Cosmetic Practice Fined – No one is immune from HIPAA

April 15, 2021

By Suze Shaffer | Aris Medical Solutions

Recently a cosmetic practice was fined $30,000 to settle potential HIPAA Privacy Rule violations. In the past many practices believed if they did not accept insurance payments (considered as a “transaction” under HIPAA), they were immune from the privacy rule. This may not be the case. There is a section in the rule that states “Other transactions that the Secretary may prescribe by regulation”.  HIPAA compliance is a balancing act, are you willing to lose $30K of your hard-earned money to test the system?

This investigation started with a compliant from a patient that had requested their medical record and did not receive them in a timely manner. Under the HIPAA Privacy Rule, the provider must respond to a patient’s request for access no later than 30 calendar days after the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days if they provide the individual (within the initial 30-day period) with a written statement for the reason of the delay and include a date when the entity will have the information available. See 45 CFR §164.524(b)(2). Unfortunately for this practice, this was not handled in a timely manner. Therefore, an investigation was launched.

Let us review how this happens.

Once a complaint is filed to the Office for Civil Rights (OCR), the OCR will determine if the complaint falls within their duties to investigate. Once an investigation has been opened, the OCR will contact the practice for their documentation surrounding the incident. Depending on the documentation that is submitted will determine if a desk audit is warranted. Therefore, documentation is SO important, you may be able to avoid a desk audit if you supply the appropriate documents.

During a desk audit more than likely, you will be asked for documentation of what preventative measures you had in place before the incident and what you have implemented to prevent this from happening again. While you are being investigated the OCR may also review your compliance in other areas. If they find discrepancies, you could be fined for those as well. HIPAA encompasses a large range of requirements. Patient privacy, patient rights, and data security to name a few. I will not go into detail during this notification since we are sharing the security rule requirements in other messages.

Each resolution agreement that is issued by the HHS/OCR outlines the deficiencies they uncover. Most of them include the lack of a risk analysis, risk management, training, business associate agreements, and policies and procedures. During this investigation, other violations were uncovered and included the social security act was named in the resolution agreement: Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) a.

From this, I hope you can understand the importance of HIPAA compliance. Because one simple oversight can cause this much heartache. Patient privacy, patient rights, and data security is as important as caring for your patients. We have just learned that any entity that has patient data can be investigated and fined for violations under HIPAA.

Tell your friends and colleagues to ensure everyone understands no one is immune from HIPAA if you have patient data. Fines are fierce and not worth taking a chance by thinking “it won’t happen to me”.

If you need assistance with HIPAA Training, Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form. 

 

“Simplifying HIPAA through Partnership, Education, and Support” 

HIPAA Security Rule requirements, Part 2 – Security Awareness and Security Incident Procedures

What the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) considers as reasonable and appropriate safeguards are always open for discretion. Every organization is different, and what may work for one, may not for another. For that reason, this information is a guideline only and should not be taken as legal advice.

Here are a few areas that should be reviewed:

§ 164.308(a)(5)(i) Security Awareness and Training has (4) implementation standards. They are labeled as “Addressable” under the HIPAA Security Rule. Do not be fooled by the term addressable, that does not mean optional. It just means you have options in implementing the standards.

The Security Awareness and Training standard means that a covered entity must implement a security training program for all employees including management. The frequency in which the training is performed is typically questionable and HIPAA requires new hires must be trained within a reasonable amount of time. We recommend HIPAA training BEFORE any person has access to PHI or ePHI since one mistake can cause a data breach. Then, HIPAA requires “periodic” training. Most organizations conduct annual HIPAA training. Although HHS does not specifically state you must conduct annual training, should you suffer a data breach and it is caused by an employee that did not have proper training, you could be fined for that violation. That is why it is so important to ensure your employees not only attend (and have documentation) HIPAA training, but must also actually understand what is required of them and how to safeguard patient data.

§ 164.308(a)(5)(ii)(A) Security Reminders – HIPAA is not just a once-a-year process. Periodic security reminder updates should be conducted throughout the year to keep HIPAA and data security in the minds of your staff. This should be documented as well.

§ 164.308(a)(5)(ii)(B) Protection from Malicious Code – Procedures must be in place to guard against, detect, and report viruses and malware. Up to date anti-virus and anti-malware software can ward off most intrusions. That is, as long your staff does not click on attachments or visit certain website where malicious code is located. Education is key. Ensuring software patches are applied when released, scanning systems on a routine basis, and utilizing firewalls are also very important. Making sure users do not introduce malicious code from downloads, DVDs, flash-drives, or other products brought from home.

