All Posts in Category: Health Basics

Is Your HIPAA Compliance Program Ready for the FTC?

Everyone in healthcare knows that the next round of HIPAA audits is coming. Covered entities and business associates have long been advised to review and update their HIPAA compliance program, security risk analyses, have business associate agreements close at hand, and review and update HIPAA policies and procedures. At a recent conference, representatives from the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) provided more insight into the status of the HIPAA audits. In addition, that conference reinforced the need for covered entities, business associates, and all others in the healthcare industry to be prepared for increasing enforcement activity by the Federal Trade Commission (“FTC”).

OCR HIPAA Privacy, Security Platform Launched for Developers

The US Department of Health and Human Services Office for Civil Rights (OCR) recently launched a portal designed for health application developers, so that they can learn more about HIPAA Privacy and Security issues.

As more organizations are creating and integrating mHealth options, it is essential that all parties understand how HIPAA applies. Anyone can browse the site, according to OCR, and after users register they can submit questions, offer comments on other submissions or vote on the relevancy of the topic. However, user identities and email addresses are anonymous to OCR, the website explained.

“OCR launched this platform for mobile health developers and others interested in the intersection of health information technology and HIPAA privacy and security protections,” stated the website. “We will be moderating submissions for appropriateness but we cannot vouch for the accuracy of their representations. We cannot respond individually to questions, although we will try to post links to existing relevant resources when we can.”

HIPAA Enforcer Losing Patience on Encryption

OCR Officials Frustrated by Breaches Involving Lost, Stolen Devices

Originally posted by Marianne Kolbasuk McGee (HealthInfoSec) • September 8, 2015

If there’s one thing federal regulators want to drill into the heads of covered entities and business associates about data breach prevention, it’s this: Stop procrastinating, and conduct a risk analysis and encrypt most of your computing devices right away.

Officials at the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, repeatedly emphasized that message at last week’s HIPAA security conference that OCR co-sponsored with the National Institute of Standards and Technology.

Anything that can “walk” away – including laptop computers, storage devices, desktop PCs as well as servers that aren’t nailed to the floor – should be encrypted, even though encryption isn’t explicitly mandated by the HIPAA Security Rule, which defines it as an “addressable” issue, OCR officials said.

“Addressable doesn’t mean optional,” even for the smallest of healthcare providers and business associates, Deven McGraw, OCR deputy director of information privacy, told the audience. “We expect you to address encrypting data at rest and in transmission – and if you don’t, you must implement an alternative option in its place,” as well as document the reasoning, she reminded attendees.

Aside from encryption, there really aren’t any other great options to secure electronic protected health information on devices that can be lost or stolen, emphasized Iliana Peters, senior adviser for compliance and enforcement at OCR. “If it can walk away, it will get lost or stolen at some point,” she said. Lost and stolen unencrypted computing devices have been involved in 57 percent of the 1,310 major breaches reported to OCR from September 2009 to Aug. 28, 2015, she said.

OCR officials are clearly annoyed that breaches involving unencrypted devices keep happening, year after year. In fact, the latest enforcement action taken by the office last week was a $750,000 settlement with a small cancer care practice that – drum roll please – had an unencrypted laptop and storage device stolen from an employee’s car in 2012 (see New HIPAA Compliance Audit Details Revealed).

The bigger problem with breaches involving lost and stolen unencrypted devices is that they are often a tip-off for OCR that an organization has other, more serious HIPAA compliance issues – particularly the failure to conduct a risk analysis that is followed up by actually mitigating the identified risks, McGraw said.

“The linchpin is risk assessment,” she said. During the Cancer Care Corp. breach investigation, OCR found that the practice hadn’t conducted a risk assessment prior to the 2012 theft incident. That’s a common issue not only uncovered in OCR breach investigations, but also in the findings of OCR’s random HIPAA audit pilot program in 2011 and 2012.

The agency will resume its HIPAA compliance audits in 2016, and documentation of a risk analysis – and of risk mitigation – is among the measures it will be scrutinizing at covered entities, and at business associates, which will also be part of the scrutiny this time around (see: Exclusive: OCR’s McGraw on Timing of HIPAA Audits).

Hacker Attacks

Although breaches involving unencrypted devices are a persistent problem, hacker attacks affecting many millions of individuals have been grabbing headlines in recent months.

OCR is continuing its investigations of the recent mega-breaches, including those experienced by Anthem Inc., Premera Blue Cross and UCLA Health, noted OCR Director Jocelyn Samuels.

“All of us need to be vigilant in protecting information,” Samuels said, stressing the need to ensure strong controls are in place. Key steps, she said, include: monitoring whether authorized users are adhering to an organization’s rules and policies about data access; monitoring what’s happening with large packets of information moving across firewalls; updating virus protection and patching out-of-date software.

Other Concerns

As for other kinds of breaches, OCR officials admitted that incidents involving unsecured email and text communications are likely being underreported.

However, while communication among covered entities – as well as communication with BAs – involving patient ePHI should be secured through encryption or another means, patients can insist on having unsecured communication with their healthcare providers. “Patients may request unencrypted communication,” McGraw noted, as long as they’re made aware of the risks.

Other important issues that covered entities and business associates need to consider, Peters said, include:

  • Retraining staff about phishing emails in light of recent hacker attacks;
  • Having a back-up plan in case your organization becomes a victim of a ransomware attack or suffers another disaster;
  • Thoroughly assessing and managing risks if your organization permits BYOD;
  • Re-evaluating which users in your organization actually need elevated data access privileges. “The more people who have elevated privileges, the more risk,” Peters noted.

While OCR officials say it’s only a matter of time before your organization discovers that it has had some sort of breach, it’s clear that when the HIPAA enforcers investigate the incident, they’ll want you to explain the security measures you had in place to minimize risks.

What is Protected Health Information (PHI)? Brought to you By CAM HIPAA Solutions 888-959-0220

According to the US Department of Health and Human Services, protected health information (PHI) is individually identifiable information (see below for definition):

1.  except as provided in item 2 of this definition,

  • transmitted by electronic media;
  • maintained in electronic media;
  • transmitted or maintained in any other form or medium (includes paper and oral communication).
HIPAA Compliance and the Cloud- CAM HIPAA Solutions 888-959-0220

Four Things MSPs Should Know About HIPAA Compliance and the Cloud

While managed service providers (MSPs) are certainly well-versed in the areas of cloud-based file sharing and data storage, it pays to be just as familiar with some of the areas of interest of your clients. As MSPs see more healthcare companies migrating their services to the cloud – whether due to a relaxation of restrictions or a decision to evolve – the need for familiarity in this potentially lucrative market is as important as ever.

When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, data security and privacy on the internet were not exactly the big concerns of the day. Then again, the MSP business model we know and love today didn’t even exist.
