrates your efforts. If you have any questions on data security, how to handle a patient complaint, or how to handle a security incident, we are here to help.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Cosmetic Practice Fined – No one is immune from HIPAA

April 15, 2021

By Suze Shaffer | Aris Medical Solutions

Recently a cosmetic practice was fined $30,000 to settle potential HIPAA Privacy Rule violations. In the past many practices believed if they did not accept insurance payments (considered as a “transaction” under HIPAA), they were immune from the privacy rule. This may not be the case. There is a section in the rule that states “Other transactions that the Secretary may prescribe by regulation”.  HIPAA compliance is a balancing act, are you willing to lose $30K of your hard-earned money to test the system?

This investigation started with a compliant from a patient that had requested their medical record and did not receive them in a timely manner. Under the HIPAA Privacy Rule, the provider must respond to a patient’s request for access no later than 30 calendar days after the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days if they provide the individual (within the initial 30-day period) with a written statement for the reason of the delay and include a date when the entity will have the information available. See 45 CFR §164.524(b)(2). Unfortunately for this practice, this was not handled in a timely manner. Therefore, an investigation was launched.

Let us review how this happens.

Once a complaint is filed to the Office for Civil Rights (OCR), the OCR will determine if the complaint falls within their duties to investigate. Once an investigation has been opened, the OCR will contact the practice for their documentation surrounding the incident. Depending on the documentation that is submitted will determine if a desk audit is warranted. Therefore, documentation is SO important, you may be able to avoid a desk audit if you supply the appropriate documents.

During a desk audit more than likely, you will be asked for documentation of what preventative measures you had in place before the incident and what you have implemented to prevent this from happening again. While you are being investigated the OCR may also review your compliance in other areas. If they find discrepancies, you could be fined for those as well. HIPAA encompasses a large range of requirements. Patient privacy, patient rights, and data security to name a few. I will not go into detail during this notification since we are sharing the security rule requirements in other messages.

Each resolution agreement that is issued by the HHS/OCR outlines the deficiencies they uncover. Most of them include the lack of a risk analysis, risk management, training, business associate agreements, and policies and procedures. During this investigation, other violations were uncovered and included the social security act was named in the resolution agreement: Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) a.

From this, I hope you can understand the importance of HIPAA compliance. Because one simple oversight can cause this much heartache. Patient privacy, patient rights, and data security is as important as caring for your patients. We have just learned that any entity that has patient data can be investigated and fined for violations under HIPAA.

Tell your friends and colleagues to ensure everyone understands no one is immune from HIPAA if you have patient data. Fines are fierce and not worth taking a chance by thinking “it won’t happen to me”.

If you need assistance with HIPAA Training, Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form. 

 

“Simplifying HIPAA through Partnership, Education, and Support” 

Responsibilities of a HIPAA Compliance Officer

While the nation was shut down and people were suffering, hackers were busy at work. It is coming to light how many organizations have had a data breach and have been hit with ransomware.

Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime in 2020 has surpassed 2019 and we still have a few months to go. The problem is the hackers have become very sophisticated in their attacks. Whereas it used to be easy to spot a fake email, that is no longer the case. Between email and text efforts, they are gaining access to our information and we are the ones permitting it. Also, user credentials are compromised and used to gain access to your network or to send false emails to gather personal information. These scams typically involve a criminal that has hacked a legitimate email address. For example, a person would receive a message that appears to be from someone within their organization or a business associate with which that person knows. The message will request a payment, wire transfer, gift card purchase, or even a list of employees with social security numbers that seems legitimate. The compliance officer should be notified, and the transaction verified BEFORE it is completed. Every office needs to have a verification process in place before releasing ANY data.

We have said this before… if a stranger walked up to you and asked you to verify your identity would you give them any information? Of course not, but that is exactly what we are doing when we receive an email or text message from someone or somewhere, we trust. Trust, but verify.

