HIPAA HITECH Compliance Blog Archive
Medical Identity Theft is an iatrogenic condition that could be caused by your physician's office. If the office is not HIPAA compliant your medical record could be stolen and used for medical identity theft. This could cause severe symptoms such as fiscal stress and anxiety.
“Based on the results of the study, human error continues to be the biggest source of healthcare data breaches, as 75 percent of organizations view employee negligence as the greatest breach threat.” The Ponemon Institute’s fourth annual Patient Privacy & Data Study
HHS has repeatedly emphasized that HIPAA compliance is a process, not an event, but what is the basic process? We call this the Cycle of Compliance, and the basic elements are an initial risk assessment, risk remediation, training and awareness, and then another risk assessment to measure your progress.
Medical Identity Theft up 21.7% (http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft). This makes even small clinics and practices targets if they are not HIPAA compliant.
A lawsuit can be won against a company that does not maintain HIPAA compliance. In a recent case: “Reviewing a $1.44 million jury verdict, an Indiana appellate court affirmed that the plaintiff had raised a viable claim of negligence based on using HIPAA as the standard of care.”
If you store, access, transfer or create PHI, you are a target. “Hackers target health care as industry goes digital” (PC World), “Anthem hack: 'Healthcare is a target'” (Healthcare IT News), “Why Hackers are Targeting The Medical Sector” (Washington Post).
Anthem was hacked, with exposure to 80 million patient files, which qualifies as a HIPAA breach, but what does that mean to a small physician practice? The hack has been attributed to a program called "Deep Panda" and the Chinese Army, which is unlikely to target a small physician practice, but could trigger copycat attacks.
Many small companies avoid a HIPAA risk assessment because they think it is too difficult, too expensive and will reveal their non-compliance. The key is to use an on-line system that allows you to measure, remediate, and measure again so that you can show progress not perfection.
HIPAA Compliance is the industry standard. Your patient medical data or EPHI is worth around $100 per record on the black market. Now, according to this New York Times article, "Need Some Espionage Done? Hackers Are for Hire Online", criminals don't need hacker skills; they can simply hire someone to hack your database.
A medical record is worth 10-20 times a credit card record on the black market. The information is quickly sold to an organization that will use it to get drugs and medical services.
If you still have "grandfathered" HIPAA business associate agreements (BAA) in place they may expire on September 22, 2014. BAAs that were in effect prior to January 25, 2013 were given until September 22, 2014 at the latest to be updated. If this has not been done you will be out of HIPAA compliance at that time.
If you don't document your HIPAA compliance activities, you can't prove HIPAA compliance. Documentation of your HIPAA compliance activities is what builds the legal firewall around your company.
Unless you have a HIPAA expert on your staff you probably need a HIPAA Helper to answer your questions and make sure that you are HIPAA compliant. The big question is how do you get a HIPAA Helper and how much do you pay?
Are Health Insurance Producers Your Greatest HIPAA Liability? If you are a health insurance carrier, agent, broker, or managing general agent and don’t demand proof of HIPAA compliance from your producers you are taking a huge financial risk.
The Health Insurance Industry is Leaking HIPAA Data: A cursory examination of the Wall of Shame, which records HIPAA data breaches of more than 500 records, reveals that insurance companies are leaking data; in fact, by my calculations, they have leaked over 3.5 million patient records.
A HIPAA checklist such as the one we offer for free on our website at www.compliancehelper.com is a useful tool for getting a snapshot view of your HIPAA compliance but it does not assure your on-going compliance like our Compliance Meter ®. The Compliance Meter ® is your assurance that your organization is HIPAA compliant on an on-going basis and that you can prove it. Thus our new product name HIPAAssure™, for which we have applied for a registered trademark, is symbolic of our commitment to on-going compliance.
One big item in the news today is increased HIPAA audits and fines coming from HHS, and the other discusses monitoring of HIPAA business associates. Which should you fear the most? This is an example of Hobson's Choice or Morton's Fork, where neither choice is good, but the monitoring can cause an immediate loss of revenue versus a possible fine somewhere in the future in the case of an audit from HHS.
Big HIPAA breaches are primarily electronic (EPHI), but 61% of small HIPAA breaches (<500) are paper records. Mass General paid a $1 million fine for the loss of 192 paper patient records. An employee left the paper records on the subway and they were never found.
Insurance producers as well as their agents are being asked to provide proof of HIPAA compliance by the insurance carriers. They are asking for copies of policies and procedures as well as risk assessments.