Breaking Compliance News Blog

Making Recognized Security Practices work for you

Posted by Scott Gima on 11/30/22 10:15 AM

One Big Thing

Implementation of Recognized Security Practices (RSPs) for at least 12 months provides covered entities and business associates with the opportunity to reduce fines and penalties for violations of the HIPAA Security Rule.


On January 5, 2021, Congress passed an amendment to the HITECH Act that requires the OCR to take into account the Recognized Security Practices of covered entities and business associates when they are able to show that RSPs have been in use for the 12 months prior to a HIPAA breach incident.

If RSPs are in place, the OCR may mitigate fines and remedies and allow an early and favorable termination of an audit.

Over the past months, the amendment has generated questions related to the uncertainty about what constitutes RSPs, and how to demonstrate their implementation. In response, on October 31, 2022, HHS-OCR released a video that addresses some of these concerns about RSPs.

What Are Recognized Security Practices?

Read More

Topics: HIPAA, security, compliance

Health System Ransomware Attack Lingers…

Posted by Scott Gima on 11/22/22 10:08 AM

CommonSpirit hospitals reported IT issues on October 3rd with a response that included taking systems offline, including their electronic medical records. CommonSpirit has 140 hospitals in 21 states.

According to website information, hospitals in seven states have been impacted. Scheduling issues and procedure delays have been reported.

Systems being restored. On November 9, CommonSpirit announced that it continued to “work diligently to bring systems online and restore functionality as quickly and safely as possible, including electronic health records….” We know that, after the attack, many clinicians were unable to access medical records, and patient access to the MyChart portal was impacted.

Why it matters: There are no details on whether there has been a data breach of PHI – CommonSpirit says a forensic investigation is ongoing. But the news reports provide a clear picture of the operational impact that occurs in response to a ransomware attack – IT systems and applications have to be taken down to contain the impact or spread of the attack.

Security risk analysis and business continuity planning. A business continuity plan prepares your organization to respond quickly with temporary procedures and measures to continue key operational tasks and get systems back online as quickly as possible.

What to do: Identify and prioritize tasks that include but are not limited to electronic medical records (scheduling, documentation, orders, medications, and communication), communication, payroll, billing, collections, and food and supply ordering.

Every critical task must be reviewed to minimize patient risk. For example: a new medication order. What steps are now needed to get a new medication order from the physician to the bedside? Will human runners be needed? How and who will review, transcribe, and double check orders to prevent errors?

Email – don’t underestimate its impact. Business continuity takes a hit when email is inaccessible. Is your inbox your de facto “to do” list? Imagine how you are going to be able to tackle routine tasks without access to your inbox. Don’t overlook other email folders, as well as the inability to communicate by email for at least a couple of weeks if not longer….

Read More

Topics: HIPAA, security, compliance

Has your HIPAA security program addressed Callback Phishing?

Posted by Scott Gima on 8/30/22 8:45 AM


What is Callback Phishing?

CrowdStrike, a third-party cybersecurity firm, recently disclosed a new tech support phishing campaign. Hackers send out a fake email purporting to come from a reputable cybersecurity firm (like CrowdStrike). The email falsely claims your business had a cybersecurity event and is working with the company’s security department to address a possible issue with the employee’s workstation. The email asks the employee to urgently call a provided phone number to resolve the issue on their workstation.

If a call is made, the hackers will trick the caller into installing remote desktop software. Once given access, the hacker now has access to the user’s workstation and will attempt to move through the network to initiate a ransomware attack.


A New Version of an Old Scam

This tech support phishing attack is a new twist on an old scam. A May 2022 blog post discussed an FTC alert on Senior Tech Support Scams, which happened to a family member.

It is highly likely that these emails will get into an inbox because they contain no malicious links or attachments, which diminishes the effectiveness of spam or anti-phishing filters.


Use your HIPAA training program to increase awareness

Training and education are the most effective way to prevent callback phishing attempts from succeeding. A phishing reporting policy may be a worthwhile addition to your HIPAA and/or cybersecurity policies. Here are some simple training reminders:


  • Do not call the number provided. Assume any email from a well-known cybersecurity firm like CrowdStrike is a phishing email, especially if the email alleges a breach of your environment and requests an urgent call back.
  • Follow your organization’s phishing reporting policy. Call or forward the email to your Security Officer and/or IT department and let them handle the matter. If it is legitimate, they will let you know.
  • Pat yourself on the back, you just prevented a phishing attack.


