Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

5 Lessons In One Big HIPAA Penalty

Posted on February 2, 2017 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

The federal Office for Civil Rights just announced a $ 3.2 million penalty against Children’s Medical Center of Dallas.

5 Lessons Learned from this HIPAA Penalty

  1. Don’t ignore HIPAA
  2. Cooperate with the enforcers
  3. Fix the problems you identify
  4. Encrypt your data
  5. Not everyone in your workforce should be able to access Protected Health Information

If you think complying with HIPAA isn’t important, is expensive, and annoying, do you realize you could be making a $3.2 million decision? In this one penalty there are lots of hidden and not-so-hidden messages.

1. A $ 3.2 million penalty for losing two unencrypted devices, 3 years apart.

LESSON LEARNED: Don’t ignore HIPAA.

If Children’s Medical Center was paying attention to HIPAA as it should have, it wouldn’t be out $3.2 million that should be used to treat children’s medical problems. Remember that you protecting your patients’ medical information is their Civil Right and part of their medical care.

2. This is a Civil Money Penalty, not a Case Resolution.

What’s the difference? A Civil Money Penalty is a fine. It could mean that the entity did not comply with the investigation; (as in this case) did not respond to an invitation to a hearing; or did not follow corrective requirements from a case resolution. Most HIPAA penalties are Case Resolutions, where the entity cooperates with the enforcement agency, and which usually results in a lower dollar penalty than a Civil Money Penalty.

LESSON LEARNED: Cooperate with the enforcers. No one likes the idea of a federal data breach investigation, but you could save a lot of money by cooperating and asking for leniency. Then you need to follow the requirements outlined in your Corrective Action Plan.

3. They knew they had security risks in 2007 and never addressed them until 2013, after a SECOND breach.

Children’s Medical Center had identified its risks and knew it needed to encrypt its data as far back as 2007, but had a breach of unencrypted data in 2010 and another in 2013.

LESSON LEARNED: Don’t be a SLOW LEARNER. HIPAA requires that you conduct a Security Risk Analysis AND mitigate your risks. Self-managed risk analyses can miss critical items that will result in a breach. Paying for a risk analysis and filing away the report without fixing the problems can turn into a $ 3.2 million violation. How would you explain that to your management, board of directors, your patients, and the media, if you knew about a risk and never did anything to address it? How will your management and board feel about you when they watch $3.2 million be spent on a fine?

4. There is no better way to protect data than by encrypting it.

HIPAA gives you some leeway by not requiring you to encrypt all of your devices, as long as the alternative methods to secure the data are as reliable as encryption. There’s no such thing.

If an unencrypted device is lost or stolen, you just proved that your alternative security measures weren’t effective. It amazes me how much protected data we find floating around client networks. Our clients swear that their protected data is all in their patient care system; that users are given server shares and always use them; that scanned images are directly uploaded into applications; and that they have such good physical security controls that they do not need to encrypt desktop computers and servers.

LESSON LEARNED: You must locate ALL of your data that needs to be protected, and encrypt it using an acceptable method with a tracking system. We use professional tools to scan networks looking for protected data.

5. Not everyone in your workforce needs access to Protected Health Information.

We also look at paper records storage and their movement. This week we warned a client that we thought too many workforce members had access to the rooms that store patient records. The Children’s Medical Center penalty says they secured their laptops but “provided access to the area to workforce not authorized to access ePHI.”

LESSON LEARNED: Is your Protected Health Information (on paper and in electronic form) protected against unauthorized physical access by your workforce members not authorized to access PHI?

You can plan your new career after your current organization gets hit with a preventable $ 3.2 million penalty, just like Children’s Medical Center. Or, you can take HIPAA seriously, and properly manage your risks.

Your choice.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

States Strengthen Data Breach Laws & Regulations

Posted on October 18, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

If your cyber security and compliance program is focused on just one regulation, like HIPAA or banking laws, many steps you are taking are probably wrong.

Since 2015 a number of states have amended their data breach laws which can affect ALL BUSINESSES, even those out of state, that store information about their residents. The changes address issues identified in breach investigations, and public displeasure with the increasing number of data breaches that can result in identity theft.

Forty-seven states, plus DC, Puerto Rico, Guam, and the US Virgin Islands, protect personally identifiable information, that includes a person’s name plus their Driver’s License number, Social Security Number, and the access information for bank and credit card accounts.

Many organizations mistakenly focus only on the data in their main business application, like an Electronic Health Record system or other database they use for patients or clients. They ignore the fact that e-mails, reports, letters, spreadsheets, scanned images, and other loose documents contain data that is also protected by laws and regulations. These documents can be anywhere – on servers, local PC’s, portable laptops, tablets, mobile phones, thumb drives, CDs and DVDs, or somewhere up in the Cloud.

Some businesses also mistakenly believe that moving data to the cloud means that they do not have to have a secure office network. This is a fallacy because your cloud can be accessed by hackers if they can compromise the local devices you use to get to the cloud. In most cases there is local data even though the main business applications are in the cloud. Local computers should have business-class operating systems, with encryption, endpoint protection software, current security patches and updates, and strong physical security. Local networks need business-class firewalls with active intrusion prevention.

States are strengthening their breach laws to make up for weaknesses in HIPAA and other federal regulations. Between a state and federal law, whichever requirement is better for the consumer is what those storing data on that state’s residents (including out of state companies) must follow.

Some states have added to the types of information protected by their data breach reporting laws. Many states give their residents the right to sue organizations for not providing adequate cyber security protection. Many states have instituted faster reporting requirements than federal laws, meaning that incident management plans that are based on federal requirements may mean you will miss a shorter state reporting deadline.

In 2014, California began requiring mandatory free identity theft prevention services even when harm cannot be proven. This year Connecticut adopted a similar standard. Tennessee eliminated the encryption safe harbor, meaning that the loss of encrypted data must be reported. Nebraska eliminated the encryption safe harbor if the encryption keys might have been compromised. Illinois is adding medical records to its list of protected information.

Massachusetts requires every business to implement a comprehensive data protection program including a written plan. Texas requires that all businesses that have medical information (not just health care providers and health plans) implement a staff training program.

REGULATIONS

Laws are not the only regulations that can affect businesses.

The New York State Department of Financial Services has proposed that “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” comply with new cyber security regulations. This includes banks, insurance companies, investment houses, charities, and even covers organizations like car dealers and mortgage companies who handle consumer financial information.

The new rule will require:

  • A risk analysis
  • An annual penetration test and quarterly vulnerability assessments
  • Implementation of a cyber event detection system
  • appointing a Chief Information Security Officer (and maintaining compliance responsibility if outsourcing the function)
  • System logging and event management
  • A comprehensive security program including policies, procedures, and evidence of compliance

Any organization connected to the Texas Department of Health & Human Services must agree to its Data Use Agreement, which requires that a suspected breach of some of its information be reported within ONE HOUR of discovery.

MEDICAL RECORDS

People often assume that their medical records are protected by HIPAA wherever they are, and are surprised to find out this is not the case. HIPAA only covers organizations that bill electronically for health care services, validate coverage, or act as health plans (which also includes companies that self-fund their health plans).

  • Doctors that only accept cash do not have to comply with HIPAA.
  • Companies like fitness centers and massage therapists collect your medical information but are not covered by HIPAA because they do not bill health plans.
  • Health information in employment records are exempt from HIPAA, like letters from doctors excusing an employee after an injury or illness.
  • Workers Compensation records are exempt from HIPAA.

Some states protect medical information with every entity that may store it. This means that every business must protect medical information it stores, and must report it if it is lost, stolen, or accessed by an unauthorized person.

  • Arkansas
  • California
  • Connecticut
  • Florida
  • Illinois (beginning January 1, 2017)
  • Massachusetts
  • Missouri
  • Montana
  • Nevada
  • New Hampshire
  • North Dakota
  • Oregon
  • Puerto Rico
  • Rhode Island
  • Texas
  • Virginia
  • Wyoming

Most organizations are not aware that they are governed by so many laws and regulations. They don’t realize that information about their employees and other workforce members are covered. Charities don’t realize the risks they have protecting donor information, or the impact on donations a breach can cause when it becomes public.

We have worked with many healthcare and financial organizations, as well as charities and general businesses, to build cyber security programs that comply with federal and state laws, industry regulations, contractual obligations, and insurance policy requirements. We have been certified in our compliance with the federal NIST Cyber Security Framework (CSF) and have helped others adopt this security framework, that is gaining rapid acceptance.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.