Breaking Compliance News Blog

Cold hard HIPAA stats

Posted by Margaret Scavotto & Scott Gima on 1/25/22 8:15 AM

As we enter a new year, it’s a good time to review the status of data breaches, HIPAA hazards, and the state of security risk with some statistics:

  • The average cost of a data breach in the United States is $9.05 million. The average cost is higher in organizations with greater compliance failures.

  • Only 25% of employees are “very confident” they can identify a social engineering attack.

  • 76% of healthcare employees have received security awareness training. That means 24% have not.

  • 24% of employees believe “clicking on a suspicious link or attachment in an email represents little or no risk.”

  • Only 31% of employees think “allowing family members of friends to use work devices for personal activities outside of work” is risky.

  • In the past 12 months, 94% of organizations have had an insider data breach. The most common cause is human error.
  • As many as 90% of data breaches are phishing attacks

It is always eye-opening to review the latest HIPAA stats – because they get colder and harder every year. Especially in healthcare.

What you can do

Read More

Topics: HIPAA, data breach, security

When HIPAA security is a public health issue

Posted by Margaret Scavotto & Scott Gima on 1/18/22 9:00 AM

Read More

Topics: HIPAA, data breach, security, compliance, webinar

Have you upped your HIPAA game during COVID?

Posted by Margaret Scavotto, JD, CHC on 1/11/22 8:00 AM

HIPAA was a high priority for most healthcare providers before the pandemic.

 

COVID-19 stretched resources and lengthened to-do lists, and has made it harder to keep up with HIPAA compliance.

 

Which is tricky, because HIPAA risk has only increased during the pandemic, for two reasons.

 

First, hackers are opportunists.

They know the pandemic strains healthcare facilities, and a cyberattack might be more successful on a provider facing a COVID-19 surge. In March 2020, U.S. authorities warned that hackers were focusing their efforts on the three states hit the hardest by coronavirus: California, New York, and Washington – and hackers were targeting employees working from home.

Second, the pandemic has brought new ways to violate HIPAA.

Providers and vendors have scrambled to implement testing sites and vaccine clinics, ways to manage the data flowing in and out of testing sites and vaccine clinics, and software programs to sign up for testing and vaccines – to name a few. Many of these methods had to be put together hastily, as they were urgently needed. Was HIPAA the first consideration? Probably not. This inevitably led to breaches.

For example:

  • Denton County, Texas announced a breach involving a third-party application used by the County for COVID-19 vaccination clinics. This application had a configuration error that exposed information about individuals who received vaccinations.
  • An agency employee at Atacadero State Hospital in California improperly accessed patient and employee information, including COVID-19 test results. The records involved 1,735 employees and former employees, and 1,217 job applicants. The improper access was discovered during an “annual review of employee access to data folders, and the employee is believed to have been improperly accessing the information for about 10 months….”
  • The Lake County Health Department and Community Health Center in Illinois announced that 24,000 patient names were on a spreadsheet sent attached to an unencrypted email to an employee’s personal email address. 
  • Indiana’s COVID-19 online contact tracing survey was breached, compromising the data of hundreds of thousands of Indiana residents. The breach was caused by a software misconfiguration that left the information visible to the public.

I know resources are stretched thin, and people are exhausted. But it is still important to ask: Have you upped your HIPAA game during the pandemic? Has your organization addressed evolving threats that COVID-19 has brought the healthcare industry?

Here are some more questions to ask:

Read More

Topics: HIPAA, data breach, security, compliance, webinar

HIPAA interrupts an historical tour: Pause before you pitch!

Posted by Margaret Scavotto, JD, CHC on 11/19/20 10:00 AM

It’s not often that a HIPAA incident also provides a history lesson, but there’s a first time for everything.

Read More

Topics: HIPAA, data breach

Healthcare Provider Ransomware Risk is Elevated – What Do We Do???

Posted by Scott Gima on 11/5/20 10:00 AM

On October 28, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) that provided a warning of imminent ransomware attacks to U.S. hospitals and healthcare providers.

This advisory provides technical information on the methods used by the hackers so healthcare providers can better protect themselves. In particular, the advisory mentioned the hackers’ use of Ryuk and Conti ransomware.

Leading up to this advisory, Universal Health Services was a recent target of a ransomware attack in late September. UHS is a large health care provider with 26 hospitals in the U.S., Puerto Rico and the U.K. It is believed that the Ryuk ransomware was used in the attack.

I don’t know about you, but for me, a non-IT person, the technical details are way over my head. However, the user awareness best practices are relevant to anybody who uses a workstation or laptop. Here are the user awareness best practices found in the advisory (direct quote):

Read More

Topics: HIPAA, data breach, security, compliance

HIPAA Lessons from Uber: Don't Sweep Data Breaches Under the Rug

Posted by Margaret Scavotto, JD, CHC on 9/10/20 10:57 AM

I

n 2016, Uber suffered a data breach affecting the personal information of 57 million drivers and customers. Uber did not announce the breach until November 2017. In August 2020, the United States Department of Justice (DOJ) filed a criminal complaint against Joseph Sullivan, Uber’s Chief Security Officer at the time of the breach. The DOJ has charged Sullivan with obstruction of justice and misprision of a felon for his alleged role in concealing the 2016 breach.

