Medical Records Services, LLC Connected, Compliant, Collaborative Healthcare Data

2018 in the news

LabCorp Data Breach

Pravin Kothari, CEO of cybersecurity solution provider CipherCloud, today commented on news that LabCorp is investigating a data breach on its computer network that potentially puts millions of people's sensitive personal information at risk.


2017 in the News

June 28 2017

The Health Information Technology for Economic and Clinical Health ("HITECH") Act modified the Health Insurance Portability and Accountability Act ("HIPAA") by expanding the definition of Business Associates ("BA") and their responsibilities and liabilities.

May 25th -- HIPAA is here to stay. What does it mean?

CMS Releases Guidance on MIPS Data Validation and Auditing for Improvement Activities

05.03.17

2017 OCR HIPAA Settlements Focus on Risk Analyses, Safeguards

Maintaining PHI security must remain a top priority for covered entities and business associates year-round. Lackluster safeguards and irregular risk analyses can lead to potential data security issues, and even an OCR HIPAA settlement.

With four months of 2017 almost complete, ...

April 24, 2017

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).  CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member's laptop was stolen from a parked vehicle outside of the employee's home. The laptop contained the ePHI of 1,391 individuals. OCR's investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet

HHS has gathered tips and information to help protect and secure health information when using mobile devices:  https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html

April 20, 2017

No Business Associate Agreement? $31K Mistake

The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois. 

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children's Digestive Health (CCDH) after opening an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. Although CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) dated prior to Oct. 12, 2015.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/CCDH

For more information on Business Associate Agreements, please visit https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html


April 12, 2017

Overlooking risks leads to breach, $400,000 settlement

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. In setting this amount, OCR considered MCPN's status as an FQHC when balancing the significance of the violation against MCPN's ability to maintain sufficient financial standing to ensure the provision of ongoing patient care. MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level.

On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees' email accounts and obtained 3,200 individuals' ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.  When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MCPN

OCR’s guidance on the Security Rule may be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

February 16, 2017

$5.5 million HIPAA settlement shines light on the importance of audit controls

Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and agreed to implement a robust corrective action plan. MHS is a nonprofit corporation which operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities throughout the South Florida area. MHS is also affiliated with physician offices through an Organized Health Care Arrangement (OHCA).

MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/memorial

OCR offers helpful guidance on the importance of audit controls and audit trails at https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf

January 2017 OCR Cyber Awareness Newsletter

Understanding the Importance of Audit Controls

January 13, 2017

Covered Entities and Business Associates should make sure that they appropriately review and secure audit trails, and that they use the proper tools to collect, monitor, and review them. Protecting audit logs and audit trails preserves their integrity and prevents intruders from tampering with the audit records. Unprotected audit logs and audit trails allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associates not only to recover from breaches, but to prevent them before they happen.

According to the National Institute of Standards and Technology (NIST), audit logs are records of events generated by applications, users, and systems, and an audit trail is the chronological sequence of those audit log records. The main purpose of an audit trail is to maintain a record of system activity by application processes and by user activity within systems and applications.

The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). The majority of information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity, including user and application activity.

Examples of audit trails include: 

Application audit trails – Normally monitor and log user activities in the application.  This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.

System-level audit trails – Usually capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, devices used to log-on, and the application the user successfully or unsuccessfully accessed. 

User audit trails – Normally monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files and resources.

Audit controls that produce audit reports work in conjunction with audit logs and audit trails.  Audit logs and trails assist Covered Entities and Business Associates with reducing risk associated with: reviewing inappropriate access; tracking unauthorized disclosures of ePHI; detecting performance problems and flaws in applications; detecting potential intrusions and other malicious activity; and providing forensic evidence during investigation of security incidents and breaches. As part of this process, Covered Entities and Business Associates should consider which audit tools may best help them with reducing non-useful information contained in audit records, as well as with extracting useful information.

The HIPAA Security Rule does not identify what information should be collected in an audit log or trail, or how often the audit reports should be reviewed. When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities. It is imperative for Covered Entities and Business Associates to review their audit trails regularly: particularly after security incidents or breaches, but also as part of routine operations. Regular review of information system activity should promote awareness of any activity that could suggest a security incident or breach. Access to audit trails should be strictly restricted and provided only to authorized personnel.
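The following is an added example, not OCR's or this page's own code, of what a regular audit-trail review can look like in practice. It runs over a handful of constructed audit records and shows three things the newsletter calls for: protecting the integrity of the records (here with a SHA-256 hash chain, so any edited or deleted line changes the final digest), reviewing system-level records for bursts of failed log-ons, and reviewing application records against an HR roster so that a departed user's credentials being used after termination is noticed, which is the failure mode in the Memorial Healthcare settlement above. The record format, field names, user names and dates are all assumptions made for the example.

```python
"""Audit-trail review over constructed sample records (added example)."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (JSON lines), one per audit event. The field
# names are an assumption for this example, not a standard schema.
SAMPLE_AUDIT_LOG = """\
{"ts": "2012-03-05T08:02:11", "user": "asmith", "event": "login_success", "src": "10.1.4.22"}
{"ts": "2012-03-05T08:03:40", "user": "asmith", "event": "record_read", "record": "MRN-10442"}
{"ts": "2012-03-05T08:15:02", "user": "jdoe", "event": "login_success", "src": "10.1.9.7"}
{"ts": "2012-03-05T08:15:30", "user": "jdoe", "event": "record_read", "record": "MRN-20917"}
{"ts": "2012-03-05T08:16:05", "user": "jdoe", "event": "record_read", "record": "MRN-20918"}
{"ts": "2012-03-05T09:00:01", "user": "bot1", "event": "login_failure", "src": "203.0.113.9"}
{"ts": "2012-03-05T09:00:03", "user": "bot1", "event": "login_failure", "src": "203.0.113.9"}
{"ts": "2012-03-05T09:00:05", "user": "bot1", "event": "login_failure", "src": "203.0.113.9"}
{"ts": "2012-03-05T09:00:07", "user": "bot1", "event": "login_failure", "src": "203.0.113.9"}
{"ts": "2012-03-05T09:00:09", "user": "bot1", "event": "login_failure", "src": "203.0.113.9"}
{"ts": "2012-03-05T17:45:00", "user": "asmith", "event": "login_failure", "src": "10.1.4.22"}
"""

# Constructed HR roster: user -> termination date, or None if still employed.
TERMINATIONS = {"asmith": None, "jdoe": "2011-04-01", "bot1": None}


def parse_records(text):
    """Parse JSON-lines audit records into dicts with a datetime 'ts' field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def chain_digest(text):
    """Hash-chain the raw lines: each link hashes the previous digest together
    with the current line, so editing or deleting any line changes the result.
    Store the final digest somewhere the log writer cannot modify."""
    digest = hashlib.sha256(b"").hexdigest()
    for line in text.splitlines():
        digest = hashlib.sha256((digest + line).encode()).hexdigest()
    return digest


def access_after_termination(records, terminations):
    """Application-trail review: any event by a user whose termination date
    has already passed (the account should have been disabled)."""
    hits = []
    for rec in records:
        term = terminations.get(rec["user"])
        if term and rec["ts"].date() > datetime.fromisoformat(term).date():
            hits.append((rec["user"], rec["event"], rec["ts"].isoformat()))
    return hits


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """System-trail review: (user, source) pairs with at least `threshold`
    failed log-ons inside any `window`-long interval."""
    failures = defaultdict(list)
    for rec in records:
        if rec["event"] == "login_failure":
            failures[(rec["user"], rec["src"])].append(rec["ts"])
    bursts = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append(key)
                break
    return bursts


def review(text, terminations):
    """Run the integrity check and both reviews; returns a findings dict."""
    records = parse_records(text)
    return {
        "digest": chain_digest(text),
        "terminated_access": access_after_termination(records, terminations),
        "login_bursts": failed_login_bursts(records),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_AUDIT_LOG, TERMINATIONS).items():
        print(name, finding)
```

On the sample data the review flags three events by jdoe, whose termination date is almost a year earlier, and one failed log-on burst from 203.0.113.9; asmith's single failure falls below the threshold. The hash chain is only useful if the expected digest is kept out of reach of whoever could alter the log (for example, written to a separate system or signed), since an attacker who can rewrite the log and recompute the chain defeats it.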

Questions that Covered Entities and Business Associates should consider:

·         What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?

·         What are the audit control capabilities of information systems with ePHI?

·         Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?

·         Are changes or upgrades of an information system’s audit capabilities necessary?

Videos

What is ransomware? How can I avoid it? Watch this informative video for more information.

Why should I file a hardship exemption?

Microsoft Bitlocker
A great article walking you through the setup steps for encryption using Microsoft Bitlocker
Bit Locker steps to Sccurity.pdf

Utilizing Risk Analyses for Comprehensive HIPAA Compliance

© Medical record Services