Breaking Compliance News Blog

HIPAA Update: The Cost of Not Encrypting

Posted by Margaret Scavotto, JD, CHC on 11/14/18 10:26 AM

At HCCA’s 2018 Compliance Institute, Iliana Peters, formerly of the OCR and now with the Polsinelli law firm, commented that not encrypting is “less and less persuasive.” In other words, it is increasingly harder to justify a decision not to encrypt electronic protected health information (ePHI).

This is welcome input, considering that encryption is “addressable,” but not “required” under the HIPAA Security Rule.

Addressable safeguards require covered entities and business associates to:

  • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
  • As applicable to the covered entity or business associate—

            (A) Implement the implementation specification if reasonable and appropriate; or

            (B) If implementing the implementation specification is not reasonable and appropriate— (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate.

45 CFR 164.306(d)(3).

But when it comes to encryption, the line has been moving since the HIPAA Security Rule was originally implemented. Fifteen years ago, it was common – and perhaps more “persuasive” – to make the argument that encryption was cost prohibitive, and therefore not “reasonable and appropriate.” As time went on, the likelihood of ePHI being compromised increased—partly because there is more ePHI; partly because there is more demand for ePHI on the black market; and partly because hackers have more sophisticated methods of illegally obtaining ePHI. At the same time, encryption options have become plentiful and more affordable.

It comes as little surprise, then, that we are seeing more HIPAA settlements and enforcement involving unencrypted ePHI. For example:

And last but not least, on June 18, 2018, the OCR announced that an HHS Administrative Law Judge (ALJ) ruled that MD Anderson violated the HIPAA Privacy and Security Rules when it failed to encrypt its electronic devices, despite identifying encryption as a high security risk. 

It is noteworthy that the ALJ rejected MD Anderson’s argument that it was not required to encrypt its devices. The ALJ stated:

       The regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users. 45 C.F.R. § 164.306(a); 45 C.F.R. § 164.312(a)(1). These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective. Respondent failed to comply with regulatory requirements because it failed to adopt an effective mechanism to protect its ePHI.

For covered entities and business associates who have not encrypted – perhaps because it is not “required” under the Security Rule - there are mounting indications from the enforcers that opting not to encrypt is, in the words of Ms. Peters, “less and less persuasive.” 


Topics: HIPAA

HIPAA Fax Check

Posted by Margaret Scavotto, JD, CHC on 10/30/18 9:44 AM

An Ohio resident recently told local news that she has been receiving faxes from a local hospital for the past year.

The problem? The faxes, which contained medical information for another individual, were not meant for her. The faxes included another individual's weight, diagnoses and medication information.

The recipient of the faxes told the media she tried notifying the hospital of the misdirected faxes several times. She says she called the number on the faxes, as well as the hospital's main phone number - and faxed the hospital - but the faxes continued.

After ABC 6 On Your Side contacted the hospital, the hospital audited fax logs and identified that "three faxes were sent to the individual in error due to a transposed fax number in one patient's record."

The hospital notified the patient and apologized - and the woman who received the faxes in error shredded them. But, the story still appeared in local news and made its way into the HIPAA blogosphere.

Transposing a fax number is an honest mistake - one many of us can sympathize with. Still, the stakes are high in today's world of record HIPAA enforcement and high patient expectations of privacy.

This is certainly not the first time a misdirected fax landed a provider in the headlines.

In 2014, the OCR received a complaint alleging that a health center disclosed sensitive PHI, including a patient’s HIV status, treatment information, STDs, medications, sexual orientation, mental health diagnosis and physical abuse. The provider paid a $387,200 fine, and entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations.

The OCR investigation found that the health center faxed one patient's PHI to the patient's employer, and faxed another patient's PHI to an office where that patient volunteered. The OCR stated that the health center failed to reasonably safeguard the PHI from "intentional and unintentional disclosure."

What can you do?

Include faxes in your new employee training, annual HIPAA training, and ongoing HIPAA updates. Make sure staff understand that when it comes to faxes, HIPAA violations are almost always unintentional. Establish faxing protocols to minimize errors. Address faxes in your HIPAA security risk analysis, and include fax protocols in your HIPAA walk-through audits. Finally, if you do have a misdirected fax, your investigation will be a lot easier if you have the capability of pulling fax logs, like the Ohio hospital in the first example did.


