All Posts in Category: HIPAA Audit


HIPAA Audits Underway! OCR’s Phase 2 Has Begun

On Monday, the HHS Office for Civil Rights (OCR) announced it has rolled out Phase 2 of its HIPAA audits, and entities have already begun receiving initial emails from OCR seeking audit contact information. The Phase 2 Audit Program is aimed at reviewing the policies and procedures of selected covered entities and their business associates to evaluate compliance with the HIPAA Privacy, Security and Breach Notification Rules. OCR’s announcement comes after data breaches in the health care industry compromised over 112 million records in 2015, according to OCR.

Phase 1 Audits

The HITECH Act required OCR to conduct periodic audits of covered entities and their business associates. Beginning in late 2011, OCR implemented a pilot audit program to assess the privacy and security controls and processes implemented by 115 covered entities across the country. Auditors then made site visits to each covered entity to evaluate compliance efforts. Following the site visits, auditors drafted a report describing how the audit was conducted, the compliance findings, and what actions the covered entity had taken in response to those findings. The covered entity then had an opportunity to develop corrective actions to address any identified concerns. The final report submitted to OCR incorporated the steps the covered entity took to resolve any compliance issues.

OCR reviewed the final reports to better understand compliance efforts with respect to the HIPAA Privacy, Security and Breach Notification Rules. In particular, OCR studied the final reports to ascertain what types of technical assistance should be developed and what forms of corrective action are the most effective. In reviewing the final reports, OCR determined several common shortcomings among covered entities, including inadequate risk analysis, outdated policies and procedures, and non-existent contingency plans.

OCR then announced its intentions to initiate a permanent audit program that was originally slated to begin in 2014. However, due to a lack of funding, OCR delayed the program. In May 2015, OCR began sending pre-audit screening surveys to covered entities classified as potential candidates for a Phase 2 Audit Program. In late 2015, OCR confirmed Phase 2 audits would begin in early 2016.

Phase 2 Audits

In the Phase 2 Audit Program, there will be a few significant changes from Phase 1 audits. First, business associates will be included in this round of audits. Additionally, most of the audits will be desk audits while only a few may ultimately result in more extensive on-site audits.

Phase 2 has already begun, with OCR sending out emails to covered entities to verify contact information. Every covered entity and business associate is eligible for an audit. Once OCR confirms an entity’s contact information, it will transmit a pre-audit questionnaire to gather data that will be used to create potential audit subject pools. OCR will then identify pools of covered entities and business associates who represent a wide range of organizations subject to the HIPAA Rules.

The Phase 2 Audit Program will be a three-step audit process. The first set of audits will be desk audits of covered entities, followed by a second round of desk audits of business associates. The desk audits will examine specific compliance requirements of the Privacy, Security and Breach Notification Rules. According to OCR, all desk audits will be completed by the end of December 2016. Finally, while OCR states there will be fewer in-person audits than in the Phase 1 Audit Program, a third set of audits may be conducted on-site; these will be more comprehensive than desk audits and cover a broader range of HIPAA requirements.

In an effort to promote transparency, OCR will post audit protocols on its website closer to the 2016 audits. OCR has also announced the procedures used and results found in the Phase 2 audits will be evaluated so as to develop a permanent HIPAA audit program.

Implications for Health Care Entities

The launch of the Phase 2 Audit Program confirms OCR’s commitment to the evaluation of compliance with and enforcement of the HIPAA Privacy, Security and Breach Notification Rules.

If you are an entity subject to the HIPAA Rules, be on the lookout for emails from OCR and review your HIPAA policies and procedures, risk analysis, and other compliance documents.

OCR’s announcement regarding the launch of Phase 2 of the HIPAA Audit Program can be found here.

If you need Risk Assessments, Managed Services, or just IT Support, give us a call at (818) 356-7188.



Three data breaches have been reported by pharmacy stores in the past two months, resulting in the PHI of almost 13,000 pharmacy customers being exposed or disclosed to unauthorized individuals.

Walmart Reports Breach of 4,800 Patients’ Data


Walmart stores recently announced that some of its online pharmacy customers may have had their names, addresses, date of births, and prescription histories exposed as a result of a coding error that was made while the company was migrating data between servers.

