HIPAA HITECH Compliance Blog Archive
You only need to be HIPAA compliant in a manner that is reasonable and appropriate to your organization. For a small organization this could mean that over 1/3 of the rules may not apply to you, but the question is, which ones?
If you want the quickest test of whether your organization is HIPAA compliant, check for the three legs of the stool: a risk assessment, updated policies and procedures, and staff training on the updated policies and procedures.
Documentation Critical for HIPAA Risk Assessment and Mitigation. Roswell Park Cancer Institute did the risk assessment and developed a plan for mitigating the high-risk items, but then couldn't show the auditor documentation that the mitigation had been carried out.
Initial HIPAA Compliance in as few as 48 Hours with HIPAAssure®, including a risk assessment, editing policies and procedures, and training and awareness.
How do I know whether I am HIPAA compliant when the rules are so confusing? One approach would be to read the Omnibus Rule: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf, but if you are like me, after about twenty pages I surrender. An easier concept is the three-legged stool: Risk Assessment, Policies and Procedures, and Training and Awareness.
Falsely attesting to meaningful use earned Joe White, former CFO of a Texas hospital group, a 23-month sentence in federal prison plus restitution of $4.5 million. This should strike fear in the hearts of many who signed similar attestations without satisfying the meaningful use requirements, particularly Core Measure 15.
Over 2 million patients had their medical identity stolen in 2014, a 22% increase over the previous year, according to the Medical Identity Fraud Alliance (MIFA).
Only 8% of surveyed healthcare executives said they were Highly Confident that their business associates were HIPAA compliant in the 2015 Healthcare Information Security Today Survey; 68% were either neutral or not confident.
The study found that healthcare was the sector most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the all-sector average of $154.
Congratulations, you have just been entered, without your permission, in the HHS OCR HIPAA audit lottery! The first stage is being one of the 500 covered entities or 200 business associates that receive an OCR screening survey in the mail. From this pool an undisclosed number will be chosen for an unannounced HIPAA audit.
A large cyberinsurance company is claiming that it doesn't have to pay a claim arising from a HIPAA breach because the covered entity failed to meet "minimum required practices". Cottage Hospital in Santa Barbara had a HIPAA breach of 32,500 patient records (PHI) in 2013 and filed a claim for $4.1 million, which CNA is contesting.
No HIPAA risk assessment, no HIPAA written policies and procedures, and no HIPAA training equals “willful neglect” and earned a $125,000 HIPAA fine for a Colorado compounding pharmacy.
In another example of hackers targeting PHI, Baltimore-based CareFirst BlueCross BlueShield disclosed on May 20 that an "unauthorized intrusion" into a database dating back to June 2014 resulted in a breach affecting 1.1 million individuals.
“Protecting patient data (PHI) comes down to one key factor – the human factor. As attackers continue to find new ways to exploit healthcare organizations, compromising patient data and patient trust, one common denominator remains – the human factor.”
CISO: Compliance Is the Wrong InfoSec Focus. Even if your information security program were bulletproof (an unlikely scenario), a HIPAA risk assessment based on the NIST protocol would probably show that you were not HIPAA compliant.
An administrator for the Indiana State Medical Association who was transporting unencrypted data on a laptop and two hard drives to an off-site location as part of its disaster recovery program had their car burglarized. The net result: 38,000 patient records stolen and a major HIPAA breach.
The recent Ponemon Institute study showed a 125% increase in criminal attacks on healthcare data. Criminal attacks now outrank stolen laptops as the leading cause of breach.
“Although only federal agencies are required to follow guidelines set by NIST, the guidelines
The Indiana Attorney General filed a complaint against Dr. Beck for violation of the Indiana Disclosure of Security Breach Act and HIPAA. Dr. Beck had hired an outside vendor (a business associate) to dispose of paper records, but the records were discovered in a dumpster. In a consent decree he agreed to a $12,000 fine.
A recent TransUnion Healthcare survey showed that 65% of patients would consider changing providers if their provider had a HIPAA data breach; 73% of younger patients (18-35) would consider leaving.