Breaking Compliance News Blog

I’ll have a brown sugar rosemary latte and a HIPAA breach, please.

Posted by Margaret Scavotto, JD, CHC on 3/12/19 8:43 AM

The other day I stopped by my favorite local coffee shop for an afternoon pick-me-up. I ordered my guilty pleasure – a brown sugar rosemary latte – and sat down in the only available seat on the lobby couch to wait.

A few minutes later, a young woman came in and sat down next to me, opened her laptop, and began clack-clacking away (a common occurrence, as this coffee place is known as an unofficial co-working space).

I got up to get my latte, sat back down, and noticed that the woman was on the phone. I began reading an article about a recent HIPAA breach (in a moment you will learn the irony in this), and tried not to be distracted by her call. But, I couldn’t help but notice she seemed to be talking about a patient. She mentioned the patient’s name and birthday, and then scheduled an appointment for him. She went on to do this for several other patients. Then she called a few patients to check on their condition and well-being. I also couldn’t help but notice that she was typing information into some kind of EMR database.

If this was a cartoon, my head would have exploded at this moment.

When my disbelief faded into the reality that this person – perhaps some kind of case worker or social worker – was in fact discussing patients and their health care information, I had a sinking feeling in my stomach. Does this really happen? Am I on some kind of brainy reality TV show for HIPAA professionals? How could two people sitting on the same couch have such different reactions to these phone calls? How could I be so appalled – and this woman be oblivious and even pleased to be accomplishing so much?

I’ll tell you why: awareness and training.

I think about HIPAA all the time. I follow HIPAA settlements and headlines daily, blog about them, and build training programs and policies around them. So, I see HIPAA everywhere.

I don’t know what kind of HIPAA training my couch neighbor has had. It could be she was trained extensively and chose to ignore the advice. Or perhaps it is more likely that she wasn’t trained on HIPAA – or at least, not recently – and not on protecting patient privacy when working remotely.

What about your staff? Would they know what to do?

Topics: Training and Education, HIPAA, Culture of Compliance

HIPAA breaches are everywhere: Are your employees prepared?

Posted by Margaret Scavotto, JD, CHC on 12/13/18 2:01 PM

A hospital OR secretary was fired after she accessed the hospital's EHR to locate a co-worker's phone number.

A child's adoptive parents sued a hospital for allegedly violating HIPAA when it notified the child's birth mother of his death.

Hospital employees clicked on links in emails that appeared to be from trusted sources, unleashing a spear phishing attack. Hackers accessed PHI for 63,000 individuals - some of whom are suing the hospital for failing to protect their privacy.

A patient is suing CVS for telling his wife about his Viagra prescription.

Some of you might read these (true) stories and view them as blatant, or at least ignorant, HIPAA violations. Or maybe you believe these are honest mistakes. I think it depends on whether, when, and how the healthcare employees involved were trained on HIPAA in a practical way.

In the CVS example, we can imagine a pharmacist or pharmacy tech at the register, taking phone calls. This person talks to people all day long about prescriptions - often prescriptions dropped off or picked up by a spouse. When is the last time this pharmacist was trained on when to share information with a spouse (and when to keep it confidential)?

Regarding the spear phishing example, I received two phishing email attempts today, and it's only 2:00 p.m. I recognized the emails as phony - but my day job involves HIPAA, and I read about HIPAA for fun. It's always on my mind. Would healthcare employees who spend their days scheduling patients, sending out EOBs, or providing care recognize suspicious emails? It depends on how well they have been trained, and how often.

HIPAA, like the rest of compliance, is not simply something for the lawyers or the compliance department to figure out.

Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.

Topics: HIPAA, Social Media, data breach, security

HIPAA Update: The Cost of Not Encrypting

Posted by Margaret Scavotto, JD, CHC on 11/14/18 10:26 AM

At HCCA’s 2018 Compliance Institute, Iliana Peters, formerly of the OCR and now with the Polsinelli law firm, commented that not encrypting is “less and less persuasive.” In other words, it is increasingly harder to justify a decision not to encrypt electronic protected health information (ePHI).

This is welcome input, considering that encryption is “addressable,” but not “required” under the HIPAA Security Rule.

Addressable safeguards require covered entities and business associates to:

  • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
  • As applicable to the covered entity or business associate—
      (A) Implement the implementation specification if reasonable and appropriate; or
      (B) If implementing the implementation specification is not reasonable and appropriate— (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate.