§ 164.308(a)(5)(ii)(C) Log-in Monitoring – Procedures for monitoring log-in activity and reporting discrepancies. This standard states you must monitor user logins and unsuccessful attempts. Best practices are to have procedures to lock a user out after a predetermined number of failed log-in attempts. This may prevent an unauthorized user from gaining access to your system. With malware that repeatedly tries new passwords, this is highly recommended.

§ 164.308(a)(5)(ii)(D) Password Management – Procedures for creating, changing, and safeguarding passwords. All users must use their own credentials to log into systems that contain ePHI. Passwords are to be complex, never shared, secure, and changed at least every 90 days. Although HIPAA does not specifically state the 90-day rule, it is best practices unless you are utilizing a second method of authentication.

§ 164.308(a)(6)(i) Security Incident Procedures has (1) implementation standard, and this is “Required”. This means you MUST implement the standard as stated. You must have policies and procedures in place that identify security incidents, so employees understand what a security incident is, and how to respond.

§ 164.308(a)(6)(ii) Response and Reporting requires a covered entity to have policies and procedures in place to report and mitigate security incidents and determine if a data breach occurred. Then, if a data breach has occurred, the covered entity must determine how many patient records were affected. The time frame to report the breach to OCR and possibly state and local agencies differs on whether the breach is over 500 patient records or not. This should be clearly outlined in your Breach Notification Plan. During the breach notification process, state law will supersede the federal HIPAA law if the state law is more stringent. Keep in mind, all 50 states have their set of privacy laws.

We will be adding more information on other Security Standards, so watch for more posts!

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

HIPAA Security Rule requirements, Part I

It is hard to believe we are in 2021, but I am sure you are like the rest of us and glad to see 2020 in the rear-view mirror.

As we move into this new year, we need to look ahead and learn from what has happened in the past. Last month we informed you about many HIPAA violations that the Office for Civil Rights (OCR) had investigated. Most of these violations could have been prevented. In fact, I was talking with a colleague that owns an audit log monitoring system and he informed me that during the pandemic they saw a 90% increase in snooping into patient records of the same last name. Fortunately for his clients, this was immediately stopped, and the employee(s) were sanctioned. This made me want to remind you of a few requirements under HIPAA.

 

  • 164.308(a)(1)(ii)(c) Sanction Policy – is a “required” standard under the HIPAA Security Rule. Employers are required by law to apply sanctions against employees who violate HIPAA, otherwise the employer could be fined.

 

  • 164.308(a)(1)(ii)(d) Information System Activity Review – is another required standard. Which requires procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. A security incident can be best described as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

 

  • 164.312(b) Audit Controls – is yet another required standard that states you must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). This standard goes hand in hand with Information System Activity Review.

 

What does this mean to you?

First, you must understand what is considered “normal” usage within your software/hardware that contains ePHI. Then you must monitor your systems for abnormal behavior. This is a HUGE time-consuming task and unless you are monitoring every employee, 24/7 you may miss something. We highly recommend utilizing a third party to do this for you. The company we work with has interfaces with over 60 EHRs and is fully automated. If they do not have an interface, they will create one, or show you how to upload the logs in a matter of minutes instead of hours. No more looking over lengthy audit log reports. You simply receive an alert when there is abnormal activity. Best of all, this protects your patient data and your practice from fines and penalties. If you would like to learn more about this service, use the contact us page.

 

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

OCR Issues Audit Report on Health Care Compliance

Yesterday, the Office for Civil Rights (OCR) at the Department of Health and Human Services (DHHS) released its 2016-2017 HIPAA Audits Report. Although this seems outdated, it typically takes this long to compile the data.  They reviewed selected covered entities (CE) and business associates (BA) for HIPAA compliance of the HIPAA Privacy, Security, and Breach Notification Rules.

DHHS is required by law under the HITECH Act to conduct periodic audits. The chances of a random audit are slim, but they do happen, and you must be prepared. Don’t be fooled by a slim chance of a random audit, you can be audited for many other reasons! This audit comprised of 166 covered entities and 41 business associates. The OCR publishes this report to share the overall findings.

A summary of the audit findings includes:

  • Most CEs met the timeliness requirements for providing breach notification to individuals.
  • Most CEs that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
  • Most CEs failed to provide all of the required content for a Notice of Privacy Practices.
  • Most CEs failed to provide all of the required content for breach notification to individuals.
  • Most CEs failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee.
  • Most CEs and BAs failed to implement the HIPAA Security Rule requirements for risk analysis and risk management. 

