Breaking Compliance News Blog

Healthcare Provider Ransomware Risk is Elevated – What Do We Do???

Posted by Scott Gima on 11/5/20 10:00 AM

On October 28, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) that provided a warning of imminent ransomware attacks to U.S. hospitals and healthcare providers.

This advisory provides technical information on the methods used by the hackers so healthcare providers can better protect themselves. In particular, the advisory mentioned the hackers’ use of Ryuk and Conti ransomware.

Leading up to this advisory, Universal Health Services was a recent target of a ransomware attack in late September. UHS is a large health care provider with 26 hospitals in the U.S., Puerto Rico and the U.K. It is believed that the Ryuk ransomware was used in the attack.

I don’t know about you, but for me, a non-IT person, the technical details are way over my head. However, the user awareness best practices are relevant to anybody who uses a workstation or laptop. Here are the user awareness best practices found in the advisory (direct quote):

Read More

Topics: HIPAA, data breach, security, compliance

Free Webinar: HIPAA Security - Board of Governance Responsibility

Posted by Margaret Scavotto & Scott Gima on 9/3/20 10:32 AM

Join HIPAAtrek and MPA's Executive VP Scott Gima for a complimentary webinar:

Read More

Topics: HIPAA, security, webinar

HIPAA reminder: Is your workforce changing?

Posted by Margaret Scavotto, JD, CHC on 5/19/20 10:44 AM

Many providers are seeing changes to their workforce during the pandemic. Hospitals are recruiting additional healthcare professionals; nursing homes are relying more heavily on agency staff as employees become ill or do not show up for work. CMS has changed rules, allowing expanded types of providers to order tests and perform other tasks. An increased number of students or volunteers are also being used.

With these workforce changes, HIPAA training must continue. The HIPAA privacy and security rule remain in place during the pandemic. OCR enforcement remains active. HIPAA requires providers to train their workforce on HIPAA requirements. Workforce means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”  45 CFR 160.103

HIPAA training reminders:

  • Covered entities should routinely evaluate who is working on their behalf and determine who is included in their workforce (and needs training).
  • The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI, as necessary and appropriate for the workforce members to carry out their functions. 45 CFR 164.530(b)
  • The Security Rule requires covered entities to: “implement a security awareness and training program for all members of its workforce (including management)” 45 CFR 164.308(a)(5)
  • Workforce members should also be trained to recognize breaches, how to report them internally, and who to report them to.
  • All workforce member should be trained on appropriate social media use (this is especially important during a national emergency).

Read More

Topics: HIPAA, Social Media, security, breach notification, COVID-19, privacy

Using Social Media Safely During a Pandemic

Posted by Margaret Scavotto, JD, CHC on 5/14/20 9:20 AM

During a national public health emergency, healthcare providers will have many reasons to use social media. The community will likely turn to social media to learn what your organization is doing in response to COVID-19. Social media can be used to keep the public informed, ward off panic, advise patients and loved ones of new procedures or protocols, and show the public a strong response during the disaster. Social media is also being used to recruit staff, volunteers, and supplies.

Read More

Topics: Social Media, security, business associates, compliance, COVID-19, privacy

Protect your organization from skyrocketing COVID cyber scams

Posted by Scott Gima on 4/30/20 11:00 AM

Google’s Threat Analysis Group (TAG) is responsible for identifying online vulnerabilities and threats. The Group released a report on April 22, 2020 that describes their latest information on COVID-19 related threats. This report provides a timely reminder that cybersecurity concerns continue and everyone must remain cautious and vigilant with their email accounts.

COVID-19 Themed Attacks

In April, Google has detected 18 million COVID-19 related malware and phishing Gmail messages per day and more than 240 million COVID-related daily spam messages. If you use Gmail, 99.9% of these messages never reach your inbox. The TAG has found that these attacks are government sponsored. They have identified over a dozen government-backed attacker groups using COVID-19 related topics.

Type of Attacks

The attack tools are no different from what has been used in the past; phishing emails that lure you to click malicious links or download files that contain malware. Google provided the following examples:

Free meals and coupons in response to COVID-19.

Links to malicious websites disguised as online ordering and delivery options, where the recipient is asked to provide their Google account credentials.

Emails that impersonate the World Health Organization:


Emails luring users who may be working from home:


Stimulus package theme:



Best Practices Reminder

These types of attacks are not limited to Gmail and everyone must be vigilant with all email accounts, work and personal. For all your accounts, users should:

  • Never download file attachments - or, verify an email attachment with the recipient by voice or text before downloading – this is an old-fashioned version of two-factor authentication.
  • Don’t click on an email link. An alternative safe option is to go directly to the web-page or google the target described in the link. For example, if it is an email from your bank that could be legitimate, open a new browser page and type in the website or search for the website.
  • If possible, use or activate two-factor authentication.

MPA can help with your HIPAA Security Risk Analysis - contact me today to learn more.

Read More

Topics: HIPAA, security, COVID-19

HIPAA & COVID-19 Toolkit UPDATED for new OCR Business Associate Guidance

Posted by Margaret Scavotto, JD, CHC on 4/2/20 3:08 PM

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off. 
 