Update your HIPAA Security Risk Analysis

Revisit and update your HIPAA Security Risk Analysis. Add callback phishing as a threat where appropriate. Document your anticipated mitigation strategies including training. Lastly, document when each mitigation effort has been implemented, and include dates so progress can be easily understood.

MPA can handle your HIPAA Security Risk Analysis

The HIPAA Security Risk Analysis is a lot to tackle. We all know it’s even more challenging to accomplish during COVID times. MPA can conduct your HIPAA Security Risk Analysis, saving you time and improving your security. Reply to this email to learn more information.

Read More

Topics: Training and Education, HIPAA, security, risk analysis

Is your HIPAA Security Risk Analysis outdated?

Posted by Margaret Scavotto & Scott Gima on 8/16/22 9:00 AM


The HIPAA Security Rule requires covered entities and business associates to complete a HIPAA Security Risk Analysis, and to periodically update it. Per industry standards, the Security Risk Analysis should be updated annually at the very minimum.

When investigating a breach, the OCR also reviews the organization’s compliance with the HIPAA Security Rule. One of the OCR’s top findings is the failure to conduct and/or update a comprehensive risk analysis.

In a recent interview, Lisa Pino, HHS OCR Director stated: “We are a law enforcement agency and we have to instill that sense of accountability when obligations of the law are not in compliance.” And that “hacking and IT incidents are still a growing threat.” She goes on to state that “this is really a time for organizations to bolster their security profile. This is an opportunity for them to reset and really establish, if not already, an enterprise-wide risk analysis instead of a reactive stance… an ongoing risk management is a must from a business perspective.”

Most entities failed OCR audit of risk analysis

Pino also referenced the OCR’s 2016-2017 HIPAA Audit Industry Report released in December 2020. She points out that the report provides valuable information that is still relevant today. In that report, the OCR found that only 14% of covered entities “are substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities.”

For the 86% of covered entities who failed to meet risk analysis requirements, there were some common issues:

  • “Some entities provided irrelevant documentation, such as a document that describes a patient’s insurance prescription coverage and rights; a document that discusses pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page.”
  • “Providers commonly submitted documentation of some security activities of a third-party security vendor, but no documentation of any risk analysis that served as the basis of the activities.”
  • “Entities offered third party template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation.”

If you have not conducted a HIPAA Security Risk Analysis, or if it has been more than one year since you have updated yours, that’s a big risk.

Perhaps as risky as driving a vehicle without insurance. Or eating the marshmallow casserole someone plopped down on the picnic table on a hot, sunny day four hours ago.

It’s not worth the risk.

Without a current HIPAA Security Risk Analysis, organizations do not know where their security risks are – which means they are likely unmitigated. Think of it as a data breach waiting to happen.

Every day, security risks in healthcare increase:

  • According to IBM’s Cost of a Data Breach 2022, the healthcare industry has had the highest average data breach cost for 12 years in a row – and the average cost of a data breach in the healthcare industry is $10.10 million.
  • According to the 2022 SonicWall Cyber Threat Report, ransomware attacks decreased 23% globally in the first half of 2022. But, in the healthcare industry, ransomware attacks increased by 328% during this timeframe.


What’s your HIPAA breach risk tolerance?

Do you update your HIPAA Security Risk Analysis at least annually, and mitigate risks you identify in a timely manner? If so, you have reason to sleep well at night. Keep up the good work.

Or, are you more of the dangerous-casserole-taster type, operating with an outdated HIPAA Security Risk Analysis – or, worse, none at all? If so, has your organization calculated the likelihood of experiencing a breach (very high), and the expected costs of a breach (also very high)?

MPA can handle your HIPAA Security Risk Analysis

The HIPAA Security Risk Analysis is a lot to tackle. We all know it’s even more challenging to accomplish during COVID times. MPA can conduct your HIPAA Security Risk Analysis, saving you time and improving your security. Reply to this email to learn more information.

