TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare

Ready, Set, HIPAA Enforcement – 2017 is Going to be a Year to Remember

by Leave a Comment

HIPAA Data Breaches and HIPAA Enforcement is definitely off to the races in the first 2 months of 2017.  While previous years have started slower and then gradually increased, 2017 proves to be on an advanced path.  2016 ended with a RECORD year in HIPAA Data Breaches (329 Data Breaches greater than 500 Individuals) as well as HIPAA Enforcement Fines ($23.5 Million), but 2017 is off to a quicker start in both of those categories.

Remember that the government only posts details about the data breaches that impact 500 individuals or more.  Here are some key facts to know about 2017 HIPAA Data Breaches through February 28, 2017:

  • 42 Data Breaches impacting greater than 500 Individuals have been reported
  • Unauthorized Access/Disclosure leads the Type of Breach Category with 17 (40%) – Hacking/IT incident comes in a close second with 13 (31%)
  • 312,827 Individuals have been impacted by the 42 data breaches
  • Unauthorized Access/Disclosure and Hacking/IT Incident account for 289,584 (93%) of the total individual impacted
  • Paper/Films comes in #1 place for the location of data breaches with 10 (21%) with Network Server in #2 place with 8 (19%)
  • Largest Data Breach was from Emory Healthcare due to a Hacking/IT incident impacting 79,930 individual
  • California has had the most reported data breaches with 8, followed by Ohio with 4
  • Business Associates were only involved in 3 of the reported data breaches

So comparing what we are seeing in 2017 to where we were at the end of February 2016, we are slightly up on the number of data breaches greater than 500 individuals reported.  The location of data breaches and type of data breaches remains consistent with what was seen in the beginning of 2016. 

HIPAA Enforcement has been active in 2017 as well.  We continue to hear about the HIPAA Audits with on-site audits starting some time in 2017 to 2018.  You can prepare for your HIPAA audits by comparing your organization’s HIPAA policies and procedures as well as practices and safeguards with the HIPAA Audit Protocol.

HIPAA corrective action plans (CAP) with monetary fines have made a fast and furious start in 2017.  In the first 2 months of the year, 4 HIPAA CAP with monetary fines have been assessed resulting in a total $11.4 Million.  In 2016 we only saw 1 HIPAA fine in the first 2 months of the year.  Of course the monetary fines and CAPs are always concerning for organizations; however, your organization can learn from what others are being held accountable for.  Review the information on the CAPs and see where the non-compliance with HIPAA occurred.  Then, as necessary, make changes within your organization.  The main categories for the 2017 CAP with monetary fines are:

  • Inappropriate delay in data breach reporting (reported after 60 days from the date of discovery)
  • Inappropriate implementation of information activities reviews
  • Inappropriate oversight into user set up and user management
  • Lack of implementation of encryption technology on mobile devices
  • Lack of current HIPAA Risk Analysis
  • Insufficient policies and procedures for HIPAA Compliance

Ask yourself a question – do you view HIPAA as out of sight, out of mind in your organization?  If the answer is YES – now is the time to make a change.  Implementing a strong HIPAA Compliance Program can help your organization.  A strong HIPAA Compliance program isn’t just about written policy and procedures that collect dust on the shelf.  A strong HIPAA Compliance program consists of:

  • HIPAA Policies and Procedures
  • HIPAA Requests Forms for Patient’s Rights
  • A Complete Notice Of Privacy Practices
  • Established Technical, Physical, and Administrative Safeguards
  • Conducting a regular HIPAA Risk Analysis
  • Strong Workforce Education
  • Effective User Management and Oversight into systems with Protected Health Information
  • Auditing practices for verification of compliance
  • Ongoing evaluation of current safeguards established by the organization

Let me know if you ever have any questions – anything HIPAA goes!! 