Between February 15 and February 18, 2015, online customers who logged into the company’s online pharmacy may have been able to view the data of other customers who logged in at the exact same time. No Social Security numbers or financial data were exposed as a result of the coding error.

Dan Toporek, a spokesperson for Walmart, said a few thousand individuals had been affected, although this is a small percentage of the number of individuals who used the company’s online pharmacy during the four-day stretch.

The data breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), with the breach report indicating 4,800 patients were affected. Toporek said there is no reason to believe that any data have been used inappropriately, although all customers who had their data exposed as a result of the error would be individually notified and offered identity protection services.

Hard Drive Containing 3000 Customers’ PHI Stolen in Roark’s Pharmacy Burglary


A burglary at Roark’s Pharmacy in Oneida, TN, in January has impacted 3,000 of the store’s customers. A hard drive containing customer prescription information and personal data was stolen by thieves who broke into the pharmacy in the early hours of January 13. The break-in and theft were discovered four hours later when pharmacy owner Terry Roark arrived to open the store at 6:30am.

The thieves had taken all of the pharmacy’s narcotics, $400 in cash, and a computer hard drive containing the data of 3,000 customers. The thieves are understood to have broken in to steal narcotics, and took other items of value, including the hard drive. They gained access to the building by sawing through the door and removing it from its hinges. While law enforcement officers have investigated the burglary and obtained CCTV footage from the service station next door, the DVR system linked to the pharmacy’s own CCTV cameras was also stolen in the break-in. No suspects have been arrested.

5,000 Customers Affected by Locust Fork Pharmacy Data Breach


Locust Fork Pharmacy in Alabama has reported a security incident to the Office for Civil Rights that has affected 5,000 of its customers. The incident is listed as an “unauthorized access/disclosure”, although no further information has been made available about the incident.


7 Ways to Prepare for 2016 HIPAA Audits

Phase two of the audits under the Health Insurance Portability and Accountability Act (HIPAA) is coming this year as the Office for Civil Rights looks to crack down on violations.

HIPAA was signed into law in August of 1996, and the Privacy and Security Rules were both implemented over a decade ago. Moreover, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which made significant changes to a variety of facets of HIPAA, passed in 2009. Section 13411 of the HITECH Act requires the Office for Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services (HHS), to conduct periodic HIPAA audits.

Why is there so much emphasis on meeting standards that have been required for two decades in some instances? It’s due mainly to the increased use of technology in healthcare and accompanying cybersecurity risks. The purpose of this article is to provide an overview of the OCR audit program (phase 2), identify key areas of risk and provide suggestions on how to mitigate adverse findings.


OCR Audit Program

In 2011, OCR launched the requisite OCR Pilot Privacy, Security, and Breach Notification Audit Program. For the first phase, only covered entities were audited. This second phase includes business associates of covered entities.

Regardless of the type of entity, the time frames for the audit are the same. From the time the audit notification letter is sent by OCR, organizations should plan on a 30- to 90-day process. Analogous to a Recovery Audit Contractor (RAC) audit, an entity has a certain period of time to produce the requested information. The information may be requested either on-site or through a desk audit, which is described below.

Next, OCR reviews the information provided and drafts a report. The entity then has the opportunity to review and respond to the draft report, after which OCR finalizes the report.

The scope of the phase 1 audits was limited to the federal Privacy, Security and Breach Notification Rules. This does not mean that no state law or international law provision was violated; such provisions simply were not addressed in the phase 1 audits.

Phase 2 audits will be more robust, in part due to a $4 million increase in OCR’s 2016 budget. Another area of difference will be the number of on-site versus desk audits. During the phase 1 audits, covered entities were evaluated by a third party, who visited them on-site. Phase two audits will include a greater number of desk audits, in which entities respond to the audit from their desks by providing policies and documentation of privacy policies and procedures to HHS.

This serves as a signal: a key administrative area that will be examined during the audits is the adequacy of policies and procedures. Therefore, the number of administrative and security violations could increase significantly.