With more and more people working remotely, that brings us to another vulnerability. Covered entities that utilize the services of business associates are required by HIPAA to ensure the business associate is in fact HIPAA compliant. The starting point is to ensure you have a business associate agreement in place with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements to ensure they are protecting your patient data. If a covered entity does not have a BA agreement in place and the vendor causes a data breach, the covered entity will more than likely receive the fine. With a BA agreement in place, it is still typical the covered entity bears the financial burden of the breach but may not receive the fines. That is why a BA agreement should include an indemnification and requiring the business associate to carry cyber liability insurance. Recently, a business associate was fined $2.3 million for a data breach that was caused by a hacking incident. If the covered entities did not have BA agreements in place, they could have been the ones who received this hefty penalty. Also, recently an orthopedic clinic was fined $1.5 million after a journalist notified them that a database of their patient information was posted for sale online. For this reason, we recommend covered entities should carry their own policies as well. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino. Many electronic and portable devices are used to process and store PHI. Anyone with access to such devices could potentially have the ability to change configurations, install malicious programs, change information, or access information that are not authorized to. Any of these actions has the potential to affect the integrity of patient information. HIPAA requires covered entities and their business associates to implement and follow policies and procedures to limit access to only those who are authorized.

Risk management should be at the top of everyone’s list. Preventing data breaches and securing patient data is everyone’s responsibility, but the OCR requires someone to be the point person, hence the HIPAA Security or Compliance Officer title. This responsibility is so much more than just a title. HIPAA Compliance Officers responsibilities include creating, maintaining, and enforcing compliance. This includes the staff, management, and even the medical providers.  I hear too often that the compliance officer gets push back from the doctors or owners. This is so unfortunate since they are only trying to do their job that is required under state and federal law. They are the frontline defense in keeping your practice alive and well. The owners of the practice may suffer the financial loss, but sometimes everyone does if the practice closes. Let’s all work together to keep patient data safe and secure.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Telemedicine on the other side of the Pandemic

By Suze Shaffer

July 15, 2020

The Office for Civil Rights (OCR) back in March relaxed it’s enforcement for non-compliance with regards to telemedicine. They permitted the use of audio/video communication applications such as Facetime, Google hangouts, Zoom, and Skype without risk that a provider could be issued a penalty for non-compliance. Providers were encouraged to inform their patients of potential privacy risks and do their best to engage encryption and whatever means they had available to secure the data.

Even though some states are experiencing a surge in more COVID cases, medical providers are expected to seek HIPAA qualified products and obtain a business associate agreement. Telehealth providers should now have an agreement ready that will include state law provisions and data security information. Medical providers should read this agreement carefully to ensure the data security is outlined and meets their state law breach notification guidelines. Ideally, it would be best for the vendor to sign YOUR business associate agreement if you have one that has outlined security requirements.

If a medical provider does not obtain a signed business associate from a vendor, the medical provider should terminate using the vendor. Just because a vendor doesn’t sign a BAA it does NOT release them from liability. It just means the liability falls on the medical provider for not obtaining the signed document. Furthermore, the medical provider may receive fines for non-compliance should the business associate suffer a data breach or security incident. These documents are extremely important!

Many thanks to all our healthcare workers for staying strong throughout these trying times.

If you would like more information or need a business associate agreement, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cell phone use in the workplace causing distrust

By Suze Shaffer

March 15, 2020

We all have been annoyed at one time or another when we arrive at a counter or a place of business and the person is on their cell phone and we are ignored. Of course, that is not very good customer service. When you work in healthcare, it goes to an all new level. HIPAA doesn’t restrict the use of cell phones, except how they are secured and protected. However, this is not what we are discussing here today.

We are hearing about complaints from patients accusing employees of taking pictures of their information. This particular situation the employee was accused of taking pictures of the computer screen and the patient told the doctor. This afforded the doctor the opportunity to address the situation and avoid a formal complaint to the Office for Civil Rights (OCR). We recommend employees leaving their cell phones out of sight of patients unless the phone is used for business purposes within the practice. Some organizations are even adding cell phone lockers. I can remember before we had cell phones, we actually gave out our work number to anyone who needed to get in contact with us! Now you know how old I really am! Joking aside, this is a very serious matter that could cause the OCR to open an investigation. Keep in mind, when you are being investigated by the OCR, they do not “just” investigate “that” situation. They look at your overall compliance plan. Where are your policies? What were your procedures before, during, and after the occurrence. What have you done to prevent the same situation from happening again? Plus, many more items they take into consideration when conducting an investigation.

