HIPAA HITECH Compliance Blog Archive

Reasonable and Appropriate HIPAA Compliance

You only need to be HIPAA compliant in a manner that is reasonable and appropriate to your organization. For a small organization this could mean that over 1/3 of the rules may not apply to you, but the question is: which ones?

HIPAA’s Three Legged Stool

If you want the quickest test of whether your organization is HIPAA compliant, check for the three legs of the stool: a risk assessment, updated policies and procedures, and staff training on those updated policies and procedures.

Do The HIPAA Risk Assessment: Document the Mitigation

Documentation is critical for the HIPAA risk assessment and its mitigation. Roswell Park Cancer Institute did the risk assessment and developed a plan to mitigate the high-risk items, but then could not show the auditor documentation that the mitigation had been carried out.

Initial HIPAA Compliance in as few as 48 Hours with HIPAAssure®

 Initial HIPAA Compliance in as few as 48 Hours with HIPAAssure®, including a risk assessment, editing policies and procedures, and training and awareness.

Am I HIPAA Compliant?

How do I know whether I am HIPAA compliant when the rules are so confusing? One approach would be to read the Omnibus Rule: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf, but if you are like me, after about twenty pages you surrender. An easier concept is the three-legged stool: Risk Assessment, Policies and Procedures, and Training and Awareness.

Falsely Attest to Meaningful Use: Go To Jail

Falsely attesting to meaningful use earned Joe White, former CFO of a Texas hospital group, a 23-month sentence in federal prison plus restitution of $4.5 million. This should strike fear in the hearts of the many who signed similar attestations without satisfying the meaningful use requirements, particularly Core Measure 15.

22% Increase in Medical Identity Theft

Over 2 million patients had their medical identity stolen in 2014, a 22% increase over the previous year, according to the Medical Identity Fraud Alliance (MIFA).

Only 8% Have High Confidence Their Business Associates Are HIPAA Compliant

Only 8% of surveyed healthcare executives said they were highly confident that their business associates were HIPAA compliant, according to the 2015 Healthcare Information Security Today Survey. 68% were either neutral or not confident.

Healthcare Breaches Cost $363 Per Record

The study found that healthcare was the sector most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the $154 average across all sectors.

That reflects the relatively high value of a person's medical records on the underground market, said IBM: Social Security information is far more useful for identity theft than names, addresses, or credit card numbers alone.

HIPAA Audit Lottery

Congratulations, you have just been entered, without your permission, in the HHS OCR HIPAA audit lottery! The first stage is being one of the 500 covered entities or 200 business associates who receive an OCR screening survey in the mail. From this pool an undisclosed number will be chosen for an unannounced HIPAA audit.

Catch-22 of HIPAA Cyberinsurance

A large cyberinsurance company is claiming that it does not have to pay a claim arising from a HIPAA breach because the covered entity failed to meet "minimum required practices". Cottage Hospital in Santa Barbara had a HIPAA breach of 32,500 patient records (PHI) in 2013 and filed a claim for $4.1 million, which CNA is contesting.

Small Pharmacy gets $125,000 HIPAA Fine for Willful Neglect

No HIPAA risk assessment, no written HIPAA policies and procedures, and no HIPAA training equals "willful neglect", and it earned a $125,000 HIPAA fine for a Colorado compounding pharmacy.

HIPAA Breach at CareFirst BlueCross BlueShield

In another example of hackers targeting PHI, Baltimore-based CareFirst BlueCross BlueShield disclosed on May 20 that an "unauthorized intrusion" into a database, dating back to June 2014, resulted in a breach affecting 1.1 million individuals.

The Human Factor Most Important in Protecting PHI

“Protecting patient data (PHI) comes down to one key factor – the human factor. As attackers continue to find new ways to exploit healthcare organizations, compromising patient data and patient trust, one common denominator remains – the human factor.”

Information Security versus HIPAA Compliance

CISO: Compliance Is the Wrong InfoSec Focus. Even if your information security program were bulletproof (an unlikely scenario), a HIPAA risk assessment based on the NIST protocol would probably show that you were still not HIPAA compliant.

Disaster Recovery Plan Creates HIPAA Breach

An administrator for the Indiana State Medical Association was transporting unencrypted data on a laptop and two hard drives to an off-site location as part of its disaster recovery program when the car was burglarized. The net result: 38,000 patient records stolen and a major HIPAA breach.

Crooks Are After Your PHI

The recent Ponemon Institute study showed a 125% increase in criminal attacks on healthcare data. Criminal attacks now outrank stolen laptops as the leading cause of breach.

NIST Guidelines Are the Industry Standard for HIPAA Risk Assessment

“Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI.” Guidance on Risk Analysis Requirements under the HIPAA Security Rule, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Dentist Fined $12,000 for HIPAA Breach Caused by a Business Associate

The Indiana Attorney General filed a complaint against Dr. Beck for violating the Indiana Disclosure of Security Breach Act and HIPAA. Dr. Beck had hired an outside vendor (a business associate) to dispose of paper records, but the records were discovered in a dumpster. In a consent decree he agreed to a $12,000 fine.

HIPAA Data Breach Could Cause 65% of Your Patients to Switch Providers

A recent TransUnion Healthcare survey showed that 65% of patients would consider changing providers if their provider had a HIPAA data breach. Among younger patients (18-35), 73% would consider leaving.