Inventory lists and network mapping: why they are so important!

First, it is required under HIPAA that medical organizations and business associates ensure the confidentiality, integrity, and availability of ePHI. Part of a HIPAA compliance program requires an entity to conduct a HIPAA risk analysis to determine where ePHI is located and how it is protected. It is critical that all organizations understand how data flows in and out of their systems as well as how business associates access your data. Risk management is the key to protecting your data.

Here is a starting point after your risk analysis:

  1. Create an inventory list. The list should include servers, computers, laptops, tablets, printers, scanners, fax servers/machines, and specialized equipment for your type of practice.
  2. Include what type of encryption you have implemented or what type of anti-virus and anti-malware is utilized. Also, think about devices that are not onsite, remote users, cloud servers, and offsite backups. If smartphones are used, add those as well. Even if they are not company owned, just make a note of that.
  3. The inventory list should also include software that is used to access or store ePHI. When the time comes to retire a device, this list can be used to determine how it is to be handled. For example, will it need to be destroyed, or can it be sanitized and reused?
  4. Be sure to include the operating systems on your devices. This will alert you when systems are at the end of life and need to be replaced.
  5. We also recommend adding assets that do not store or access ePHI, just in case they could be compromised and create a method of intrusion. This includes firewalls and routers.
  6. Next, create a diagram of all technology and how ePHI flows through your system. Hackers can gain access to your systems through your vendors. You may need help from your IT company. Keep in mind when selecting an IT vendor, they MUST be well versed in healthcare. Your security is more complex than the average small business, not to mention the heavy fines should you suffer a data breach.
  7. When creating your network mapping, we suggest adding which devices store and/or access ePHI. Again, this is a visual reminder of how your data flows and can help you to understand how to protect your data. If possible, request a Visio Map from your IT vendor.
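The inventory and data-flow checks described in the steps above, as an added example (not code from Aris Medical Solutions): it keeps the inventory fields the list calls for (ePHI storage/access, encryption, anti-virus, ownership, operating system), flags assets that need attention, and cross-checks the ePHI flow diagram against the inventory. The sample assets, flows, and all end-of-support dates other than the Windows 7 date cited on this page are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates. Windows 7 is the date cited on this page;
# the table is assumed to be maintained by you from vendors' published dates.
OS_END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14)}


@dataclass
class Asset:
    name: str
    kind: str                 # server, computer, smartphone, firewall, backup ...
    os: str
    stores_ephi: bool
    accesses_ephi: bool
    encrypted: bool           # disk/device encryption implemented
    antivirus: str            # product in use, "" if none recorded
    company_owned: bool = True
    location: str = "onsite"  # onsite, remote, cloud, offsite-backup


def review_inventory(assets, today):
    """Return (asset name, issue) pairs for the gaps the inventory is meant to surface."""
    findings = []
    for a in assets:
        eol = OS_END_OF_SUPPORT.get(a.os)
        if eol is not None and today > eol:
            findings.append((a.name, f"OS '{a.os}' unsupported since {eol.isoformat()}"))
        if a.stores_ephi and not a.encrypted:
            findings.append((a.name, "stores ePHI without encryption"))
        if (a.stores_ephi or a.accesses_ephi) and not a.antivirus:
            findings.append((a.name, "handles ePHI but no anti-virus/anti-malware recorded"))
        if a.accesses_ephi and not a.company_owned:
            findings.append((a.name, "personally owned device accesses ePHI"))
    return findings


def cross_check_flows(assets, flows):
    """Compare the ePHI data-flow diagram (list of (src, dst) edges) with the inventory.
    Returns (diagram nodes missing from the inventory,
             inventoried ePHI stores that appear in no flow)."""
    names = {a.name for a in assets}
    in_flows = {n for edge in flows for n in edge}
    missing = in_flows - names
    unmapped = {a.name for a in assets if a.stores_ephi and a.name not in in_flows}
    return missing, unmapped


# Constructed sample inventory and flow diagram for a small practice (not real assets).
SAMPLE_ASSETS = [
    Asset("EHR-SRV01", "server", "Windows Server 2019", True, True, True, "Enterprise AV"),
    Asset("FRONTDESK-PC3", "computer", "Windows 7", False, True, False, "Enterprise AV"),
    Asset("DR-PHONE", "smartphone", "iOS", False, True, True, "", company_owned=False),
    Asset("BACKUP-NAS", "backup", "Linux", True, False, False, "", location="offsite-backup"),
    Asset("FW-EDGE", "firewall", "vendor firmware", False, False, False, ""),
]
SAMPLE_FLOWS = [
    ("FRONTDESK-PC3", "EHR-SRV01"),
    ("DR-PHONE", "EHR-SRV01"),
    ("EHR-SRV01", "BACKUP-NAS"),
    ("FAX-SRV", "EHR-SRV01"),  # drawn on the diagram but never added to the inventory
]
REVIEW_DATE = date(2020, 6, 1)

if __name__ == "__main__":
    for name, issue in review_inventory(SAMPLE_ASSETS, REVIEW_DATE):
        print(f"{name}: {issue}")
    missing, unmapped = cross_check_flows(SAMPLE_ASSETS, SAMPLE_FLOWS)
    print("in diagram but not inventoried:", sorted(missing))
    print("ePHI stores with no mapped flow:", sorted(unmapped))
```

Run against your own list and diagram to see which devices need encryption, anti-virus, or replacement, and which devices in the diagram were never inventoried.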

With all the data breaches that are happening, it is so important to know where your data is and how it is protected. Keeping up with your risk analysis and risk management plan demonstrates your ongoing compliance efforts. This is a requirement under the HIPAA Security Rule. If you suffer a data breach and you can provide documentation that you have reasonable and appropriate safeguards in place and that you have done the best you can to protect your data, more than likely you will not be fined.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

What does being HIPAA Compliant actually mean anyway?


We are always talking about HIPAA compliance because that is what we do! Sadly, many practices think just having a patient sign that they received your Notice of Privacy Practices is all that is needed. There is so much more to HIPAA than that! After we go over a client’s risk analysis they realize this and are anxious to get their compliance in place. Then you get busy and it is pushed off to the next week, then the next, and then you realize it never was implemented!

Being HIPAA compliant means MANY things, and I could write about this for hours, but here are some basic reminders:

  1. Work on your Risk Management plan, implement your policies and procedures and mitigate risks. Policies and procedures are necessary so employees understand what is and is not permitted. The enforcement of your sanction policy and being consistent for those employees who violate HIPAA can help you avoid fines and penalties.
  2. Monitor your audit logs. Know who is doing what within your systems. Whether it is an employee or a business associate, you must know who and how users access ePHI. This is critical in preventing or stopping a data breach.
  3. Make sure your HIPAA compliance officer is informed and educated on any security incidents that may occur. This can help them to determine if and when a data breach occurred when they are reviewing the audit logs. The HIPAA compliance officer is required under federal law to report data breaches, large and small. The only difference is timing. Large data breaches must be reported within 60 days (state law could be more stringent) and smaller breaches within 60 days after the end of the year in which the breach occurred.
  4. Check the OIG exclusions list before you hire a new employee. This can save you from being required to return payments you received from CMS in the event you hired someone on this list. Also, conducting a thorough criminal background check can protect you from theft! Conducting and documenting annual HIPAA training, as well as training when new employees are hired, will educate them on patient privacy and data security. Make sure the method of training you choose covers both areas.
  5. Make sure everyone uses their own login credentials and never shares their passwords. If someone signs in under another person, then the person that is logged in could be held liable for anything that is done under their credentials! Remember to use strong passwords and change them often. If possible, implement a secondary authentication in addition to just a username and password. This is extremely helpful in protecting both business and personal information. All online accounts, even email, should use a two-step verification of some type.
  6. Since we work in healthcare we have the ability to look at anyone’s medical record in our system. Keep in mind, you should only look at records that you have a need to do so. This means that if a patient is being seen by another provider or medical staff member and you do not have the need to view the record, you are NOT permitted to do so.
  7. When it comes to technology, many people think if it’s not broke, don’t fix it. This is NOT true! As our systems age, unless they are updated and upgraded, your information may be at risk of a data breach. Firewalls, computers, servers, and software all must be maintained. Firewalls are your first line of defense. Would you put up a fence and never bother to lock it? I have said this many times in the past: in the old wild wild west you could see danger coming towards your town and prepare. The world wide web is the new wild wild west, but the intruders are invisible. You must have several layers of security to secure your data. NOTE: Microsoft Windows 7 will no longer be supported after January 14, 2020. I have always liked this operating system, but now we must prepare for those computers to be updated or replaced.

HIPAA is much more than just these items, but this should help you to remember some important steps!

If you haven’t implemented HIPAA privacy and security policies and procedures, now is a good time to start to ensure your employees understand how to protect your data. If you would like more information, contact us at 877.659.2467 or complete the contact us form.

2019 HIPAA Updates


As we start this new year we must reflect on what we have learned from 2018 in order to make 2019 a success.

The Office for Civil Rights (OCR) has gained momentum in enforcing HIPAA violations. With that said, HIPAA is an ongoing process and once is not enough. It is not considered done unless it is documented. At the annual conference this past year, the OCR admitted they are adamant on ensuring your patients’ information is protected. Therefore, you must document your compliance. If you say you did something, they will ask for your documentation. If you do not have documentation, you will be fined.

Companies located in the United States are now required to adhere to the General Data Protection Regulation (GDPR) if they market goods and services to citizens of the European Union (EU). You must ensure the security of the data as well as inform visitors to your website how you intend to use their data. This must be clearly written in the privacy notice on your website. This is not to be confused with the Notice of Privacy Practices that you give to your patients. If you plan on marketing to visitors from your website, you must offer them a free opt-out option. We could go into more detail on this subject, but since many medical clinics do not market to international patients, you may contact us for more information.

Here are a few things to review and update as necessary:

  1. Risk analysis and risk management plan: this is your documentation to demonstrate what risks you have (had) and how you have mitigated them or plan to mitigate them.
  2. Replacing or updating any outdated technology: hardware and software require updates from time to time. You can be fined for utilizing outdated hardware/software that is no longer supported by the manufacturer.
  3. Adding a second authentication process for access to ePHI as well as for online personal accounts.
  4. HIPAA training: ensuring your employees understand how to protect your data is also part of this training.
  5. Making sure you have all of the necessary privacy and security policies, procedures, and forms in place. This means reading and dating them to demonstrate they were actually implemented.
  6. Retaining your documentation for the required time limit, including correspondence with patients that is considered to be part of their medical record.
  7. Reviewing your website, determining if your site collects any data and how it is transmitted and stored.

If you see something in your workplace that looks suspicious, tell your HIPAA Compliance Officer; you could be the one to prevent a data breach or stop a data breach from becoming a major breach (over 500 patient records). Keeping data secure is everyone’s business. Being mindful of our surroundings and educating others helps all of us in this crazy world we live in now!


Spoofing, Phishing, and how to avoid getting caught in the middle

After attending the Office for Civil Rights (OCR) annual webcast, many things were confirmed that we thought may have been rumors. First of all, medical offices are targets of hacking because you hold everything needed for identity theft.

What is identity theft? Most people think of it as their credit card being stolen, or even their tax returns. True, that is identity theft, but there is also another component that is not often talked about. That is, assuming someone else’s identity for health care purposes. Imagine someone assumes your identity and has a surgery and “corrects” your medical record and changes your blood type. Then, you are involved in a car accident and receive a blood transfusion, but it’s the WRONG blood. Yes, this can happen. We are not sure how often, but with the rise of medical records being stolen we could see this happen more often. Knowing where your data is located and how it is stored is a starting point in protecting this valuable information. Conducting a risk analysis and having an ongoing risk management plan is mandatory under HIPAA. During this process you will uncover potential vulnerabilities. Once you mitigate these risks, you may be able to avoid a data breach.

Protecting yourself and your organization is one and the same. Practice these safety tips at work and at home:

  • Make sure your operating system updates are current as well as your anti-virus and anti-malware.
  • Scan for viruses and malware after every update.
  • If you use personal devices to access ePHI or work files, be sure to use enterprise versions of anti-virus and anti-malware. Free versions typically are not robust enough.
  • NEVER use free Wi-Fi even if you are not accessing any patient information. You could pick up malware from someone that has spoofed the Wi-Fi network that you thought you were logging into.
  • NEVER click on links within emails that claim to be urgent or a free offer of some type. Typical phishing expeditions start in this manner. After you click, they ask for certain information they are lacking about you or they may ask for everything! Sometimes, this is merely a tactic to get you to go to a certain website and place malware on your computer and you never even know it.
  • NEVER click on a link within an email asking you to verify your identity. You wouldn’t show a stranger on the street your driver’s license just because they asked to see it, then why would you “verify” your identity with someone invisible in your email? Again, this is how spear phishing starts.
  • NEVER click on an attachment within an email unless you are expecting it, even if you know the person that sent it. Their email could have been hacked and you are being spoofed into thinking it is from them. This includes messages from FedEx, UPS, and the IRS. Best practice is to open your web browser, go to their website, and sign in.
  • NEVER click on links in text messages unless you are expecting one, such as when you just signed up for text messages from a service provider. Bank customers are being spoofed into clicking on links in text messages that take them to what looks like their bank. Guess what… it’s NOT your bank, but it looks like it!

I have said this before… the World Wide Web (WWW) is the new Wild Wild West. The only difference is, in the old wild wild west you could see danger coming on the horizon and prepare. On the World Wide Web, the dangers are there, but they are invisible.

Be safe out there!


Cost of cyber attacks on healthcare is steadily rising

Why are so many medical offices being attacked? Simple, this is a one stop shop for everything needed for identity theft and many medical practices do not have appropriate safeguards in place. Business associates have even been the target or the entry point. HIPAA requires certain security safeguards to be in place to ensure the safety and security of Protected Health Information (PHI).

There have been 188 data breaches of 500 or more patient records in the first 6 months of this year, and in April alone there were 42. Thirteen of the 188 have already been resolved. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

These breaches include small medical practices, business associates, and hospitals. Small and large. Paper and electronic. No one is immune. Many organizations think they are too small to get hit, but the fact is the most common problem is untrained staff that unknowingly cause this to happen. Education is the key to keeping this catastrophe from destroying your reputation. Of course you still need to have certain technical safeguards in place, but even then it only takes one click of a mouse to bring your network down.

Here are some areas to consider:

  1. How would you process a data breach?
  2. How would you handle the reputation management of the breach?
  3. How would you pay for the cost of breach and the investigations?

Having a breach notification plan in place before a breach occurs is critical to reducing the damage. You must have processes in place to shut the system down, continue manually, and report to the appropriate authorities.

Consider the lack of trust from your patients once their information has been compromised from your office. No matter if it was your fault or that of a business associate, this could have a negative impact on your patient database.

Breaches are costly on many fronts, the first being the cost of the notification of the patients, investigations, downtime, and the mitigation of the source of the breach. In 2013 the Ponemon Institute reported that a data breach cost $233 per medical record; now, in 2018, the report states a healthcare breach can cost on average $408 per medical record.
https://www.ibm.com/security/data-breach

Keep in mind that if you do not know which records were breached, then everyone must be included in the notification process. What could turn out to be the most costly is the fines and penalties associated with the breach. How and when you processed the breach is one determining factor. Also, once the investigation is complete, if it is discovered this was an ongoing problem and was not mitigated, then you could be found in willful and wanton neglect. This is NOT a place you want to find yourself! The Office for Civil Rights (OCR) can also fine you for not conducting a thorough enough risk analysis, thus leaving vulnerabilities untouched. How well do you trust your efforts in securing your data? Have you conducted a risk assessment to determine if what you have in place is sufficient?

How can Aris help?

  • First of all, we conduct a thorough risk analysis that uncovers vulnerabilities and create a risk management plan so that you can mitigate those risks.
  • Since written documentation is also part of HIPAA compliance, we provide the necessary privacy and security policies, procedures, and documentation needed for state and federal regulatory requirements.
  • We also offer HIPAA training that includes privacy and security and any custom requests.
  • If you are one of the many organizations that simply do not have the time to implement your HIPAA program, we can do that for you as well. Month to month, no long term contracts!

If you would like a free HIPAA checkup call 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

How well do you trust your compliance efforts?


By Aris Medical Solutions


HIPAA encompasses many aspects. Risk assessments, risk management, and your policies, procedures, and documentation are the backbone of compliance.

Most medical providers don’t think about compliance until they are audited. By that time it is too late to mitigate any issues that you may have. The main misconception is that “it will never happen to me”.

A random audit is possible but a relatively low probability. A compliance audit is typically initiated by a disgruntled employee, a patient that feels their privacy has been violated, or a data breach. Once the HIPAA violation is reported, the Office for Civil Rights (OCR) will determine if the complaint will need to be investigated. If it does, the documentation that you provide will determine whether or not a desk audit is issued. This is where your policies and procedures are critical. If your employees understand what they need to do, how to do it, and what needs to be documented, your chances of a desk audit are greatly reduced. The OCR understands that people make mistakes, but if you don’t learn from them, they will fine you heavily!

Note to self… if you recognize a problem, address it, correct it, and learn from it.

You can survive an audit with proper documentation!

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data, click here or call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”

Do HIPAA Fines go away when a practice or business closes?

By Aris Medical Solutions


Many medical practices and business associates have the misconception that if they are fined they can simply close their doors and not be obligated to pay the fines or penalties. We have been asked if this will work many times. The Office for Civil Rights (OCR) has answered this haunting question.

Three years ago the OCR received an anonymous complaint against Filefax, Inc., which transported 2,150 patient files to be shredded. The files were left unsecured, either in an unlocked truck in the Filefax parking lot or by granting permission to an unauthorized person to remove the files from Filefax, leaving the Protected Health Information (PHI) unsecured outside the Filefax facility.

Although Filefax shut their doors during the course of the OCR’s investigation, they were still obligated under the law. In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets. In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.

The resolution agreement and corrective action plan may be found on the OCR website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Filefax/index.html.

The first step in protecting your practice or business is to conduct a thorough security risk assessment and identify vulnerabilities and workflow. From there you can develop a risk management plan to ensure you document your compliance efforts and mitigate risks.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

Updating your Contingency Plan


By Aris Medical Solutions


Contingency planning is more than just a power outage or how to back up and restore your data. A complete plan should include the different types of scenarios that could happen in your area.

For those involved in healthcare, creating a contingency plan is not optional. Should you have a disaster and not be prepared, you can be fined! The Office for Civil Rights (OCR) considers protecting personal information a civil right, and they will enforce this if you have a data breach or a situation where your data is not recoverable.

Think about ransomware, have you included this in your contingency plan?

Depending on where you are located, have you included how to respond to a hurricane, tornado, snowstorm, or fire?

Where is your data located and what would happen if you had a toilet overflow or a pipe burst?

In light of the recent tragedies have you included a section on workplace violence?

How to create a Contingency plan:

  1. Conduct a thorough HIPAA Risk Assessment. Understand and analyze what type of risks you are vulnerable to. This includes where you are located and what type of computer network that you utilize.
  2. Create a diagram of how your network is configured. This will help you to determine the best method to protect and restore your data from a backup.
  3. Implement a risk management plan that outlines what you have in place and what you will need in the future if it is not possible at the moment. Of course, you will need a timeline if you will be adding to your plan.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy