HIPAA Blog Posts: HIPAA Covered Entity
Medical Identity Theft up 21.7% (http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft). This makes even small clinics and practices targets if they are not HIPAA compliant.
A medical record is worth 10-20 times a credit card record on the black market. The information is quickly sold to an organization that will use it to get drugs and medical services.
Are Health Insurance Producers Your Greatest HIPAA Liability? If you are a health insurance carrier, agent, broker, or managing general agent and don’t demand proof of HIPAA compliance from your producers you are taking a huge financial risk.
In a recent ruling the FTC maintained its right to enforce its rules on covered entities in addition to the HIPAA rules, adding to the responsibility of covered entities to protect PHI. LabMD’s Motion to Dismiss Complaint with Prejudice and to Stay Administrative Proceedings was denied and LabMD announced that they were closing down.
"Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet." OS OCR PrivacyList, OCR (HHS/OS)
Fallout from failing to conduct a HIPAA risk analysis, Epstein Becker Green, Alaap B. Shah
"There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis. First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems. These on-going efforts can help ensure adequate protection of patients’ health information."
Covered entities need "satisfactory assurances" that their business associates are HIPAA HITECH compliant, and business associates need to be able to provide proof of on-going compliance. BA Tracker helps both.
Hundreds of thousands of small clinics and practices are ticking time bombs for a HIPAA HITECH data breach, and it could be their business associates that cause the explosion. Let's take a look at Phoenix Cardiac Group again and see how their business associates cost them $100,000.
It is estimated that the majority of practices and small clinics that submitted MU attestations have falsely attested to core measure 15 of meaningful use. It states the organization must: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” (FR Vol. 75, No. 144 / 7/28/2010, p 44568).
Item 15 of Meaningful Use requirements is for a HIPAA risk assessment and remediation of the risk discovered. New estimates that 90% of covered entities that attested they qualify may have attested falsely threaten over $700 million in stimulus funds. If they are found to have attested falsely they will be required to return the funds and may be subject to a fine.