45 CFR 164.306(d)(3).

But when it comes to encryption, the line has been moving since the HIPAA Security Rule was originally implemented. Fifteen years ago, it was common – and perhaps more “persuasive” – to make the argument that encryption was cost prohibitive, and therefore not “reasonable and appropriate.” As time went on, the likelihood of ePHI being compromised increased—partly because there is more ePHI; partly because there is more demand for ePHI on the black market; and partly because hackers have more sophisticated methods of illegally obtaining ePHI. At the same time, encryption options have become plentiful and more affordable.

It comes as little surprise, then, that we are seeing more HIPAA settlements and enforcement involving unencrypted ePHI. For example:

And last but not least, on June 18, 2018, the OCR announced that an HHS Administrative Law Judge (ALJ) ruled that MD Anderson violated the HIPAA Privacy and Security Rules when it failed to encrypt its electronic devices, despite identifying encryption as a high security risk.

It is noteworthy that the ALJ rejected MD Anderson’s argument that it was not required to encrypt its devices. The ALJ stated:

       The regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users. 45 C.F.R. § 164.306(a); 45 C.F.R. § 164.312(a)(1). These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective. Respondent failed to comply with regulatory requirements because it failed to adopt an effective mechanism to protect its ePHI.

For covered entities and business associates who have not encrypted – perhaps because it is not “required” under the Security Rule – there are mounting indications from the enforcers that opting not to encrypt is, in the words of Ms. Peters, “less and less persuasive.”

Topics: HIPAA

HIPAA Fax Check

Posted by Margaret Scavotto, JD, CHC on 10/30/18 9:44 AM

An Ohio resident recently told local news that she has been receiving faxes from a local hospital for the past year.

The problem? The faxes, which contained medical information for another individual, were not meant for her. The faxes included another individual's weight, diagnoses and medication information.

The recipient of the faxes told the media she tried notifying the hospital of the misdirected faxes several times. She says she called the number on the faxes, as well as the hospital's main phone number - and faxed the hospital - but the faxes continued.

After ABC 6 On Your Side contacted the hospital, the hospital audited fax logs and identified that "three faxes were sent to the individual in error due to a transposed fax number in one patient's record."

The hospital notified the patient and apologized - and the woman who received the faxes in error shredded them. But, the story still appeared in local news and made its way into the HIPAA blogosphere.

Transposing a fax number is an honest mistake - one many of us can sympathize with. Still, the stakes are high in today's world of record HIPAA enforcement and high patient expectations of privacy.

This is certainly not the first time a misdirected fax landed a provider in the headlines.

In 2014, the OCR received a complaint alleging that a health center disclosed sensitive PHI, including a patient’s HIV status, treatment information, STDs, medications, sexual orientation, mental health diagnosis and physical abuse. The provider paid a $387,200 fine, and entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations.

The OCR investigation found that the health center faxed one patient's PHI to the patient's employer, and faxed another patient's PHI to an office where that patient volunteered. The OCR stated that the health center failed to reasonably safeguard the PHI from "intentional and unintentional disclosure."

What can you do?

Include faxes in your new employee training, annual HIPAA training, and ongoing HIPAA updates. Make sure staff understand that when it comes to faxes, HIPAA violations are almost always unintentional. Establish faxing protocols to minimize errors. Address faxes in your HIPAA security risk analysis, and include fax protocols in your HIPAA walk-through audits. Finally, if you do have a misdirected fax, your investigation will be a lot easier if you have the capability of pulling fax logs, as the Ohio hospital in the first example did.

Topics: HIPAA

New North Korean Cyberattack – A Sophisticated Attack? Or Not?

Posted by ScottGima on 10/25/18 8:56 AM

A recent technical alert issued jointly by the Department of Homeland Security, the Department of the Treasury and the Federal Bureau of Investigation states a “high confidence” that North Korea is responsible for multiple attacks that have stolen millions of dollars from banking ATM systems across the world.

This attack, known as “FASTCash,” was a very sophisticated attack. The government’s technical alert about the attack includes a diagram. This diagram – and the inner workings of the attack – are hard for a non-technical person like myself to discern.

Phishing Attack

But one surprising detail of the attack is very easy to understand: The hackers began their attack with simple spear-phishing emails:

“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise HIDDEN COBRA actors used spear-phishing emails in targeted attacks against bank employees.”

Despite the high level of sophistication of this attack, the entry into the banks’ network was not technically sophisticated. It was a simple phishing attack directed at bank employees.

What is Spear Phishing?