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

The 2016-2017 HIPAA Audits Industry Report may be found at:  https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

Looking back at 2020 and HIPAA Compliance Violations

During this pandemic, the Office for Civil Rights (OCR) relaxed some of the requirements for Telehealth. This has since been retracted. Make sure the service you are using is in fact HIPAA compliant and you have a business associate agreement (BAA) in place. We also encourage you and all your business associates (BA) to carry cyber liability insurance. Data breaches and mishaps are part of our everyday life it seems. Although your medical malpractice insurance may offer a token amount of coverage, it is probably not enough. Keep in mind, if you cannot determine WHICH patient’s data has been breached, you must notify all your patients. This is where is can be very costly. When selecting an agent, make sure they are well versed in this type of insurance, as we have seen some policies are not worth the paper they are written on. Read the exclusions!

Below are some HIPAA violation highlights from 2020. This is not meant to scare you, but to remind you of how important adhering to HIPAA really is. The Office for Civil Rights (OCR) enforcement actions are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA Rules.

The OCR investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.

“The health care industry is a known target for hackers and cyberthieves.  The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino.

The OCR investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

The OCR investigation revealed that a former employee returned eight days after being terminated, logged into her old computer with her still-active user name and password. Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI after the employee was terminated. The investigation determined that the entity failed to conduct an enterprise-wide risk analysis, and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

The OCR investigation revealed that in addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

The OCR has settled twelve investigations for HIPAA Right of Access denials. This is not to be confused with a medical summary at the end of a patient encounter. A patient’s request for a copy of their medical record (their designated record set) either by them or from a third party must be handled in a timely manner.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.  OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.

“No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.

“The OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said Roger Severino, OCR Director.

The OCR investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so.  OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

A breach report regarding the impermissible disclosure of protected health information to an unknown email account. The breach affected 1,263 patients.  OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule.  Specifically, they failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.

“Health care providers owe it to their patients to comply with the HIPAA Rules.  When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the risks to the ePHI it maintains. Identifying, assessing, and managing risk can be difficult, especially in organizations that have a large, complex technology footprint. Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization. As technology changes, risk assessments must be updated and reflected in a risk management plan. Reviewing policies and procedures may also need to be updated depending on the type of changes in technology. As we get ready to close out 2020, set your schedule to review your updates and planned upgrades for 2021.

To read about enforcement and the resolution agreements, click on the link below:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

Telemedicine on the other side of the Pandemic

By Suze Shaffer

July 15, 2020

The Office for Civil Rights (OCR) back in March relaxed it’s enforcement for non-compliance with regards to telemedicine. They permitted the use of audio/video communication applications such as Facetime, Google hangouts, Zoom, and Skype without risk that a provider could be issued a penalty for non-compliance. Providers were encouraged to inform their patients of potential privacy risks and do their best to engage encryption and whatever means they had available to secure the data.

Even though some states are experiencing a surge in more COVID cases, medical providers are expected to seek HIPAA qualified products and obtain a business associate agreement. Telehealth providers should now have an agreement ready that will include state law provisions and data security information. Medical providers should read this agreement carefully to ensure the data security is outlined and meets their state law breach notification guidelines. Ideally, it would be best for the vendor to sign YOUR business associate agreement if you have one that has outlined security requirements.

If a medical provider does not obtain a signed business associate from a vendor, the medical provider should terminate using the vendor. Just because a vendor doesn’t sign a BAA it does NOT release them from liability. It just means the liability falls on the medical provider for not obtaining the signed document. Furthermore, the medical provider may receive fines for non-compliance should the business associate suffer a data breach or security incident. These documents are extremely important!

Many thanks to all our healthcare workers for staying strong throughout these trying times.

If you would like more information or need a business associate agreement, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cell phone use in the workplace causing distrust

By Suze Shaffer

March 15, 2020

We all have been annoyed at one time or another when we arrive at a counter or a place of business and the person is on their cell phone and we are ignored. Of course, that is not very good customer service. When you work in healthcare, it goes to an all new level. HIPAA doesn’t restrict the use of cell phones, except how they are secured and protected. However, this is not what we are discussing here today.

