Preventing a Data Breach

Preventing a data breach can feel like a daunting task. However, a well-educated staff is your first line of defense. Although nothing is failsafe, there are many things you can do within your practice to prevent a data breach. We covered this last year, but I thought it might be time for a reminder with the latest breach from Change Healthcare.

Hacking/IT incidents remain the largest category, comprising 77% of the reported breaches. Network servers continued as the largest category by location for breaches involving 500 or more individuals, at 58% of reported large breaches.

If you would like to review the list of breaches, click here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Many of these start with an unsuspecting employee who clicks on a link or shares information before it has been verified. Most attacks begin with a phishing email, a text message, or a visit to a compromised website. Once this occurs, you are often infected with a virus, malware, or ransomware. When this happens your systems may be locked up and you lose access to them, which is effectively a denial of service against your own practice. Let’s review how to prevent a data breach:

Emails:

What might a fake email look like? At first glance it will look “real”, until you take a closer look. Start with the “from” address; this is the most common place to begin. The message will use a name you are familiar with, but the domain after the @ will not be the one you expect. The part that matters is the registrable domain, the last two labels of the domain name, because whoever owns that controls everything under it. An address such as sally@email.bankofamerica.com is still under bankofamerica.com; the trick is when the familiar name appears somewhere in the address but the registrable domain belongs to someone else. So, look for anything that is “slightly” different, and remember that the “from” field itself can be forged, so a familiar address is necessary but not proof. Then, if they want you to click on a link, hover over the link to see whether it really goes where the text claims. I received an email from my “bank” asking me to “Finish the Do-To-List”. I knew I hadn’t started any such list, and I hovered over the link. It went to a completely different website. I reviewed the message details and looked up the IP address; it was from Spain. My bank is not in Spain! If you would like to learn more about reading your message details, reply to this email.

Text Messages:

Text messages are much the same. Look at the top of the message and review who it is from. Most of these will come from a phone number or an email address that does not belong to the actual company. NEVER click on a link or call the number in the message. If you receive a message about a purchase stating that you must click to decline it, DON’T! Call your bank or credit card company at the number printed on your card to verify. You must be very diligent with these messages; the sender will try to look like your bank or card company by working its name into the address, for example stop@fraud.bankofamerica.com. Because the sender field can be forged, a familiar-looking address proves nothing by itself.
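The two checks above, the registrable domain of the “from” address and whether a link’s visible text matches where it actually points, can be automated. The following is an added example written for this page; it is not code from the original post or from any vendor product. The allow list (TRUSTED_DOMAINS), the two sample messages, the short list of two-level suffixes and the helper names are all assumptions made for illustration; a real deployment would use the Public Suffix List and would also read the message’s SPF/DKIM/DMARC results, since the “from” header itself can be forged.

```python
"""Added example (not from the original post): flag lookalike sender domains and
links whose displayed text points somewhere other than their real target."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow list: the registrable domains you actually expect mail from.
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Simplification: the registrable domain is the last two labels, except for a few
# two-level public suffixes. Production code should use the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Link text that itself looks like a URL or host name, e.g. "www.bank.com/login".
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_is_trusted(from_header):
    """True only if the domain after the @ is a trusted registrable domain.
    A True result is necessary, not sufficient: the From header can be forged."""
    _, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return False
    return registrable_domain(addr.rsplit("@", 1)[1]) in TRUSTED_DOMAINS


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """The 'hover over the link' check: flag links whose shown domain differs from
    the real target, and links whose target is not a trusted domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = LOOKS_LIKE_URL.match(text)
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append((href, text, "display text and target differ"))
        elif target not in TRUSTED_DOMAINS:
            findings.append((href, text, "target domain not trusted"))
    return findings


def triage(raw_message):
    """Parse one RFC 822 message and report on its sender and links."""
    msg = message_from_string(raw_message)
    payload = msg.get_payload(decode=True) or b""
    return {"sender_trusted": sender_is_trusted(msg["From"]),
            "links": suspicious_links(payload.decode("utf-8", "replace"))}


# Constructed sample messages for illustration (not real mail).
LEGIT = """From: Bank of America Alerts <alerts@bankofamerica.com>
Subject: Your statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.bankofamerica.com/">bankofamerica.com</a>.</p>
"""

PHISH = """From: Bank of America <alerts@bankofamerica.com.example>
Subject: Account notice
Content-Type: text/html

<p><a href="https://login.example.net/boa">www.bankofamerica.com</a></p>
"""
```

Running triage(PHISH) reports the sender as untrusted (its registrable domain is com.example, not bankofamerica.com) and flags the one link because the text shows the bank’s domain while the href goes to example.net. The same sender check applies to the address shown at the top of a text message.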

Websites:

Websites can host malware or a virus, or redirect the information you enter. Again, it is very important to look at the URL closely before entering any credentials. When visiting unknown sites, you take the risk of being infected. This is difficult to accept since we all like to “surf” the web. Many recipe sites have been known to carry malware because nobody maintains security on older sites. If you are going to surf, you MUST have very good anti-virus / anti-malware software. I am currently using Bitdefender Total Security. When I try to go to a website and the credentials of the site do not match, my software will NOT let me go to the site unless I enter my password for my software. Your IT vendor may utilize something like this. Websites that have not been maintained or have been hacked can present all kinds of problems. Preventing a data breach means that staff members should NOT use their work computers for surfing!

Man-in-the-middle:

Another type of threat is when information is intercepted without the person’s knowledge; this is commonly referred to as a “man in the middle” attack. When a person uses public Wi-Fi, a nefarious character can set up a rogue hotspot that imitates the legitimate one and read or alter the traffic passing through it. Depending on the activity, a virus or malware could be placed on the device and brought back into the office, which in turn could infect your network. Keep patient data off public Wi-Fi, or reach the office only through the practice’s VPN, and never click past a browser certificate warning.

Zero-day attacks:

Then there are zero-day exploits: attacks on a vulnerability that the vendor has not yet patched, and often does not yet know about. These are frequently widespread and can hit organizations all over the world at once. Developers must work fast to create a patch to correct the deficiency. In the meantime, your systems could be down or destroyed. This is why it is critical to maintain a backup that is not connected to your network, and to test periodically that it actually restores; a backup that an attacker on your network can reach and encrypt is not a backup.

Ransomware attacks are a real problem and not just for healthcare but for everyone. It has gone up 70% in just one year. Think about losing everything on your business network or your home computer. It happens, so all these recommendations are for your personal use as well.

The Office for Civil Rights (OCR) released their breach report to Congress, below are a few highlights.

The “OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”

The HHS 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received. Some highlights include:

  • OCR received 30,435 new complaints alleging violations of the HIPAA Rules
  • OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
  • OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000
  • OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.

Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Documentation and Medical Records Retention

As this year comes to a close, it may be time for some practices to review which medical records can be archived. We have been asked many times what the “difference” is between HIPAA documentation and medical record retention requirements. Many organizations think these have the same requirements, and they do not!

If you are not sure about the differences, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!

HIPAA documentation retention:

HIPAA requires that your privacy and security rule policies, procedures, and documentation be retained for at least 6 years from the date of creation or the last date it was in effect. If a policy was implemented three years before it was revised, the original policy must be retained for a minimum of 9 years after its creation. If state privacy law is more stringent, then state law must be followed.

Here are examples of documentation covered by the HIPAA retention requirement:

  • Audit logs of access to ePHI
  • Business associate agreements
  • Contingency plans
  • Employee sanction policy and documentation
  • Notice of Privacy Practices
  • Patient authorizations (unless included in their medical record)
  • Patient complaints and resolutions
  • Privacy policies (patient access, amendments, and authorizations)
  • Security incident reports and Breach notification documentation
  • Security policies (administrative, physical, and technical)
  • IT reports that include updates and device status

Medical record retention:

Most people think HIPAA controls the medical record retention requirements. HIPAA is a federal law, and each state has its own set of medical record retention requirements. State retention requirements can vary depending on the type of records and who they belong to.

Florida state law requires medical practices to maintain records for at least 5 years after the last visit. Hospitals are required to retain records for 7 years after the last visit.

Claims may be brought up to 7 years after the incident under the False Claims Act; however, on occasion, the time has been extended to 10 years.

Medicare managed care program providers must also retain their records for 10 years.

Some states require pediatric records to be retained until the patient reaches the age of 23.

North Carolina has some of the lengthiest requirements: 11 years from the date of discharge, and records of minors must be retained until the patient reaches 30 years of age.

It is recommended to retain any documentation that may be needed in a personal injury or breach of contract dispute for as long as necessary.

As you can see, there are many variables.

Proper organization of patient records and dates can assist you when the time comes to purge your records. This can also protect you from storing unnecessary records that could be a liability should you suffer a data breach.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information about Aris Medical Solutions call 877.659.2467 or click here to contact us.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Risk Analysis Requirements

Nefarious characters see healthcare organizations as high value yet relatively easy targets. These are referred to as target rich, cyber poor.  Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for a bad actor. Understanding the HIPAA risk analysis requirements can help save your organization from these criminals.

There has been a significant rise in the number and severity of cyber-attacks against hospitals and medical practices in the last few years. These attacks expose vulnerabilities and endanger patient safety. The more they happen, the more expensive, and dangerous they become.

Although the HIPAA Security Rule does not specify how often a risk analysis must be conducted, it is recommended to review your systems at least once a year. Keep in mind if you introduce new equipment, software, or suffer a security incident, you may need to evaluate your risks more often.

If you need a HIPAA Security Risk Analysis, check out our:

The OCR conducted a webinar regarding Risk Analysis Requirements and discussed the areas where organizations are commonly deficient.

The OCR mentioned the following:

  1. The lack of a system wide accurate and thorough analysis. (Step 1 Questionnaire)
  2. Performing only the MIPS risk analysis does not encompass the system wide requirements.
  3. A PCI DSS assessment is more than likely not a complete HIPAA risk assessment, since it covers cardholder data rather than ePHI.
  4. Instead of a system wide accurate and thorough risk assessment, a summary or heat map is provided without the backup documentation.
  5. Lack of inventory list to track which devices access, transmit, or store ePHI. (Located in the Profile)
  6. No method to track operating systems that become out of date. (Documented in the inventory list)
  7. Lack of mitigation documentation after the risk analysis was completed. (Step 1 Risk Management Plan)
  8. Lack of sanctions against staff who violate HIPAA. (Step 3 Policies and Procedures)
  9. Lack of security software / equipment updates. (Documented in reports from your IT company and stored in the Profile under Uploads)

Let’s all work together to keep patient data safe and secure. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant. Best of all you will have a HIPAA security analyst to guide you every step of the way!

“Simplifying HIPAA through Automation, Education, and Support”

Why it is so important to secure emails that contain PHI

We have advised our clients for years to only transmit protected health information (PHI) if it is encrypted. We have also recommended encryption for the data at rest. With the rise of hacking, this has never been more important. There are many problems that can arise from compromised email accounts.

It only takes one employee’s email account to get hacked, then the hacker can view what the user has stored, who they communicate with, and who they do not speak with directly. Let’s review each one:

  1. Contents of email. Of course, you do not want an unknown person reading your emails, but it is even worse if your email account contains PHI. The hacker can take that information, sell it, or even target your patients to gain more information.
  2. The hacker can also see who you are communicating with and now they can target your co-workers into giving them information by impersonating you.
  3. They also know who you only communicate with via email. This sets the stage for phone conversations since you do not know what this person sounds like. The hacker can request wire transfers, employee lists, patient lists, the amount of information that they are willing to request is only limited by their imagination.

These attacks may be targeted for financial gain, identity theft, or medical insurance theft. Regardless of the hackers’ motives, they all can be devastating to a practice. Just last year an Orlando practice had 4 email accounts compromised and over 447K patients were affected. When considering the methods to secure email accounts, you must also consider which devices are used to access email; every phone, tablet, and home computer with the mailbox on it widens the scope of what must be secured. A thorough risk analysis will uncover potential vulnerabilities and give you the opportunity to avoid a data breach.

That brings me to the next topic… if you don’t need to store it, DO NOT. If you can move the needed documentation to a secure server or your EHR, then do. If there isn’t a “need” to store patient information (or any sensitive information) in email, then remove it. This also applies to “old” patient records in databases or software. There is a reason behind medical record retention requirements, and when it is safe to dispose of medical records, then do! This too reduces your liability!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

ICD-10 updates, Fraud, Waste, and Abuse Training, Booklets and Prevention

We try to share useful information as we come across it. Below are some links that we think may be of interest to our audience such as: ICD-10 updates, Fraud, Waste, and Abuse Training, Booklets, and Prevention. We have also included some videos from YouTube. Be sure to follow the guidelines set forth and do not let hindsight get you in trouble.

ICD10 Code sets revised:

https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/ICD9-10CM-ICD10PCS-CPT-HCPCS-Code-Sets-Educational-Tool-ICN900943.pdf

Web-based Fraud, Waste, and Abuse Training (about 88 minutes; we thought it had some good content):

https://www.cms.gov/Outreach-and-Education/MLN/WBT/MedicareFraudandAbuse/FraudandAbuse/story.html

Medicare Fraud-Abuse Booklet:

https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/Fraud-Abuse-MLN4649244.pdf

Medicaid Fraud Prevention:

https://www.cms.gov/Medicare-Medicaid-Coordination/Fraud-Prevention/Medicaid-Integrity-Program/Education

For those who do not think they are serious about this, here is a link for enforcement:

https://oig.hhs.gov/fraud/enforcement/?type=criminal-and-civil-actions

OIG Compliance Resource Portal:

https://oig.hhs.gov/compliance/

Evaluation and Management Services Guide:

https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/eval_mgmt_serv_guide-ICN006764TextOnly.pdf

OIG Videos:

False Claims Act https://www.youtube.com/watch?v=BbZ78QTLztQ&list=PLkw9IKOokUiIjlyjm7wsvZd31z0U8QxxP&index=42&t=26s

Federal Anti-Kickback Statute https://www.youtube.com/watch?v=a4KhqqeAaUg&list=PLkw9IKOokUiIjlyjm7wsvZd31z0U8QxxP&index=43&t=9s

Physician Self-Referral Law

Exclusion Authorities and Effects of Exclusions

How to use the LEIE Online and Downloadable Databases

Eye on Oversight: Kick Backs to Physicians

Eye on Oversight: Medicare Part D Fraud

If you need assistance with HIPAA Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

Controlling Access to ePHI

The OCR released their Summer 2021 Cybersecurity Newsletter, which cited a recent report finding that 61% of security incidents and data breaches were committed by external actors and 39% by insiders. During COVID last year, systems that monitor audit logs found that internal snooping was up by 90%.

The Information Access Management 45 CFR § 164.308(a)(4)(i) and Access Control 45 CFR § 164.312(a)(1) are two of the HIPAA Security Rule standards that cover access to ePHI.

We will discuss Information Access Management under the Administrative Safeguards first. This standard requires covered entities and business associates to implement policies and procedures that outline how they authorize or grant access to ePHI within their organization. This may include how access to information systems containing ePHI is requested, authorized, and granted, who is responsible for authorizing access requests, and the requirements for granting access. These policies typically cover which workforce roles may be granted access to particular systems, applications, and/or data. It is important to point out that access must be based on job function or business necessity. Two of this standard’s implementation specifications, Access Authorization and Access Establishment and Modification, are addressable; if an addressable specification is not reasonable and appropriate for your environment, you must document why and implement an equivalent alternative measure if one is reasonable and appropriate.

Access Establishment and Modification 45 CFR § 164.308(a)(4)(ii)(C) policies describe how to establish, document, review, and modify a user’s access to workstations, transactions, programs, or processes. For example, a workforce member being promoted or given some change in responsibility may require increased access to certain systems and decreased access to others. Another example is that a covered organization could change its system access requirements to permit remote access to systems containing ePHI during a pandemic. Policies and procedures should cover situations such as these to ensure that each workforce member’s access continues to be appropriate for their role.

Access Control under the Technical Safeguards is a required standard for covered entities and business associates to implement access controls for electronic information systems that allow access to ePHI only to those approved in accordance with the organization’s Information Access Management process. The flexible, scalable, and technology-neutral nature of the Security Rule permits organizations to consider various access control mechanisms to prevent unauthorized access to ePHI. Such access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanism the organization deems appropriate. This means that what may be acceptable for one organization may not be suitable for another. Access controls need not be limited to computer systems. Firewalls, network segmentation, and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI. Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization’s network or impede the ability of a hacker already in the network from reaching other information systems, especially systems containing sensitive data.

The Access Control standard includes Unique User Identification 45 CFR § 164.312(a)(2)(i), which is a required implementation specification and is a key security requirement for any system. While the use of shared or generic usernames and passwords may seem to provide some short-term convenience, it severely degrades the integrity of a system because it removes accountability from individual users and makes it much easier for the system to become compromised. If information is improperly entered, altered, or deleted, whether intentionally or not, it can be very difficult to identify the person responsible (e.g., for training or sanctions) or to determine which users may have been the victim of a phishing attack that introduced ransomware into the organization. Additionally, because shared usernames and passwords can become widely known, it may be difficult to know whether the person responsible was an authorized user at all. A former employee or contractor, a current employee not authorized for access, a friend or family member of an employee, or an outside hacker could be the source of unauthorized access. The inability to identify and track a user’s identity due to the use of shared user IDs can also impede necessary investigations when the shared user ID is used for unauthorized or even criminal activity. For example, a malicious insider could take advantage of known shared user IDs to hide their activities when collecting personal medical and financial information to use for identity theft. In such a case, the organization’s audit controls would record only the actions of the shared user ID, potentially limiting the organization’s ability to properly identify and track the malicious insider.

The second implementation specification, Emergency Access Procedure 45 CFR § 164.312(a)(2)(ii) is also a required implementation specification. This implementation specification is applicable in situations in which normal procedures for obtaining ePHI may not be available or may be severely limited, such as during power failures or the loss of Internet connectivity. Access controls are still necessary during an emergency, but may be very different from normal operations. For example, due to the recent COVID-19 public health emergency, many organizations quickly implemented mass telehealth policies. How workforce members can securely access ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures. Appropriate procedures should be established beforehand for how to access needed ePHI during an emergency.

The third implementation specification, Automatic Logoff 45 CFR § 164.312(a)(2)(iii), is an addressable implementation specification. Users sometimes inadvertently leave workstations unattended for various reasons.  In an emergency setting, a user may not have time to manually log out of a system.  Implementing a mechanism to automatically terminate an electronic session after a period of inactivity reduces the risk of unauthorized access when a user forgets or is unable to terminate their session.  Failure to implement automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI, it also impedes an organization’s ability to properly investigate such unauthorized access because it would appear to originate from an authorized user.
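The Access Control pieces discussed above (access tied to job function, a unique ID per user, a break-glass emergency path, and automatic logoff) fit together in one authorization decision. The following is an added example written for this page, not code from the original post, from OCR, or from any vendor product. The roles, permissions, user names, patient IDs, the ten-minute inactivity limit and the attribute rule “clinicians see only their assigned patients” are all assumptions made for illustration; your own policies determine the real values.

```python
"""Added example (not from the original post): a minimal ePHI authorization check
combining role-based permissions, an attribute constraint, break-glass emergency
access, unique user IDs and automatic logoff. All names and thresholds are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role-based permissions: each role carries only what its job function needs.
ROLE_PERMISSIONS = {
    "physician":  {"read_record", "write_record", "read_demographics"},
    "front_desk": {"read_demographics", "schedule"},
    "billing":    {"read_demographics", "read_claims"},
}
CLINICAL_ACTIONS = {"read_record", "write_record"}
INACTIVITY_LIMIT = timedelta(minutes=10)   # assumed automatic-logoff threshold


@dataclass
class Session:
    user_id: str              # one ID per person: never a shared or generic login
    role: str
    assigned_patients: set    # attribute used to narrow clinical access
    last_activity: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


def _record(log, session, action, patient_id, now, allowed, reason):
    """Every decision is logged against the individual user ID so it is attributable."""
    log.append({"time": now.isoformat(), "user": session.user_id, "action": action,
                "patient": patient_id, "allowed": allowed, "reason": reason})
    if allowed:
        session.last_activity = now   # successful activity keeps the session alive
    return Decision(allowed, reason)


def authorize(session, action, patient_id, now, log, emergency=False):
    # 1. Automatic logoff: an idle session is treated as already terminated.
    if now - session.last_activity > INACTIVITY_LIMIT:
        return _record(log, session, action, patient_id, now, False,
                       "session expired (automatic logoff)")
    # 2. Role-based check: the role must carry the permission at all.
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        return _record(log, session, action, patient_id, now, False, "role lacks permission")
    # 3. Attribute-based narrowing for clinical records: only the user's own patients,
    #    unless emergency (break-glass) access is invoked, which is granted but flagged.
    if action in CLINICAL_ACTIONS and patient_id not in session.assigned_patients:
        if emergency:
            return _record(log, session, action, patient_id, now, True,
                           "emergency access: break-glass, review required")
        return _record(log, session, action, patient_id, now, False,
                       "patient not assigned to user")
    return _record(log, session, action, patient_id, now, True, "ok")


def break_glass_events(log):
    """The emergency access procedure should include reviewing every break-glass use."""
    return [e for e in log if e["allowed"] and e["reason"].startswith("emergency access")]


def demo():
    """Constructed scenario; returns the decisions and the audit log for inspection."""
    t0 = datetime(2024, 1, 15, 9, 0)
    log = []
    dr = Session("jdoe", "physician", {"P100", "P101"}, t0)
    desk = Session("asmith", "front_desk", set(), t0)
    results = {
        "own_patient":   authorize(dr, "read_record", "P100", t0 + timedelta(minutes=1), log),
        "other_patient": authorize(dr, "read_record", "P200", t0 + timedelta(minutes=2), log),
        "break_glass":   authorize(dr, "read_record", "P200", t0 + timedelta(minutes=3), log,
                                   emergency=True),
        "wrong_role":    authorize(desk, "read_record", "P100", t0 + timedelta(minutes=4), log),
        "idle_session":  authorize(desk, "schedule", "P100", t0 + timedelta(minutes=30), log),
    }
    return results, log
```

The point of the design is that every branch, including the denials and the idle-session timeout, lands in the audit log under an individual user ID. If jdoe and asmith shared a “frontdesk” login, the break-glass review in break_glass_events() would tell you that someone opened an unassigned record, but not who.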

The final implementation specification is Encryption and Decryption 45 CFR § 164.312(a)(2)(iv), which is also an addressable implementation specification. This technical safeguard can reduce the risks and costs of unauthorized access to ePHI. For example, if a hacker gains access to unsecured ePHI on a network server, or if a device containing unsecured ePHI is stolen, a breach of PHI will be presumed and reportable under the Breach Notification Rule (unless the presumption can be rebutted in accordance with the breach risk assessment). The Breach Notification Rule applies to unsecured PHI, which is PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act].” OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals states that ePHI that is “at rest” (i.e., stored in an information system or on electronic media) is considered secured if it is encrypted in a manner consistent with NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) (SP 800-111).

ePHI encrypted in a manner consistent with SP 800-111 is not considered unsecured PHI and therefore is not subject to the Breach Notification Rule. Encrypting ePHI in this manner is an excellent example of how an effective encryption solution may not only fulfill an organization’s encryption obligation under the Access Control standard, but also provide a means to leverage the Breach Notification Rule’s safe-harbor provision. Keep in mind that the safe harbor depends on the key not being compromised along with the data; a laptop stolen with its password on a sticky note, or a server breached by an attacker who has the decryption key, is still a reportable breach.

As the use of mobile computing devices (e.g., laptops, smartphones, tablets) becomes more and more pervasive, the risks to sensitive data stored on such devices also increase. Many mobile devices include encryption capabilities to protect sensitive data. Once enabled, a device’s encryption solution can protect stored sensitive data, including ePHI, from unauthorized access in the event the device is lost or stolen.

If you need assistance with HIPAA Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Security Rule requirements, Part 4, Evaluations 45 CFR § 164.308(a)(8)

Many practices think once they have conducted a risk analysis, they are done with their HIPAA compliance efforts. Unfortunately, a risk analysis is just the beginning! You must document your ongoing HIPAA efforts through evaluations.

45 CFR § 164.308(a)(8) Evaluation – HIPAA requires organizations to review technical and non-technical aspects of their compliance efforts based on their original risk analysis. These evaluations could be based on operational or environmental changes that affect the security of ePHI.

Setting a time frame in which to perform your evaluations will be essential in determining whether you are adequately protecting ePHI. Organizations may perform these processes annually or as needed (e.g., every two years or every three years) depending on the circumstances of their environment. An annual evaluation is recommended due to the ever-changing world of technology. As software and hardware become outdated or are replaced, the new devices must be reviewed to ensure they are HIPAA compliant and installed properly. Of course, if you have a major change in your organization or a data breach, you may need to reorganize your quarterly plans and conduct a new risk analysis. Keep in mind that should you suffer a data breach, and you have not updated your risk analysis, and a vulnerability is discovered, you could be heavily fined. It is important to know whether the security plans and procedures you have implemented continue to adequately protect ePHI. Some organizations do not see the need to hire an IT vendor, thinking they can do this themselves. Depending on the services that are being offered, you could be making a huge mistake. An IT vendor that specializes in data security for healthcare is essential in protecting your data and your assets.

We recommend reviewing certain aspects each quarter of each year. For instance, the first quarter review your Risk Management Plan to ensure everything is documented. It may not be necessary to update your Breach Notification Plan, but we suggest reading it to remind yourself what to do in the event of a data breach.

The second quarter would be a good time to review your Contingency Plan and make any updates. You may need to request additional information from your IT department or vendor.

The third quarter review your HIPAA Privacy Rule Policies, Procedures and Documentation. Most of these will not need any updates, but as always, it is recommended to review them, just in case something has changed.

The fourth quarter review your HIPAA Security Rule Policies, Procedures and Documentation. As in the privacy section, you may not need to update very many, but it is required under HIPAA to review them. Pay close attention to the Technical Safeguards section, as this may be where changes need to be made.

We also recommend reviewing your insurance policies and vendor contracts at least 60-90 days before they renew. This should give you ample time to review them and decide whether you have adequate coverage. This includes medical malpractice, life, and disability for key personnel. We also suggest reviewing your contract with your IT vendor at least 90 days before the contract terminates; some vendors add stipulations in the contract that automatically lock you in for an additional year.

Cyber/breach insurance should be reviewed with an agent that specializes in this type of coverage; the average policy may not be enough to protect you.

Aris has been busy creating an automated HIPAA compliance package. With the new program, you will be able to update your plan and your policies quickly and easily. With the documentation within the system, you will be able to demonstrate your on-going HIPAA compliance efforts. Watch for the launch announcement!

If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cosmetic Practice Fined – No one is immune from HIPAA

April 15, 2021

By Suze Shaffer | Aris Medical Solutions

Recently a cosmetic practice was fined $30,000 to settle potential HIPAA Privacy Rule violations. In the past many practices believed if they did not accept insurance payments (considered as a “transaction” under HIPAA), they were immune from the privacy rule. This may not be the case. There is a section in the rule that states “Other transactions that the Secretary may prescribe by regulation”.  HIPAA compliance is a balancing act, are you willing to lose $30K of your hard-earned money to test the system?

This investigation started with a complaint from a patient who had requested their medical records and did not receive them in a timely manner. Under the HIPAA Privacy Rule, the provider must respond to a patient’s request for access no later than 30 calendar days after the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days if it provides the individual (within the initial 30-day period) with a written statement of the reason for the delay and the date by which the entity will have the information available. See 45 CFR §164.524(b)(2). Unfortunately for this practice, the request was not handled in a timely manner. Therefore, an investigation was launched.

Let us review how this happens.

Once a complaint is filed with the Office for Civil Rights (OCR), the OCR determines whether the complaint falls within its authority to investigate. Once an investigation has been opened, the OCR will contact the practice for its documentation surrounding the incident. The documentation that is submitted determines whether a desk audit is warranted. Therefore, documentation is SO important: you may be able to avoid a desk audit if you supply the appropriate documents.

During a desk audit you will more than likely be asked for documentation of what preventative measures you had in place before the incident and what you have implemented to prevent it from happening again. While you are being investigated, the OCR may also review your compliance in other areas. If they find discrepancies, you could be fined for those as well. HIPAA encompasses a large range of requirements: patient privacy, patient rights, and data security, to name a few. I will not go into detail in this notification since we are sharing the Security Rule requirements in other messages.

Each resolution agreement issued by HHS/OCR outlines the deficiencies they uncovered. Most of them cite the lack of a risk analysis, risk management, training, business associate agreements, and policies and procedures. During this investigation other violations were uncovered, and the resolution agreement also cited Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a).

From this, I hope you can understand the importance of HIPAA compliance, because one simple oversight can cause this much heartache. Patient privacy, patient rights, and data security are as important as caring for your patients. We have just learned that any entity that holds patient data can be investigated and fined for violations under HIPAA.

Tell your friends and colleagues, and make sure everyone understands that no one who holds patient data is immune from HIPAA. Fines are fierce, and it is not worth taking a chance by thinking “it won’t happen to me”.

If you need assistance with HIPAA Training, Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support” 

HIPAA Security Rule requirements, Part 2 – Security Awareness and Security Incident Procedures

What the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) consider reasonable and appropriate safeguards is always open to interpretation. Every organization is different, and what works for one may not work for another. For that reason, this information is a guideline only and should not be taken as legal advice.

Here are a few areas that should be reviewed:

§ 164.308(a)(5)(i) Security Awareness and Training has four implementation specifications. They are labeled “Addressable” under the HIPAA Security Rule. Do not be fooled by the term addressable; it does not mean optional. It means you have options in how you implement each specification, and if you decide one is not reasonable and appropriate for your organization, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate.

The Security Awareness and Training standard means that a covered entity must implement a security awareness and training program for all members of its workforce, including management. The rule does not specify how often training must occur, but it does require that new hires be trained within a reasonable amount of time. We recommend HIPAA training BEFORE any person has access to PHI or ePHI, since one mistake can cause a data breach. The rule then requires “periodic” training, and most organizations conduct annual HIPAA training. Although HHS does not specifically require annual training, if you suffer a data breach caused by an employee who did not have proper training, you could be fined for that violation. That is why it is so important to ensure your employees not only attend HIPAA training (and that you document it), but also actually understand what is required of them and how to safeguard patient data.

§ 164.308(a)(5)(ii)(A) Security Reminders – HIPAA is not just a once-a-year process. Periodic security reminder updates should be conducted throughout the year to keep HIPAA and data security in the minds of your staff. This should be documented as well.

§ 164.308(a)(5)(ii)(B) Protection from Malicious Code – Procedures must be in place to guard against, detect, and report viruses and malware. Up-to-date anti-virus and anti-malware software can ward off most intrusions, as long as your staff does not open attachments or visit websites where malicious code is hosted. Education is key. Applying software patches when they are released, scanning systems on a routine basis, and utilizing firewalls are also very important, as is making sure users do not introduce malicious code from downloads, DVDs, flash drives, or other devices brought from home.

§ 164.308(a)(5)(ii)(C) Log-in Monitoring – Procedures for monitoring log-in activity and reporting discrepancies. This specification means you must monitor user logins, including unsuccessful attempts. Best practice is to have procedures that lock a user out after a predetermined number of failed log-in attempts, which can prevent an unauthorized user from gaining access to your system. Because password-guessing attacks (whether run by malware or by an attacker at a keyboard) repeatedly try new passwords, account lockout is highly recommended. The lockout events themselves should be logged and reviewed: a burst of failures followed by a success is a sign that a password may have been guessed, and a successful login during a lockout is a sign that the lockout is not actually being enforced.
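As an added example (not from the original post or from Aris), here is a small Python script that applies this specification to a constructed set of login events: it counts failed attempts per user inside a sliding window, records a lockout when the threshold is reached, and reports the discrepancies a reviewer should see, such as a success right after a burst of failures or a success while the account should still have been locked. The event format, the threshold of 5 failures, the 15-minute window, and the assumption that a lockout lasts as long as the window are all choices made for this example, not values from the rule.

```python
"""Login monitoring over a constructed set of login events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events, not real logs: timestamp, user, source IP, result.
SAMPLE_EVENTS = """\
2021-03-02T08:01:10 jdoe 10.0.0.15 SUCCESS
2021-03-02T08:03:41 msmith 10.0.0.22 FAILURE
2021-03-02T08:03:52 msmith 10.0.0.22 SUCCESS
2021-03-02T23:14:02 rlee 203.0.113.7 FAILURE
2021-03-02T23:14:09 rlee 203.0.113.7 FAILURE
2021-03-02T23:14:15 rlee 203.0.113.7 FAILURE
2021-03-02T23:14:21 rlee 203.0.113.7 FAILURE
2021-03-02T23:14:28 rlee 203.0.113.7 FAILURE
2021-03-02T23:14:40 rlee 203.0.113.7 SUCCESS
2021-03-03T09:30:00 rlee 10.0.0.31 SUCCESS
"""

MAX_FAILURES = 5                # lockout threshold: an assumed policy value
WINDOW = timedelta(minutes=15)  # failures are counted, and a lockout lasts, this long


def parse_events(text):
    """Parse 'timestamp user ip result' lines into (ts, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def review_logins(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (locked_users, findings).

    locked_users: users who reached max_failures inside the window and should
    have been locked out. findings: lines for the reviewer, in time order:
      LOCKOUT - the failure threshold was reached
      ALERT   - a successful login while the lockout should still be in force
      REVIEW  - a success after several recent failures (possible guessed password)
    """
    failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    locked_at = {}                 # user -> time the most recent lockout began
    findings = []
    for ts, user, ip, result in events:
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures that have aged out of the window
        if result == "FAILURE":
            recent.append(ts)
            lockout_active = user in locked_at and ts - locked_at[user] <= window
            if len(recent) >= max_failures and not lockout_active:
                locked_at[user] = ts
                findings.append(f"{ts.isoformat()} LOCKOUT {user}: {len(recent)} failures from {ip}")
        elif result == "SUCCESS":
            if user in locked_at and ts - locked_at[user] <= window:
                findings.append(f"{ts.isoformat()} ALERT {user}: login from {ip} while locked out")
            elif len(recent) >= 3:
                findings.append(f"{ts.isoformat()} REVIEW {user}: success from {ip} after {len(recent)} failures")
            recent.clear()         # a successful login resets the failure count
    return sorted(locked_at), findings


if __name__ == "__main__":
    locked, findings = review_logins(parse_events(SAMPLE_EVENTS))
    print("locked out:", locked)
    for line in findings:
        print(line)
```

Run against the sample, the script reports a lockout for rlee at the fifth failure and then an ALERT for the success twelve seconds later, which is exactly the discrepancy this specification asks you to report: either the password was guessed or the lockout was never applied. The next morning's login from an internal address is not flagged, because the lockout window has long expired and the failure count was reset.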

§ 164.308(a)(5)(ii)(D) Password Management – Procedures for creating, changing, and safeguarding passwords. All users must use their own credentials to log into systems that contain ePHI. Passwords are to be complex, never shared, kept secure, and changed at least every 90 days. Although HIPAA does not specifically state a 90-day rule, it has long been considered best practice unless you are utilizing a second factor of authentication. Note that current NIST guidance (SP 800-63B) no longer recommends forced periodic password changes in the absence of evidence of compromise; whichever rotation policy you choose, document it, and pair it with multi-factor authentication wherever your systems support it.

§ 164.308(a)(6)(i) Security Incident Procedures has one implementation specification, and it is “Required”. This means you MUST implement it as stated. You must have policies and procedures in place that identify security incidents, so employees understand what a security incident is and how to respond.

§ 164.308(a)(6)(ii) Response and Reporting requires a covered entity to have policies and procedures in place to report and mitigate security incidents and to determine whether a data breach occurred. If a data breach has occurred, the covered entity must determine how many individuals’ records were affected. The time frame for reporting the breach to OCR, and possibly to state and local agencies, differs depending on whether the breach affects 500 or more individuals. This should be clearly outlined in your Breach Notification Plan. During the breach notification process, state law supersedes the federal HIPAA rule where the state law is more stringent. Keep in mind that all 50 states have their own privacy and breach notification laws.

We will be adding more information on other Security Standards, so watch for more posts!

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

HIPAA Security Rule requirements, Part I

It is hard to believe we are in 2021, but I am sure you are like the rest of us and glad to see 2020 in the rear-view mirror.

As we move into this new year, we need to look ahead and learn from what has happened in the past. Last month we informed you about many HIPAA violations that the Office for Civil Rights (OCR) had investigated. Most of these violations could have been prevented. In fact, I was talking with a colleague who owns an audit log monitoring system, and he informed me that during the pandemic they saw a 90% increase in snooping into the records of patients with the same last name as the employee. Fortunately for his clients, this was immediately stopped, and the employee(s) were sanctioned. This made me want to remind you of a few requirements under HIPAA.

  • 164.308(a)(1)(ii)(C) Sanction Policy – is a “required” implementation specification under the HIPAA Security Rule. Employers are required by law to apply appropriate sanctions against workforce members who fail to comply with their HIPAA policies and procedures; otherwise the employer could be fined.

  • 164.308(a)(1)(ii)(D) Information System Activity Review – is another required specification. It requires procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. A security incident is best described as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system.

  • 164.312(b) Audit Controls – is yet another required standard. It states you must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). This standard goes hand in hand with Information System Activity Review.

What does this mean to you?

First, you must understand what is considered “normal” usage within the software and hardware that contain ePHI. Then you must monitor your systems for abnormal behavior, such as an employee opening the records of patients who share their last name, a sudden spike in the number of records one user opens, or access outside that user’s normal hours. This is a HUGE, time-consuming task, and unless you are monitoring every employee 24/7 you may miss something. We highly recommend utilizing a third party to do this for you. The company we work with has interfaces with over 60 EHRs and is fully automated. If they do not have an interface, they will create one, or show you how to upload the logs in a matter of minutes instead of hours. No more looking over lengthy audit log reports; you simply receive an alert when there is abnormal activity. Best of all, this protects your patient data and your practice from fines and penalties. If you would like to learn more about this service, use the contact us page.
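As an added example (not from the original post, and not the monitoring service mentioned above), here is a Python script that runs two review rules over a constructed EHR audit export of the kind an Information System Activity Review would examine: it flags every access where the workforce member’s last name matches the patient’s (the snooping pattern described above), and it builds each user’s own baseline of distinct patients per day and flags days that are far above it. The CSV columns, the 3x multiplier, and the floor of 5 patients are assumptions for the example and must be mapped to your EHR’s export and tuned to each role.

```python
"""Audit-log review for snooping over a constructed EHR audit export (added example)."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit export, not real patient data. The columns are an assumption;
# map your own EHR's export onto them.
SAMPLE_AUDIT_CSV = """\
timestamp,user_id,user_name,patient_id,patient_name,action
2021-01-04T09:02:00,u101,Maria Lopez,p5001,Ana Lopez,VIEW
2021-01-04T09:40:00,u101,Maria Lopez,p5002,Ben Carter,VIEW
2021-01-04T10:15:00,u101,Maria Lopez,p5003,Cara Diaz,VIEW
2021-01-05T08:50:00,u101,Maria Lopez,p5004,Dev Patel,VIEW
2021-01-05T09:30:00,u101,Maria Lopez,p5005,Eli Ng,UPDATE
2021-01-05T11:05:00,u101,Maria Lopez,p5006,Fay Brooks,VIEW
2021-01-06T09:10:00,u101,Maria Lopez,p5007,Gus Hale,VIEW
2021-01-06T14:20:00,u101,Maria Lopez,p5008,Hana Kim,VIEW
2021-01-07T12:01:00,u101,Maria Lopez,p5009,Ian Moss,VIEW
2021-01-07T12:03:00,u101,Maria Lopez,p5010,Jo Park,VIEW
2021-01-07T12:04:00,u101,Maria Lopez,p5011,Kai Wren,VIEW
2021-01-07T12:06:00,u101,Maria Lopez,p5012,Lia Ford,VIEW
2021-01-07T12:07:00,u101,Maria Lopez,p5013,Max Cole,VIEW
2021-01-07T12:09:00,u101,Maria Lopez,p5014,Nia Bell,VIEW
2021-01-07T12:10:00,u101,Maria Lopez,p5015,Oli Shaw,VIEW
2021-01-07T12:12:00,u101,Maria Lopez,p5016,Pia Ruiz,VIEW
2021-01-07T12:13:00,u101,Maria Lopez,p5017,Quin Day,VIEW
2021-01-07T12:15:00,u101,Maria Lopez,p5018,Rae Vogt,VIEW
2021-01-04T10:00:00,u102,Tom Reed,p6001,Sol Ames,VIEW
2021-01-04T10:30:00,u102,Tom Reed,p6002,Tia Lund,VIEW
2021-01-05T09:00:00,u102,Tom Reed,p6003,Uma Roth,VIEW
2021-01-05T09:45:00,u102,Tom Reed,p6004,Vic Hart,VIEW
2021-01-05T13:30:00,u102,Tom Reed,p6005,Wes Finn,VIEW
2021-01-06T16:45:00,u102,Tom Reed,p6006,Sam Reed,VIEW
"""


def load_audit(text):
    """Parse the CSV export into dicts, adding a parsed 'ts' datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def surname(full_name):
    """Last whitespace-separated token, case-folded, so 'lopez' and 'LOPEZ' match."""
    return full_name.strip().split()[-1].casefold()


def same_surname_accesses(rows):
    """Rule 1: a workforce member opened a record whose last name matches their own.
    Returns (user_id, patient_id) pairs in log order for the reviewer to check."""
    return [(r["user_id"], r["patient_id"]) for r in rows
            if surname(r["user_name"]) == surname(r["patient_name"])]


def volume_outliers(rows, multiplier=3, floor=5):
    """Rule 2: a day on which a user touched far more distinct patients than that
    user's own median day. Returns (user_id, date, count, baseline) tuples.
    The multiplier and floor are assumed thresholds to tune per role."""
    per_day = defaultdict(lambda: defaultdict(set))  # user -> date -> distinct patient ids
    for r in rows:
        per_day[r["user_id"]][r["ts"].date()].add(r["patient_id"])
    findings = []
    for user, days in per_day.items():
        counts = {d: len(patients) for d, patients in days.items()}
        baseline = statistics.median(counts.values())  # this user's "normal" day
        for d, n in sorted(counts.items()):
            if n >= floor and n >= multiplier * baseline:
                findings.append((user, d.isoformat(), n, baseline))
    return findings


if __name__ == "__main__":
    audit = load_audit(SAMPLE_AUDIT_CSV)
    for user, patient in same_surname_accesses(audit):
        print(f"same surname: {user} opened {patient}")
    for user, day, n, base in volume_outliers(audit):
        print(f"volume: {user} opened {n} distinct records on {day} (median day {base:g})")
```

On the sample, rule 1 produces two hits (u101 opening p5001 and u102 opening p6006) and rule 2 flags u101 on 2021-01-07, when ten distinct records were opened in a quarter of an hour against a median day of three. Both rules are only a starting point for the reviewer: common surnames will produce false positives, so each hit should be checked against whether the employee actually had a treatment or billing relationship with the patient, and the volume thresholds should be set from each role’s real workload before anyone is sanctioned.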

 

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website are owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC