Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Beware: Don’t Buy In to Myths about Data Security and HIPAA Compliance

Posted on January 22, 2015 I Written By

The following is a guest blog post by Mark Fulford, Partner in LBMC’s Security & Risk Services practice group.
Mark Fulford
Myths abound when it comes to data security and compliance. This is not surprising—HIPAA covers a lot of ground and many organizations are left to decide on their own how to best implement a compliant data security solution. A critical first step in putting a compliant data security solution in place is separating fact from fiction.  Here are four common misassumptions you’ll want to be aware of:

Myth #1: If we’ve never had a data security incident before, we must be doing OK on compliance with the HIPAA Security Rule.

It’s easy to fall into this trap. Not having had an incident is a good start, but HIPAA requires you to take a more proactive stance. Too often, no one is dedicated to monitoring electronic protected health information (ePHI) as prescribed by HIPAA. Data must be monitored—that is, someone must be actively reviewing data records and security logs to be on the lookout for suspicious activity.

Your current IT framework most likely includes a firewall and antivirus/antimalware software, and all systems have event logs. These tools collect data that too often go unchecked. Simply assigning someone to review the data you already have will greatly improve your compliance with HIPAA monitoring requirements, and more importantly, you may discover events and incidents that require your attention.

Going beyond your technology infrastructure, your facility security, hardcopy processing, workstation locations, portable media, mobile device usage and business associate agreements all need to be assessed to make sure they are compliant with HIPAA privacy and security regulations. And don’t forget about your employees. HIPAA dictates that your staff is trained (with regularly scheduled reminders) on how to handle PHI appropriately.

Myth #2: Implementing a HIPAA security compliance solution will involve a big technology spend.

This is not necessarily the case.  An organization’s investment in data security solutions can vary, widely depending on its size, budget and the nature of its transactions. The Office for Civil Rights (OCR) takes these variables into account—certainly, a private practice will have fewer resources to divert to security compliance than a major corporation. As long as you’ve justified each decision you’ve made about your own approach to compliance with each of the standards, the OCR will take your position into account if you are audited.

Most likely, you already have a number of appropriate technical security tools in place necessary to meet compliance. The added expense will more likely be associated with administering your data security compliance strategy.

Myth #3: We’ve read the HIPAA guidelines and we’ve put a compliance strategy in place. We must be OK on compliance.

Perhaps your organization is following the letter of the law. Policies and procedures are in place, and your staff is well-trained on how to handle patient data appropriately. By all appearances, you are making a good faith effort to be compliant.

But a large part of HIPAA compliance addresses how the confidentiality, integrity, and availability of ePHI is monitored in the IT department. If no one on the team has been assigned to monitor transactions and flag anomalies, all of your hard work at the front of the office could be for naught.

While a ‘check the box’ approach to HIPAA compliance might help if you get audited, unless it includes the ongoing monitoring of your system, your patient data may actually be exposed.

Myth #4: The OCR won’t waste their time auditing the ‘little guys.’ After all, doesn’t the agency have bigger fish to fry?

This is simply not true. Healthcare organizations of all sizes are eligible for an audit. Consider this cautionary tale: as a result of a reported incident, a dermatologist in Massachusetts was slapped with a $150,000 fine when an employee’s thumb drive was stolen from a car.

Fines for non-compliance can be steep, regardless of an organization’s size. If you haven’t done so already, now might be a good time to conduct a risk assessment and make appropriate adjustments. The OCR won’t grant you concessions just because you’re small, but they will take into consideration a good faith effort to comply.

Data Security and HIPAA Compliance: Make No Assumptions

As a provider, you are probably aware that the audits are starting soon, but perhaps you aren’t quite sure what that means for you. Arm yourself with facts. Consult with outside sources if necessary, but be aware that the OCR is setting the bar higher for healthcare organizations of all sizes. You might want to consider doing this, too. Your business—and your patients—are counting on it.

About Mark Fulford
Mark Fulford is a Partner in LBMC’s Security & Risk Services practice group.  He has over 20 years of experience in information systems management, IT auditing, and security.  Marks focuses on risk assessments and information systems auditing engagements including SOC reporting in the healthcare sector.  He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).   LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.

Top 4 HIT Challenges and Opportunities for Healthcare Organizations in 2015 – Breakaway Thinking

Posted on January 15, 2015 I Written By

The following is a guest blog post by Mitchell Woll, Instructional Designer at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Mitchell Woll - The Breakaway Group
Healthcare organizations face numerous challenges in 2015: ICD-10 implementation, HIPAA compliance, new Meaningful Use objectives, and the Office of the National Coordinator’s (ONC) interoperability road map.  To adapt successfully, organizations must take advantage of numerous opportunities to prepare.

Healthcare leaders must thoroughly assess, prioritize, prepare, and execute in each area:

  1. Meaningful Use Stage 2 objectives require increased patient engagement and reporting for a full year before earning incentives.
  2. The ONC’s interoperability road map demands a new framework to achieve successful information flow between healthcare systems over the next ten years.
  3. There are 10 months left in which to prepare for the October 1 ICD-10 deadline.
  4. HIPAA compliance will be audited.

1. Meaningful Use
For those who have already implemented an EHR, Meaningful Use Stage 2 focuses new efforts on patient access to personal health data and emphasizes the exchange of health information between patient and providers. Stage 2 also imposes financial penalties for failure to meet requirements.

CMS’s latest deadline for Stage 2 extends through 2016, so healthcare organizations have additional time to fulfill Stage 2 requirements. Stage 3 requirements begin in 2017, so healthcare organizations should take the extra time to build interoperability and foster an internal culture of collaboration between providers and patients. For Stage 3, Medicare incentives will not apply in 2017 and EHR penalties will rise to 3 percent.

CMS has also proposed a 2015 EHR certification, which requests interoperability enhancement to support transitions of care.  Complying with this certification is voluntary, but provides the opportunity to become certified for Medicare and Medicaid EHR incentive programs at the same time.

Meaningful Use Stage 2 and the ONC roadmap require that 2015 efforts concentrate on interoperability. Healthcare organizations should prepare for health information exchange by focusing efforts on building patient portals and integrating communications by automating phone, text, and e-mail messages. After setting up successful exchange methods, healthcare organizations should train staff how to use patient portals. The delay in Stage 2 means providers have more time to become comfortable using the technology to correspond with patients. Hospitals should also educate patients about these resources, describing the benefits of collaboration between providers and patients. Positive collaboration and successful data exchange helps achieve desired health outcomes faster.

2. Interoperability
The three-year goal of the ONC’s 10-year roadmap is for providers and patients to be able to send, receive, find, and use basic health information. The six and ten-year goals then build on the initial objectives, improving interoperability into the future.

Congress has also shown initiative on promoting interoperability asking the ONC to investigate information blocking by EHRs. Most of the ONC’s roadmap for the next three years is similar to Meaningful Use Stage 2 goals.

Sixty-four percent of Americans do not use patient portals, so for 2015 healthcare organizations should focus on creating them, refining their workflows, and encouraging patients to use them. Additionally, 35 percent of patients said they are unaware of patient portals, while 31 percent said their physician has never mentioned them. Fifty-six percent of patients ages 55-64, and 46 percent of patients 65 and older, said they would access medical information more if it were available online. Hospitals need their own staff to use and promote patient portals in order to conquer the challenges of interoperability and Stage 2.

3. HIPAA Compliance
In 2015, the Office of the Inspector General (OIG) will audit EHR use, looking closely at HIPAA security, incentive payments, possible fraud, and contingency plan requirements. Also during the HIPAA compliance audit, the Office of Civil Rights (OCR) will confirm whether hospitals’ policies and procedures meet updated security criteria.  Healthcare organizations should take this opportunity to verify compliance with 2013 HIPAA standards to prepare for upcoming audits. Many helpful resources exist, including HIPAA compliance toolkits, available from several publishers. These kits include advice on privacy and security models. Healthcare organizations and leaders can also take advantage of online education, or hire consultants to help review and implement the necessary measures. It’s important that action be taken now to educate staff about personal health information security and how to remain HIPAA compliant.

4. ICD-10 Deadline
The new ICD-10 deadline comes as no surprise now that it was delayed several times. In July 2014, the US Department of Health and Human Services (HHS) implemented the most recent delay and set a new date of Oct. 1, 2015, giving hospitals a 10-month window to prepare for the eventual ICD-10 rollout. Because healthcare organizations are more adaptable than ever, they can use their practiced flexibility and experience to meet these demands successfully.

As Health Information and Management Systems Society (HIMSS) suggests, communication, education and testing must be part of an ICD-10 implementation plan. Informing internal staff and external partners of the transition is a crucial first step. ICD-10 should be tested internally and externally to verify the system works with the new codes before the transition. Healthcare organizations should outline and develop an ICD-10 training program by selecting a training team and assessing the populations who need ICD-10 education. They should perform a gap analysis to understand the training needed and utilize role-based training to educate the proper populations. Finally, organizations should establish the training delivery method, whether online, in the classroom, one-on-one, or some combination of these to teach different topics or levels of proficiency. In my experience at The Breakaway Group, I’ve seen that the most effective and efficient education is role-based, readily-accessible, and offers learners hands-on experience performing tasks essential to their role. This type of targeted education ensures learners are proficient before the implementation. As with any go-live event, healthcare organizations must prepare and deliver the new environment, providing support throughout the event and beyond.

Facing 2015
These challenges require the same preparation, willingness, and audacity needed for prior HIT successes, including EHR implementation and meeting Meaningful Use Stage 1 requirements. ICD-10, HIPAA compliance, Stage 2, and interoperability all have the element of education in common. Healthcare organizations and leaders should apply the same tenacity and discipline to inform, educate, and prepare clinicians for upcoming obligations.

Targeted role-based education will best ensure proficiency and avoid comprehensive, costly, and time-consuming system training. Through role-based education, healthcare organizations gain more knowledgeable personnel who are up to speed on new applications. These organizations probably already have at least a foundation for 2015 expectations, and they should continue to recall the strategies used for prior go-live events. What was successful? It’s important to plan to replicate successful strategies, alleviating processes that caused problems.  This is great opportunity to capitalize efforts for organizational improvements. Healthcare leaders must let the necessity of 2015 government requirements inspire invention and innovation, ultimately strengthening their organizations.

Xerox is a sponsor of the Breakaway Thinking series of blog posts.

HIPAA Security and Compliance Thoughts from the Healthcare Cyber Security Summit

Posted on January 12, 2015 I Written By

The following is a guest blog post by Anna Drachenberg, Founder and CEO of HIPAA Risk Management.
Anna Drachenberg
It’s taken a while to collect our team’s thoughts, feedback and reactions to the SANS Institute Healthcare Cyber Security Summit 2014 held last month in San Francisco. The holidays, end-of-year, and beginning-of-the-year craziness played a part, but it also required several team discussions to produce a concise wrap-up of the event because it covered so many topics.

The healthcare community needs to get active in SANS Institute’s events and programs. SANS Institute was created in 1989 as a cooperative research and education organization. The organization is focused on information security for all industries. However, SANS needs industry participation in order for that industry to benefit from its research and information-sharing programs. Most of the SANS healthcare community is made up of IT executives and professionals who started in the financial sector and have moved to healthcare in the past couple of years at some of the largest organizations – Kaiser Permanente, Aetna, etc. It’s a great start, and the recent summit, while only in its 2nd year, was a well-developed, well-organized event. But, SANS needs more participation from different healthcare organizations including smaller covered entities.

We asked the three members of our team who attended the conference to provide their top “take-aways” from the Summit.

“Stop focusing on compliance and start focusing on security”
This concept was repeated in several presentations, and for the most part, it is true. So many organizations and HIPAA Security Officers focus on whether or not they are in compliance with the regulation – documenting why they are not implementing an addressable standard like encryption – instead of securing the information that is at risk. That said, the presenters missed an important reality of healthcare information security: owners and management understand compliance; they don’t understand security. Until the healthcare community fears the cost of the breach more than the cost of a HIPAA fine, covered entities will spend money on “compliance” before they spend money on “security.” I would not recommend that a healthcare IT professional start his or her next presentation to the executive team with “Forget Compliance – Focus on Security!” any time soon.

“No one had a good answer when asked how small businesses could implement effective information security programs when most don’t even have a dedicated IT staff person”
Yes, our team asked several presenters and panelists how the majority of covered entities were supposed to implement the technology, tool and/or process being discussed when, according to Census.gov, 89% of healthcare businesses in the U.S. have less than 25 employees. The answers varied, from “use cloud technology,” from a cloud technology vendor; to “participate in the NH-IASC,” from a board member of the National Health Information Sharing and Analysis Center. The most honest answer was from Rob Foster, Deputy Chief Information Officer and Acting Chief – Information Security, U.S. Dept. of Health and Human Services. Mr. Foster acknowledged that small covered entities would need to look outside their organization to consultants and other experts. We have to give the folks from HHS and ONC credit – they suffered many jabs at healthcare.gov, meaningful use and CMS with good humor and professionalism.

“Healthcare software and technology vendors are decades behind when it comes to security”
There was a panel of healthcare software and technology vendors from some of the most widely-used products, including McKesson and Siemens Healthcare. We were shocked at the level of self-congratulation these panelists had when they admitted that their software security initiatives were all less than five years old – some less than a year. They were seriously proud of the fact that they had implemented a formal software security process “last year.” There should have been a lot more heads hung in shame rather than pats on the back. Covered entities need to start demanding accountability from vendors on the security of their products, especially if you are entrusting your patient data to a cloud vendor. A business associate agreement is not enough – ask them specific questions about their risk analysis process, if they’ve had a third-party perform a penetration/vulnerability test on their software and infrastructure and if they have off-shore development teams.

“The healthcare community needs to get more involved with the information security community”
Jim Routh, CISO, Aetna & Board Member, NH-ISAC, used a common analogy about information security, “I don’t have to run faster than the bear; I just have to run faster than you.” The reality is that most covered entities don’t know that they are in the woods, not to mention the fact that they are supposed to be running from a bear. The healthcare industry is not the same as the financial industry and we need effective solutions to our industry’s problems. Until the healthcare industry commits to information security and is more active in the information security community, we aren’t going to get the same level of education, information and technology specific to our needs that is available to the financial industry.

In summary, the SANS Healthcare Cyber Security Summit was well worth the investment for our team; however, it highlighted a need for the healthcare industry to make information security a higher priority and get more involved in the information security community.

About Anna Drachenberg
Anna Drachenberg has more than 20 years in the software development and healthcare regulatory fields, having held management positions at Pacificare Secure Horizons, Apex Learning and the Food and Drug Administration. Anna co-founded HRM Services, Inc., (hipaarisk.com) a data security and compliance company for healthcare. HRM offers online risk management software for HIPAA compliance and provides consulting services for covered entities and business associates. HRM has clients nationwide and also partners with IT providers, medical associations and insurance companies. Anna is available via email at adrache@hipaarisk.com

Wearables And Mobile Apps Pose New Data Security Risks

Posted on December 30, 2014 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In the early days of mobile health apps and wearable medical devices, providers weren’t sure they could cope with yet another data stream. But as the uptake of these apps and devices has grown over the last two years, at a rate surpassing virtually everyone’s expectations, providers and payers both have had to plan for a day when wearable and smartphone app data become part of the standard dataflow. The potentially billion-dollar question is whether they can figure out when, where and how they need to secure such data.

To do that, providers are going to have to face up to new security risks that they haven’t faced before, as well as doing a good job of educating patients on when such data is HIPAA-protected and when it isn’t. While I am most assuredly not an attorney, wiser legal heads than mine have reported that once wearable/app data is used by providers, it’s protected by HIPAA safeguards, but in other situations — such as when it’s gathered by employers or payers — it may not be protected.

For an example of the gray areas that bedevil mobile health data security, consider the case of upstart health insurance provider Oscar Health, which recently offered free Misfit Flash bands to its members. The company’s leaders have promised members that use the bands that if their collected activity numbers look good, they’ll offer roughly $240 off their annual premium. And they’ve promised that the data will be used for diagnostics or any other medical purpose. This promise may be worthless, however, if they are still legally free to resell this data to say, pharmaceutical companies.

