HIPAA HITECH Compliance Blog Archive

OCR Steps Up Investigation of Smaller HIPAA Breaches

“We’re doing more investigations of smaller breaches … I think you’re going to see more of that in terms of entities with whom we enter corrective action plans,” reiterated Deven McGraw, Esq., OCR deputy director of health information privacy, at the 88th annual American Health Information Management Association (AHIMA) conference held October 16-19 in Baltimore, MD.

Risk Assessment Critical for MACRA

An up-to-date risk assessment is a key element in your MIPS Composite Performance Score. The MACRA Act, which was passed with bipartisan support in Congress, uses the MIPS score to determine reimbursement for practices.

Quarterly Risk Assessments Might Have Saved St. Joseph's $10 Million

Leaving 31,800 patient records open and accessible on the Internet cost St. Joseph's Hospital a $7.5 million settlement of a class action suit and a $2.145 million fine from OCR. Quarterly risk assessments might have revealed the problem sooner or prevented it from happening at all.

Got PHI in the Cloud? Get HIPAA Compliant!

HHS issued new guidelines for covered entities and business associates that use cloud computing to create, maintain, store, transfer, or process PHI. In a nutshell, every entity involved in the process must be HIPAA compliant, even if the data is encrypted.

Outdated BA Agreements: $400,000 Fine

Old business associate agreements cost Care New England Health System, Providence, R.I., a $400,000 fine. Business associate agreements need to be updated to reflect current law, and you also need to get "suitable assurances" that your business associates are compliant.

Fifty Ways to Lose Your Lover or PHI

Getting chosen for a HIPAA audit by HHS is a longer shot than winning the lottery, but there are plenty of other ways to get in trouble: lose a laptop, click on the wrong email link, sign a business associate agreement, expose PHI on the Internet, toss paper records in the dumpster, etc., etc.

HIPAA Certification: Quarterly Risk Assessment

A quarterly risk assessment showing progress on compliance is your best HIPAA certification. Progress, not perfection, is what HHS and OCR seek, and a quarterly risk assessment is the best certification of progress.

OCR Steps Up Investigation of Smaller HIPAA Breaches

"Beginning this month, OCR, through the continuing hard work of its Regional Offices, (my emphasis) has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals." OCR-Announcement-8-18-16.pdf

Business Associate Exposes 650,000 Patient Records

In a breach reminiscent of the Anthem HIPAA breach, a business associate left 650,000 patient records exposed on the Internet. R-C Healthcare Management, a business associate of Bon Secours, was adjusting its network settings and left the patient records exposed from April 18 through April 21.

Cybercriminals Are After Your HIPAA Data

Almost 30% of health care data breaches in July were attributed to cybercriminals, according to Health IT SmartBrief. Many of these records were posted for sale on the dark net by The Dark Overlord.

HIPAA Audits and Penalties for Business Associates

Huge fines and audits are the signal that HIPAA compliance is entering a new era for business associates. A $650,000 fine was assessed against a business associate that lost an unencrypted, non-password-protected iPhone, and the audit letters are on their way.

Revitalize Your HIPAA Program with a Risk Assessment

HIPAA compliance can be like an old battery that just loses its spark over time. A risk assessment can help you jump-start that old, tired HIPAA battery.

Sorry Laura and ecfirst, Still No HIPAA Certification

“We are very excited about the recertification by ecfirst,” said Laura Huska, Head of IT. “HIPAA continues to be a critical certification for ISI as many of our healthcare clients rely on this standard to meet their compliance needs when using ISI’s UC Reporting application.” Sorry, Laura: there is no such thing as HIPAA certification, and thus no HIPAA recertification.

Automated Risk Assessment: Best Value

Combining sophisticated Internet tools with experienced consultants can deliver a HIPAA risk assessment based on the NIST protocol quickly and at a reasonable cost.

Webinar: "Automated HIPAA Risk Assessment"
Thu, Jun 9, 2016, 12:00 PM - 1:00 PM PDT
1. Click the link to join the webinar at the specified time and date:
https://global.gotowebinar.com/eojoin/8852590702394920194/4062226347872620034

No BA Agreement: $750,000 Fine

An orthopedic clinic failed to get a BA agreement before sharing PHI with a business associate and got a $750,000 fine. Jocelyn Samuels, director of OCR, said in the statement: "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."

Ransomware is a HIPAA Breach

A recent article in Health IT Security made the point that criminal control of PHI is a HIPAA breach, and that this is exactly what happens in a ransomware attack. Here is the full article:

http://healthitsecurity.com/news/why-healthcare-ransomware-attacks-are-hipaa-data-breaches

HIPAA Audit Questionnaire

If you were lucky enough not to receive one, here is the questionnaire that is going out to all potential audit "winners": http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html

The BA Agreement Is Not Sufficient for "Satisfactory Assurances"

Just getting your business associates to sign a BA agreement is not enough. To protect yourself, you need "satisfactory assurances," such as documented HIPAA security awareness training.

Progress Key To HIPAA Compliance

Demonstrating progress is the key to HIPAA compliance. Periodic HIPAA risk assessments that meet the NIST protocol are the proof.

25% of Providers Audited for MU Compliance in Midwest Will Fail

Figliozzi has just started desk audits in the Midwest for covered entities that received meaningful use funds. In the past, 25% of providers audited for MU compliance have failed. A frequent cause is the lack of an updated risk assessment meeting HHS standards.