Spear phishing uses a fraudulent email designed to appear to originate from a known or trusted source. It is a targeted attack on the email recipient and/or the recipient’s organization, with the goal of obtaining the employee’s credentials (ID and password) and/or delivering malware. The fraudulent email could mimic an email coming from Twitter, Facebook, LinkedIn or another social media account. It may also be formatted to look like it originates from a senior executive within the organization. When an employee clicks on a link or attachment in the email, they either download malware and/or are taken to a website where they enter their credentials (which are then sent to the hackers).

Is your organization vulnerable to spear phishing?

Possibly. According to Verizon’s 2018 Data Breach Investigations Report, 12% of people click on phishing emails. Using this statistic, if you have 200 employees, you should expect 24 successful phishing attacks this year.

Take this Phishing IQ Test from SonicWall. Do you think you, or the employees in your organization, can successfully identify every phishing email in this test?

Topics: HIPAA, security

Social Media Snafus: Keep Your Staff HIPAA Compliant

Posted by Margaret Scavotto, JD, CHC on 10/18/18 6:59 AM

An EMS worker gave CPR to a man who suffered a heart attack in his chicken coop. The EMS worker later posted on Facebook: "Well, we had a first... We worked a code in a chicken coop. Knee deep in chicken droppings."

A medical student who helped deliver a baby posted to Instagram a selfie of himself next to the mother's genitals.

A hospital employee appeared in a photo flipping off a newborn baby, with the caption: "How I currently feel about these mini Satans." The photo was shared 185,000 times on Facebook.

A pediatric ICU/ER nurse discussed a child's measles diagnosis on a Facebook page, before the measles case was announced to the public.

What do these stories have in common?

They're true. They involve disrespect to patients. They potentially violate HIPAA. They likely caused their organizations' privacy officers to pour hours into analyzing whether patients needed to be notified of a breach of HIPAA or other privacy laws. And, they made news headlines, creating a sizable PR problem for each provider involved.

Would your employees do this?

Your employees have Facebook, Instagram, Snapchat and Twitter accounts. They text. How many times do you think your employees text and post to social media every day? 

How often do you train staff on how to use social media without violating HIPAA (or disrespecting patients)? Once a year? Is your training frequent, helpful - and memorable - enough to ensure your employees get this right?

Help your employees use social media appropriately.

  • Implement a social media policy.
  • Train employees to recognize PHI.
  • Use examples. Help your team understand how seemingly innocent posts can violate HIPAA.
  • Train some more! Keep HIPAA and social media top of mind.
  • Encourage staff to report violations of the policy. This will allow you to research potential breaches and mitigate them swiftly.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly – and know when they aren't – than to cover our eyes and wait to hear it from the patients (or the media).

Topics: HIPAA, Social Media

Anthem Makes HIPAA History

Posted by Margaret Scavotto, JD, CHC on 10/16/18 3:43 PM

In early 2015, Anthem announced the largest healthcare cyber-attack America has seen. Hackers accessed records of 79 million people. Affected patients brought class action lawsuits against Anthem. In 2017, the lawsuits settled for $115 million.

Yesterday, the OCR announced it has settled the underlying HIPAA violations of this data breach for a whopping $16 million. This settlement far exceeds the next-highest HIPAA settlement we have seen ($5.5 million), and brings 2018's average HIPAA settlement amount up to $4,978,000.

The OCR reported that hackers were able to infiltrate Anthem's system after at least one employee clicked on a spear phishing email. The OCR also found that Anthem: "failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014."

What you can do

Your HIPAA security strategy needs to address the HIPAA Security Rule. If you haven't already done so, conduct a HIPAA security risk analysis (or update yours, if it's time). Review the HIPAA Security Rule's administrative, physical and technical safeguards to make sure you have implemented measures to mitigate risks that could subject your organization to an attack.

And, don't forget to train your staff. The OCR noted that the Anthem breach may have started with a single employee clicking on a spear phishing email. You could have the most sophisticated HIPAA security defense available - but if employees can't recognize suspicious emails, you are still vulnerable to cyber-attacks.

Topics: HIPAA, data breach, security

Attend Compliance and HIPAA Workshops in Springfield, Illinois

Posted by Margaret Scavotto, JD, CHC on 10/4/18 10:32 AM

MPA is excited to partner with LeadingAge Illinois to bring you a two-day compliance and HIPAA workshop in Springfield Illinois on October 24 and 25!

Come for a day of compliance, a day of HIPAA, or both! You will get some MPA freebies, including our new Compliance Flash Cards.