Until Next Time,

Danika

2015 Healthcare Data Breaches: Paper Tops Data Breach Location!

by Leave a Comment 

Many articles are circulating that slice and dice the data from the 2015 data breaches greater than 500 people impacted. The data comes from the infamous Department of Health and Human Services’ HIPAA “Wall of Shame.” The data being published puts a lot of emphasis on hacking and the impact that it has had on healthcare over the past year. There is no doubt, hacking did have a BIG impact on the data breaches of 2015; however, the data is slightly skewed due one data breach that impacted approximately 78 Million Individuals – The Anthem Data breach. In fact, three data breaches occurred due to hacking that skewed the image of what actually happened in 2015 with healthcare data breaches. A total of 113,208,516 individuals were impacted by 266 data breaches in healthcare in 2015. The Anthem data breach (78.8 Million individuals), the Excellus data breach (10 Million individuals), and the Premera Blue Cross (11 Million individuals) accounted for only 3 of the total data breaches but impacted 88% of total individuals whose data was breached. Definitely a significant happening in 2015; however, it is important to look at the data as a whole and understand there were outliers that significantly impacted what occurred in 2015 data breaches.

Looking at the data in several different ways can help shed some light on other important aspects of data breaches impacting greater than 500 individuals in healthcare during the year of 2015. While hacking is a significant impact on the amount of people in 2015, the category of Hacking/IT Incidents only accounted for 57 (21%) of the 266 data breaches that were reported on the Department of Health and Human Services HIPAA “Wall of Shame.” 

Based on the number of data breaches impacting over 500 individuals, what did actually occur in 2015 besides the large Anthem data breach that skewed the view of the data breaches in 2015? Here are some facts that may help paint an actual picture of what occurred in 2015.

• #1 Data Breach Type: Unauthorized Access/Disclosure – 38% of 2015 Data Breaches 

















• #1 Data Breach Location: Paper/Films – 27% of 2015 Data Breaches
















• #1 Data Breach by Covered Entity Type: Healthcare Providers – 73% of 2015 Data Breaches
BD By CE 2015















• Top Range of Number of Individuals Impacted: 1,000 – 9,999 Individuals Impacted – 53% of 2015 Data Breaches
DB by Individuals 2015

















Healthcare organizations need to understand it is not one area that is at risk for data breaches to occur. Each organization needs to spend time evaluating their organization and specifically the protected health information that they create, store, transmit or maintain to understand what risks that they have. Data breaches are being caused by a significant amount of reasons, and it is important to know that hacking/IT incidents is only one of those areas to focus on. Hacking/IT incidents definitely will impact a great amount of individuals as the hackers get access to a larger amount of data; however, a data breach caused by another issue such as an unauthorized disclosure causes just as much damage to an individual as someone hacking into a system and gaining information. Understanding the entire picture of what occurred in healthcare data breaches in 2015 will help organization prepare for proper protection of patient information.

Moral of the Story – don’t just focus on one item when it comes to the protecting and safeguarding of patient information. Focus on privacy and security of healthcare data as a whole, it is the best defense against the unwanted data breach. 

Cheers!
Danika

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Here comes Peter Cottontail – Hopping Down the HIPAA Trail!

by Leave a Comment

Easter BunnyWhen we think about the Easter Holiday and Spring that has found us, the focus shifts from existing in a dull, mundane world into a new world full of new life and new excitement.  The snow melts (if you have snow), the rivers and lakes open, the birds chirp more, and the temperature rises.  At the same time, we prepare for one of our favorite furry friends to come and visit, the Easter Bunny.  With the hope and intent of new and fresh goodies in our bag, the anticipation of the little bunny visiting creates entertainment and excitement!

It is easy for a HIPAA Compliance program to be ordinary and unexciting.  HIPAA consists of many different kinds of regulations that you must comply with just to make the government happy and that might not really work in your organization.  Many organizations focus on writing and creating a process for in order to meet compliance, but over time that process becomes outdated and doesn’t really meet the intent behind the HIPAA regulations. 

It is time to head down the HIPAA Trail and focus on HIPAA in a new way.  As Peter Cottontail comes to provide treats and goodies to everyone’s baskets, it is time to provide your compliance program with a new basket of tools and tricks to make HIPAA fun and enjoyable.  Rather than focusing on HIPAA as something that is forced and mandated just to comply with regulations, change the focus to be something the organizations does to protect the patients they see and the information stored and maintained by the healthcare organization. 