Read More

Topics: HIPAA, security, risk analysis

HIPAA Reminder: Paper Still Counts

Posted by Margaret Scavotto, JD, CHC on 6/21/22 11:40 AM

Lately, my inbox is flooded with warnings, reminders, and webinars about cybersecurity. Rightly so: cyberattacks are on the rise, and healthcare remains the #1 target. At MPA, we recently updated our HIPAA Security Risk Analysis, and we carefully documented every source of electronic PHI.

But: Paper still counts.

With so much of our efforts focused on cybersecurity and electronic PHI, we can’t lose sight of the risks posed by paper PHI. For example:

  • A patient went to the emergency department at a hospital to get her blood pressure checked. While there, her nurse wrote down the blood pressure result on a piece of paper. The patient noticed that the other side of the paper listed another patient’s name, number, address, and positive HIV status. 
  • A health system “became aware of a break-in to an off-site storage facility where certain limited patient records were housed. Six boxes of paper documents were removed from the facility without authorization.” 

In the HIPAA world, paper PHI still counts! Make sure your HIPAA security risk analysis and mitigation plan include paper PHI in addition to electronic PHI.

  • Remember:
Read More

Topics: HIPAA, security, privacy

“That’s so cute!” (if there’s a HIPAA authorization)

Posted by Margaret Scavotto, JD, CHC on 6/14/22 11:17 AM

Are you on TikTok?

I’m not (although I hear it’s worth it for the air fryer recipes).

But everyone else is, including an increasing number of healthcare professionals and healthcare providers.

Social media use increased during the early pandemic days as a way to connect with the world from inside locked down facilities. It also brings a healthy dose of levity. For example:

  • A nursing home’s videos of residents enjoying therapy dogs Floyd and Loki went viral on TikTok.
  • Last Thanksgiving, one nursing home’s TikTok video of the administrator dressed as a Thanksgiving turkey went viral.
  • In a Scotland nursing home, a 102-year-old resident’s daily exercise dance routine – done with two nurses – was posted to TikTok. In the video, the resident and two of his caregivers are seen dancing. The home claims the videos “have been a great way to get the residents up and moving, and they’ve loved taking part.”

I love these videos! They are so cute. And they are okay to use – IF the patients signed a valid HIPAA authorization before the videos were taken.

Without a HIPAA authorization, the cute factor fades, and we are left with a potential HIPAA breach to investigate.

Thinking of going viral? Have fun – but make sure everyone involved understands the HIPAA consequences.

What you can do:

Read More

Topics: Training and Education, HIPAA, Social Media, security, privacy

Last Chance: Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 6/7/22 12:03 PM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Cold Hard HIPAA Stats: Where Do You Stand?

Posted by Scott Gima on 5/25/22 1:15 PM

HIPAA risks change constantly – and so must our response to them. The latest HIPAA statistics reveal how HIPAA risk is shifting (and increasing):

Read More

Topics: HIPAA, security

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/19/22 8:45 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

When Senior Tech Support Scams are a Cybersecurity/HIPAA Issue

Posted by Scott Gima on 5/10/22 9:45 AM

The FTC regularly sends out consumer alerts on various scams. TurboTax’s “free” tax service and car dealer junk add-on fees are just a couple of recent alerts. Many times, these emails hit the trash bin after I read the subject line. This morning, my inbox had the FTC’s latest alert: Shutting Down Tech Support Scams. This morning was different – I opened the email and read the alert. Why? Because an older family member was a victim of a tech support scam.

First, let me tell you about my family member’s experience with a tech support scam. Some of the facts have been changed to protect the family member’s identity. But to make it easier, let’s call my family member Mom. Mom and Dad are retired and in their 80s. A few years ago, my family went to Mom and Dad’s house for Thanksgiving. While there, other siblings and cousins are discussing possible Christmas gifts, so I jump on Mom’s computer to do a little online shopping.

In the bottom right-hand corner, the Windows taskbar typically has a bunch of icons that show programs that are loaded on startup. Mom’s taskbar showed a TeamViewer icon. TeamViewer is a legitimate remote desktop program that is typically used by tech support people to obtain remote access to a workstation, computer or laptop. I recognized the icon because TeamViewer has been used by our own company’s tech support. But there is no reason for Mom to have this program on her home computer. So I start asking questions, and this is what I learned.

Read More

Topics: HIPAA, security