Key Areas of Risk

A good place for practices to start is to look at the findings from phase 1, as well as recent penalties assessed by HHS for HIPAA violations. Violations occurred in the administrative, technical and physical realms. The major areas of vulnerability were inadequate policies and procedures; a lack of encryption on USB drives, laptops and email; and inadequate employee security awareness and training.

Suggestions to Mitigate Adverse Findings

The most prudent approach is to be prepared ahead of time, much like for an IRS or Joint Commission audit. Whatever aspect of HIPAA compliance an organization is addressing, a good vantage point from which to start is the patient information. Every action should take into account the confidentiality, integrity and availability of that information. The way to make employees and contractors aware is through training, while the required way to hold business associates and subcontractors accountable is through the contractual obligations in a business associate agreement (BAA). Moreover, an annual risk assessment is a must. And the HHS website is the ideal place to find explanations of what is set out in the laws and regulations.

Here are some tips to make sure that the practice is HIPAA compliant and avoids an adverse audit outcome:

  1. Begin compliance efforts from the vantage point of the government, who may “review pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation”;
  2. Read Section 164.316 for what is required in relation to policies and procedures from an administrative, technical and physical aspect;
  3. Tailor policies and procedures to your individual practice;
  4. Know where the external and internal sources of protected health information are located;
  5. Encrypt everything both at rest and in transit and make sure that the level of encryption utilized is adequate;
  6. Train employees; Trustwave is a reputable vendor that offers online training, and various organizations offer live courses; and
  7. Perform due diligence on various third party risk assessors for expertise, price and quality.

OCR audits and HIPAA compliance should not be taken lightly. RAC audits also started with a pilot program more than a decade ago and now generate a substantial amount of revenue for the government, as well as serving as a check on providers’ claims submissions. Those submissions, by the way, are also required to be HIPAA-compliant.


The overall goal of the phase 2 audits is to raise awareness and provide the opportunity for entities to correct their practices surrounding the creation, receipt, transmission and maintenance of protected health information.

The flip side, however, is that OCR may assess a penalty. Given that there are going to be more on-site and business associate audits, the findings may translate into increased scrutiny by OCR on other fronts. Therefore, organizations of all types should treat the OCR audit like an IRS audit: a practice should be prepared for it. Failure to do so could be costly.

Original content by Modern Medicine Network


Minimizing Mobile Risks in Healthcare

Minimizing emerging threats to mobile devices and applications should be a top health data breach prevention priority for 2016!

“What we’re seeing from the new [threat] vector perspective is that a lot of mobile is coming to the spotlight,” says Bowen, chief privacy and security officer and founder of the security firm ClearDATA.

“We’ve seen this trend for the last few years where we can use a mobile device in an incredibly effective way to enable healthcare to deliver amazing patient care,” he says in an interview with Information Security Media Group. “Some of the greatest innovations happen that way. Unfortunately, at times, the mobile device has been enabled with great software that doesn’t necessarily consider the entire ecosystem from a hardening perspective.”

The only way to stay ahead of emerging threats is to “employ a security-first strategy, make sure you’re doing vendor diligence, and make sure you’re implementing a defense-in-depth strategy that considers every layer of security,” he says.

For instance, healthcare organizations need to realize that mobile software may be storing logs that could contain personally identifiable information for a patient. Also, “you may be incorporating data flows from inside and outside that application that may not be hardened,” he notes.

Additionally, mobile data is at risk “because people are still lugging laptops around without encryption,” he notes.

In fact, about one-third of incidents listed on the Department of Health and Human Services “wall of shame” website of major health data breaches affecting 500 or more individuals since September 2009 involve unencrypted lost or stolen laptops or other portable electronic devices.

It’s also important to vet technology suppliers, he stresses. “We see new entrants into the healthcare market – and sometimes that’s a great thing, and other times it’s shocking how lax the security can be, even from security vendors who really claim to embrace a security-in-depth strategy.”

Other Threats

In developing strategies to fight against hacker attacks, which were pervasive in 2015, organizations need to take steps to make sure social engineering tactics fail, he says. “Hackers are really going after the easiest targets first,” he points out. “It’s not about stealing a database of credentials. It’s more about stealing credentials one phishing email or keystroke logger at a time.”