Business Associate Disclosures during COVID-19

On April 2, 2020, the OCR issued a Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19

This Notification, effective immediately, announces that the OCR will NOT impose HIPAA penalties against a business associate or covered entity under the following Privacy Rule provisions, in some circumstances. Enforcement is waived for the following Privacy Rule sections:

  • 45 CFR 164.502(a)(3): Business Associates: Permitted Uses and Disclosures
  • 45 CFR 164.502(e)(2): Disclosures to Business Associations: Documentation
  • 45 CFR 164.504(e)(1): Business Associate Contracts
  • 45 CFR 164.504(e)(5): Business Associate Contracts with Subcontractors

Enforcement of these sections will not occur in the following circumstances:

  • A business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d); AND
  • The business associate informs the covered entity within 10 calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

If a business associate makes one of these disclosures, and the covered entity and business associate have not had time to update their business associate agreement to allow for such disclosures, OCR will not impose penalties.

An example of how this waiver might apply to you might be:

  • If a business associate is contacted by the local public health department and asked questions during a health investigation related to a COVID-19 patient. The business associate will be permitted to disclose information to the public health department. This type of disclosure is not typically permitted, if it is not specifically outlined in the BAA. However, under this waiver, the business associate may disclose the requested information to the public health department. Within 10 days of the disclosure to the public health department, the business associate must inform the covered entity that the disclosure was made. 

Business associates are STILL expected to comply with the Security Rule. For example, ePHI must be securely transmitted to the public health authority or health oversight agency.

MPA's HIPAA & COVID-19 Toolkit was updated April 2 for the new OCR guidance on business associates.

HIPAAtrek and MPA are here to help navigate and guide HIPAA compliance. Our priority is you – our clients, our healthcare providers, and healthcare administrators. We understand that this is a confusing and scary time. Now more than ever, please reach out with your compliance questions. We are here to help alleviate your compliance burden both now and in the future. Stay healthy.

Sincerely,

Margaret and Sarah

Check out our other HIPAA & COVID-19 blogs:

Read More

Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: telehealth

Posted by Margaret Scavotto, JD, CHC on 3/27/20 12:00 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Read More

Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: What HIPAA requirements are waived during COVID-19?

Posted by Margaret Scavotto, JD, CHC on 3/26/20 10:01 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off. 
 
A HIPAA & COVID-19 Telehealth policy was added to the Privacy and Security Tool Kits on 3/24 ***

Today is day four of a five day blog series on HIPAA issues that are relevant during COVID-19. Our goal is to help you remain compliant during these challenging times. ~ MPA and HIPPAtrek.

 

What HIPAA requirements are waived during COVID-19?

On March 16, the Office for Civil Rights (OCR) issued a bulletin in response to the COVID-19 outbreak: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency. For providers who followed the OCR’s waivers during Hurricanes Irma or Michael, this waiver should look familiar to you.

Who is covered by the waiver?

This waiver only applies to covered hospitals. All other providers must continue to follow HIPAA fully (with some leeway given under the Telehealth Waiver).

What’s waived

Under this waiver, as of March 15, 2020, the OCR waives sanctions and penalties against hospitals that do not follow these HIPAA Privacy Rule provisions:

  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b)

The waiver ONLY applies to the COVID-19 public health emergency. To get the benefits of the waiver. Hospitals must:

  • have a disaster protocol in place
  • use the waiver for a maximum of 72 hours from the time the disaster protocol is implemented
  • resume complying with the Privacy Rule when the public health emergency ends.

What’s not waived?

The OCR’s waiver alert provides guidance on HIPAA practices that are not waived, and should be followed during the COVID-19 pandemic. Here is what is NOT waived:

  • The REST of the Privacy Rule. All Privacy Rule provisions not listed in the waiver must still be followed. Perhaps most importantly, providers must continue to follow the Minimum Necessary Rule wen making disclosures.
  • The waivers do NOT change how providers can communicate with the media. Follow your directory. For all other requests, get an authorization.
  • The Security Rule is NOT waived. Providers must still safeguard patient information with administrative, physical, and technical safeguards. With employees working from home and cyber scams on the rise, provider should take extra security precautions.

We encourage you to read the OCR’s Alert in its entirety to familiarize yourself with all of the OCR’s recommendations and reminders.

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off. 
 
A HIPAA & COVID-19 Telehealth policy was added to the Privacy and Security Tool Kits on 3/24 ***

Read More

Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: Watch out for COVID-19 cyber scams

Posted by Margaret Scavotto, JD, CHC on 3/25/20 9:56 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off.
 
A HIPAA & COVID-19 Telehealth policy was added to the Privacy and Security Tool Kits on 3/24.***

 

Today is day three of a five day blog series on HIPAA issues that are relevant during COVID-19. Our goal is to help you remain compliant during these challenging times. ~ MPA and HIPPAtrek.

Watch out for COVID-19 cyber scams

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about increased hacker activity during the coronavirus pandemic: Defending Against COVID-19 Cyber Scams.

In this Alert, CISA warns the nation to be on guard against an increase in malicious cyber activity:

Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.

Likewise, the FBI addressed an “unprecedented wave” of cyber-attacks in the U.S.

