Compliance News - page 7

Fifty Ways to Lose Your Lover or PHI

Getting chosen for a HIPAA audit by HHS is a longer shot than winning the lottery, but there are other ways: lose a laptop, click on the wrong email link, sign a business associate agreement, expose PHI on the internet, toss paper records in the dumpster, etc., etc.


Posted September 26, 2016 by Jack Anderson

HIPAA Certification: Quarterly Risk Assessment

A quarterly risk assessment showing progress on compliance is your best HIPAA certification. Progress, not perfection, is what HHS and OCR seek, and a quarterly risk assessment is the best certification of progress.


Posted September 19, 2016 by Jack Anderson

OCR Steps Up Investigation of Smaller HIPAA Breaches

Beginning this month, OCR, _through the continuing hard work of its Regional Offices_ (my emphasis), has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. OCR-Announcement-8-18-16.pdf


Posted August 22, 2016 by Jack Anderson

Business Associate Exposes 650,000 Patient Records

In a breach reminiscent of the Anthem HIPAA breach, a business associate left 650,000 patient records exposed on the Internet. R-C Healthcare Management, a business associate of Bon Secours, was adjusting its network settings and left the patient records exposed from April 18 through April 21.


Posted August 15, 2016 by Jack Anderson

Cybercriminals are after your HIPAA data

Almost 30% of health care data breaches in July were attributed to cybercriminals, according to Health IT Smart Brief. Many of these records were posted on the dark net for sale by The Dark Overlord.


Posted August 10, 2016 by Jack Anderson

HIPAA Audits and Penalties for Business Associates

Huge fines and audits are the signal that HIPAA compliance is entering a new era for business associates. A $650,000 fine was assessed for a business associate that lost an unencrypted and non-password-protected iPhone, and the audit letters are on their way.


Posted July 18, 2016 by Jack Anderson

Prevent Ransomware: Security Awareness Training

Hackers are taking advantage of the most vulnerable point of entry into your computer network: your staff. Security awareness training is the most important factor in preventing ransomware.


Posted June 22, 2016 by Jack Anderson

Revitalize Your HIPAA Program with a Risk Assessment

HIPAA compliance can be like an old battery that just loses its spark over time. A risk assessment can help you jump-start that old, tired HIPAA battery.


Posted June 13, 2016 by Jack Anderson

Sorry Laura and ecfirst, Still No HIPAA Certification

"We are very excited about the recertification by ecfirst," said Laura Huska, Head of IT. "HIPAA continues to be a critical certification for ISI as many of our healthcare clients rely on this standard to meet their compliance needs when using ISI's UC Reporting application." Sorry Laura, there is no such thing as HIPAA certification, thus no HIPAA recertification.


Posted June 7, 2016 by Jack Anderson

BA Security is Worse Than You Think!

I changed the headline of this blog to reflect my personal observations in talking with hundreds of business associates (BAs). BA security is bad because most BAs don't know the requirements, let alone how to meet them. CE security is bad because a lot of CEs are blasé about HIPAA or rely on outdated views of the requirements. _BA Security Is Probably a Lot Worse Than You Think: Tally of Health Data Breaches Apparently Undercounts Incidents Involving BAs_, Marianne Kolbasuk McGee (HealthInfoSec), May 13, 2016


Posted May 27, 2016 by Jack Anderson