In the interview, Bowen also discusses:

  • Other security weaknesses that make healthcare organizations easy targets for cyberattacks, and what those entities can do to bolster security;
  • How healthcare entities can better prevent and detect breaches involving insiders, including members of their workforce as well as business associates;
  • Three lessons that can be learned from the top healthcare breaches in 2015.

Bowen is the chief privacy and security officer and founder of security firm ClearDATA. He manages the risks and business impacts faced by global healthcare organizations, with a specific focus on cyberthreats, privacy violations, security incidents, social engineering attempts and data breaches. Bowen is a Certified Information Privacy Professional, Certified Information Privacy Technologist and Certified Information Systems Security Professional.

Full interview here


Think 2015 HIPAA breaches were bad, 2016 will be worse

Without a doubt, 2015 was the year of the healthcare mega-breach and a major turning point for the sector.

Some 56 major hacker attacks affecting a total of nearly 112 million individuals occurred in 2015, according to the Department of Health and Human Services. The largest of these cyber-attacks hit health insurer Anthem, affecting nearly 79 million individuals, making it the biggest healthcare breach ever reported to HHS.

“2015 was a blaring wake-up call to healthcare entities and their business associates that protected health information of their patients is a bull’s-eye for fraudsters and other cyber-criminals as well as nation states eager to steal IDs,” says HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee.

In the blog, McGee:

  • Reviews major healthcare breaches in 2015;
  • Analyzes the severity of healthcare breaches in 2015 compared with previous years’ incidents; and
  • Advises organizations to pay close attention to the breach pain their peers suffered in 2015.

“Watch your back, and especially your databases, networks, email systems and medical devices in 2016,” McGee says, “because clearly hackers are watching them, too, waiting for an easy way in.”

In 2016, expect to see a surge in cyber-attacks and breaches on both the national and local scale. Implementing some basic preventative measures can pay off in big ways in the near future:

  • System monitoring and patch management
  • Redundant disaster recovery plans
  • Both hardware and software network protection
  • Full disk encryption
  • Current antivirus protection
  • Proper employee education on policies and procedures

Take the steps today to secure your patients’ information tomorrow. Give us a call at CAM to help with these measures and more: 888-959-0220.


5 things to know now about coming OCR HIPAA audits

Nothing sends a shock of fear through a hospital C-suite quite like the word audit. And the second phase of HIPAA audits is slated to begin in early 2016.

Those CIOs, CISOs, CEOs, General Counsel and privacy officers unfortunate enough to receive notification of an impending HIPAA audit from the Health and Human Services Department’s Office for Civil Rights will invariably feel that pressure.

1. OCR is moving forward with HIPAA compliance audit program. The audit contract was awarded to FCiFederal, a government operations management and professional services provider. Audits will cover hospitals, healthcare providers, health plans and business associates.

2. Compliance audits are expected to be in the hundreds, not thousands. Both healthcare organizations and business associates can expect approximately 200-300 limited-scope desk audits, creating a sample base of covered entities to ensure compliance with the HIPAA Privacy, Security & Breach Notification Rules.

3. OCR has been transparent on topics it will target. From the way patients access and obtain their data to breach notification policies, the OCR will cover a wide range of functions that are listed in detail on its site.

4. Prepare now in case your organization is selected. Management should speak with individual staff members to review policies, procedures and guidelines that support HIPAA and HITECH standards. Collect data beforehand and designate an area to keep materials to provide to OCR if needed.

5. Educate staff and leadership on how your organization is preparing for an OCR audit. Keep staff abreast of information relevant to the OCR audit, including prompt attention to communication from OCR. Ensure your C-suite is prepared for the new OCR compliance measurement standards, as well.

OCR will look into security, privacy and breach notification rules to analyze risk, safeguards and implementations, especially those associated with electronic health information and device encryption.

Smart healthcare executives will use the waiting period before audits begin by assessing risk, preparing staff and reviewing policies. Let us help you prepare for an upcoming audit. We offer compliance checks, policy revisions, creation and management as a service, Healthcare IT consultations and support to help get you and your organization to where it needs to be.

Originally published by Jessica Davis of Healthcare IT News