Logical and physical security

Meanwhile, even if providers, payers and employers are very cautious about violating patients’ privacy, their careful policies will be worth little if they don’t take a look at managing the logical and physical security risks inherent in passing around so much data across multiple Wi-Fi, 4G and corporate networks.

While it’s not yet clear what the real vulnerabilities are in shipping such data from place to place, it’s clear that new security holes will pop up as smartphone and wearable health devices ramp up to sharing data on massive scale. In an industry which is still struggling with BYOD security, corralling data that facilities already work with on a daily basis, it’s going to pose an even bigger challenge to protect and appropriately segregate connected health data.

After all, every time you begin to rely on a new network model which involves new data handoff patterns — in this case from wired medical device or wearable data streaming to smartphones across Wi-Fi networks, smart phones forwarding data to providers via 4G LTE cellular protocols and providers processing the data via corporate networks, there has to be a host of security issues we haven’t found yet.

Cybersecurity problems could lead to mHealth setbacks

Worst of all, hospitals’ and medical practices’ cyber security protocols are quite weak (as researcher after researcher has pointed out of late). Particularly given how valuable medical identity data has become, healthcare organizations need to work harder to protect their cyber assets and see to it that they’ve at least caught the obvious holes.

But to date, if our experiences with medical device security are any indication, not only are hospitals and practices vulnerable to standard cyber hacks on network assets, they’re also finding it difficult to protect the core medical devices needed to diagnose and treat patients, such as MRI machines, infusion pumps and even, in theory, personal gear like pacemakers and insulin pumps.  It doesn’t inspire much confidence that the Conficker worm, which attacked medical devices across the world several years ago, is still alive and kicking, and in fact, accounted for 31% the year’s top security threats.

If malevolent outsiders mount attacks on the flow of connected health data, and succeed at stealing it, not only is it a brand-new headache for healthcare IT administrators, it could create a crisis of confidence among mHealth shareholders. In other words, while patients, providers, payers, employers and even pharmaceutical companies seem comfortable with the idea of tapping digital health data, major hacks into that data could slow the progress of such solutions considerably. Let’s hope those who focus on health IT security take the threat to wearables and smartphone health app data seriously going into 2015.

Top 10 Cybersecurity Predictions for 2015

Posted on December 29, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The people at Coalfire have put out this infographic which identifies their Top 10 Cybersecurity Predictions for 2015. I’m not sure how much 2015 matters, but I do think that this list is worthy of your consideration. Are you ready for these threats and changes? What are you doing to get ready? I believe increased security will be an important topic in 2015.

Top Ten Cybersecurity Predictions for 2015

Lessons from the Year of the Breach Infographic

Posted on December 23, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This only partially applies to healthcare, but considering all the breaches from inside and outside of healthcare I thought that readers would find it useful. This infographic was created by Lifelock (you can imagine why they did). The best part of the infographic is the 8 suggestions at the end. We definitely have to be more vigilant.

Managing a Data Breach

NueMD’s Startling HIPAA Compliance Survey Results

Posted on December 12, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In a recent HIPAA compliance survey of 1,000 medical practices and 150 medical billing companies, NueMD found some really startling results about medical practices’ understanding and compliance with HIPAA. You can see their research methodology here and the full HIPAA Compliance survey results.

This is the most in depth HIPAA survey I’ve ever seen. NueMD and their partners Porter Research and The Daniel Brown Law Group did an amazing job putting together this survey and asking some very important questions. The full results take a while to consume, but here’s some summary findings from the survey:

  • Only 32 percent of medical practices knew the HIPAA audits were taking place
  • 35 percent of respondents said their business had conducted a HIPAA risk analysis
  • 34 percent of owners, managers, and administrators reported they were “very confident” their electronic devices containing PHI were HIPAA compliant
  • 24 percent of owners, managers, and administrators at medical practices reported they’ve evaluated all of their Business Associate Agreements
  • 56 percent of office staff and non-owner care providers at practices said they have received HIPAA training within the last year

The most shocking number for me is that only 35% of respondents had conducted a HIPAA risk analysis. That means that 65% of practices are in violation of HIPAA. Yes, a HIPAA risk analysis isn’t just a requirement for meaningful use, but was and always has been a part of HIPAA as well. Putting the HIPAA risk assessment in meaningful use was just a way for HHS to try and get more medical practices to comply with HIPAA. I can’t imagine what the above number would have been before meaningful use.

