The HHS Office for Civil Rights (OCR) announced that it has fined Idaho State University (ISU) $400,000 for failing to protect patient information.
The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.
OCR goes into more details in the Resolution Agreement posted on their website:
Factual Background and Covered Conduct. On August 9, 2011, HHS received notification from ISU regarding a breach of its unsecured electronic protected health information (ePHI). On November 22, 2011, HHS notified ISU of its investigation regarding ISU’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”).
- ISU failed to conduct an appropriate risk assessment between April 1, 2007 and November 26, 2012;
- ISU failed to implement adequate security protections during the same time period to protect electronic protected health information (ePHI); and
- ISU did not regularly review information system (IS) activity to determine if ePHI was inappropriately used or disclosed.
The three findings are interesting because they represent HIPAA requirements that many organizations are not complying with.
A HIPAA Risk Assessment is the core of the HIPAA Security Rule. A Risk Assessment provides an organization with the information it needs to properly protect patient information. A Risk Assessment looks at where patient data is stored, how it is being protected, and what the risks to the data are. In addition, a HIPAA Risk Assessment provides suggestions for additional security measures that should be implemented.
Inadequate Security Protections
The second point goes directly with the failure to perform a Risk Assessment. Without the Risk Assessment an organization does not know what the risks are to patient information. Without knowing the risks, an organization may not put the proper protections in place.
Think about a patient going to the doctor. The patient might be ignoring some of their own habits and the effect those habits have on their health, until the doctor says, “If you don’t change your lifestyle you will be dead in 2 years.” Now the patient knows the real risks to their health and might make the lifestyle changes needed to avoid the consequences. A HIPAA Risk Assessment provides the same insight.
Information System Review
The third point is one that we see over and over again. Many organizations do not review system information activity. System information activity logs record access to patient information. They record:
- Who accessed patient information
- When patient information was accessed
- What patient information was accessed
Without reviewing system information activity, an organization is blind to what is happening with its electronic patient information. Reviewing system activity can reveal trends that alert an organization that illegal activity is occurring or that patient information is being accessed in an inappropriate way. Examples include:
- One employee is accessing 400 patient records a day when all other employees are only accessing 20 patient records a day. This employee might be downloading patient information and selling it for criminal activity.
- A lot of patient information is being accessed after normal working hours. This could be an indication that a hacker is illegally accessing patient information.
Without reviewing system activity, an organization might be blind to what is happening to patient information. Illegal or inappropriate access might be occurring right under its nose.
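The two patterns above (one user touching far more records than peers, and access outside working hours) are exactly what a periodic review of access logs should surface. The script below is an added example, not code from HIPAA Secure Now! or from the OCR findings: the log format, the user names, the constructed log lines and the thresholds (a user flagged at five times the peer median, a working day of 07:00 to 19:00) are all assumptions chosen for illustration.

```python
"""Review ePHI access-log activity for the two patterns the post describes:
one user reading far more patient records than peers, and access outside
normal working hours.  Added example: the log format, user names and
thresholds are constructed assumptions, not anything from the OCR findings."""
from collections import defaultdict
from datetime import datetime, time
from statistics import median
from typing import Dict, List, NamedTuple, Set


class AccessEvent(NamedTuple):
    ts: datetime
    user: str
    patient: str
    action: str


# Constructed sample log: ISO timestamp, user, patient record id, action.
# 2013-05-06 is a Monday; 2013-05-11 is a Saturday.
SAMPLE_LOG = """\
2013-05-06T08:03:11 nurse_a P1001 VIEW
2013-05-06T08:45:27 nurse_a P1002 VIEW
2013-05-06T09:10:05 nurse_b P1003 VIEW
2013-05-06T09:55:40 nurse_b P1004 UPDATE
2013-05-06T10:02:19 dr_c P1005 VIEW
2013-05-06T10:30:00 dr_c P1006 VIEW
2013-05-06T11:15:33 billing_d P1007 VIEW
2013-05-06T11:20:48 billing_d P1008 VIEW
2013-05-06T12:00:01 clerk_e P2001 VIEW
2013-05-06T12:00:14 clerk_e P2002 VIEW
2013-05-06T12:00:29 clerk_e P2003 VIEW
2013-05-06T12:00:41 clerk_e P2004 VIEW
2013-05-06T12:00:55 clerk_e P2005 VIEW
2013-05-06T12:01:08 clerk_e P2006 VIEW
2013-05-06T12:01:22 clerk_e P2007 VIEW
2013-05-06T12:01:37 clerk_e P2008 VIEW
2013-05-06T12:01:50 clerk_e P2009 VIEW
2013-05-06T12:02:03 clerk_e P2010 VIEW
2013-05-06T23:41:09 nurse_b P1009 VIEW
2013-05-11T02:15:44 clerk_e P2011 EXPORT
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse space-separated log lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def records_per_user_per_day(events: List[AccessEvent]) -> Dict[object, Dict[str, Set[str]]]:
    """date -> user -> set of distinct patient records that user touched that day."""
    counts: Dict[object, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for e in events:
        counts[e.ts.date()][e.user].add(e.patient)
    return counts


def flag_heavy_users(events: List[AccessEvent], ratio: float = 5.0, min_records: int = 10):
    """Flag a user whose daily distinct-record count is at least `ratio` times the
    median of the other users that day (the 400-vs-20 pattern) and at least
    `min_records`, so one record on a quiet day is not reported as an outlier."""
    findings = []
    for day, per_user in sorted(records_per_user_per_day(events).items()):
        for user, records in per_user.items():
            peers = [len(r) for u, r in per_user.items() if u != user]
            if not peers:
                continue  # nobody to compare against on this day
            peer_median = median(peers)
            if len(records) >= min_records and len(records) >= ratio * peer_median:
                findings.append({"date": day.isoformat(), "user": user,
                                 "records": len(records), "peer_median": peer_median})
    return findings


def flag_after_hours(events: List[AccessEvent], start: time = time(7, 0), end: time = time(19, 0)):
    """Return events outside start..end on a weekday, or at any time on a weekend."""
    return [e for e in events
            if e.ts.weekday() >= 5 or not (start <= e.ts.time() < end)]


def review_access_log(text: str) -> dict:
    """Run both checks over a log and return the findings as plain data."""
    events = parse_log(text)
    return {"heavy_users": flag_heavy_users(events),
            "after_hours": [f"{e.ts.isoformat()} {e.user} {e.patient} {e.action}"
                            for e in flag_after_hours(events)]}


if __name__ == "__main__":
    for name, items in review_access_log(SAMPLE_LOG).items():
        print(name)
        for item in items:
            print("  ", item)
```

On the constructed log, clerk_e is reported for touching 10 distinct records on a day when every peer touched 2 or 3, and two events are reported as after-hours (a 23:41 view and a Saturday 02:15 export). A real review would key the same two checks to the organization's own schedule and to a baseline measured over several weeks rather than a single day.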
It cost Idaho State University $400,000 plus significantly more to notify patients and address the findings in the OCR Resolution Agreement.
Unfortunately, many organizations fail to protect patient information and do not perform the 3 items that caused Idaho State University to receive a $400,000 HIPAA fine.
Introduces New HIPAA Compliant Data Backup Service, HIPAA Secure Backup Powered by BUMI
Morristown, NJ (PRWEB) May 21, 2013
HIPAA Secure Now! and BUMI (Backup My Info!) announced today a new HIPAA compliant data backup service called HIPAA Secure Backup Powered by BUMI. BUMI is the premium provider of managed online backup and recovery solutions for small to mid-sized businesses. Under HIPAA Security Rule 164.308(a)(7)(ii)(A), medical providers and their business associates are required by law to implement a data backup plan that ensures Protected Health Information (PHI) is properly safeguarded.
HIPAA Secure Backup Powered by BUMI ensures that data is encrypted prior to being sent to the BUMI servers and that data remains encrypted on the servers. BUMI will sign a required HIPAA business associate agreement with either a covered entity or business associate (healthcare organizations and their contractors) to certify that they comply with the new HIPAA Omnibus Rule. The service is fully managed from the software installation to monitoring backups, notifying clients if there are issues with backups, and 24×7 live support and data recovery.
“One of the most frequently asked questions we get from our clients is concerning HIPAA compliant data backup services,” explained HIPAA Secure Now! President and CEO Art Gross. “Our clients are looking for an automated, fully managed, affordable, HIPAA compliant backup service that not only helps protect patient information but helps them with HIPAA compliance. BUMI ensures that data backups comply with HIPAA regulations and signing a HIPAA business associate agreement ensures compliance with the HIPAA Security and Omnibus Rules. In addition, their 24×7 live support is unmatched.”
Jennifer Walzer, President and Founder of BUMI (Backup My Info!) said, “We are excited to be working with HIPAA Secure Now! to help healthcare organizations and their associates ensure compliance. Our fully managed, premium backup and recovery solution provides healthcare organizations the peace of mind that their patient data is securely backed up and compliant with HIPAA regulations.”
About HIPAA Secure Now!
HIPAA Secure Now! has been helping clients comply with the HIPAA Security Rule since 2009. HIPAA Secure Now! is the fastest and easiest way to HIPAA compliance. HIPAA Secure Now! performs our client’s Risk Assessment; writes their policies and procedures and trains their employees on how to protect patient information. In addition, HIPAA Secure Now! offers a full suite of technology products to protect patient information including email encryption, mobile encryption, data backup, disaster recovery and network security. For more information visit https://www.hipaasecurenow.com.
Founded in 2002, BUMI (Backup My Info!) specializes in delivering online backup and recovery solutions for small to mid-sized businesses. Based in New York City, BUMI provides an off-site data protection solution that addresses critical issues such as rapid growth of data, business continuity, and regulatory compliance. Every BUMI client is cared for by a team of senior-level engineers dedicated to providing proactive and personalized support. Clients include professional service organizations such as banking, financial, insurance, accounting, hedge funds and law firms. For more information, visit http://www.backupmyinfo.com or call (866) 444-BUMI (2864).
Risk of owning a car
If you take a step back and think of the risks of owning a car I think you would be shocked. Cars have associated risks that could significantly impact you and your family. Some of the risks include:
- The risk of being hurt or killed in a car accident
- The risk of hurting someone else in a car accident
- The financial risk of being hurt and the associated medical costs
- The financial risk of hurting someone else and being sued
- The financial risk of someone stealing your car
- The financial risk of repairs to your car
Owning a car may be one of the riskiest investments a person makes. Yet we get in our cars every day and drive to work or bring our children to baseball practice. In fact, most of us don’t even think about the associated risks. Why is that? One reason we don’t worry about the risk automobiles present is that we have taken steps to minimize it. Some of those steps include:
- We buy cars with advanced safety features to protect us in the event of an accident
- We have medical insurance to offset expenses in case we are hurt in an accident
- We have car insurance to cover expenses of accidents or if our cars are stolen
- We obey traffic regulations that are in place to make driving cars safer
Risk of maintaining patient information
So as you can see, we have put in place safeguards to protect us from the risks that our automobiles present us.
Like cars, electronic protected health information (ePHI, or patient information) presents us with significant associated risks. Some of the risks include:
- The financial risk of regulatory fines for non-compliance with HIPAA regulations
- The financial risk of security data breaches that disclose ePHI
- The risk of negative publicity or reputation damage in the event of a data breach. Negative publicity carries the associated financial risk of patients leaving or not choosing a medical practice
Have you thought about what the impact would be if any of these events were to happen?
- What if you receive a $200,000 HIPAA fine for non-compliance?
- What if you had $300,000 of breach related expenses due to a security breach? Expenses include IT forensics, legal expenses, patient notification expenses, etc.
- What if you received a HIPAA fine and your search results in Google displayed stories on your HIPAA violation? Would this have an impact on existing or new patients?
Patient information safeguards
As you can see, maintaining ePHI has associated risks that could significantly impact your organization. Like owning a car, it is critical that you put in place safeguards to minimize the associated risks. Some of the safeguards include:
- Performing a HIPAA Risk Assessment to understand what security safeguards need to be implemented to protect ePHI
- Training employees on how to protect ePHI
- Implementing encryption on laptops and smartphones to minimize the risk if these devices are lost or stolen
- Purchasing HIPAA / Cyber insurance to offset the expenses of regulatory fines or breach related expenses
Maintaining ePHI is risky, but like owning an automobile, it is possible to implement safeguards that offset the associated risk. Not understanding the risks, or not putting the appropriate safeguards in place, could significantly impact or cripple an organization.
- Would you purchase a car without purchasing insurance?
- Would you drive a car without using seat belts or put your children in a car without seat belts?
- Would you drive through red lights or disobey traffic regulations?
Most likely the answer to the above questions is NO! Take a step back and seriously look at the risk of having ePHI. Make sure you take steps to protect your organization against the associated risks of having electronic patient information.
Don’t drive without seat belts!
HIPAA Security Tips: The Dangers of Smartphones
Learn more about Smartphone encryption and our other HIPAA security products. Visit our HIPAA Technology Suite page for more details.
The below infographic provides good insight into common myths of HIPAA compliance for medical practices.
Thanks goes out to HIPPOmsg for putting the infographic together!
We put together a free guide to help your compliance effort called:
5 simple and inexpensive tips to protect patient information
Microsoft has announced that they have updated their Business Associate Agreement (BAA) for Microsoft Office 365. The new BAA addresses the requirements in the HIPAA Omnibus Rule that went into effect on March 26, 2013.
Addressing HIPAA is embedded in the DNA of Microsoft’s cloud solutions, and Microsoft updated its BAA to help healthcare organizations address compliance for the final omnibus HIPAA rule, which went into effect March 26. Microsoft’s updated BAA covers Office 365, Microsoft Dynamics CRM Online and Windows Azure Core Services.
The new BAA focuses on the changes affecting Business Associates.
The refreshed BAA aligns with new regulatory language included in the final omnibus HIPAA rule, such as the new definition of a Business Associate, which includes any entity that maintains protected health information on behalf of a HIPAA-covered entity and has access to such data, even if it does not view the data. It also covers important data protections, such as Microsoft’s reporting requirements in accordance with the HIPAA Breach Notification Rule, and Microsoft’s obligation to require its subcontractors who create, receive, maintain or transmit protected health information to agree to the same restrictions and conditions imposed on Microsoft pursuant to the applicable requirements of the HIPAA Security Rule.
Microsoft Office 365 is one of the products in our HIPAA Technology Suite. Click here to find out more about our cost effective HIPAA compliant suite of products to help you comply with HIPAA and protect patient information.
There is a very good article over at HealthData Management called “Want to Impress OCR During a HIPAA Audit? Write a Book”.
The author discusses the benefits of creating a “Book of Evidence” that your organization is in HIPAA compliance if you were to get audited by the HHS Office of Civil Rights (OCR).
Creating a Book of Evidence on an organization’s compliance with HIPAA privacy, security and breach rules is not difficult, only takes a couple of weeks, and helps an organization not be overwhelmed if it’s selected by the HHS Office for Civil Rights for a random HIPAA audit, says Mark Dill, director of information security at Cleveland Clinic.
Mark Dill goes on to make a very good point:
“If you look disorganized, HHS will think you are.” An organization may be able to avoid an on-site visit just by the quality of data it sends to OCR, or at least can minimize the time spent on site, which avoids auditors finding more issues.
Dill gives some good examples of what should be in a Book of Evidence (BOE):
A BOE will show proof of updating the risk analysis with introduction of business changes or new information systems; an incident response system that is quick, effective and a repeatable process; that all employees have received timely HIPAA training with their scores available; that appropriate authentication controls are in place; and can even show the receipts for security technology buys such as encrypted hard drives, Dill says.
At HIPAA Secure Now! we have been thinking about a Book of Evidence for years. Our HIPAA Compliance Portal can be your Book of Evidence. If you were to get audited by OCR, you can give them a userid to access your HIPAA Compliance Portal. All of your “evidence” of HIPAA compliance is in one place. Let’s take a look.
HIPAA Compliance Portal
HIPAA Security Policies and Procedures
All your HIPAA privacy and security policies are stored in our Compliance Portal. All employees have access to the Compliance Portal and to your policies and procedures. You can even upload OSHA policies, your employee handbook and HR policies and procedures so that employees can access them online.
HIPAA Risk Assessment, Business Associate Agreements, Disaster Recovery Procedures
The Compliance Portal contains your Risk Assessment reports, tracks Business Associates and allows you to upload Business Associate Agreements, Disaster Recovery Plans and also allows you to upload other contracts or documents. Only administrators have access to this section. Employees do not have access to this sensitive information.
HIPAA Security Training
All training is done online via our Compliance Portal. The administrator training report is accessible only to the administrator(s). The report shows each of your employees, when they took the HIPAA security training and what grade they received on their HIPAA compliance quiz. There is no better way to prove you have provided HIPAA security training to your employees! Employees also have access to our HIPAA Security Tips and Reminders, which helps show that you are in compliance with the requirement to provide periodic security reminders to employees.
HIPAA Security Incidents, Server Room Access, Track ePHI Removed and Received
The Compliance Portal allows you to track HIPAA security incidents and what your response was to each of those incidents. You can also track who has accessed the server room, ePHI that has left your organization (e.g. on USB drives) and any ePHI that has been received by your organization (e.g. DVDs with x-rays or ultrasound images given to you by patients).
As you can see, the HIPAA Secure Now! Compliance Portal can be your “Book of Evidence” in the event OCR audits your organization. If you would like a live demo of our HIPAA Secure Now! Compliance Portal, fill out the form below and we will be happy to schedule a demo with you.
The Harvard Business Review has an excellent article on how some Boston companies handled the Boston metro lockdown situation. The article points out that proper planning for emergencies is the best way to prepare in the event of a real emergency.
The Cambridge-based company, HubSpot, had an emergency operations plan in place and executed the plan.
Making sure employees know what to do in a fast-breaking emergency isn’t as easy as just sending a text or an email. It takes preparation as well as rapid execution. One Cambridge-based company, HubSpot, talked to me about how they coordinated their response, with people in IT, security, and HR all working together to first identify employees in the Watertown area who might be in harm’s way, and then reaching out to those people “to make sure they had heard the news and didn’t plan to go outside,” said Katie Burke, from the company. They phoned, texted, and as a last resort, emailed them individually. Then, says Burke, “Our Chief Security Officer notified all employees early [Friday] morning that the office would be closed so people wouldn’t drive or try to train into work and get stranded.” Finally, they made sure everyone knew there’d be no penalty for staying home, and encouraged them to reach out if they needed help.
EHR vendor athenahealth highlighted that their emergency operations plans were critical because they are a HIPAA regulated company.
“As a HIPAA-regulated organization, we have a heightened sense of responsibility for business continuity and crisis management,” she told me. Their crisis plan was enviable.
The HIPAA Security Rule states:
EMERGENCY ACCESS PROCEDURE (R) – § 164.312(a)(2)(ii)
This implementation specification requires a covered entity to:
“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”
Let’s look at athenahealth’s emergency operations plan:
Every employee, when they first join the company, is handed a wallet card with Reckman’s phone number and other emergency contact numbers. At 4:30 in the morning on Friday, Reckman was awoken by a Watertown-based employee who’d called the number on that card to tell her that he had heard gunshots outside his home, and was now following the unfolding events on the news and listening to a police scanner. It sounded, he said, like this might go on for a while. Reckman jumped out of bed and activated their emergency notification system. The first alert went out to the firm’s crisis-management team, a group of about 15 or 20 people from around the company. Closing for the day “was a no-brainer,” Reckman said. So within another few minutes, they’d activated the automated emergency contact system that goes out to all employees — reaching their home phones, cell phones, work phones, work email accounts, and personal email accounts. They got the message out by 5:30 am.
“I was asleep until 6 a.m.,” said Amanda Guisbond, who works in the communications department. “I woke up and had a voicemail on my cell phone telling me the offices were closed, and I also had an email in my gmail account, which was good because I wouldn’t have been checking work email right away.”
What worked and what didn’t work?
- Email was not the best way to contact all employees
- The use of SMS text messages was a quicker way to push information out to people
- Make sure it’s a system multiple people can activate, from any location. Don’t rely on one person to activate an emergency operations plan
- Review the plan and make sure you continue to refine it so it works as smoothly as possible
What is your organization’s emergency operations plan? Take a step back and run the scenario of a Boston metro lockdown. How would you notify your employees? What steps would you take? Start by ensuring that you have multiple contact methods for each of your employees. Make sure that employees can contact management and other employees.
Emergency operations plans do not have to be complicated or technologically sophisticated, but they do need to be properly planned.
We know you know about HIPAA security. HIPAA breaches are in the news on a weekly basis. The new HIPAA Omnibus Rule has been finalized and there is a lot of buzz about it. So the question is why haven’t you gotten serious about HIPAA security? We think we know some of the reasons.
- HIPAA security is confusing. HIPAA privacy is much easier compared to HIPAA security. HIPAA security focuses on a lot of technology safeguards. These safeguards include the use of encryption for data at rest and in transit, auditing of user access, and designing and implementing disaster recovery plans that assure continued access to patient information in the event of a disaster. None of these topics is easy, and most physician practices do not have the technical understanding or the IT support to properly implement them.
- HIPAA is just one of the many things on a long list of items that each physician practice has to worry about. Physician practices have to deal with a large amount of staff turnover, other government regulations such as OSHA, and struggles with Medicare and private insurance reimbursements, to name a few. Is it any wonder that HIPAA security keeps getting pushed down the list?
- Recent enforcement of HIPAA. Let’s face it, for years HIPAA privacy and security have not been enforced. There was little to worry about in terms of being audited for HIPAA compliance. That has all changed recently but many physician practices are just starting to get the word and to put HIPAA compliance on their radar screens.
These are valid reasons for not addressing HIPAA security. But times are changing and it is more and more important to take HIPAA security seriously. HIPAA breaches and government regulatory fines can put you out of business.
Take the first step and find out 5 simple and inexpensive tips for protecting patient information. Our guide gives easy to understand and inexpensive tips for addressing HIPAA security. Learning what you need to do to protect patient information is the best first step. Download your guide now!