We are hearing about complaints from patients accusing employees of taking pictures of their information. This particular situation the employee was accused of taking pictures of the computer screen and the patient told the doctor. This afforded the doctor the opportunity to address the situation and avoid a formal complaint to the Office for Civil Rights (OCR). We recommend employees leaving their cell phones out of sight of patients unless the phone is used for business purposes within the practice. Some organizations are even adding cell phone lockers. I can remember before we had cell phones, we actually gave out our work number to anyone who needed to get in contact with us! Now you know how old I really am! Joking aside, this is a very serious matter that could cause the OCR to open an investigation. Keep in mind, when you are being investigated by the OCR, they do not “just” investigate “that” situation. They look at your overall compliance plan. Where are your policies? What were your procedures before, during, and after the occurrence. What have you done to prevent the same situation from happening again? Plus, many more items they take into consideration when conducting an investigation.

The next area of concern with cell phones are with patients. We have long been a proponent of using privacy screens on computers. Now, even if the screen is across the room, we are pushing our clients to add the screens. Patients now have their phones out while making new appointments, they could potentially take pictures of computer screens across the room and enlarge them. Some of you may be thinking that we worry too much and all this security is driving you crazy. It only takes ONE mistake or ONE complaint to turn your life into a rollercoaster. Prevention is the best medicine!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Heavy fines demonstrate the importance of a network security audit…

data locked

When we discuss IT security, we generally think of a company that maintains our computer network. That is partially true, but that is just the beginning. There is a difference between maintaining your network and securing it. There are a lot of companies that are eager to maintain your network because you pay them a monthly fee to do so. Maintaining a network is making sure updates are done, anti-virus / anti-malware are current, upgrading any technology that is outdated or about to be unsupported. A network security company tests to see if there are any open vulnerabilities that could affect or infect your network. There is a huge difference between the two.
For example, a misconfigured settings of a Windows operating system permitted access to files containing PHI without requiring a username or password. Then two years later a second breach occurred when a server was misconfigured following an IT’s response to troubleshooting an issue, this time it exposed patient information over the internet. These two breaches cost Cottage Health a $3M fine. The Office for Civil Rights (OCR) investigation found that they had not conducted an accurate and thorough assessment and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level based on the size of their organization. Even though they had an IT company maintaining their ePHI system, they failed to obtain a signed business associate agreement.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cottage/index.html
Another breach that happened in 2014 has just been settled by the OCR. Touchstone Medical Imaging has been ordered to also pay $3M. The OCR and the FBI informed Touchstone in 2014 that one it’s FTP servers allowed uncontrolled access to ePHI. The uncontrolled access permitted search engines to index the patients personal information, which remained visible after the server was taken offline.
https://www.hhs.gov/about/news/2019/05/06/tennessee-diagnostic-medical-imaging-services-company-pays-3000000-settle-breach.html
The lesson here is, what you do today can affect your business in the years to come. Make sure you are doing what is reasonable and appropriate to safeguard your patient information. One more keep point, these are just the federal fines. All 50 states now have their own set of privacy laws to protect personal identifiable information that doesn’t have anything to do with health information. Since we work in healthcare, we must adhere to state and federal privacy laws. No longer can you ignore the elephant (HIPAA) in the room, HIPAA is here to stay and you need to choose wisely who you work with to secure your data.

If you haven’t conducted an audit this year, now is a good time to schedule one to ensure your data is secure. If you would like more information on network security audits, contact us at 877.659.2467 or complete the contact us form.

Spoofing, Phishing, and how to avoid getting caught in the middle

 

By Aris Medical Solutions

cyber criminal

After attending the Office for Civil Rights (OCR) annual webcast, many things were confirmed that we thought may have been rumors. First of all, medical offices are targets of hacking because you hold everything needed for identity theft.

What is identity theft? Most people think of it as their credit card being stolen, or even their tax returns. True, that is identity theft but there is also another component that is not often talked about. That is, assuming someone else’s identity for health care purposes. Imagine someone assumes your identity and has a surgery and “corrects” your medical record and changes your blood type.Then, you are involved in a car accident and receive a blood transfusion but it’s the WRONG blood. Yes, this can happen. We are not sure how often, but with the rise of medical records being stolen we could see this happen more often. Knowing where your data is located and how it is stored is a starting point in protecting this valuable information. Conducting a risk analysis and having an ongoing risk management is mandatory under HIPAA. During this process you will uncover potential vulnerabilities. Once you mitigate these risks, you may be able to avoid a data breach.