These numbers explain why our post yesterday about HIPAA penalties for unpatched and unsupported software is likely just a preview of coming attractions. I wonder how many more penalties it will take for practices to finally start taking the HIPAA risk assessment seriously.

Thanks NueMD for doing this HIPAA survey. I’m sure I’ll be digging through your full survey results as part of future posts. You’ve created a real treasure trove of HIPAA compliance data.

Firewall & Windows XP HIPAA Penalties

Posted on December 11, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Anchorage Community Mental Health Services, Inc, has just been assessed a $150,000 penalty for a HIPAA data breach. The title of the OCR bulletin for the HIPAA settlement is telling: “HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software.” It seems that OCR wanted to communicate clearly that unpatched and unsupported software is a HIPAA violation.

If you’re a regular reader of EMR and HIPAA, then you might remember that we warned you that continued use of Windows XP would be a HIPAA violation since Windows stopped providing updates to it on April 8, 2014. Thankfully, it was one of our most read posts with ~35,000 people viewing it. However, I’m sure many others missed the post or didn’t listen. The above example is proof that using unsupported software will result in a HIPAA violation.

Mike Semel has a great post up about this ruling and he also points out that Microsoft Office 2003 and Microsft Exchange Server 2003 should also be on the list of unsupported software alongside Windows XP. He also noted that Windows Server 2003 will stop being supported on July 14, 2015.

Along with unsuppported and unpatched software, Mike Semel offers some great advice for Firewalls and HIPAA:

A firewall connects your network to the Internet and has features to prevent threats such as unauthorized network intrusions (hacking) and malware from breaching patient information. When you subscribe to an Internet service they often will provide a router to connect you to their service. These devices typically are not firewalls and do not have the security features and update subscriptions necessary to protect your network from sophisticated and ever-changing threats.

You won’t find the word ‘firewall’ anywhere in HIPAA, but the $ 150,000 Anchorage Community Mental Health Services HIPAA penalty and a $ 400,000 penalty at Idaho State University have referred to the lack of network firewall protection.

Anyone who has to protect health information should replace their routers with business-class firewalls that offer intrusion prevention and other security features. It is also wise to work with an IT vendor who can monitor your firewalls to ensure they continue to protect you against expensive and embarrassing data breaches.

Be sure to read Mike Semel’s full article for other great insights on this settlement and what it means.

As Mike aptly points out, many organizations don’t want to incur the cost of updating Windows XP or implementing a firewall. It turns out, it’s much cheaper to do these upgrades than to pay the HIPAA fines for non-compliance. Let alone the hit to your reputation.

Fun Friday – HIPPA Sign

Posted on November 21, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Only readers of this site could enjoy this pharmacy sign. Thanks to HIPAA One for sharing the picture with me. Have a great weekend everyone! Stay Warm!
HIPPA Sign - Or Should We Say HIPAA Sign?

Maybe the pharmacy thought that HIPPA with two P’s stood for Patient Privacy. Of course, a quick search through posts on my site turn up 18 posts with HIPPA. So, this might be the pot calling the kettle black. I just enjoy the humor of humanity.

Beyond the Basics: What Covered Entities and Business Associates Need to Know About OCR Security Audits

Posted on November 20, 2014 I Written By

The following is a guest blog post by Mark Fulford, Partner in LBMC’s Security & Risk Services practice group.
Mark_Fulford_Headshot
The next round of Office for Civil Rights (OCR) audits are barreling down upon us, and many healthcare providers, clearing houses and business associates—even ones that think they’re prepared—could be in for an unpleasant surprise. If the 2012 round of OCR audits is any indication, the upcoming audits will most likely reveal that the healthcare industry at large is still struggling to figure out how to implement a compliant security strategy.