Topics: HIPAA

New North Korean Cyberattack– A Sophisticated Attack? Or Not?

Posted by ScottGima on 10/25/18 8:56 AM

A recent technical alert issued jointly by the Department of Homeland Security, the Department of the Treasury and the Federal Bureau of Investigation states a “high confidence” that North Korea is responsible for multiple attacks that have stolen millions of dollars from banking ATM systems across the world.

This attack, known as “FASTCash,” was a very sophisticated attack. The government’s technical alert about the attack includes a diagram. This diagram – and the inner workings of the attack – are hard for a non-technical person like myself to discern.

Phishing Attack

But one surprising detail of the attack is very easy to understand: The hackers began their attack with simple spear-phishing emails:

“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise HIDDEN COBRA actors used spear-phishing emails in targeted attacks against bank employees.”

Despite the high level of sophistication of this attack, the entry into the banks’ network was not technically sophisticated. It was a simple phishing attack directed at bank employees.

What is Spear Phishing?

Spear phishing uses a fraudulent email that is designed to appear to originate from a known or trusted source. It is a targeted attack on the email recipient and/or the recipient’s organization, with the goal of obtaining the employee’s credentials (ID and password) and/or getting the employee to download malware. The fraudulent email could mimic an email from Twitter, Facebook, LinkedIn or another social media account. It may also be formatted to look like it originates from a senior executive within the organization. When an employee clicks on the email, they either download malware and/or are taken to a website where they enter their credentials (which are then sent to the hackers).

Is your organization vulnerable to spear phishing?

Possibly. According to Verizon’s 2018 Data Breach Investigations Report, 12% of people click on phishing emails. Using this statistic, if you have 200 employees, you should expect 24 successful phishing attacks this year.

Take this Phishing IQ Test from SonicWall. Do you think you or your employees in your organization can successfully identify every phishing email in this test?


Topics: security, HIPAA

Social Media Snafus: Keep Your Staff HIPAA Compliant

Posted by Margaret Scavotto, JD, CHC on 10/18/18 6:59 AM

An EMS worker gave CPR to a man who suffered a heart attack in his chicken coop. The EMS worker later posted on Facebook: "Well, we had a first... We worked a code in a chicken coop. Knee deep in chicken droppings."

A medical student who helped deliver a baby posted to Instagram a selfie of himself next to the mother's genitals.

A hospital employee appeared in a photo flipping off a newborn baby, with the caption: "How I currently feel about these mini Satans." The photo was shared 185,000 times on Facebook.

A pediatric ICU/ER nurse discussed a child's measles diagnosis on a Facebook page, before the measles case was announced to the public.

What do these stories have in common?

They're true. They involve disrespect to patients. They potentially violate HIPAA. They likely caused their organizations' privacy officers to pour hours into analyzing whether patients needed to be notified of a breach of HIPAA or other privacy laws. And, they made news headlines, creating a sizable PR problem for each provider involved.

Would your employees do this?

Your employees have Facebook, Instagram, Snapchat and Twitter accounts. They text. How many times do you think your employees text and post to social media every day? 

How often do you train staff on how to use social media without violating HIPAA (or disrespecting patients)? Once a year? Is your training frequent, helpful - and memorable - enough to ensure your employees get this right?

Help your employees use social media appropriately.

  • Implement a social media policy.
  • Train employees to recognize PHI.
  • Use examples. Help your team understand how seemingly innocent posts can violate HIPAA.
  • Train some more! Keep HIPAA and social media top of mind.
  • Encourage staff to report violations of the policy. This will allow you to research potential breaches and mitigate them swiftly.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly--and know when they aren't--than to cover our eyes and wait to hear it from the patients (or the media).


Topics: Social Media, HIPAA

Anthem Makes HIPAA History

Posted by Margaret Scavotto, JD, CHC on 10/16/18 3:43 PM

In early 2015, Anthem announced the largest healthcare cyber-attack America has seen. Hackers accessed records of 79 million people. Affected patients brought class action lawsuits against Anthem. In 2017, the lawsuits settled for $115 million.

Yesterday, the OCR announced it has settled the underlying HIPAA violations of this data breach for a whopping $16 million. This settlement far exceeds the next-highest HIPAA settlement we have seen ($5.5 million), and brings 2018's average HIPAA settlement amount up to $4,978,000.

The OCR reported that hackers were able to infiltrate Anthem's system after at least one employee clicked on a spear phishing email. The OCR also found that Anthem: "failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014."