The next area of concern with cell phones are with patients. We have long been a proponent of using privacy screens on computers. Now, even if the screen is across the room, we are pushing our clients to add the screens. Patients now have their phones out while making new appointments, they could potentially take pictures of computer screens across the room and enlarge them. Some of you may be thinking that we worry too much and all this security is driving you crazy. It only takes ONE mistake or ONE complaint to turn your life into a rollercoaster. Prevention is the best medicine!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Heavy fines demonstrate the importance of a network security audit…

 

When we discuss IT security, we generally think of a company that maintains our computer network. That is partially true, but that is just the beginning. There is a difference between maintaining your network and securing it. There are a lot of companies that are eager to maintain your network because you pay them a monthly fee to do so. Maintaining a network is making sure updates are done, anti-virus / anti-malware are current, upgrading any technology that is outdated or about to be unsupported. A network security company tests to see if there are any open vulnerabilities that could affect or infect your network. There is a huge difference between the two.
For example, a misconfigured settings of a Windows operating system permitted access to files containing PHI without requiring a username or password. Then two years later a second breach occurred when a server was misconfigured following an IT’s response to troubleshooting an issue, this time it exposed patient information over the internet. These two breaches cost Cottage Health a $3M fine. The Office for Civil Rights (OCR) investigation found that they had not conducted an accurate and thorough assessment and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level based on the size of their organization. Even though they had an IT company maintaining their ePHI system, they failed to obtain a signed business associate agreement.

Cottage Health fined $3M

Another breach that happened in 2014 has just been settled by the OCR. Touchstone Medical Imaging has been ordered to also pay $3M. The OCR and the FBI informed Touchstone in 2014 that one it’s FTP servers allowed uncontrolled access to ePHI. The uncontrolled access permitted search engines to index the patients personal information, which remained visible after the server was taken offline.

Touchtone Medical Imaging fined $3M

The lesson here is, what you do today can affect your business in the years to come. Make sure you are doing what is reasonable and appropriate to safeguard your patient information. One more keep point, these are just the federal fines. All 50 states now have their own set of privacy laws to protect personal identifiable information that doesn’t have anything to do with health information. Since we work in healthcare, we must adhere to state and federal privacy laws. No longer can you ignore the elephant (HIPAA) in the room, HIPAA is here to stay and you need to choose wisely who you work with to secure your data.

If you haven’t conducted an audit this year, now is a good time to schedule one to ensure your data is secure. If you would like more information on network security audits, contact us at 877.659.2467 or complete the contact us form.

2019 HIPAA Updates

 

As we start this new year we must reflect what we have learned from 2018 in order to make 2019 a success.

The Office for Civil Rights (OCR) has gained momentum in enforcing HIPAA violations. With that said HIPAA is an ongoing process and once is not enough. It is not considered done unless it is documented. At the annual conference this past year, the OCR admitted they are adamant on ensuring your patient’s information is protected. Therefore, you must document your compliance. If you say you did something, they will ask for your documentation. If you do not have documentation, you will be fined.

Companies located in United States are now required to adhere to the General Data Protection Regulation (GDPR) if they market goods and services to citizens of the European Union (EU). You must ensure the security of the data as well as inform visitors to your website how you intend to use their data. This must be clearly written in your privacy notice on website. This is not to be confused with your Notice of Privacy Practices that you give to your patients. If you plan on marketing to visitors from your website, you must offer them a free opt-out option. We could go on in more detail on this subject, but since many medical clinics do not market to international patients, you may contact us for more information.

Here are a few things to review and update as necessary:

  1. Risk analysis and risk management plan, this is your documentation to demonstrate what risks you have (had) and how you have mitigated them or plan to mitigate them.
  2. Replacing or updating any outdated technology, hardware and software require updates from time to time. You can be fined for utilizing outdated hardware/software that is no longer supported by the manufacturer.
  3. Adding a second authentication process for access to ePHI as well as for online personal accounts.
  4. HIPAA training, ensuring your employees understand how to protect your data is also part of this training.
  5. Making sure you have all of the necessary privacy and security policies, procedures, and forms in place. This means reading and dating them to demonstrate they were actually implemented.
  6. Retaining your documentation for the required time limit, including correspondence with patients that are considered to be part of their medical record.
  7. Reviewing your website, determining if your site collects any data and how it is transmitted and stored.

If you see something in your workplace that looks suspicious, tell your HIPAA Compliance Officer, you could be the one to prevent a data breach or stop a data breach from becoming a major breach (over 500 patient records). Keeping data secure is everyone’s business. Being mindful of our surroundings and educating others helps all of us in this crazy world we live in now!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

 

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC