HIPAA HITECH Compliance Blog Archive

Initial HIPAA Compliance in as few as 48 Hours with HIPAAssure®

 Initial HIPAA Compliance in as few as 48 Hours with HIPAAssure®, including a risk assessment, editing policies and procedures, and training and awareness.

Continue reading…

Am I HIPAA Compliant?

How do I know whether I am HIPAA compliant when the rules are so confusing? One approach would be to read the Omnibus Rule: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf but if you are like me, after about twenty pages I surrender. An easier concept is the three-legged stool: Risk Assessment, Policies and Procedures, and Training and Awareness.

Continue reading…

Falsely Attest to Meaningful Use: Go To Jail

Falsely attesting to meaningful use earned Joe White, former CFO of a Texas hospital group, a 23-month sentence in federal prison plus restitution of $4.5 million. This should strike fear in the hearts of many who signed similar attestations without satisfying the meaningful use requirements, particularly Core Measure 15.

Continue reading…

22% Increase in Medical Identity Theft

Over 2 million patients had their medical identity stolen in 2014, a 22% increase over the previous year, according to the Medical Identity Fraud Alliance (MIFA).

Continue reading…

Only 8% have High Confidence their Business Associates are HIPAA compliant

Only 8% of surveyed healthcare executives said they were highly confident that their business associates were HIPAA compliant, according to the 2015 Healthcare Information Security Today Survey. 68% were either neutral or not confident.

Continue reading…

Healthcare Breaches Cost $363 Per Record

The study found that the healthcare sector was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the $154 average across all sectors.

That reflects the relatively high value of a person's medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.

Continue reading…

HIPAA Audit Lottery

Congratulations, you have just been entered, without your permission, in the HHS OCR HIPAA audit lottery! The first stage is being one of the 500 covered entities or 200 business associates who receive an OCR screening survey in the mail. From this pool an undisclosed number will be chosen for an unannounced HIPAA audit.

Continue reading…

Catch 22 of HIPAA Cyberinsurance

A large cyberinsurance company is claiming that it does not have to pay a claim arising from a HIPAA breach because the covered entity failed to meet "minimum required practices." Cottage Hospital in Santa Barbara had a HIPAA breach of 32,500 patient records (PHI) in 2013 and filed a claim for $4.1 million, which CNA is contesting.

Continue reading…

Small Pharmacy gets $125,000 HIPAA Fine for Willful Neglect

 No HIPAA risk assessment, no HIPAA written policies and procedures, and no HIPAA training equals “willful neglect” and earned a $125,000 HIPAA fine for a Colorado compounding pharmacy.

Continue reading…

HIPAA Breach at CareFirst BlueCross BlueShield

In another example of hackers targeting PHI, Baltimore-based CareFirst BlueCross BlueShield disclosed on May 20 that an "unauthorized intrusion" into a database, dating back to June 2014, resulted in a breach affecting 1.1 million individuals.

Continue reading…

The Human Factor Most Important in Protecting PHI

“Protecting patient data (PHI) comes down to one key factor – the human factor. As attackers continue to find new ways to exploit healthcare organizations, compromising patient data and patient trust, one common denominator remains – the human factor.”

Continue reading…

Information Security versus HIPAA Compliance

CISO: Compliance Is the Wrong InfoSec Focus. Even if your information security program were bulletproof (an unlikely scenario), a HIPAA risk assessment based on the NIST protocol would probably show that you were not HIPAA compliant.

Continue reading…

Disaster Recovery Plan Creates HIPAA Breach

An administrator for the Indiana State Medical Association who was transporting unencrypted data on a laptop and two hard drives to an off-site location as part of their disaster recovery program had their car burglarized. The net result is 38,000 patient records stolen and a major HIPAA breach. Had the drives been encrypted, the theft would not have exposed unsecured PHI; backup media leaving the building should be encrypted as a matter of course.

Continue reading…

Crooks are after your PHI

The recent Ponemon Institute study showed a 125% increase in criminal attacks on healthcare data. These now outrank stolen laptops as the leading cause of breaches.

Continue reading…

NIST guidelines are the Industry Standard for HIPAA Risk Assessment

“Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI.” Guidance on Risk Analysis Requirements under the HIPAA Security Rule, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Continue reading…

Dentist Fined $12,000 for HIPAA Breach caused by a business associate

The Indiana Attorney General filed a complaint against Dr. Beck for violation of the Indiana Disclosure of Security Breach Act and HIPAA. Dr. Beck had hired an outside vendor (a business associate) to dispose of paper records, but the records were discovered in a dumpster. In a consent decree he agreed to a $12,000 fine.

Continue reading…

HIPAA Data Breach Could Cause 65% of your patients to switch providers

A recent TransUnion Healthcare survey showed that 65% of patients would consider changing providers if their provider had a HIPAA data breach. Among younger patients (18-35), 73% would consider leaving.

Continue reading…

Iatrogenic (Caused by a Physician) Medical Identity Theft

Medical identity theft is an iatrogenic condition that can be caused by your physician's office. If the office is not HIPAA compliant, your medical record could be stolen and used for medical identity theft. This can cause severe symptoms such as fiscal stress and anxiety.

Continue reading…

HIPAA Training: "We have met the enemy and he is us"

“Based on the results of the study, human error continues to be the biggest source of healthcare data breaches, as 75 percent of organizations view employee negligence as the greatest breach threat.” The Ponemon Institute’s fourth annual Patient Privacy & Data Security Study

Continue reading…

Cycle of HIPAA Compliance

HHS has repeatedly emphasized that HIPAA compliance is a process, not an event, but what is the basic process? We call this the Cycle of Compliance, and its basic elements are an initial risk assessment, risk remediation, training and awareness, and then another risk assessment to measure your progress.

Continue reading…