What you can do

Your HIPAA security strategy needs to address the HIPAA Security Rules. If you haven't already done so, conduct a HIPAA security risk analysis (or update yours, if it's time). Review HIPAA Security administrative, technical and security safeguards to make sure you have implemented measures to mitigate risks that could subject your organization to an attack.

And, don't forget to train your staff. The OCR noted that the Anthem breach started when potentially a single employee clicked on a spear phishing email. You could have the most sophisticated HIPAA security defense available - but if employees can't recognize suspicious emails, you are still vulnerable to cyber-attacks.


Topics: security, data breach, HIPAA

Attend Compliance and HIPAA Workshops in Springfield, Illinois

Posted by Margaret Scavotto, JD, CHC on 10/4/18 10:32 AM

MPA is excited to partner with LeadingAge Illinois to bring you a two-day compliance and HIPAA workshop in Springfield, Illinois on October 24 and 25!

Come for a day of compliance, a day of HIPAA, or both!  You will get some MPA freebies, including our new Compliance Flash Cards.

How to Build & Maintain an Effective Compliance Program

Overview: This workshop will walk you through steps in building a compliance program. Special emphasis will be placed on strategies for evaluating board and Compliance Committee engagement, audit integrity, compliance culture, quality of reporting, and the programs’ ability to spot and address new compliance issues. You will also receive a compliance checklist, draft board resolution, suggested training topics, PEPPER guide, compliance risk area/audit plan worksheet and compliance officer handbook.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Location:

Wednesday, October 24, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

How to Build a HIPAA Program

Overview: In this workshop, we will provide an overview of HIPAA privacy, security, and breach notification that is appropriate for beginners, but will also serve as a refresher for more senior HIPAA professionals. We will emphasize practical strategies to make HIPAA a part of daily life and culture at your organization. Together we will brainstorm strategies to make HIPAA a mindset at our organizations. We will share examples from headlines as well as from around the water cooler, and discuss best practices and practical solutions for preventing these HIPAA hazards, with an emphasis on going beyond a paper policy and annual training.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Location:

Thursday, October 25, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.


Topics: Compliance Basics, Training and Education, HIPAA

Will your staff call the HIPAA Security Officer?

Posted by Margaret Scavotto, JD, CHC on 9/27/18 6:57 AM

Compliance and HIPAA officers routinely train staff on how to respond to a potential security incident. Often, instructions look something like this:

  • If you receive an email that appears to be from an impostor, stop and call the Security Officer immediately.
  • If you get an email with suspicious links, stop and call the Security Officer immediately.
  • If a window pops up on your screen and prompts you to click a button, stop and call the Security Officer immediately.

These are excellent precautions for employees to follow when they encounter potential spam, phishing attempts, spear phishing, or ransomware attacks.

But… how likely are your employees to call your Security Officer? Hopefully, staff are familiar with the Security Officer and would not hesitate to pick up the phone. If you aren’t sure how comfortable staff are reaching out to the Security Officer, it’s worth an inquiry. Here are some items to consider:

  • Where is the Security Officer’s office? Does it get a lot of foot traffic? Would employees know how to find the Security Officer in an emergency? Or, is his or her office housed with separate corporate offices, which have less visibility? If so, you might need to take some extra steps to make sure staff know how to find this person.
  • How often does the Security Officer interact with staff? Does the Security Officer lead HIPAA Security training – or is this training done online, without Security Officer interaction? Does the Security Officer participate in new employee orientation? Attend regular staff meetings? Walk the halls and make conversation? Send out friendly security reminder emails?

Or, is your organization one of the 47% that do not have an appointed Security Officer? (If so, it’s time to appoint one).  

Staff are more likely to contact the Security Officer in an emergency if they have already interacted with this person – preferably more than once. Make sure outreach is an integral part of the Security Officer’s role – it could be just as effective in preventing a HIPAA breach as a firewall.


Topics: HIPAA

Attend Compliance and HIPAA Workshops in Illinois!

Posted by Margaret Scavotto, JD, CHC on 9/5/18 2:40 PM

MPA is excited to partner with LeadingAge Illinois to bring you two two-day compliance and HIPAA workshops!