Here is a list of a few ideas to help provide your HIPAA Basket with new and fresh goodies:

  1. Conduct a HIPAA Risk Analysis – the risk analysis allows an organization to review and see potential risks so that they can be mitigated before an unauthorized use or disclosure of health information exists. Get everyone involved – see how your entire organization can help and support the risk analysis process.  Something fun is to go on a HIPAA scavenger hunt for employees – give them a walk through document and send them to another department to see what they can find that might be risks to your organization! 
  2. Refresh HIPAA Training – so often organizations use the same training for HIPAA or the same format for training year after year. While it is important to create consistency and assure proper training is occurring, providing a refresh on the format or content of the training can support a better compliance among employees and a better understanding of the importance of protecting patient information.
  3. Review and Update Policies and Procedures – while no regulations or processes have changed, it is always good to give the policies and procedures that help manage HIPAA compliance a review on a regular basis. While there is not mandate on how often, best practice is to review yearly or upon changes of technology, regulations, or physical space.  Set a timeline for each year to review policies and procedures and commit to that timeline! 
  4. Create a Culture of Privacy and Security Protections – organizations that are most successful with HIPAA compliance create a culture of privacy and security protections. While policies and procedures as well as technical and physical safeguards are a necessity for HIPAA Compliance, workforce members need to buy into the philosophy and intent of protecting and securing patient information.  Many times your employees become the front line defense to the safeguard and protection of patient information.  If they don’t buy in or understand the importance, an organization will struggle for success with their HIPAA compliance. 
  5. Create a HIPAA Governance Structure – there is that word – governance – again! A strong governance and oversight into the management of HIPAA at an organization will help transform from a department or person who manages privacy and security of patient information to an organization who knows the importance of protecting patient information and acts upon it throughout each day and every task.  Have specific leaders through the process and assure that roles are clearly defined!   

Office for Civil Rights (OCR) HIPAA Audits are coming in 2015 – take the time that has been given to fill your HIPAA Compliance Basket with new goodies and tools to be successful.  Figure out how you can breathe new life into your HIPAA program and make it successful in protecting the valuable patient information that the organization is trusted with.  HIPAA can be fun and exciting – just like the change in the season and a full basket of goodies!  Hopefully you will bump into Peter Cottontail hopping down the HIPAA Trail!    

“Most of us feel that our health information is private and should be protected. That is why there is a federal law that sets rules for health care providers and health insurance companies about who can look at and receive our health information.”

—Office for Civil Rights

Danika

Your PHI Goes in There and Out Where? Can Understanding your PHI Flow Help Support HIPAA Compliance?

by Leave a Comment

How many organizations can say that they completely understand where all their protected health information exists and where are the inputs and outputs of the data are?  Based on current clients, very few know exactly where all protected health information is being stored and maintained.  It is not uncommon to walk into an organization and hear that they have 2 or 3 systems that store or interact with PHI – then after discussion and analysis, it is determined that there are actually 9 or 10 different systems that interact with PHI within the organization.  Additionally, many organizations don’t fully understand all the areas where PHI may come out of electronic systems.  Example, a transcription system may automatically send a document once it is transcribed or a lab system may send information to the billing system for proper charges.  Without properly understanding where all the data is being stored, what happens to the data, how those systems are protected, and where is the ePHI outputs from the systems are, it creates a challenge on effectively managing the privacy and security of protected health information.  It is the key link from privacy and security to Information Governance in an electronic era.

Sure, everyone knows they have patient data within their electronic health record, stored in their lab system, or on the organization’s file server, right?  Those areas may be obvious and clear; however, organizations must know and understand every system and location where protected health information is being stored.  Without the knowledge of where all protected health information resides within an organization and the systems that use health information, it becomes nearly impossible to manage privacy and security of information and leaves the organization extremely vulnerable to a data breach. 

Privacy and Security Officers at healthcare organizations should start a process of identification of all systems storing, transmitting, or accessing patient information – creating a knowledge and understanding of how protected health information is being stored and used within their organization.  Creating a protected health information flow diagram or documentation is a complex and detailed process.  It is most likely not going to happen in one day or one week.  It is going to take time to understand each specific system, how it may or may not use protected health information, and what other systems it interacts with.

