All Posts Tagged: hipaa security


Does HIPAA Compliance Give A False Sense of Security?

The fact that HIPAA compliance isn’t bulletproof – that cyber security frameworks around health information require a new level of vigilance – is now axiomatic. Perhaps owing to whatever legislative sausage-making gave birth to HIPAA, to protect the privacy and security of protected health information, the law offers no guidance on how to follow it.


HIPAA Audits Underway! OCR’s Phase 2 Has Begun

On Monday, the HHS Office for Civil Rights (OCR) announced it has rolled out Phase 2 of its HIPAA audits, and entities have already begun receiving initial emails from OCR seeking audit contact information. The Phase 2 Audit Program is aimed at reviewing the policies and procedures of selected covered entities and their business associates to evaluate compliance with the HIPAA Privacy, Security and Breach Notification Rules. OCR’s announcement comes after data breaches in the health care industry compromised over 112 million records in 2015, according to OCR.

Phase 1 Audits

The HITECH Act required OCR to conduct periodic audits of covered entities and their business associates. Beginning in late 2011, OCR implemented a pilot audit program to assess the privacy and security controls and processes implemented by 115 covered entities across the country. Auditors then made site visits to each covered entity to evaluate compliance efforts. Following the site visits, auditors drafted a report describing how the audit was conducted, the compliance findings, and what actions the covered entity had taken in response to those findings. The covered entity then had an opportunity to develop corrective actions to address any identified concerns. The final report submitted to OCR incorporated the steps the covered entity took to resolve any compliance issues.

OCR reviewed the final reports to better understand compliance efforts with respect to the HIPAA Privacy, Security and Breach Notification Rules. In particular, OCR studied the final reports to ascertain what types of technical assistance should be developed and what forms of corrective action are the most effective. In reviewing the final reports, OCR determined several common shortcomings among covered entities, including inadequate risk analysis, outdated policies and procedures, and non-existent contingency plans.

OCR then announced its intentions to initiate a permanent audit program that was originally slated to begin in 2014. However, due to a lack of funding, OCR delayed the program. In May 2015, OCR began sending pre-audit screening surveys to covered entities classified as potential candidates for a Phase 2 Audit Program. In late 2015, OCR confirmed Phase 2 audits would begin in early 2016.

Phase 2 Audits

In the Phase 2 Audit Program, there will be a few significant changes from Phase 1 audits. First, business associates will be included in this round of audits. Additionally, most of the audits will be desk audits while only a few may ultimately result in more extensive on-site audits.

Phase 2 has already begun, with OCR sending out emails to covered entities to verify contact information. Every covered entity and business associate is eligible for an audit. Once OCR confirms an entity’s contact information, it will transmit a pre-audit questionnaire to gather data that will be used to create potential audit subject pools. OCR will then identify pools of covered entities and business associates who represent a wide range of organizations subject to the HIPAA Rules.

The Phase 2 Audit Program will be a three-step audit process. The first set of audits will be desk audits of covered entities followed by a second round of desk audits of business associates. The desk audits will examine specific compliance requirements of the Privacy, Security and Breach Notification Rules. According to OCR, all desk audits will be completed by the end of December 2016. Finally, while OCR states there will be fewer in-person audits than in the Phase 1 Audit Program, a third set of audits may be conducted onsite, which will be more comprehensive than desk audits and cover a broader range of HIPAA requirements.

In an effort to promote transparency, OCR will post audit protocols on its website closer to the 2016 audits. OCR has also announced the procedures used and results found in the Phase 2 audits will be evaluated so as to develop a permanent HIPAA audit program.

Implications for Health Care Entities

The launch of the Phase 2 Audit Program confirms OCR’s commitment to the evaluation of compliance with and enforcement of the HIPAA Privacy, Security and Breach Notification Rules.

If you are an entity subject to the HIPAA Rules, be on the lookout for emails from OCR and review your HIPAA policies and procedures, risk analysis, and other compliance documents.

OCR’s announcement regarding the launch of Phase 2 of the HIPAA Audit Program can be found here.

If you need Risk Assessments, Managed Services, or just IT Support, give us a call at (818) 356-7188.


University of Washington HIPAA Violations: Settlement Over Potential Violations

Dec. 14 — University of Washington Medicine reached a $750,000 settlement with the federal government to resolve allegations it violated the Health Insurance Portability and Accountability Act Security Rule, the government said Dec. 14.

The Department of Health and Human Services Office for Civil Rights began investigating UWM after receiving a November 2013 report of a breach that affected the electronic protected health information (PHI) of roughly 90,000 patients.


November HIPAA Settlement: Reminder for Users of Medical Devices

Lahey Hospital and Medical Center (Lahey) has agreed, in its November HIPAA Settlement, to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts.


HIPAA Lessons from the Warner Chilcott Settlement

Last week, the US Attorney’s Office in Boston announced that drug company Warner Chilcott agreed to plead guilty to health care fraud and pay $125 million to resolve criminal and civil liability arising out of allegations involving the promotion of the company’s drugs.