Come for a day of compliance, a day of HIPAA, or both! Two options: Naperville, IL and Springfield, IL

How to Build & Maintain an Effective Compliance Program

Overview: This workshop will walk you through steps in building a compliance program. Special emphasis will be placed on strategies for evaluating board and Compliance Committee engagement, audit integrity, compliance culture, quality of reporting, and the programs’ ability to spot and address new compliance issues. You will also receive a compliance checklist, draft board resolution, suggested training topics, PEPPER guide, compliance risk area/audit plan worksheet and compliance officer handbook.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Locations:

Thursday, September 27, 2018
NIU Naperville Conference Campus
1120 E Diehl Rd, Naperville, IL 60563

Wednesday, October 24, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

How to Build a HIPAA Program

Overview: In this workshop, we will provide an overview of HIPAA privacy, security, and breach notification that is appropriate for beginners, but will also serve as a refresher for more senior HIPAA professionals. We will emphasize practical strategies to make HIPAA a part of daily life and culture at your organization. Together we will brainstorm strategies to make HIPAA a mindset at our organizations. We will share examples from headlines as well as from around the water cooler, and discuss best practices and practical solutions for preventing these HIPAA hazards, with an emphasis on going beyond a paper policy and annual training.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Locations:

Friday, September 28, 2018
NIU Naperville Conference Campus
1120 E Diehl Rd, Naperville, IL 60563

Thursday, October 25, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.


Topics: Compliance Basics, Training and Education, HIPAA

Margaret Scavotto blogs for HCCA: A Tale of Two Doctor's Visits

Posted by Margaret Scavotto, JD, CHC on 8/30/18 7:47 AM

A Tale of Two Doctor's Visits

by Margaret Scavotto, JD, CHC

A few weeks ago, I went to a new doctor for a consultation. While waiting alone in a patient room for the doctor, I noticed a monitor attached to the wall. It showed a color-coded appointment schedule with last names of every patient coming in that week. I wondered what else I could access if I tried to use the computer (Don’t worry, I didn’t try).

When I checked out after my appointment, I saw three patient files open on the reception desk. I also saw another monitor, with a patient’s X-ray prominently displayed. While my PHI wasn’t visible to others that day, I realized it could be. I felt disrespected. I didn’t go back. Instead, I asked around for another doctor – one with good privacy practices – and will fork over another copay to see a different doctor.

Read more at The Compliance and Ethics blog.


Topics: HIPAA

Attend Compliance and HIPAA Workshops in Illinois!

Posted by Margaret Scavotto, JD, CHC on 8/16/18 12:40 PM

MPA is excited to partner with LeadingAge Illinois to bring you two two-day compliance and HIPAA workshops!

Come for a day of compliance, a day of HIPAA, or both! Two options: Naperville, IL and Springfield, IL

How to Build & Maintain an Effective Compliance Program

Overview: This workshop will walk you through steps in building a compliance program. Special emphasis will be placed on strategies for evaluating board and Compliance Committee engagement, audit integrity, compliance culture, quality of reporting, and the programs’ ability to spot and address new compliance issues. You will also receive a compliance checklist, draft board resolution, suggested training topics, PEPPER guide, compliance risk area/audit plan worksheet and compliance officer handbook.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Locations:

Thursday, September 27, 2018
NIU Naperville Conference Campus
1120 E Diehl Rd, Naperville, IL 60563

Wednesday, October 24, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.

How to Build a HIPAA Program

Overview: In this workshop, we will provide an overview of HIPAA privacy, security, and breach notification that is appropriate for beginners, but will also serve as a refresher for more senior HIPAA professionals. We will emphasize practical strategies to make HIPAA a part of daily life and culture at your organization. Together we will brainstorm strategies to make HIPAA a mindset at our organizations. We will share examples from headlines as well as from around the water cooler, and discuss best practices and practical solutions for preventing these HIPAA hazards, with an emphasis on going beyond a paper policy and annual training.

Faculty: Margaret C. Scavotto, JD, CHC, President, MPA
Scott Gima, COO, Executive VP of Compliance & Management, MPA

Date/Locations:

Friday, September 28, 2018
NIU Naperville Conference Campus
1120 E Diehl Rd, Naperville, IL 60563

Thursday, October 25, 2018
Illinois Education Association
3440 Liberty Dr. Springfield, IL 62704

Time: 9:00 a.m. – 4:30 p.m.

Fee Per Person: $149 members, $249 Non-members

Learn more or sign up here.


Topics: Compliance Basics, Training and Education, HIPAA