Some suggested steps to create this information at an organization:

  • Conduct a system inventory analysis of all systems that the organizations uses
  • Understand all the hardware being used in the organization and if ePHI is being stored on the hardware
  • Evaluate each system identified to determine what the interaction is with any type of patient information
  • If the system interacts with protected health information, determine
    1. What type of PHI is being stored in the system
    2. What is the intent of the system
    3. Who is the system ‘owner’
    4. Who has access to the system and how is access management managed
    5. Where the system is being stored (local server, cloud based) and backed up
    6. What are the inputs into the system with PHI
    7. What are the outputs from of PHI from the system – both automatic and manual
    8. If the system interfaces and interacts with other systems
    9. Other security measures in place to protect the information
    10. Other pertinent information regarding the system that is important from a security perspective
  • Create documentation to support and understand all systems – Your Protected Health Information Flow!
  • Assure proper management of all systems that contain PHI!!!! It is not the job on the security officer to own the systems, but it is a responsibility to ensure the systems are understood and proper security is maintained so the privacy of the data is properly secured and protected!

This is not an easy process – in some large integrated systems, they could have hundreds of different systems that interact with ePHI in some aspect!

Remember that HIPAA doesn’t just apply to an electronic health record.  Electronic protected health information is any protected health information (PHI) that is produced, saved, transferred or received in an electronic form.  ePHI can be found on computer hard drives, in databases, in e-mail, in the EHR, and many other locations – you need to evaluate and look at your entire system to truly understand and manage ePHI!!

Don’t get caught in an unwanted data breach due to not knowing or understanding how your data flows throughout your organization, what systems have protected health information, where the inputs are, what happens to the data in the system, and where the outputs from the system exist.  Work upstream, understand your PHI data flow, and properly manage and reduce risks to PHI!

Danika

Don’t Get Run Over by the HIPAA Omnibus!

by Leave a Comment

3d london bus on white backgroundHIPAA Compliance continues to be a HOT TOPIC in healthcare.  Everyday news and information is published about the lack of compliance, the struggles within organizations, data breaches occurring, and the HIPAA audits coming.  In 2013, the HIPAA Omnibus Rule was established which had many provisions on the HIPAA Privacy and Security Regulations.  With the compliance date of September 23, 2013, many healthcare organizations and business associates have not taken proper steps to get to climb onto the HIPAA Omnibus and assure compliance with the new regulations.   

A recent study conducted by NueMD in 2014 provided insight into compliance levels with the HIPAA Regulations and the HIPAA Omnibus Rule.  Over 1,000 Medical Practices and 160 Billing Companies were surveyed in regards to the current level of compliance with HIPAA and the changes with the HIPAA Omnibus Rule.  The results were SHOCKING and EYEOPENING!!!!  Check out some key findings:

  • 36% of respondents stated they didn’t know about the HIPAA Omnibus Rule
  • 68% of respondents stated they didn’t know of the HIPAA Audits
  • 23% of respondents stated they had no HIPAA Compliance Plan
  • 54% of respondents stated they didn’t have a Security Officer
  • 45% of respondents stated they didn’t have a Privacy Officer
  • 55% of respondents stated they had no process established for Breach Notification

Based on the findings, it is clear that healthcare organizations need to step up and establish HIPAA Compliance Programs and ensure they are updating their information to include the HIPAA Omnibus Requirements.  Jump on the HIPAA Omnibus and ensure that the organization has a joyful ride rather than being ran off the road. 

The major components of the HIPAA Omnibus Rule that healthcare organizations AND business associates need to evaluate and implement within their organization are:

  • Breach Notification
  • Business Associates Compliance Requirements
  • Sale of Protected Health Information
  • Marketing and Protected Health Information
  • Fundraising and Protected Health Information
  • Research Authorization Changes
  • Access to Immunization Data
  • Electronic copy of Protected Health Information
  • Access to Deceased Patient’s Records
  • Genetic Information Nondisclosure Act (ACT)
  • Restriction of Protected Health Information to Health Plans
  • Update to the Notice of Privacy Practices

Please note this is not an “end all be all” list of requirements.  Each organization needs to assess the regulatory changes and determine how and what applies to their specific organization.

With the HIPAA Delays – healthcare organizations are given the gift of time.  Use this time to get aboard the HIPAA Omnibus and assure that you have updated or established all appropriate policies and procedures for your organization.  Don’t delay any longer – the time is NOW! 

Danika

Source: NueMD Survey Findings: http://www.nuemd.com/hipaa/survey/practice-findings.html

Recent Posts

Connect With Us

TriPoint Healthcare Solutions
dbrinda@tripointhealthcaresolutions.com
Phone: 612.325.9742
Fax: 763.322.5027