Granted, HIPAA regulations are not always as prescriptive as some might like. By design, HIPAA incorporates a degree of flexibility, leaving covered entities and business associates to make decisions about their own approach to compliance based on size, budget, and the risks that are unique to their operations.

But the first round of OCR audits indicated that many healthcare organizations had not even taken the first step in initiating a security compliance strategy—two-thirds of the covered entities had not performed a complete and accurate risk assessment to determine areas of vulnerability and exposure. Apparently, these entities were not necessarily unclear on HIPAA regulations; they simply had not yet made a serious effort to comply.

Out of the 115 entities audited, only 13 had no findings or observations (11%). This time around, the expectation will be that covered entities and business associates will have taken note of the 2012 audit findings, and that the effort to comply will be much improved.

All covered entities and business associates may be subject to an OCR audit. If you have not yet conducted an organizational risk assessment, now would be the time to do so. The OCR provides guidelines, and you can also reference the Office of the National Coordinator for Health Information Technology (ONC) and standards organizations like the National Institute of Standards and Technology (NIST). Additionally, the OCR has released an Audit Program Protocol to help you better prepare.

Five Key Areas to Address for OCR Audit Preparation

Based on our experience in the healthcare industry and consistent with the 2012 OCR Audit findings and observations, here’s how you can prepare for the upcoming OCR audits:

  • Know where your data resides. Many organizations fail to account for protected health information (PHI) in both paper and electronic forms. Between legacy systems (where data might be not well-indexed), printed copies (data could be abandoned in a desk) and mobile device use (data could be anywhere), large volumes of at-risk data is often floating around in places it shouldn’t be. In the first round of OCR audits, issues with security accounted for 60% of the findings and observations. To avoid falling into that trap, do a thorough inventory of your PHI and make decisions on how to handle and store it going forward.
  • Review business associate agreements. Business associates were not included in the 2012 OCR audits, but they will be this time around. If any of your business associates are found to be non-compliant, you will most likely be included in the subsequent investigation. Ask your accounting and IT departments to prepare a list of all third parties with whom you share PHI. Make sure your agreements are up-to-date and that your vendors are making good faith efforts to be in compliance. Due diligence can be accomplished through the use of questionnaires, your own audit, or a third-party assurance (e.g., a Service Organization Control (SOC) or a HITRUST report). And if you are a business associate, be aware that you, too, could be selected for an audit.
  • Establish a monitoring program. Your system, firewall and antivirus/antimalware software all regularly log system events. But beyond logging data, HIPAA dictates that you actively review the data to identify suspicious activity. If you haven’t already, assign an individual the task of reviewing your data for anomalies. Also, plan on conducting regular sweeps of the office to make sure that all printed documents are being stored and disposed of properly.
  • Identify breach reporting procedures. The Omnibus HIPAA rule has since updated the breach reporting requirements that were first outlined in HITECH. Make sure your breach reporting procedures are compliant with the most recent standards. While the 2012 OCR audits reported only 10% of their findings associated with the Breach Rule (as opposed to 30% and 60% associated with the Privacy and Security Rules respectively), failure to have a compliant breach reporting process could be a major problem if you are audited.
  • Schedule Staff Training. Most breaches are the result of human error. HIPAA requires that regular security training and security reminders be an integral part of your healthcare compliance strategy. Twenty-six percent of the Administrative Requirements findings and observations in the 2012 OCR audits involved training issues. Don’t assume that your employees know how to handle sensitive data. (Even if they do, it’s easy to forget.) Constant reminders create a culture of accountability that holds each individual responsible for protecting patients’ confidential health information.

While OCR audits give the OCR an opportunity to step up enforcement of HIPAA rules, anyone can register a complaint against you at any time. Thorough preparation for the upcoming OCR audits not only ensures that you will pass one if you are selected, it also protects you from breach, patient complaints, and general loss of public trust and good will.

About Mark Fulford
Mark Fulford is a Partner in LBMC’s Security & Risk Services practice group.  He has over 20 years of experience in information systems management, IT auditing, and security.  Marks focuses on risk assessments and information systems auditing engagements including SOC reporting in the healthcare sector.  He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).   LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.