How to Build & Maintain an Effective Compliance Program

Overview: This workshop will walk you through steps in building a compliance program. Special emphasis will be placed on strategies for evaluating board and Compliance Committee engagement, audit integrity, compliance culture, quality of reporting, and the programs’ ability to spot and address new compliance issues. You will also receive a compliance checklist, draft board resolution, suggested training topics, PEPPER guide, compliance risk area/audit plan worksheet and compliance officer handbook.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Location:

Wednesday, October 24, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

How to Build a HIPAA Program

Overview: In this workshop, we will provide an overview of HIPAA privacy, security, and breach notification that is appropriate for beginners, but will also serve as a refresher for more senior HIPAA professionals. We will emphasize practical strategies to make HIPAA a part of daily life and culture at your organization. Together we will brainstorm strategies to make HIPAA a mindset at our organizations. We will share examples from headlines as well as from around the water cooler, and discuss best practices and practical solutions for preventing these HIPAA hazards, with an emphasis on going beyond a paper policy and annual training.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Location
 
Thursday, October 25, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

Topics: Compliance Basics, Training and Education, HIPAA

Will your staff call the HIPAA Security Officer?

Posted by Margaret Scavotto, JD, CHC on 9/27/18 6:57 AM

Compliance and HIPAA officers routinely train staff on how to respond to a potential security incident. Often, instructions look something like this:

  • If you receive an email that appears to be from an impostor, stop and call the Security Officer immediately.
  • If you get an email with suspicious links, stop and call the Security Officer immediately.
  • If a window pops up on your screen and prompts you to click a button, stop and call the Security Officer immediately.

These are excellent precautions for employees to follow when they encounter potential spam, phishing attempts, spear phishing, or ransomware attacks.

But… how likely are your employees to call your Security Officer? Hopefully, staff are familiar with the Security Officer and would not hesitate to pick up the phone. If you aren’t sure how comfortable staff are reaching out to the Security Officer, it’s worth an inquiry. Here are some items to consider:

  • Where is the Security Officer’s office? Does it get a lot of foot traffic? Would employees know how to find the Security Officer in an emergency? Or, is his or her office housed with separate corporate offices, which have less visibility? If so, you might need to take some extra steps to make sure staff know how to find this person.
  • How often does the Security Officer interact with staff? Does the Security Officer lead HIPAA Security training – or is this training done online, without Security Officer interaction? Does the Security Officer participate in new employee orientation? Attend regular staff meetings? Walk the halls and make conversation? Send out friendly security reminder emails?

Or, is your organization one of the 47% that do not have an appointed Security Officer? (If so, it’s time to appoint one.)

Staff are more likely to contact the Security Officer in an emergency if they have already interacted with this person – preferably more than once. Make sure outreach is an integral part of the Security Officer’s role – it could be just as effective in preventing a HIPAA breach as a firewall.

Topics: HIPAA

Attend Compliance and HIPAA Workshops in Illinois!

Posted by Margaret Scavotto, JD, CHC on 9/5/18 2:40 PM

MPA is excited to partner with LeadingAge Illinois to bring you two two-day compliance and HIPAA workshops!

Come for a day of compliance, a day of HIPAA, or both! Two options: Naperville, IL and Springfield, IL

How to Build & Maintain an Effective Compliance Program

Overview: This workshop will walk you through steps in building a compliance program. Special emphasis will be placed on strategies for evaluating board and Compliance Committee engagement, audit integrity, compliance culture, quality of reporting, and the programs’ ability to spot and address new compliance issues. You will also receive a compliance checklist, draft board resolution, suggested training topics, PEPPER guide, compliance risk area/audit plan worksheet and compliance officer handbook.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Locations:

Thursday, September 27, 2018
NIU Naperville Conference Campus
1120 E Diehl Rd, Naperville, IL 60563

Wednesday, October 24, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

How to Build a HIPAA Program

Overview: In this workshop, we will provide an overview of HIPAA privacy, security, and breach notification that is appropriate for beginners, but will also serve as a refresher for more senior HIPAA professionals. We will emphasize practical strategies to make HIPAA a part of daily life and culture at your organization. Together we will brainstorm strategies to make HIPAA a mindset at our organizations. We will share examples from headlines as well as from around the water cooler, and discuss best practices and practical solutions for preventing these HIPAA hazards, with an emphasis on going beyond a paper policy and annual training.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Locations
Friday, September 28, 2018
NIU Naperville Conference Campus
1120 E Diehl Rd, Naperville, IL 60563
 
Thursday, October 25, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

Topics: Compliance Basics, Training and Education, HIPAA