TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Ready, Set, HIPAA Enforcement – 2017 is Going to be a Year to Remember

March 6, 2017 by Danika Brinda

HIPAA data breaches and HIPAA enforcement are definitely off to the races in the first two months of 2017.  While previous years started slowly and then gradually picked up, 2017 is on a faster track.  2016 ended as a RECORD year both for HIPAA data breaches (329 breaches affecting 500 or more individuals each) and for HIPAA enforcement fines ($23.5 million), but 2017 is off to a quicker start in both categories.

Remember that the government (the HHS Office for Civil Rights breach portal) posts details only about breaches affecting 500 or more individuals.  Here are some key facts about the 2017 HIPAA data breaches reported through February 28, 2017:

  • 42 data breaches affecting 500 or more individuals each have been reported
  • Unauthorized Access/Disclosure leads the Type of Breach category with 17 (40%); Hacking/IT Incident is a close second with 13 (31%)
  • 312,827 individuals have been affected by the 42 data breaches
  • Unauthorized Access/Disclosure and Hacking/IT Incident together account for 289,584 (93%) of the individuals affected
  • Paper/Films is the #1 location of breached information with 10 (21%), with Network Server in #2 place with 8 (19%)
  • The largest breach was at Emory Healthcare, a Hacking/IT Incident affecting 79,930 individuals
  • California has the most reported breaches with 8, followed by Ohio with 4
  • Business Associates were involved in only 3 of the reported breaches

Comparing what we are seeing in 2017 to where we stood at the end of February 2016, the number of reported breaches affecting 500 or more individuals is slightly up.  The location and type of breaches remain consistent with what was seen at the beginning of 2016.

HIPAA enforcement has been active in 2017 as well.  We continue to hear about the HIPAA audits, with on-site audits expected to begin sometime in 2017 or 2018.  You can prepare for a HIPAA audit by comparing your organization’s HIPAA policies and procedures, and the practices and safeguards actually in place, against the OCR HIPAA Audit Protocol.

HIPAA corrective action plans (CAPs) with monetary fines have made a fast and furious start in 2017.  In the first two months of the year, 4 CAPs with monetary fines have been assessed, totaling $11.4 million.  In the first two months of 2016 we saw only 1 HIPAA fine.  The fines and CAPs are of course concerning for the organizations involved; however, your organization can learn from what others are being held accountable for.  Review the published CAPs, see where the non-compliance with HIPAA occurred, and then, as necessary, make changes within your organization.  The main categories of non-compliance in the 2017 CAPs with monetary fines are:

  • Delayed breach notification (reported more than 60 days after the date of discovery)
  • Inadequate implementation of information system activity reviews (audit logs, access reports, and security incident tracking reports)
  • Inadequate oversight of user setup and user account management
  • Lack of encryption on mobile devices
  • Lack of a current HIPAA risk analysis
  • Insufficient policies and procedures for HIPAA compliance

Ask yourself a question – do you view HIPAA as out of sight, out of mind in your organization?  If the answer is YES, now is the time to make a change.  A strong HIPAA compliance program isn’t just a set of written policies and procedures collecting dust on a shelf.  A strong HIPAA compliance program consists of:

  • HIPAA Policies and Procedures
  • HIPAA request forms for exercising patients’ rights
  • A Complete Notice Of Privacy Practices
  • Established Technical, Physical, and Administrative Safeguards
  • Conducting a regular HIPAA Risk Analysis
  • Strong Workforce Education
  • Effective User Management and Oversight into systems with Protected Health Information
  • Auditing practices for verification of compliance
  • Ongoing evaluation of current safeguards established by the organization

Let me know if you ever have any questions – anything HIPAA goes!! 

Until Next Time,

Danika

Filed Under: HIPAA, HIPAA Compliance, New Year, Policies & Procedures, Privacy, Risk Analysis, Security

What is your Greatest HIPAA Threat? Employee Negligence is Top Security Threat among Healthcare Providers and Business Associates!

May 13, 2016 by Danika Brinda

We have seen a variety of issues topping the lists of healthcare data breaches in 2016, among them cyber-attacks, ransomware, employee negligence, and lost devices containing health information.  With so many moving pieces within a healthcare organization, and the increasing amount of information being stored and maintained by healthcare organizations and their third-party vendors (Business Associates), healthcare has topped the list of industries most likely to experience a data breach.

The Ponemon Institute recently published its Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data.  We often hear about large-scale data breaches and how they impact healthcare organizations, but rarely about the small ones (fewer than 500 individuals affected).  The study found that 90% of the healthcare organizations surveyed had been impacted by a data breach, and that data breaches cost the healthcare industry about $6.2 billion.  Most participants reported that the breaches affecting their organizations were small (fewer than 500 individuals affected).

Healthcare organizations and business associates cited employee negligence as the top security threat they worry about, ahead of cyber-attacks and mobile device insecurity.  Inattentive and careless actions by employees create more data breaches and issues for organizations than any other threat.  While cyber-attacks are a huge risk to healthcare organizations, human error such as clicking e-mail links, downloading infected files, and using weak passwords is a common way those attacks get in.  Some recent headlines involving employee negligence and data breaches:
  • Oneida Health Center Dental Clinic – Unencrypted flash drive stolen, impacting 2,700 individuals
  • Wyoming Medical Center – Employees clicked a link in a phishing e-mail, impacting 3,100 individuals
  • UnityPoint Health’s Allen Hospital – Employee snooping, impacting 1,620 individuals
  • Children’s National Health System – Misconfigured File Transfer Protocol (FTP) server, impacting 4,100 individuals
  • Ohio Department of Mental Health and Addiction Services – Satisfaction surveys sent on postcards, impacting 59,000 individuals
  • EqualizeRCM Services – Unencrypted laptop stolen, number impacted unknown
  • Akron General Health System – Unencrypted flash drive stolen, impacting 975 individuals
  • Vail Valley Medical Center – Employee copied records to bring to a new employer, impacting 3,100 individuals
As an organization, it is your responsibility to set your employees up for success when it comes to managing the privacy and security of your organization.  It is more than complying with regulations and writing policies and procedures; it is about creating an environment where privacy and security are a priority for every workforce member.  Some key steps to help your workforce safeguard and protect patient information:
  • Provide regular and pertinent education and guidance on privacy and security
  • Limit workforce members’ access to only what they need to do their jobs
  • Create clear communication processes for reporting security concerns and potential data breaches
  • Ensure your workforce knows and understands your policies and procedures for the privacy and security of protected health information
  • Require strong passwords for systems that contain protected health information, and change passwords regularly
  • Implement proper safeguards such as encryption to protect data stored on laptops and other portable devices
Establish your practices within your organization, and effectively train and manage your staff.  As a healthcare provider or business associate, the organization bears the responsibility for its employees’ actions.  Not giving your workforce the tools and education they need to protect the privacy and security of patient information will only have negative impacts on your organization, and could cause a data breach that costs millions of dollars.  Be proactive, and provide your workforce with the tools and processes to be successful.  Your workforce’s success depends on the organization!  Create a culture that promotes privacy and security protections!

Resource: Ponemon Institute. May 2016. Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data.  https://www2.idexpertscorp.com/sixth-annual-ponemon-benchmark-study-on-privacy-security-of-healthcare-data-incidents

Filed Under: Business Associates, HIPAA, HIPAA Compliance, Workforce

2015 Healthcare Data Breaches: Paper Tops Data Breach Location!

February 22, 2016 by Danika Brinda

Many articles are circulating that slice and dice the data on 2015 breaches affecting 500 or more individuals.  The data comes from the Department of Health and Human Services’ infamous HIPAA “Wall of Shame.”  Much of what is being published puts heavy emphasis on hacking and the impact it had on healthcare over the past year.  There is no doubt hacking had a BIG impact on the breaches of 2015; however, the picture is skewed by one breach that affected approximately 78.8 million individuals – the Anthem breach.  In fact, three hacking breaches skewed the image of what actually happened with healthcare data breaches in 2015.  A total of 113,208,516 individuals were affected by 266 healthcare data breaches in 2015.  The Anthem breach (78.8 million individuals), the Excellus breach (10 million individuals), and the Premera Blue Cross breach (11 million individuals) were only 3 of those 266 breaches but accounted for 88% of all individuals whose data was breached.  That is definitely significant; however, it is important to look at the data as a whole and understand that outliers heavily shaped the 2015 totals.

Looking at the data in several different ways sheds light on other important aspects of the 2015 breaches affecting 500 or more individuals.  While hacking accounts for most of the individuals affected in 2015, the Hacking/IT Incident category accounted for only 57 (21%) of the 266 breaches reported on the Department of Health and Human Services HIPAA “Wall of Shame.”

Judged by the number of breaches affecting 500 or more individuals rather than by individuals affected, what actually occurred in 2015 beyond the large Anthem breach that skewed the view?  Here are some facts that help paint a more accurate picture:

• #1 Data Breach Type: Unauthorized Access/Disclosure – 38% of 2015 Data Breaches

• #1 Data Breach Location: Paper/Films – 27% of 2015 Data Breaches

• #1 Data Breach by Covered Entity Type: Healthcare Providers – 73% of 2015 Data Breaches (chart: Data Breaches by Covered Entity, 2015)

• Top Range of Number of Individuals Impacted: 1,000 – 9,999 Individuals Impacted – 53% of 2015 Data Breaches (chart: Data Breaches by Individuals Impacted, 2015)

Healthcare organizations need to understand that the risk of a data breach is not confined to one area.  Each organization needs to spend time evaluating itself, and specifically the protected health information it creates, stores, transmits, or maintains, to understand the risks it has.  Data breaches have many causes, and hacking/IT incidents are only one area to focus on.  A hacking/IT incident will certainly affect a great number of individuals, because the attacker gains access to a larger amount of data; however, a breach caused by another issue, such as an unauthorized disclosure, does just as much damage to the individual concerned as someone hacking into a system and taking the information.  Understanding the entire picture of 2015 healthcare data breaches will help organizations prepare proper protection for patient information.

Moral of the story – don’t focus on just one item when it comes to protecting and safeguarding patient information.  Focus on the privacy and security of healthcare data as a whole; it is the best defense against an unwanted data breach.
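The breakdowns in this post and in the 2017 summary above (breach count by type, location and covered entity type, size ranges, and how far a handful of outliers skew the individuals-affected total) can be reproduced from the breach portal’s CSV export. The script below is an added example, not code from this post or from TriPoint Healthcare Solutions; the column headers are the ones I assume the ocrportal.hhs.gov export uses (check them against a real download), and the rows are constructed sample data, not real breach records.

```python
"""Reproduce the HHS OCR breach-portal breakdowns used in this post.

Added example. The column headers below are ASSUMED for the portal's CSV
export (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf); verify
them against a real download. The rows are CONSTRUCTED sample data.
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Health Plan A,IN,Health Plan,800000,03/13/2015,Hacking/IT Incident,Network Server,No
Example Health Plan B,NY,Health Plan,150000,09/09/2015,Hacking/IT Incident,Network Server,No
Example Hospital C,CA,Healthcare Provider,3100,05/02/2015,Unauthorized Access/Disclosure,Email,No
Example Hospital D,IA,Healthcare Provider,1620,06/03/2015,Unauthorized Access/Disclosure,Electronic Medical Record,No
Example Agency E,OH,Healthcare Provider,5900,07/04/2015,Unauthorized Access/Disclosure,Paper/Films,No
Example Practice F,CA,Healthcare Provider,975,08/05/2015,Loss,Paper/Films,Yes
Example Clinic G,MN,Healthcare Provider,2700,04/01/2015,Theft,Other Portable Electronic Device,No
Example Clinic H,TX,Healthcare Provider,4100,10/06/2015,Hacking/IT Incident,Network Server,Yes
Example Provider I,CA,Healthcare Provider,12000,11/07/2015,Unauthorized Access/Disclosure,Paper/Films,No
Example Clearinghouse J,FL,Healthcare Clearing House,1200,12/08/2015,Improper Disposal,Paper/Films,No
"""

# Size ranges used in the post's "number of individuals impacted" chart
# (the portal only lists breaches of 500 or more individuals).
SIZE_BUCKETS = [(500, 999), (1_000, 9_999), (10_000, 99_999),
                (100_000, 999_999), (1_000_000, None)]


def load_breaches(csv_text):
    """Parse the export into dicts with a clean integer individuals count."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "entity": r["Name of Covered Entity"].strip(),
            "state": r["State"].strip(),
            "ce_type": r["Covered Entity Type"].strip(),
            "individuals": int(r["Individuals Affected"].replace(",", "") or 0),
            # The portal can list several types/locations in one field; they are
            # counted here as the combined string, exactly as the portal shows them.
            "type": r["Type of Breach"].strip(),
            "location": r["Location of Breached Information"].strip(),
            "ba_present": r["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def _shares(counter, total):
    """(value, count, percent of total) tuples, largest first."""
    return [(k, n, round(100 * n / total, 1)) for k, n in counter.most_common()]


def count_by(rows, field):
    """Breach COUNT per value of field (type of breach, location, ce_type, ...)."""
    return _shares(Counter(r[field] for r in rows), len(rows))


def individuals_by(rows, field):
    """INDIVIDUALS AFFECTED per value of field; this is where outliers dominate."""
    c = Counter()
    for r in rows:
        c[r[field]] += r["individuals"]
    return _shares(c, sum(c.values()))


def size_bucket(n):
    """Label the size range a breach of n individuals falls into."""
    for lo, hi in SIZE_BUCKETS:
        if n >= lo and (hi is None or n <= hi):
            return f"{lo:,}-{hi:,}" if hi is not None else f"{lo:,}+"
    return "<500"


def count_by_size(rows):
    """Breach count per size range of individuals affected."""
    return _shares(Counter(size_bucket(r["individuals"]) for r in rows), len(rows))


def outlier_share(rows, top_n):
    """Percent of all affected individuals accounted for by the top_n largest breaches."""
    counts = sorted((r["individuals"] for r in rows), reverse=True)
    total = sum(counts)
    return round(100 * sum(counts[:top_n]) / total, 1) if total else 0.0


def report(rows):
    """Print the same tables the post builds by hand."""
    for title, table in [
        ("Breaches by type", count_by(rows, "type")),
        ("Breaches by location", count_by(rows, "location")),
        ("Breaches by covered entity type", count_by(rows, "ce_type")),
        ("Breaches by size range", count_by_size(rows)),
        ("Individuals affected by type", individuals_by(rows, "type")),
    ]:
        print(f"\n{title}")
        for value, n, pct in table:
            print(f"  {value:<40} {n:>10,}  {pct:>5}%")
    print(f"\nTop 2 breaches = {outlier_share(rows, 2)}% of all individuals affected")


if __name__ == "__main__":
    report(load_breaches(SAMPLE_CSV))
```

On the constructed rows the count-based tables put Unauthorized Access/Disclosure and Paper/Films first, while the individuals-based table is almost entirely Hacking/IT Incident, which is exactly the skew the post describes. To run it on a real export, read the downloaded file into `load_breaches`. One caveat when comparing your percentages with someone else’s: the portal can list more than one type or location for a single breach, and this script counts such a combined value as its own category rather than splitting it.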

Cheers!
Danika

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Filed Under: Data Breach, HIPAA, HIPAA Compliance, Privacy Tagged With: HIPAA

HIPAA Risk Analysis: Exposing 10 Common Myths

November 24, 2015 by Danika Brinda

A HIPAA Risk Analysis gives an organization an understanding of its current level of HIPAA compliance and of where risks in its compliance program exist.  HOWEVER, a lot of confusion arises when determining how to complete a HIPAA Risk Analysis.  It is important that each Covered Entity and Business Associate understand the risk analysis and ensure it is properly conducted for their specific organization.  Understanding common myths about the risk analysis can help an organization design the process and tasks needed to complete it.
Myth #1 – The Security Risk Analysis is optional for small providers.  FALSE
All providers that are classified as a covered entity or a business associate must complete a HIPAA Risk Analysis in order to comply with the HIPAA Security Rule, 45 CFR §164.308(a)(1)(ii)(A).  The Security Rule doesn’t define how often the risk analysis must be completed; rather, it must be completed, and the risks identified must be addressed and corrected through risk management (§164.308(a)(1)(ii)(B)).
Myth #2 – By Installing a Certified Electronic Health Record (EHR), the Security Risk Analysis Requirement is Complete.  FALSE
Even though the certification process requires that an EHR meet some baseline security requirements, it does not satisfy the HIPAA Privacy Rule and HIPAA Security Rule as a whole.  The risk analysis is intended to look at all practices and processes that involve protected health information, whether electronic, verbal, paper, or other media.  Whether the healthcare organization has a certified EHR, an electronic practice management system, or a paper-based practice, a risk analysis needs to be completed.
Myth #3 – My EHR vendor took care of everything I need to do about privacy and security and the risk analysis.  FALSE
The EHR vendor may cover some of the requirements of the HIPAA Security Rule, such as contingency plans for backup and restoration of data; however, the covered entity is responsible for overall compliance with the HIPAA Privacy and Security Rules.  While an EHR vendor may be able to assist with the process, the covered entity needs to ensure that a risk analysis evaluating its own privacy and security practices is completed.  Those practices often involve other sources of protected health information (PHI) outside the EHR.
Myth #4 – I have to outsource the security risk analysis.  FALSE
The HIPAA Security Rule doesn’t define the process for conducting the risk analysis.  There are many tools, both free and paid, to help with conducting one.  Whether to outsource the process is the preference of the covered entity or business associate.  Whoever performs it, having the knowledge and expertise to conduct a complete and thorough risk analysis is essential.
Myth #5 – A checklist will suffice for the risk analysis requirement.  FALSE
A checklist can be useful and helpful while conducting a risk analysis; however, it should not be the only tool used.  Covered entities and business associates need to ensure that policies and procedures are in place; that physical, technical, and administrative safeguards are implemented; and that the physical space is reviewed as part of a comprehensive risk analysis.  Think of it as evaluating the policies and procedures, reviewing the implemented safeguards (technical, administrative, and physical), understanding the auditing and monitoring processes, and evaluating employee education.
Myth #6 – There is a specific risk analysis method that I must follow.  FALSE
The HIPAA Security Rule doesn’t prescribe a methodology for the security risk analysis.  To keep the rule scalable to each organization, the Office for Civil Rights has issued only guidance on the security risk analysis.  It is up to the covered entity or business associate to determine how the risk analysis will be performed and how the findings will be documented.  The one thing to keep in mind is that it must be effective at identifying risks to the PHI the organization creates, maintains, transmits, and stores, and must be followed by effective and efficient risk management to implement appropriate safeguards that reduce the risks identified.  Additionally, each time a risk analysis is completed, a formal report should be created that records the date, the process, and the findings.
Myth #7 – My security risk analysis only needs to look at my EHR and the PHI we store in it.  FALSE
It is important that the covered entity or business associate review and evaluate every device and system that stores, captures, transmits, or modifies protected health information.  The review should range from all computers, laptops, and tablets to all copy machines and smartphones that may access PHI.  Additionally, safeguards need to be in place for all paper that the covered entity or business associate creates, maintains, stores, and destroys.
Myth #8 – I only need to do a risk analysis once.  FALSE
The HIPAA Security Rule doesn’t define how often a security risk analysis should be conducted; however, in order to comply with the regulations, a covered entity or business associate must continue to review, correct, identify, modify, and update the security protections it has in place.  A policy and procedure should be created to manage the HIPAA risk analysis and risk management process within the organization.  If an organization receives Medicare or Medicaid EHR Incentive Program funds, a risk analysis needs to be completed or updated for each EHR reporting period.
Myth #9 – Before I attest for an EHR incentive program, I must fully mitigate all risks identified in the Risk Analysis.  FALSE
The EHR Incentive Program, also known as Meaningful Use, requires that an eligible provider or eligible hospital correct and/or address any deficiencies identified during the risk analysis, either during the reporting period or as part of its risk management process.
Myth #10 – Each year, I’ll have to completely redo my security risk analysis.  FALSE
A full security risk analysis should be conducted when you adopt the EHR, make major changes to your systems, or implement new privacy and security regulations.  Each year, or when changes to your practice or electronic systems occur, review and update the risk analysis for changes in the risks to your practice.
Conducting a risk analysis can be a challenging process that takes time and resources.  A properly completed risk analysis allows an organization to identify risks and fix them before a major security incident or data breach occurs.  Don’t take this requirement lightly; take the time and complete the risk analysis!  In the corrective action plans and fines assessed by the federal government, failure to complete a risk analysis is a top finding.

Unsure how to complete a HIPAA Risk Analysis?  Check out TriPoint Healthcare Solutions’ Services!
Danika

Filed Under: HIPAA, HIPAA Compliance, Other, Risk Analysis, Risk Management

HIPAA Risk Analysis is More than a Checklist: 5 Steps to Conduct a Thorough Risk Analysis

November 16, 2015 by Danika Brinda

Even though HIPAA has been around for over a decade, it is making news daily with health data breaches and the upcoming HIPAA audits.  In talking with many healthcare organizations, HIPAA is not, and has not been, a top priority within the organization.  In fact, many healthcare organizations implemented HIPAA in 2003 and 2005, as required by the compliance dates of the HIPAA Privacy and Security Rules, and haven’t done any additional compliance work since.
With the announcement by the Office for Civil Rights that the Phase 2 HIPAA audits will begin in early 2016, to be followed by a permanent HIPAA audit program, all healthcare organizations as well as business associates need to evaluate their current level of compliance and understand the risks within the organization.  The best way to evaluate current compliance and risks is to conduct a HIPAA risk analysis, as required by the HIPAA Security Rule.
When conducting a HIPAA risk analysis, a checklist of the regulations may be used as a guide, but a checklist SHOULD NOT be the only item used.  A checklist can be a good guide as you evaluate your current level of compliance, but other aspects of HIPAA compliance should also be evaluated during the risk analysis.  In addition to a checklist, healthcare organizations should follow these steps to conduct a complete risk analysis:
  • Conduct Physical Walk-throughs – Part of the HIPAA regulations focuses on the physical features of an organization.  A walk-through should be conducted to determine how information is being processed, where information may be improperly used, what safeguards are established for electronic equipment, how paper records are protected, and whether people are logging out of computers or systems when they walk away.  These are some basic areas to review during a walk-through; a simple walk-through checklist can be helpful during the process.
  • Collect Supporting Evidence of Compliance – An organization should collect evidence that supports compliance with the privacy and security policies and procedures it has established.  For example, if your policy states that you will conduct an information system activity review on a bi-monthly basis, you will want evidence (the reviewed reports, dates, and sign-offs) that those bi-monthly reviews actually occurred.
  • Conduct Workforce Interviews – Workforce members are the first line of defense in safeguarding and protecting PHI.  It is important to understand the workforce’s knowledge of, and comfort with, using and protecting PHI in the normal course of business.  Ask workforce members questions to gauge their understanding of, and adherence to, organizational policies and procedures.
  • Review Unauthorized Uses and Disclosures of PHI (and Data Breaches) – One source of non-compliance findings is the history of data breaches and unauthorized uses and disclosures of PHI.  During the risk analysis, an organization should evaluate its recent issues with the use and disclosure of PHI, look for trends, and evaluate whether they point to a risk.  For example, if 4 unauthorized disclosures were caused by faxes sent to the wrong number, that may indicate a risk in employee education on faxing PHI.  Taking time to review this activity helps you trend and understand the issues and potential risks within your organization.
  • Evaluate Conducting Network Security Testing (Penetration Testing) – While not a requirement, it is a good idea to have penetration testing done to determine whether there are security risks within your network infrastructure.  Network security testing ranges from automated vulnerability scanning of the network infrastructure to a full penetration test in which a tester actively attempts to exploit the weaknesses found.  Network weaknesses can lead to unauthorized intrusion into the network.  Penetration testing will look very different depending on the size and complexity of the network, so agree on the scope, the systems in and out of bounds, and the rules of engagement before testing starts.
Regardless of the size of your organization, the foundational step in any HIPAA compliance program is the completion of a HIPAA Risk Analysis.  While this is not mandated to be conducted on a yearly basis, the organizations that are most comfortable and compliant with the HIPAA regulations conduct a risk analysis on a regular basis.  Don’t be the next headline of a large data breach with a monetary fine and corrective action plan.  Conduct a robust HIPAA risk analysis and feel confident in your compliance.
Danika

Filed Under: HIPAA, HIPAA Compliance, Other, Risk Analysis, Risk Management
