April 18, 2017

Phishing Incident Leads to $400,000 HIPAA Settlement

The lack of skills and software tools contributed to the inability of organizations to adequately address cybersecurity risks.

So, what am I supposed to be doing?

The ONC Guide to Privacy and Security 4/2015
The ONC Guide to Privacy and Security explains in great detail, what the expectations are for HIPAA compliance.
ONC privacy-and-security-guide (2) (1) ([...]
Adobe Acrobat document [1.2 MB]

For a full view of the Federal Regulations on Health IT. Gov, click here

OCR Issues Second Largest HIPAA Fine to Date – $5.5 Million

read about it HERE

It wont happen to me, right?

Peachtree Orthopedics thought the same thing...

Top 10 Myths of Security Risk Analysis

As with any new program or regulation, there may be misinformation making the rounds. The following is a top 10 list distinguishing fact from fiction.

1. The security risk analysis is optional for small providers.

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

2. Simply installing a certified EHR fulfills the security risk analysis MU requirement.

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

3. My EHR vendor took care of everything I need to do about privacy and security.

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

4. I have to outsource the security risk analysis.

False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

5. A checklist will suffice for the risk analysis requirement.

False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

6. There is a specific risk analysis method that I must follow.

False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

7. My security risk analysis only needs to look at my EHR.

False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

8. I only need to do a risk analysis once.

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see the Reassessing Your Security Practice in a Health IT Environment.

9. Before I attest for an EHR incentive program, I must fully mitigate all risks.

False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

10. Each year, I’ll have to completely redo my security risk analysis.

False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.

REQUIRED vs. ADDRESSABLE SPECIFICATIONS:

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specifications (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative. The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented. Users must document how the organization will implement addressable specifications.

For more information: http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html

Nothing new here, but now HIPAA enforcement now has some teeth.

Concerned about mobile devices? You probably should be.... Watch this video put out by CMS

Watch these two short videos from by CMS for an easy to understand explanation of what it is and what needs to be done....

HIPAA Privacy Requirements Change as a Result of ARRA

Under the Health Information Portability and Accountability Act (HIPAA) and the American Recovery and Reinvestment Act (ARRA), physicians are required to control the ways in which they use and disclose patients' protected health information.

The U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR) oversees compliance with the HIPAA privacy requirements. As a result of the ARRA, several new regulations will be published implementing the law. In January 2013, the OCR published an omnibus final rule that covers:

changes to the HIPAA rule as required by ARRA
final regulations on notifications associated with the breach of patient information that has not been encrypted
modifications to the HIPAA rule regarding privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act (GINA)
additional changes to the HIPAA privacy, security, and enforcement rules.

The compliance date for the final omnibus rule is effective September 23, 2013.

Security Risk Analysis fact sheet from CMS
Conducting or reviewing a security risk analysis to meet the standards of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. Eligible professionals must conduct or review a security risk analysis in bothStage 1 and Stage 2 of meaningful use to ensure the privacy and security of their patients’ protected health information:
SecurityRiskAssessment_FactSheet_Updated[...]
Adobe Acrobat document [914.9 KB]

HIPAA Audit Preparation Checklist
Think your ready for a HIPAA Compliance Audit? Download this checklist to see how ready you really are.
HIPAA_Audit_Preparation_Checklist (2).do[...]
Microsoft Word document [30.1 KB]

The guide to privacy and security Updated for 2015
As Meaningful Use progresses forward, so does the complexity of protecting ePHI. In this consolidated guide, updated for 2015, CMS has clearly laid out a roadmap that all practices must follow in order to be compliant.
privacy-and-security-guide.pdf
Adobe Acrobat document [1.2 MB]

Breach, BREACH BREACH BREACH BREACH

To report a security incident of 1 patient life or more, visit HHS.gov, and click here

Sample Incident Response Workbook - paper based
This workbook is intended to provide general guidance and assistance in developing security standards appropriate for individual businesses. No one solution fits all businesses. Measures will vary depending on factors including the size and complexity of the business, the industry, and sensitivity of data.
The information in this workbook should not be regarded as a substitute for a company’s self-assessment of security procedures or for legal advice.
Self_Service_Incident_Response_Workbook [...]
Adobe Acrobat document [2.3 MB]

Your audit is coming........Are you ready?

The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review. For more information on required protocols and what to expect in a Security Risk Analysis Audit, go to this link.