Read More

Topics: Board Involvement, HIPAA, data breach, breach notification

Has your HIPAA training kept up with COVID-19?

Posted by Margaret Scavotto, JD, CHC on 7/23/20 10:15 AM

During the pandemic, healthcare providers have seen countless headlines announcing both HIPAA guidance related to COVID-19, and HIPAA breaches. For example:

If your HIPAA training hasn't changed in response to this guidance and headlines, that could be a problem.

Read More

Topics: HIPAA, data breach, COVID-19

HIPAA & COVID-19 Toolkit UPDATED for new OCR Business Associate Guidance

Posted by Margaret Scavotto, JD, CHC on 4/2/20 3:08 PM

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off. 
 

Business Associate Disclosures during COVID-19

On April 2, 2020, the OCR issued a Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19

This Notification, effective immediately, announces that the OCR will NOT impose HIPAA penalties against a business associate or covered entity under the following Privacy Rule provisions, in some circumstances. Enforcement is waived for the following Privacy Rule sections:

  • 45 CFR 164.502(a)(3): Business Associates: Permitted Uses and Disclosures
  • 45 CFR 164.502(e)(2): Disclosures to Business Associations: Documentation
  • 45 CFR 164.504(e)(1): Business Associate Contracts
  • 45 CFR 164.504(e)(5): Business Associate Contracts with Subcontractors

Enforcement of these sections will not occur in the following circumstances:

  • A business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d); AND
  • The business associate informs the covered entity within 10 calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

If a business associate makes one of these disclosures, and the covered entity and business associate have not had time to update their business associate agreement to allow for such disclosures, OCR will not impose penalties.

An example of how this waiver might apply to you might be:

  • If a business associate is contacted by the local public health department and asked questions during a health investigation related to a COVID-19 patient. The business associate will be permitted to disclose information to the public health department. This type of disclosure is not typically permitted, if it is not specifically outlined in the BAA. However, under this waiver, the business associate may disclose the requested information to the public health department. Within 10 days of the disclosure to the public health department, the business associate must inform the covered entity that the disclosure was made. 

Business associates are STILL expected to comply with the Security Rule. For example, ePHI must be securely transmitted to the public health authority or health oversight agency.

MPA's HIPAA & COVID-19 Toolkit was updated April 2 for the new OCR guidance on business associates.

HIPAAtrek and MPA are here to help navigate and guide HIPAA compliance. Our priority is you – our clients, our healthcare providers, and healthcare administrators. We understand that this is a confusing and scary time. Now more than ever, please reach out with your compliance questions. We are here to help alleviate your compliance burden both now and in the future. Stay healthy.

Sincerely,

Margaret and Sarah

Check out our other HIPAA & COVID-19 blogs:

Read More

Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: telehealth

Posted by Margaret Scavotto, JD, CHC on 3/27/20 12:00 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Read More

Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: What HIPAA requirements are waived during COVID-19?

Posted by Margaret Scavotto, JD, CHC on 3/26/20 10:01 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off. 
 
A HIPAA & COVID-19 Telehealth policy was added to the Privacy and Security Tool Kits on 3/24 ***

Today is day four of a five day blog series on HIPAA issues that are relevant during COVID-19. Our goal is to help you remain compliant during these challenging times. ~ MPA and HIPPAtrek.

 

What HIPAA requirements are waived during COVID-19?

On March 16, the Office for Civil Rights (OCR) issued a bulletin in response to the COVID-19 outbreak: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency. For providers who followed the OCR’s waivers during Hurricanes Irma or Michael, this waiver should look familiar to you.

Who is covered by the waiver?

This waiver only applies to covered hospitals. All other providers must continue to follow HIPAA fully (with some leeway given under the Telehealth Waiver).

What’s waived

Under this waiver, as of March 15, 2020, the OCR waives sanctions and penalties against hospitals that do not follow these HIPAA Privacy Rule provisions:

  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b)

The waiver ONLY applies to the COVID-19 public health emergency. To get the benefits of the waiver. Hospitals must:

  • have a disaster protocol in place
  • use the waiver for a maximum of 72 hours from the time the disaster protocol is implemented
  • resume complying with the Privacy Rule when the public health emergency ends.

What’s not waived?

The OCR’s waiver alert provides guidance on HIPAA practices that are not waived, and should be followed during the COVID-19 pandemic. Here is what is NOT waived:

  • The REST of the Privacy Rule. All Privacy Rule provisions not listed in the waiver must still be followed. Perhaps most importantly, providers must continue to follow the Minimum Necessary Rule wen making disclosures.
  • The waivers do NOT change how providers can communicate with the media. Follow your directory. For all other requests, get an authorization.
  • The Security Rule is NOT waived. Providers must still safeguard patient information with administrative, physical, and technical safeguards. With employees working from home and cyber scams on the rise, provider should take extra security precautions.

We encourage you to read the OCR’s Alert in its entirety to familiarize yourself with all of the OCR’s recommendations and reminders.

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off. 
 
A HIPAA & COVID-19 Telehealth policy was added to the Privacy and Security Tool Kits on 3/24 ***

Read More

Topics: HIPAA, data breach, security, COVID-19, privacy

    Privacy Policy           Terms of Use