TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Are you prepared? The HIPAA Audits are COMING! Six Simple Steps to Create a Solid Foundation of HIPAA Compliance.

October 13, 2015 by Danika Brinda 2 Comments

It is that time of year – the weather in many places is all over the place: from 80 degrees to 28 degrees in a few days in the Midwest, cool comfortable air on the East Coast, and leaves turning from green to an array of oranges, yellows, reds, and greens. Trees full of summertime leaves become bare branches with leaf piles on the ground. With the change in the seasons, it’s time to prepare for the next season. Creating a solid HIPAA compliance program can be like braving the weather and embracing the change in the seasons – but instead we focus on the change in the culture within our organization.
There has been a lot of news regarding HIPAA over the past couple of weeks: continued data breaches, the Office of Inspector General (OIG) stating that there has been a lack of HIPAA oversight and enforcement, and Phase 2 of the HIPAA Audits beginning in early 2016. The stage has been set and the world has been notified – there is going to be a change in the enforcement of HIPAA, and NOW is the best time to prepare your organization.
Here are Six Simple Steps you can take to prepare your organization for success with the upcoming changes in enforcement and Phase 2 HIPAA Audits.
  • Conduct a Risk Assessment/Analysis – if you haven’t conducted a risk analysis recently, now is a good time to conduct one again. Make sure to have a risk analysis report that documents how the risk analysis was conducted, what systems were evaluated and what risks were identified. Remember – don’t stop there. You must create a risk management plan and mitigate and/or address all the risks identified.
  • Review and update all policies and procedures – policies and procedures create the foundation for success with HIPAA compliance. Conduct a gap analysis on your policies and procedures.  Look for policies that you may be missing or policies that don’t meet minimum compliance.  Then ensure that your organization is following the policies you have created.  Look for evidence such as documents, logs and audit forms that can prove you are in compliance with your policies.
  • Know who your Business Associates are – evaluate who you are paying as third-party contractors and what tasks they are performing for your organization. If they are creating, receiving, transmitting or storing any protected health information on your behalf, ensure that you have an updated business associate agreement in place with them. Consider creating an easily accessible list or spreadsheet of all the business associates within your organization.
  • Review and become familiar with the Audit Protocol – although the new HIPAA audit protocol hasn’t been officially published, it is good practice to review and become familiar with the HIPAA audit protocol that was used on the HIPAA audits of 2011-2012. This will help an organization understand what will be looked for as far as evidence of compliance with the regulations. 
  • Conduct internal HIPAA audits – practice audits help staff become comfortable answering questions regarding HIPAA compliance. If an on-site HIPAA audit is conducted, the auditors will not only be talking to the HIPAA Privacy and Security Officers, but also to all workforce members who take part in providing proper protection of patient information (A.K.A. – EVERYONE).
  • Educate all staff and leaders on the importance of HIPAA Compliance – education of your entire workforce becomes an essential step in HIPAA compliance. Your workforce should know and understand what HIPAA is and the processes and procedures that are established within your organization for proper HIPAA compliance!
While this list isn’t a complete list of what an organization can do, it is a few simple steps that can definitely help create a solid HIPAA program and prepare for the increase in enforcement and Phase 2 HIPAA Audits. Don’t be one of the healthcare organizations that states “We didn’t know that was a requirement” or “We thought we had more time to be compliant.” Be prepared and feel confident in the way that you are protecting your patients’ information. Your healthcare organization will benefit and your patients will be satisfied knowing that they are receiving great care and their information is properly protected and secured!
TriPoint Healthcare Solutions will be launching an online course soon that will guide healthcare organizations through preparing for a HIPAA Audit!  Want to be the first to know about this new class? Sign up here and receive the information and access to this class!

Click Here to Be the First to Know

Danika

Filed Under: HIPAA, HIPAA Compliance, Protected Health Information, Risk Analysis, Security

Breaking Down a HIPAA Corrective Action Plan and Settlement: It’s Not All About the Money

September 14, 2015 by Danika Brinda 2 Comments

The headlines over the last week highlighted that an oncology practice in Indiana, Cancer Care Group, P.C., received a $750,000 fine for HIPAA non-compliance from the Office for Civil Rights. After a laptop bag was stolen out of an employee’s car in 2012, the information of approximately 55,000 patients was breached, including names, addresses, dates of birth, Social Security numbers, clinical information, and insurance information. The laptop didn’t have any safeguards such as encryption applied to it, creating risk for those 55,000 patients. In the settlement, the organization must pay a hefty $750,000 fine; HOWEVER, that is only part of the corrective action settlement. The organization must do a lot more than just pay the fine – causing additional costs and time commitments for the organization. In addition, the corrective action plan is valid for 3 years from the effective date!!
Looking deeper into the corrective action plan (CAP) between Cancer Care Group and the Department of Health and Human Services (HHS), Cancer Care Group is also required to:
  • Conduct a HIPAA Risk Analysis within 90 days of the CAP effective date
    • Submit the Risk Analysis Report for approval to the HHS
    • If the Risk Analysis is not approved, Cancer Care Group will have 60 days to revise the Risk Analysis and submit to the HHS for approval
  • Implement an organization-wide risk management plan to address and mitigate any risks and vulnerability found during the risk analysis
    • Within 90 days of approval of the Risk Analysis from HHS, Cancer Care Group must submit the Risk Management Plan to HHS for approval.
    • If the Risk Management Plan is not approved, Cancer Care Group must update the Risk Management Plan and resubmit to HHS within 60 days.
    • Once approved, Cancer Care Group must begin the implementation of the Risk Management Plan.
  • Review and revise policies and procedures relating to the HIPAA Security Rule
    • Based on the findings from the HIPAA Risk Analysis, Cancer Care Group must review and revise all policies and procedures relating to the HIPAA Security Rule
    • All policies and procedures must be forwarded to HHS within 60 days of the approval of the Risk Management Plan
    • If policies and procedures are not approved by HHS, Cancer Care Group will have to revise and resubmit the policies and procedures within 30 days.
    • Within 30 days of approval of the policies and procedures from HHS, Cancer Care Group must implement the new policies and procedures.
  • Review and revise security rule training program based on the risk analysis findings
    • Revise and update the training program and submit for approval to HHS within 60 days of the approved Risk Analysis from HHS.
    • Within 30 days of approved training program from HHS, administer the approved training program to all Cancer Care Group workforce.
  • Any reportable events (failure of workforce member to comply with policies and procedures, security incident, potential data breach, etc.) must be promptly investigated and reported to HHS within 30 days of the awareness of the incident.
    • Notification must include: 1) a description of the event, including relevant facts, individuals involved and policies and procedure(s) impacted, AND 2) a description of actions taken and future actions planned
  • Provide HHS Annual Reports of the following for the CAP Timeframe (3 Years)
    • Updates or changes to the approved Risk Analysis or Risk Management Plan
    • Updates or changes to Cancer Care Group’s approved HIPAA policies and procedures
    • Summary of all Reportable Privacy and Security Events
    • Attestation by the appointed officer/owner at Cancer Care Group that he/she has appropriately reviewed the annual report to HHS and verification that the information is truthful and accurate.
In the event that you find your organization in the middle of a data breach that is being submitted to HHS, the proper steps should be taken to evaluate your current level of compliance. It is best to identify risks and vulnerabilities to your organization immediately rather than waiting for HHS to come and mandate that you evaluate your compliance. As the above information shows, HHS doesn’t just ‘go away’ after the fine is paid. Being linked and connected to HHS for 3 years post settlement is intense and challenging. Relying on HHS approval for every aspect of your HIPAA Security Rule program can be overwhelming and stressful. Don’t find yourself in this situation.
Remember – your organization is the one responsible for compliance with the federal privacy and security requirements. With Phase 2 of the HIPAA Audits on the verge of starting, now is the time to get out and evaluate. Waiting for HHS to come in and tell you what to do, or worse, assess a fine, is something that should be avoided!
Take time to evaluate your compliance, plan your mitigation strategies and take action for compliance!
Danika

Filed Under: Breach Notification, Corrective Action Plan, Data Breach, HHS, HIPAA, OCR Fine, Policies & Procedures, Risk Analysis, Risk Management, Security, Training

Ready, Set, Data Breach Fun Facts! An Updated Look at Data Breach Stats!

August 17, 2015 by Danika Brinda Leave a Comment

If you are like me, I love to review the current stats of healthcare data breaches to look at trending or see if there is an area that is more prone to data breaches than others.  I thought I would share some new analysis of data breaches!  This information is based on healthcare data breaches where greater than 500 individuals were impacted.  

Some major highlights from the statistics:
  • A total of 1,293 Data Breaches have been reported since September 2009
  • Paper is still the #1 location (media type) of data breaches - 23% of total breaches involving greater than 500 individuals
  • Theft and Loss make up 59% of types of data breaches
  • Data hacking only makes up 10% of all data breaches where greater than 500 individuals were impacted
  • Business Associates are responsible for 22% of data breaches greater than 500 individuals
  • A total of 143,495,899 individuals have been impacted by data breaches greater than 500 individuals
  • Data breaches involving business associates have impacted 26,399,466 individuals
  • The largest data breach occurred in 2015, Anthem Data Breach, impacting 78,800,000 individuals 

[Chart: DB By Location]

[Chart: DB By Type]

[Chart: DB By BA Involvement]

[Chart: DB By BA Involvement]
If you don't have a good process in place for data breaches, now is the time to get one established!  It is better to be prepared to report a data breach than struggle when one occurs!  Breach notification is one of the major focuses of Phase 2 HIPAA audits.  
Danika

The data for this analysis is from the HHS Data Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
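The highlights above are simple aggregations over the HHS breach portal export: filter to breaches affecting more than 500 individuals, then count by location, by type, and by business associate involvement. The script below is an added example, not part of the original post, that performs those aggregations on a few constructed rows laid out in the portal's CSV column format (the column names and the sample entities and numbers are assumptions made for illustration, not real portal data). It also handles the case where a single row lists several categories at once ("Theft, Loss"), which is why per-category counts can exceed the breach total.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the column layout of the HHS breach portal CSV
# export (column names assumed; entity names and figures are made up).
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,MN,Healthcare Provider,1200,01/15/2015,Theft,Laptop,No
Example Health Plan B,IN,Health Plan,78800000,03/13/2015,Hacking/IT Incident,Network Server,No
Example Clinic C,OH,Healthcare Provider,650,04/02/2015,Loss,Paper/Films,No
Example Billing Co D,TX,Business Associate,20000,05/20/2015,Unauthorized Access/Disclosure,Email,Yes
Example Hospital E,NY,Healthcare Provider,90000,06/01/2015,Unauthorized Access/Disclosure,Email,No
Example Dentists F,WI,Healthcare Provider,2500,06/15/2015,"Theft, Loss","Laptop, Paper/Films",Yes
Example Practice G,CA,Healthcare Provider,400,07/01/2015,Theft,Paper/Films,No
Example Pharmacy H,FL,Healthcare Provider,800,08/01/2015,Improper Disposal,Paper/Films,No
"""


def load_breaches(csv_text, threshold=500):
    """Parse portal-style CSV and keep only breaches affecting more than `threshold` individuals."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        affected = int(row["Individuals Affected"].replace(",", ""))
        if affected > threshold:
            row["Individuals Affected"] = affected  # store as int for arithmetic
            rows.append(row)
    return rows


def split_field(value):
    """A portal field may list several categories ("Theft, Loss"); return each one."""
    return [v.strip() for v in value.split(",") if v.strip()]


def summarize(rows):
    """Aggregate the figures the post's highlight list reports, from parsed rows."""
    total = len(rows)
    by_location = Counter()
    by_type = Counter()
    for row in rows:
        by_location.update(split_field(row["Location of Breached Information"]))
        by_type.update(split_field(row["Type of Breach"]))

    ba_rows = [r for r in rows if r["Business Associate Present"].strip().lower() == "yes"]
    theft_or_loss = sum(1 for r in rows if set(split_field(r["Type of Breach"])) & {"Theft", "Loss"})
    hacking = sum(1 for r in rows if "Hacking/IT Incident" in split_field(r["Type of Breach"]))
    largest = max(rows, key=lambda r: r["Individuals Affected"])

    return {
        "total_breaches": total,
        "individuals_impacted": sum(r["Individuals Affected"] for r in rows),
        "ba_breaches": len(ba_rows),
        "ba_share_pct": round(100 * len(ba_rows) / total, 1),
        "ba_individuals": sum(r["Individuals Affected"] for r in ba_rows),
        "top_location": by_location.most_common(1)[0],   # (location, count)
        "by_type": dict(by_type),
        "theft_or_loss_pct": round(100 * theft_or_loss / total, 1),
        "hacking_pct": round(100 * hacking / total, 1),
        "largest": (largest["Name of Covered Entity"], largest["Individuals Affected"]),
    }


if __name__ == "__main__":
    for key, value in summarize(load_breaches(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

Point `load_breaches` at the text of a real portal download to reproduce the kind of figures listed above; the 500-individual threshold is the same cutoff the portal itself uses for public reporting, and the "top location" and "theft or loss" shares are the two numbers most worth re-checking when a new quarter of data arrives.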

Filed Under: Other

Are You Ready? 10 Questions that will Test Your Readiness for a HIPAA Audit.

June 11, 2015 by Danika Brinda Leave a Comment

The Office for Civil Rights (OCR) announced recently that Phase 2 of the HIPAA audits has begun. The first round of pre-audit surveys has been delivered to both covered entities and business associates. If you are not in the first round of the audits, don’t breathe a sigh of relief, as it is only the first round and definitely will not be the last. Based on the recent increase in data breaches, the OCR is definitely going to identify new risks and vulnerabilities. The HIPAA audits are causing fear and concern among healthcare organizations. Now is the time to evaluate your current level of compliance to ensure that you have clearly established policies and procedures, and are following them as defined. Remember: Documentation is one of the keys to success with HIPAA!
Take this short quiz to test your readiness for a HIPAA Audit:
  1. Do you currently know and/or have a list of all systems that store, maintain, or transmit protected health information within your organization?
  2. Has your organization completed a HIPAA Risk Analysis within the last 2 years and do you have your Risk Analysis Report and Risk Mitigation Plan clearly documented?
  3. Has your organization evaluated and updated your policies and procedures since the final HIPAA Omnibus Rule (HITECH) was published in 2013?
  4. Do you have a clearly established process for identification of business associates and have current business associate agreements signed and on file?
  5. Do you have a documented process for your breach investigation within your organization?
  6. Do you have a process for maintaining burden of proof (administrative Breach Notification Requirement) for all investigated breaches (confirmed or not)?
  7. Do you currently conduct Information System Activity Review and Log-in Monitoring in the exact manner defined by your policies and procedures?
  8. Could you produce documentation to support the information system activity review and log-in monitoring, if requested?
  9. Have you conducted HIPAA training to your workforce members within the past year? Do you have documentation to support the training that was conducted?
  10. Do you have a detailed process for access management (adding users, modifying users, terminating users) in all systems that store, maintain, or transmit PHI?
If you answered NO to ANY of the above questions, your organization may not be properly prepared in the event that a HIPAA audit comes your way. The good news – you have time to fix it! Start now – don’t wait! HIPAA compliance doesn’t have to be a barrier to providing good patient care and customer service. If you take the time and operationalize HIPAA to meet your organization’s needs, you can have a successful HIPAA compliance program without impacting patient care and customer service. In fact, you may just enhance patient care and customer service with a complete HIPAA compliance program.
If you need help getting ready for a HIPAA audit or need assistance with analyzing your current level of compliance, don’t be afraid to reach out for help!  Check out the list of TriPoint Healthcare Solutions’ Services to help you with HIPAA Compliance!!
Danika

Disclaimer: The above questions are not intended to be a complete evaluation of HIPAA compliance or to determine if an organization is completely prepared for a HIPAA audit. It is a tool to evaluate whether your organization needs to spend more time focusing on HIPAA compliance to prepare in the event of an audit. It is recommended to be used as a simple evaluation to determine if you have concerns regarding your current compliance level with HIPAA. It is not considered legal advice or a complete compliance evaluation.

Filed Under: Other

Data Breach: It WILL NEVER Happen to Our Organization

June 1, 2015 by Danika Brinda Leave a Comment

You choose your path: Be Prepared OR Be Scared.


How many times have you heard an organization say “A data breach will never happen here,” “We are too small for a data breach to happen,” “It only happens to hospitals and insurance companies.”  The thought that a data breach will never happen to your organization can be your biggest mistake in the preparation and defense in the event that a data breach does occur.  If you asked all the organizations who have experienced a HIPAA data breach in the past 12 months, many of them would agree that they never believed that something like that could happen.

Healthcare covered entities and business associates need to plan and be prepared in the event a potential data breach does occur.  Policies, procedures, and processes should be established that can be immediately activated in the event that a potential breach occurs and needs to be stopped, investigated, and mitigated. 

Looking over the past week, we see data breaches are occurring at all types of healthcare facilities and for a variety of reasons.

  • Buffalo Heart Group, 500 to 600 impacted – a third party working under a physician accessed information outside the scope of the work to solicit patients when the physician moved to a new practice
  • Unity Recovery Group, Inc., fewer than 1,000 impacted – improper disclosures of patient information to unaffiliated recovery services
  • New Jersey Medical Center, 1,400 impacted – an e-mail with a spreadsheet meant for internal use was sent to an incorrect recipient
  • Beacon Health, unknown number impacted – victim of a sophisticated phishing attack that caused unauthorized access to e-mails containing PHI
  • University of Rochester Medical Group, 3,400 impacted – a former Nurse Practitioner took patients’ personal information with her when she left for another organization
  • HHC Jacobi Medical Center, 90,000 impacted – improper access and transmission of files containing PHI to a personal email account
  • Associated Dentists – theft of laptops – one was encrypted and the other was not encrypted

One piece of advice to all healthcare organizations and business associates: Be Prepared.  Don’t follow the path of so many and think that a data breach will never occur within your organization. 

If you are not confident about your breach notification response plan, review and update the plan so that it makes sense for your organization.  Go through practice drills to assure the process gets practiced and is realistic in the event of a potential data breach occurring. 

If additional help is needed, reaching out to experts in the industry is always a great idea. Having third-party assistance in the creation and establishment of a process for your organization can help alleviate some of the fears and challenges that healthcare covered entities face.

Be prepared, plan accordingly, and assure your breach investigation process is ready. You never know when your organization may be the next data breach – a good response plan can save your organization from the unwanted repercussions that data breaches bring.

“If you are failing to plan, you are planning to fail.” – Tariq Siddique

Danika

Filed Under: Breach Notification, Business Associates, Data Breach, ePHI, HIPAA, Protected Health Information Tagged With: Data Breach, HIPAA
