All posts by admin

How to Avoid 3 Common HIPAA Compliance Oversights


While advising covered entities (CEs) and business associates (BAs) of various sizes about HIPAA compliance issues, we’ve noticed three common bad practices.

Most CEs fail to appropriately vet and oversee their BAs. Most CEs, and most BAs, treat HIPAA compliance as a checklist activity instead of a comprehensive risk management process. And many provide no effective training or awareness communications.


As a result, I recommend organizations make three New Year’s resolutions to help bolster security and minimize the risk of a data breach:

1. Ramp Up Contractor Scrutiny

Do you know how well your vendors, business associates and contracted third parties – who I will collectively call “contractors” – are protecting the information you’ve entrusted to them so they can perform some business activity on your behalf?

Keep in mind that about 20 percent of the breaches on the HHS “wall of shame” of major health data breaches involve a BA.

Also, be aware that your organization will probably share liability for the bad actions of your contractors. Case in point: in November, the Connecticut Attorney General applied penalties to both Hartford Hospital and its business associate, EMC Corp., as a result of a breach that occurred in 2012.

In 2016, make sure your contractors:

  • Have documented policies and procedures. If they aren’t documented they don’t exist.
  • Understand that they must appropriately secure, and not share, the personal information you’ve entrusted to them.
  • Provide regular information security and privacy training to their workers, and regularly send awareness reminders.
  • Have a risk management process in place.
  • Have implemented basic security tools to protect the information you’ve entrusted to them.

2. Go Beyond a Risk Management Checklist

It’s vital to address administrative, technical and physical risks; significant breaches have occurred because one of these was neglected. A risk assessment is an important tool for identifying risks, but you cannot stop there. You need to implement a risk management program that includes ongoing activities to manage those risks, such as:

  • keeping track of mobile computing devices with access to PHI;
  • documenting who uses personally owned computing devices;
  • staying on top of new Internet of Things plans;
  • making sure big data analytics is not used in a way that brings unacceptable security and privacy risks;
  • keeping anti-malware updated and applying security patches regularly; and
  • performing audits, to name just a few.
Here’s a perfect case in point. After numerous breaches, on Nov. 30, 2015, Triple-S Management Corp. agreed to pay a $3.5 million HIPAA non-compliance fine and to implement a robust corrective action plan to establish an effective HIPAA compliance program with effective security controls. Among the HHS findings:

  • Failure to implement appropriate administrative, physical, and technical safeguards;
  • Impermissible disclosure of PHI to an outside vendor with which it did not have an appropriate business associate agreement;
  • Failure to conduct an accurate and thorough risk analysis; and
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its PHI to a reasonable and appropriate level.

If the insurer had had a comprehensive risk management program in place, including keeping systems patched and up-to-date, Triple-S probably could have prevented the breaches.

3. Educate the Workforce

Information security and privacy education is more important than ever because new gadgets and technologies enable more healthcare workers to collect and share data.
In September 2015, Cancer Care Group agreed to settle HIPAA violations by paying a $750,000 fine and adopting a “robust corrective action plan to correct deficiencies in its HIPAA compliance program.” One of the major requirements for Cancer Care Group was to review and revise its training program, because the breach was caused by an easily preventable employee action: an unencrypted laptop and backup media holding unprotected records on 55,000 patients were left in an employee’s car, from which they were stolen.

Training must happen more often than once a year, and must be delivered at, or before, the start of employment. There also need to be ongoing awareness communications and activities, as HIPAA requires.
Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a wise business decision, it’s also a requirement in most data protection laws and regulations to provide such education.


Think 2015 HIPAA breaches were bad, 2016 will be worse

Without a doubt, 2015 was the year of the healthcare mega-breach and a major turning point for the sector.

Some 56 major hacker attacks affecting a total of nearly 112 million individuals occurred in 2015, according to the Department of Health and Human Services. The largest of these cyber-attacks hit health insurer Anthem, affecting nearly 79 million individuals, making it the biggest healthcare breach ever reported to HHS.

“2015 was a blaring wake-up call to healthcare entities and their business associates that protected health information of their patients is a bulls-eye for fraudsters and other cyber-criminals as well as nation states eager to steal IDs,” writes HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee.

In the blog, McGee:

  • Reviews major healthcare breaches in 2015;
  • Analyzes the severity of healthcare breaches in 2015 compared with previous years’ incidents; and
  • Advises organizations to pay close attention to the breach pain their peers suffered in 2015.

“Watch your back, and especially your databases, networks, email systems and medical devices in 2016,” McGee says, “because clearly hackers are watching them, too, waiting for an easy way in.”

In 2016, expect to see a surge in cyber-attacks and breaches on both the national and local scale. Implementing some basic preventive measures can pay off in big ways in the near future:

  • System monitoring and patch management
  • Redundant disaster recovery plans
  • Both hardware and software network protection
  • Full disk encryption
  • Current anti-virus protection
  • Proper employee education on policies and procedures

Take the steps today to secure your patients’ information tomorrow. Give us a call at CAM to help with these measures and more: 888-959-0220.


3 Things to consider before migrating to the Cloud

Cloud computing grows more popular by the day, and it continues to show its value to the healthcare industry. Being able to access content dynamically from anywhere online is a great asset. But, of course, this doesn’t come without taking some risks with your data’s security. Thankfully, there are some ways in which you can tip the odds in your favor.

To help you successfully leverage your technology to meet the needs of your organization without compromising your data’s security, we’ve assembled three common risks that are typically associated with Cloud solutions, and how to successfully avoid them.

Number 1: Data Theft
The most obvious risk to your organization’s data, and any information that’s stored online, is data theft, and other types of hacks that could compromise or even corrupt your mission-critical information. No matter how small or large your organization is, it’s a target for hackers and threats of all kinds, especially in the online environment.

It’s important that you understand that there’s no way to ensure that your practice’s data is 100 percent protected from all types of threats found on the Internet. It’s just not feasible. As long as your organization’s data is stored in an online environment, there’s always going to be a possibility (no matter how slim) that a hacker will get their hands on your data. What you can do, however, is harden your network and Cloud security to keep that possibility as small as possible. To find out more about online data security, contact CAM and ask us about our comprehensive security solutions for the online environment.

Number 2: Compliance Violation
Many organizations in specific industries are subject to compliance laws pertaining to the storage and sharing of sensitive information. Due to the nature of cloud storage, using it to store sensitive information in an online environment can have unexpected complications. For example, if this information were to be compromised, what would you do? Depending on the situation, you will be required to inform the victims of the breach, and/or be subject to a costly fine.

Naturally, it’s your responsibility to ensure that your systems are meeting the compliance standards set by your industry. Depending on what type of operation you run, there are specific criteria that must be met for any kind of sensitive information stored online. Chances are that if your organization collects this information, you’re subject to compliance laws that are often convoluted and difficult to understand. CAM HIPAA Solutions can help make this easier.

Number 3: Immense Downtime
If your practice only stores information in the Cloud, what would happen if that information were suddenly unavailable due to downtime? Hosting your data in the Cloud means you need an Internet connection; if that connection is lost, you’ll be staring downtime in the face. This is a major roadblock that can set your organization behind schedule, break your operations budget, and overall, become quite a nuisance.

This is the reason why you want your information stored in multiple locations; you should be able to access your organization’s data and mission-critical applications from both online and offline systems. This minimizes downtime and improves mobility, which is invaluable for remote workers.


5 things to know now about coming OCR HIPAA audits

Nothing sends a shock of fear through a hospital C-suite quite like the word audit. And the second phase of HIPAA audits is slated to begin in early 2016.

Those CIOs, CISOs, CEOs, General Counsel and privacy officers unfortunate enough to receive notification of an impending HIPAA audit from the Health and Human Services Department’s Office for Civil Rights will invariably feel that pressure.

1. OCR is moving forward with its HIPAA compliance audit program. The audit contract was awarded to FCiFederal, a government operations management and professional services provider. Audits will cover hospitals, healthcare providers, health plans and business associates.

2. Compliance audits are expected to number in the hundreds, not thousands. Both healthcare organizations and business associates can expect approximately 200-300 limited-scope desk audits, creating a sample base of covered entities and business associates to check compliance with the HIPAA Privacy, Security and Breach Notification Rules.

3. OCR has been transparent on topics it will target. From the way patients access and obtain their data to breach notification policies, the OCR will cover a wide range of functions that are listed in detail on its site.

4. Prepare now in case your organization is selected. Management should speak with individual staff members to review policies, procedures and guidelines that support HIPAA and HITECH standards. Collect data beforehand and designate an area to keep materials to provide to OCR if needed.

5. Educate staff and leadership on how your organization is preparing for an OCR audit. Keep staff abreast of information relevant to the OCR audit, including prompt attention to communication from OCR. Ensure your C-suite is prepared for the new OCR compliance measurement standards, as well.

OCR will look into security, privacy and breach notification rules to analyze risk, safeguards and implementations, especially those associated with electronic health information and device encryption.

Smart healthcare executives will use the waiting period before audits begin by assessing risk, preparing staff and reviewing policies. Let us help you prepare for an upcoming audit. We offer compliance checks, policy revisions, creation and management as a service, Healthcare IT consultations and support to help get you and your organization to where it needs to be.

Originally published by Jessica Davis of Healthcare IT News


HIPAA Enforcer Losing Patience on Encryption

OCR Officials Frustrated by Breaches Involving Lost, Stolen Devices

Originally posted by Marianne Kolbasuk McGee (HealthInfoSec) • September 8, 2015

If there’s one thing federal regulators want to drill into the heads of covered entities and business associates about data breach prevention, it’s this: Stop procrastinating, and conduct a risk analysis and encrypt most of your computing devices right away.

Officials at the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, repeatedly emphasized that message at last week’s HIPAA security conference that OCR co-sponsored with the National Institute of Standards and Technology.


Anything that can “walk” away – including laptop computers, storage devices, desktop PCs as well as servers that aren’t nailed to the floor – should be encrypted, even though encryption isn’t explicitly mandated by the HIPAA Security Rule, which defines it as an “addressable” issue, OCR officials said.

“Addressable doesn’t mean optional,” even for the smallest of healthcare providers and business associates, Deven McGraw, OCR deputy director of information privacy, told the audience. “We expect you to address encrypting data at rest and in transmission – and if you don’t, you must implement an alternative option in its place,” as well as document the reasoning, she reminded attendees.

Aside from encryption, there really aren’t any other great options to secure electronic protected health information on devices that can be lost or stolen, emphasized Iliana Peters, senior adviser for compliance and enforcement at OCR. “If it can walk away, it will get lost or stolen at some point,” she said. Lost and stolen unencrypted computing devices have been involved in 57 percent of the 1,310 major breaches reported to OCR from September 2009 to Aug. 28, 2015, she said.

OCR officials are clearly annoyed that breaches involving unencrypted devices keep happening, year after year. In fact, the latest enforcement action taken by the office last week was a $750,000 settlement with a small cancer care practice that – drum roll please – had an unencrypted laptop and storage device stolen from an employee’s car in 2012 (see New HIPAA Compliance Audit Details Revealed).

The bigger problem with breaches involving lost and stolen unencrypted devices is that they are often a tip off for OCR that an organization has other more serious HIPAA compliance issues – particularly the failure to conduct a risk analysis that’s followed up by actually mitigating identified risks, McGraw said.

“The linchpin is risk assessment,” she said. During the Cancer Care Group breach investigation, OCR found that the practice hadn’t conducted a risk assessment prior to the 2012 theft incident. That’s a common issue uncovered not only in OCR breach investigations, but also in the findings of OCR’s random HIPAA audit pilot program in 2011 and 2012.

The agency will resume its HIPAA compliance audits in 2016, and documentation of a risk analysis – and of risk mitigation – is among the measures it will scrutinize at covered entities, and at business associates, which will also be part of the scrutiny this time around (see: Exclusive: OCR’s McGraw on Timing of HIPAA Audits).

Hacker Attacks

Although breaches involving unencrypted devices are a persistent problem, hacker attacks affecting many millions of individuals have been grabbing headlines in recent months.

OCR is continuing its investigations of the recent mega-breaches, including those experienced by Anthem Inc., Premera Blue Cross and UCLA Health, noted OCR Director Jocelyn Samuels.

“All of us need to be vigilant in protecting information,” Samuels said, stressing the need to ensure strong controls are in place. Key steps, she said, include: monitoring whether authorized users are adhering to an organization’s rules and policies about data access; monitoring what’s happening with large packets of information moving across firewalls; updating virus protection and patching out-of-date software.

Other Concerns

As for other kinds of breaches, OCR officials admitted that incidents involving unsecured email and text communications are likely being underreported.

However, while communication among covered entities – as well as communication with BAs – involving patient ePHI should be secured through encryption or another means, patients can insist on unsecured communication with their healthcare providers. “Patients may request unencrypted communication,” McGraw noted, as long as they’re made aware of the risks.

Other important issues that covered entities and business associates need to consider, Peters said, include:

  • Retraining staff about phishing emails in light of recent hacker attacks;
  • Having a back-up plan in case your organization becomes a victim of a ransomware attack or suffers another disaster;
  • Thoroughly assessing and managing risks if your organization permits BYOD;
  • Re-evaluating which users in your organization actually need elevated data access privileges. “The more people who have elevated privileges, the more risk,” Peters noted.

While OCR officials say it’s only a matter of time before your organization discovers that it’s had some sort of breach, it’s clear that when the HIPAA enforcers investigate the incident, they’ll want you to explain the security measures you had in place to minimize risks.


Imagine Your Life if you Fail a HIPAA Audit

Imagine your life if your organization fails a federal HIPAA audit. Last week those of us attending the HIPAA Security conference in Washington heard clear warnings from the leaders of the Office for Civil Rights (OCR) that should make everyone who has to comply with HIPAA take notice.

Audits Coming Very Soon

  1. While audits have been discussed for a long time, they are imminent and 1,200 letters will be going out shortly. 1,200 out of the entire health care industry means the odds of you getting a letter are low. But if you do, the impact can be very high.
  2. If you receive a letter you will have only 10 – 14 days to provide the requested documentation. That isn’t enough time to overcome years of HIPAA neglect.
  3. A contractor has been hired to conduct the audits, and the OCR has been actively hiring attorneys. They aren’t there to help you.
  4. The audits will likely focus on areas that were identified as common weaknesses in the 2012 test audits – no security risk analysis, not addressing risks, unencrypted data, and lack of effective policies and procedures.
  5. Small practices will be targeted. In 2012, many smaller practices were found to be lacking in their compliance efforts. The new audits are likely to be skewed towards small medical practices, not large health systems.
  6. Are you confident your Business Associates won’t cause you to fail the audit? When a Covered Entity gets audited the OCR will now examine their Business Associates. In our experience Business Associates are often clueless about their HIPAA responsibilities, beyond signing Business Associate Agreements. Have your Business Associates complied based on the 2013 HIPAA changes?
  7. Patients’ rights to their records, especially the new requirements for electronic records, are not being followed by many HIPAA Covered Entities. This is a Hot Button with the OCR, which is charged with protecting the rights of patients.
  8. Haven’t had a HIPAA incident? Most likely you have, and either don’t recognize them or aren’t giving them serious consideration. Data breach notification requirements have changed since 2009, and OCR wants to know if you have a clear policy and practice in place for notifications.

Encryption

Encryption was probably mentioned more than 50 times. No kidding.

At the conference, Jocelyn Samuels, the Director of the OCR, announced a $750,000 settlement with a small cancer practice that had a bag containing an unencrypted laptop and unencrypted backup media stolen from an employee’s car.

Deven McGraw, the new Deputy Director of the OCR for Patient Privacy, said, “The bigger problem with breaches involving lost and stolen unencrypted devices is that they are often a tip off for OCR that an organization has other more serious HIPAA compliance issues – particularly the failure to conduct a risk analysis that’s followed up by actually mitigating identified risks.” This is more than a subtle hint.

Other speakers stressed that encryption not only protects patient data, but it protects the Covered Entity against having to report a lost or stolen device. Encryption is much less expensive than HIPAA penalties. Check out this article HIPAA Enforcer Losing Patience on Encryption for more details.
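The encryption guidance in this section and in HIPAA Enforcer Losing Patience on Encryption (“if it can walk away, it will get lost or stolen”) boils down to one verifiable question per device: is every volume that holds ePHI actually sitting on an encrypted layer? As an added example, not code from either article or from Semel Consulting, the following POSIX shell script answers that for a Linux host by parsing `lsblk --pairs` output and walking each mounted filesystem’s device stack (partition, LUKS/dm-crypt, LVM) to find mounts with no crypt layer underneath. The `lsblk` column set and the sample inventory are assumptions for illustration; Windows and macOS fleets (BitLocker, FileVault) need equivalent checks with their own tooling.

```shell
#!/bin/sh
# Added example, not code from the original articles: list mounted block devices
# whose device chain has no dm-crypt/LUKS layer, i.e. data at rest that is NOT
# protected by full-disk encryption. Assumes a Linux host with util-linux `lsblk`
# (the PKNAME column needs util-linux >= 2.22). Input format is the output of
# `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`.

# Read lsblk --pairs output on stdin and print "<mountpoint> on /dev/<name>" for
# every mounted device (including [SWAP]) that is not stacked on a TYPE="crypt"
# device anywhere below it.
unencrypted_mounts() {
  awk '
    # Value of KEY="..." on this line; anchored so NAME does not match PKNAME.
    function field(line, key,    m) {
      if (!match(line, "(^| )" key "=\"[^\"]*\"")) return ""
      m = substr(line, RSTART, RLENGTH)
      sub(/^.*="/, "", m); sub(/"$/, "", m)
      return m
    }
    {
      name = field($0, "NAME"); type = field($0, "TYPE")
      mnt = field($0, "MOUNTPOINT"); pk = field($0, "PKNAME")
      if (name == "") next
      dtype[name] = type
      # lsblk repeats a device once per parent (e.g. LVM spanning two PVs);
      # keeping the last parent seen is enough for a single encrypted stack.
      if (pk != "") parent[name] = pk
      if (mnt != "") mountof[name] = mnt
    }
    END {
      for (n in mountof) {
        enc = 0
        # Walk up the stack: lvm -> crypt -> part -> disk. Any crypt layer counts.
        for (c = n; c != ""; c = parent[c])
          if (dtype[c] == "crypt") { enc = 1; break }
        if (!enc) print mountof[n] " on /dev/" n
      }
    }' | sort
}

# Live check on this host.
audit_host() {
  lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | unencrypted_mounts
}

# Constructed sample inventory (not captured from a real system): LUKS-backed
# LVM root and swap, a plain /boot, and an unencrypted second disk holding PHI.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-1234" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-1234"
NAME="vg0-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="luks-1234"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/data/phi" PKNAME="sdb"'

# Demo on the constructed sample; call audit_host for the real thing.
printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_mounts
```

On the sample this reports `/boot on /dev/sda1` and `/data/phi on /dev/sdb1` and stays silent about `/` and swap, because both sit on the `luks-1234` layer. Run `audit_host` on each endpoint from a configuration-management or MDM job, treat anything other than `/boot` as a finding, and watch for `[SWAP]` in particular: unencrypted swap receives page-outs of whatever PHI was in memory. The output is evidence to file alongside the risk analysis OCR asks about, not a substitute for it.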

So What Can You Do? PREPARE NOW.

  1. Quickly obtain a thorough and accurate Security Risk Analysis, not a ‘checklist overview’ that will miss critical issues.

Should you do your own? The US Dept. of Health & Human Services says, “…doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

This is coming from the agency that does compliance reviews and has failed many practices that have done their own risk analyses. As the famed oil well firefighter Red Adair said, “If you think it’s expensive to hire a professional to do the job, wait until you hire an amateur.”

  2. Fix the problems identified in the Security Risk Analysis. HIPAA requires Risk Management for both security and compliance. Years of neglect may be expensive to correct. Encryption is an obvious starting point.
  3. Have an expert review your Notice of Privacy Practices and your Business Associate Agreements to make sure they are current and properly implemented, along with your Data Breach Notification policies and procedures.
  4. Contact Semel Consulting. We’ll do a risk analysis, help you fix your risks, implement effective policies and procedures, and help you with any HIPAA questions or incidents. We have helped many organizations including small medical practices, large clinics, surgery centers, hospitals, nursing home chains, home health care, health plans, and many Business Associates.
  5. Be on the lookout for the audit letter. It won’t be good if someone who opens your mail misses the letter and you miss the deadline, especially when you have made the effort to comply.


Now imagine your life when you pass a federal HIPAA audit.