Sadly, hackers are focusing their efforts on the three states hit the hardest by coronavirus: California, New York, and Washington – and hackers are targeting employees working from home. As the virus spreads in more states, this focus could broaden.

On Monday, the OIG sent out a Fraud Alert warning the public about a new fraud scheme preying on COVID-19 fears. Individuals are using telemarketing, social media, and in-person solicitation to offer COVID-19 tests to Medicare beneficiaries. The scammers obtain patients' personal information and Medicare information, and use it to submit fraudulent Medicare claims and commit identity theft. Individuals who think they need to be tested for COVID-19 should contact their physician or the health department, rather than responding to a solicitation.

CISA outlines precautions you can take to increase your security defense against COVID-19 inspired cyber-attacks:

In addition, now would be a good time to increase training on phishing scams and other malicious attacks. Consider providing staff with examples of malicious emails for training purposes, or use phishing drills.

HIPAAtrek and MPA can help make HIPAA compliance easier with policy downloads, training, and HIPAA software. Let us know if we can help. 

***To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off. 
 
HIPAA & COVID-19  Telehealth policy was added to the Privacy and Security Tool Kits on 3/24 ***

Read More

Topics: HIPAA, data breach, security, COVID-19, privacy

HIPAA & COVID-19: Disclosing to public health and the authorities

Posted by Margaret Scavotto, JD, CHC on 3/24/20 9:00 AM

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

 

Today is day two of a five day blog series on HIPAA issues that are relevant during COVID-19. Our goal is to help you remain compliant during these challenging times. ~ MPA and HIPPAtrek.

Disclosures to Public Health and the Authorities

COVID-19 is a national emergency. While healthcare facilities are preparing for the coronavirus pandemic, hospitals are facing increased workloads. Healthcare providers and public health agencies are working in overdrive to prevent the further spread of the virus. Healthcare providers are required to report cases of COVID-19 to public health agencies as a part of the response effort. As healthcare professionals identify new cases of COVID-19, they must follow required protocols for notifying public health agencies and alerting those that may be at risk of exposure to the virus.  

The risk of over-disclosure is prevalent as we work to protect the public by informing those that may have had contact with a COVID-19 infected patient. Care needs to be taken to release only the minimum necessary information to properly inform those at risk for infection. This will become increasingly important as more cases are identified.

Rely on Public Health Agencies

During an infectious disease outbreak – such as COVID-19 - protection under the Privacy Rule is not waived. Providers are permitted, and required, to disclose patient information for public health activities. Public health agencies include the CDC and state or local public health departments that are authorized by law to receive patient information. Public health agency disclosures may include:

  • referrals for testing of suspected cases of COVID-19
  • confirmed cases of COVID-19
  • deaths due to COVID-19 infections

Rely on your public health agencies to make media disclosures and locate potentially exposed persons. If you have a public relations department, work with them to ensure only relevant disclosures are made and that those disclosures do not include any PHI identifiers.

PHI Identifiers:

  • Name
  • Geographical areas
  • Dates, except of year (unless over the age of 89)
  • Telephone and Fax numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identification and serial numbers, including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photographs and comparable images
  • Biometric identifiers
  • Any other unique identifying number or code

Healthcare providers and public health agencies also have a responsibility to protect the public against COVID-19. Protection will include informing persons that have had contact with a COVID-19 infected patient. These communications should include instructions to adhere to recommendations of healthcare providers and/or government agencies to avoid a serious or imminent threat to public health.

Additionally, these disclosures are more sensitive and require authorization, in some instances. Steps must be taken to not disclose information that could identify the patient. When unsure if the disclosure requires an authorization, healthcare providers should either contact a healthcare attorney or use caution and obtain patient consent. In February, the Office for Civil Rights (OCR)  released a bulletin to help healthcare providers navigate the COVID-19 pandemic and HIPAA.

Relying on your local or state public health agencies to report new cases of COVID-19 protects the healthcare provider from a potential HIPAA breach. This process ensures patient privacy and proper reporting format, and assists in containing public panic.

Consider Local Laws

In addition to HIPAA considerations, healthcare providers and public health agencies need to consider local and state laws when disclosing patient information. This includes awareness of any changes that are implemented during a declared public health emergency. Work with your healthcare attorney to create notifications to patient family members, care givers, and the media. Your attorney will be your best resource to help you ensure your notifications meet your local and state laws as well as ensure HIPAA privacy. If you need a referral to a healthcare attorney, please contact us and we can help put you in touch with a healthcare attorney in your area.

The coronavirus is not a case of public health versus patient privacy. As public health agencies and healthcare providers must work together to identify, treat, contain and prevent the further spread of COVID-19, they must also remember to work together to protect patient privacy.

HIPAAtrek and MPA can help make HIPAA compliance easier with policy downloads, training, and HIPAA software. Let us know if we can help. 

SIGN UP for MPA and HIPAAtrek's webinar:

Surviving HIPAA During COVID-19

March 25, 1:00 p.m. CST

CLICK HERE TO SIGN UP

Read More

Topics: HIPAA, security, COVID-19, privacy

    Privacy Policy           Terms of Use