Protecting yourself and your organization is one in the same. Practice these safety tips at work and at home:

  • Make sure your operating system updates are current as well as your anti-virus and anti-malware.
  • Scan for viruses and malware after every update.
  • If you use personal devices to access ePHI or work files, be sure to use enterprise versions of anti-virus and anti-malware. Free versions typically are not robust enough.
  • NEVER use free Wi-Fi even if you are not accessing any patient information. You could pick up malware from someone that has spoofed the Wi-Fi network that you thought you were logging into.
  • NEVER click on links within emails that claim to be urgent or a free offer of some type. Typical phishing expeditions start in this manner. After you click, they ask for certain information they are lacking about you or they may ask for everything! Sometimes, this is merely a tactic to get you to go to a certain website and place malware on your computer and you never even know it.
  • NEVER click on a link within an email asking you to verify your identity. You wouldn’t show a stranger on the street your driver’s license just because they asked to see it, then why would you “verify” your identity with someone invisible in your email? Again, this is how spear phishing starts.
  • NEVER click on an attachment within an email unless you are expecting it, even if you know the person that sent it. Their email could have been hacked and you are being spoofed into thinking it is from them. This includes messages from FedEx, UPS, and the IRS. Best practices is to open your web browser and go to their website and sign in.
  • NEVER click on links in text messages unless you are expecting one, such as you just signed up for text messages from a service provider. Bank customers are being spoofed into clicking on links in text messages and taking you to what looks like your bank. Guess what… it’s NOT your bank but looks like it!

I have said this before… the World Wide Web (WWW) is the new Wild Wild West. The only difference is, in the old wild wild west you could see danger coming on the horizon and prepare. The World Wide Web, the dangers are there, but they are invisible.

Be safe out there!

If you would like to schedule a HIPAA training course customized to your facility, or if you need to update any of your HIPAA security needs call 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cost of cyber attacks on healthcare are steadily rising

 

By Aris Medical Solutions

HIPAA medical hacker

Why are so many medical offices being attacked? Simple, this is a one stop shop for everything needed for identity theft and many medical practices do not have appropriate safeguards in place. Business associates have even been the target or the entry point. HIPAA requires certain security safeguards to be in place to ensure the safety and security of Protected Health Information (PHI).

There have been 188 data breaches of 500 or more patient records in the first 6 months of this year, and in April alone there were 42. Thirteen of the 188 have already been resolved. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
These breaches include small medical practices, business associates, and hospitals. Small and large. Paper and electronic. No one is immune. Many organizations think they are too small to get hit, but the fact is the most common problem is untrained staff that unknowingly cause this to happen. Education is the key to avoiding this catastrophe from destroying your reputation. Of course you still need to certain technical safeguards in place, but even then it only takes one click of a mouse to bring your network down.

Here are some areas to consider:

  1. How would you process a data breach?
  2. How would you handle the reputation management of the breach?
  3. How would you pay for the cost of breach and the investigations?

Having a breach notification plan in place before a breach occurs is critical to reducing the damage. You must have processing in place to shut the system down, continue manually, and report to the appropriate authorities.

Consider the lack of trust from your patients since their information was compromised from your office. No matter if it was your fault or that of a business associate this could have a negative impact on your patient database.

Breaches are costly on many fronts, the first being the cost of the notification of the patients, investigations, downtime, and the mitigation of the source of the breach. In 2013 the Ponemon Institute reported that a data breach cost $233 per medical record, now in the 2018 the report states a healthcare breach can cost on average $408 per medical record.
https://www.ibm.com/security/data-breach

Keep in mind if you do not know which records were breached then everyone must be included in the notification process. What could turn out to be the most costly is the fines and penalties associated with the breach. Depending on how and when you processed the breach is one determining factor. Also once the investigation is complete, if it is discovered this was an ongoing problem and was not mitigated, then you could be found in willful and wanton neglect. This is NOT a place you want to find yourself! The Office for Civil Rights (OCR) can also fine you for not conducting a thorough enough risk analysis thus leaving vulnerabilities untouched. How well do you trust your efforts in securing your data? Have you conducted a risk assessment to determine if what you have in place is sufficient?

How can Aris help?

  • First of all we conduct a thorough risk analysis that uncovers vulnerabilities and create a risk management plan so that you can mitigate those risks.
  • Since written documentation is also part of HIPAA compliance, we provide the necessary privacy and security policies, procedures, and documentation needed for state and federal regulatory requirements.
  • We also offer HIPAA training that includes privacy and security and any custom requests.
  • If you are one of the many organizations that simply do not have the time to implement your HIPAA program, we can do that for you as well. Month to month, no long term contracts!

If you would like a free HIPAA checkup call 877.659.2467 or complete the contact us form.

“Simplifying HIPAA  through Partnership, Education, and Support”

©2021 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC