
Boy Scouts and Business…and HIPAA?

I come from a family with 6 boys, all of whom are Eagle Scouts. I’ve used many skills I learned from Boy Scouts in my travels across the globe, from heli-skiing in Alaska and caribou hunting with a bow in the vast tundra of Quebec to roaming the streets of Jerusalem. Each skill I learned in Scouting has been put to the test at one point or another in my life.

For the last 16 years I’ve served as a volunteer Scout leader in the Boy Scouts of America and have tried to give back to the youth by teaching them the lessons I feel will help them be successful in all facets of life. Sitting at the top of the list is being prepared. Whether it’s being prepared physically and mentally to weather a storm and build a shelter for safety or being prepared to communicate with someone in another language or being prepared to be honest in business dealings with others.

Being prepared is the Boy Scout motto. “Be prepared for what?” someone once asked Robert Baden-Powell, the founder of Scouts, to which he replied, “Why, for any old thing.”

I am shocked in my professional career that this simple mantra of being prepared is not more readily observed. I’ve had conversations — too many to list — with providers and CIOs making statements indicating they were comfortable participating in the CMS Meaningful Use incentive program and receiving large incentive funds without properly understanding what they’re committing to.  That is scary!

I recently became aware of a covered entity that received close to 1 million dollars from CMS as a participant of Meaningful Use, yet upon inquiry from Figliozzi to produce the Security Risk Analysis required by the HIPAA Security Rule they were unable to do so.

In an email addressed to them, the concluding remarks stated, “If the aforementioned meaningful use criteria are not met, the incentive payment will be recouped.” Yikes! Our experience has shown that many hospitals and clinics are running on a 60- to 90-day cash runway. Returning funds of this magnitude with such minimal operating capital could result in unfortunate consequences.

When will the phase 2 audits begin? OCR will begin phase 2 audits in October 2014 and will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, as its focus. These entities will have two weeks to respond to OCR’s request. OCR will only consider current documentation that is submitted on time. Failure to respond could result in a more in-depth compliance review.

In the spirit of being prepared, here are 2 simple steps to help get your organization started in its preparation for an audit.

#1 Dig up and dust off your Security Risk Analysis 

  • Can you find it?
  • Is it up to date?
  • Have you been working on the gaps in compliance identified for remediation?

If you checked the box and did not conduct a proper SRA, then beware! There are many who have simply checked the box that an assessment has been done at the facility without understanding the rigor and liability of what is being asked by CMS. We are finding that some providers would rather roll the dice when it comes to an audit of their HIPAA Security risk assessment. According to CMS, 68% of those audited fail because they have not conducted an SRA or have done it incorrectly. This is not a matter to be trifled with. If a provider fails even this one measure of HIPAA compliance, CMS will recoup the entire amount. It’s all or nothing.

#2 Designate a HIPAA Security Officer

Designate someone to be your HIPAA Security Officer to avoid confusion on who should own the responsibility for overseeing the risk assessment process and ensure HIPAA compliance protocols are followed in the organization. The former will include gathering and storing information from several parties. A typical Security Risk Analysis includes information gathered and aggregated from the HR Director, EMR Administrator, IT Network Manager, Facilities Manager, IT Server Manager and HIPAA Security Officer. Using this approach, specific role-related questions are answered by each of the parties aforementioned.

Here’s a good example: An IT Network Manager is asked, “Has your organization performed an external (i.e. Internet) server and network vulnerability scan on your Internet-facing devices in the past year?” If their answer is yes, then they are asked to supply supporting documentation. If their answer is no, then a threat, likelihood and impact are identified, a high, medium or low risk is associated with that question, and a remediation task is recorded for later fulfilment. A follow-up question would be, “Were there any critical and/or high risk vulnerabilities discovered in the vulnerability scans?” CMS is not only looking to see that you completed a Security Risk Analysis, but that you are working on remediating items deemed high risk.

When it comes time to present on the current state of compliance in your organization, having one point of contact organizing this information helps keep all parties on task and working toward HIPAA compliance.

Be warned: when a CMS, OCR or government-sponsored inquiry occurs and Security Risk Analysis documentation is requested, answering the questions “Where is it and who has it?” with “not me” won’t cut it and will result in your organization returning its incentive payment. The phrase “not me” isn’t just a fictional character in the Family Circus cartoon. It’s a human condition in the brain designed to absolve oneself of any duty, accountability or responsibility in a situation one prefers not to be inserted into. Replying “not me” could cost your organization millions of dollars in fines and embarrassment.

The best way to be prepared to survive a Meaningful Use audit or other government inquiry is to show compliance through organized documentation, processes, policies and procedures.  Resources are readily available, so find the best Boy Scout in your office, dub them with the title of HIPAA Security Officer and get to work! And remember, compliance is NOT a destination but a journey. Enjoy the journey!

Why Dentists Should Be Concerned about HIPAA Laws and the Security of Their Patient Records

Back in 1996, HIPAA (the Health Insurance Portability and Accountability Act) became federal law. The United States government acknowledged the need for people and businesses in healthcare fields to better protect patients’ healthcare records, because they are sensitive documents and every patient has a right to privacy and security.

The healthcare community, health insurance plans and subcontractors were not taking measures to ensure basic security controls and privacy protocols were in place. Much like the payment card industry established the PCI Security Standards Council to oversee the protection of credit card account numbers, the federal government established governance and protocols as a baseline to oversee patients’ rights to their records, disclosures, and the securing of the personal identities contained in health and dental records.

The Office for Civil Rights (OCR) is a division of the Department of Health and Human Services. The OCR was placed in charge of enforcing HIPAA Security and Privacy laws starting in 2009 as part of the HITECH Act, to ensure those storing health records are taking basic care to ensure confidentiality, authorization, availability and appropriate disclosures of personal health information (PHI). The OCR is incentivized to enforce HIPAA through Civil Money Penalties (CMP) and by publishing investigations and resulting settlements under the Freedom of Information Act.

Dentists can fall on the radar of a Security and Privacy audit in the following ways:

  1. A patient complains their data isn’t secured or reports a suspected violation of their privacy rights on the HHS website (i.e. whistleblower complaints). The OCR is required to investigate each complaint.
  2. OCR’s continuing random audit program into 2014-2015.
  3. A dental office could be randomly selected for Meaningful Use audits.

HIPAA has four rules outlined below:

HIPAA Privacy Rule

Every patient has the right to control their personal health records, and each business and its employees are responsible for keeping any unauthorized person from viewing patient files. These health files are now written, stored and shared orally, electronically and on paper, so a lot has to be done to keep these records out of the wrong hands.

HIPAA Security Rule

This rule relates directly to electronic patient files and states each covered entity—which includes Dentists—must keep them safe from any unauthorized access during transit and storage.

HIPAA Breach Notification Rule

The breach notification rule requires all covered entities and business associates to give notification when a breach has occurred in relation to unsecured protected patient health information.

Patient Safety Rule

The final rule protects identifiable patient health information that is used to analyze and improve patient safety and events relating to patient safety.

If dentists don’t comply with HIPAA rules and are then audited, they are penalized.

Dental records, in paper or electronic format, are considered Protected Health Information and are subject to the same Federal scrutiny for privacy and security as full medical records.

Dental records contain minimal medical information, but they do contain demographic information and identifiers related to dental health. These include name, address, birth date, phone numbers, insurance status, patient ID number, SSN, etc.

Penalties vary and are determined by the seriousness of the security or privacy breach. Also taken into consideration are whether you knowingly or accidentally released patient records and private information. Either way, you’re held accountable. Penalties range from fines to being fired from your job to closing an office to potential jail time (in the event of knowingly losing 500+ PHI records and failing to report to HHS within 60 days).

So how can you and your dental office steer clear of these penalties?

First, you must understand and keep up-to-date with all HIPAA rules and regulations. You can also set up a HIPAA program in your office, perform consistent employee trainings, and conduct and document regular HIPAA risk analyses to evaluate and fix any potential problems.

Second, you must make sure that your dental practice management software is HIPAA compliant. Since this is where your patients’ dental records are stored, a breach can be detrimental to your office and can bring several fines.

If your practice is currently running on a practice management system, penetration testing can help you identify the threats and openings that hackers could exploit to gain access to your system. If you’re currently shopping for software, make sure you choose a platform that is guaranteed to be HIPAA secure.

Complying with HIPAA laws and regulations is crucial so you and your dental practice don’t have to face penalties and to keep the trust and satisfaction of your patients by keeping their healthcare records safe and secure.

About the Authors

This post was co-authored by Steven Marco, the President of HIPAA One® and Modern Compliance Solutions as well as Trevor James, the marketing manager for Viive, a Mac-based dental practice management system, and Dentrix Ascend, a cloud-based dental practice management system.

HIPAAOne statement on Heartbleed

HIPAA One Heartbleed update:

You are probably aware of the Heartbleed Bug. This vulnerability is in the OpenSSL cryptographic software library (CVE-2014-0346 / CVE-2014-0160).  There has been a tremendous amount of media coverage due to the severity of this bug.

This bug enables someone to read the memory of systems protected by vulnerable versions of OpenSSL software. More details can be found here; in summary, an information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160)

After analyzing our cloud infrastructure, we found that no production servers were impacted by this bug.

We conduct regular vulnerability scans and are commencing periodic ethical hacking. This helps provide assurance that we are current with vulnerabilities and managing risk in our production platforms.
Thank you for your attention to this matter.

For anyone else who is running Linux and running OpenSSL internally, we recommend you apply the security patch issued by Red Hat or equivalent against affected servers and restart the OpenSSL service. For example, you can issue “openssl version” from the command line to determine if it is running a version susceptible to the bug. The Red Hat security advisory is included here for your reference.
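As an added illustration of the “openssl version” check recommended above (this is not part of HIPAA One’s statement), the shell function below classifies the version string against the Heartbleed-affected releases, 1.0.1 through 1.0.1f and 1.0.2-beta1; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Classify the output of `openssl version` against the Heartbleed-affected
# releases: 1.0.1 through 1.0.1f and 1.0.2-beta1 (fixed in 1.0.1g and
# 1.0.2-beta2). Prints affected, fixed, unaffected or unknown, and returns
# non-zero only for an affected version so it can be used in an `if`.
heartbleed_status() {
    # Split e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" into words; word 2 is the version
    set -- $1
    if [ "${1:-}" != OpenSSL ]; then
        echo unknown            # empty input, LibreSSL, or an unexpected format
        return 0
    fi
    ver=$2
    case "$ver" in
        1.0.2-beta1*) echo affected; return 1 ;;   # the first 1.0.2 beta shipped the bug
        1.0.2-beta*)  echo fixed;    return 0 ;;   # beta2 and later carry the fix
    esac
    base=${ver%%-*}             # drop build suffixes such as -fips or -freebsd
    case "$base" in
        1.0.1|1.0.1[a-f]) echo affected;   return 1 ;;
        1.0.1[g-z])       echo fixed;      return 0 ;;
        0.9.*|1.0.0*)     echo unaffected; return 0 ;;   # branches that never had the bug
        1.0.2*|1.1.*|3.*) echo unaffected; return 0 ;;   # released after the fix
        *)                echo unknown;    return 0 ;;
    esac
}

# Stand-alone usage: sh heartbleed-check.sh "$(openssl version)"
if [ $# -gt 0 ]; then
    heartbleed_status "$*"
fi
```

Distribution packages such as Red Hat’s backport the fix without changing the version string, so an “affected” result on a patched system should be confirmed against the package changelog, e.g. `rpm -q --changelog openssl | grep CVE-2014-0160`.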

Steven Marco

HIPAA One® President

Will You Be In Violation of HIPAA Laws By Running Windows XP?

We are getting a lot of calls with respect to XP patch support ending April 8, 2014. This is mostly due to articles claiming HIPAA violations for using Windows XP. Violation is a strong word, especially considering we find in almost all cases there are other devices that are end of life. The bigger issue is to ensure a holistic process to track patches for computer systems and network devices, and particularly to put plans in place to replace end-of-life information system and network components.

The risk has to do with the particular environment, acceptable risk, mitigating controls and levels of due diligence in meeting the requirements of the OCR’s guidance on the HIPAA Security Rule. This means performing a risk analysis, identifying vulnerabilities and assessing the risk for all gaps in compliance.

For a reasonable amount of time, it’s our opinion that organizations can put mitigating controls in place, such as vendor-supported anti-virus and encryption, on XP machines. In the short term, compensating controls, like anti-virus, spam filters, web filters, patch management procedures, continuous monitoring, etc., will provide an acceptable level of risk for most organizations. In the long term, organizations should put a plan in place to upgrade these systems to Windows 7 or newer considering you cannot simply ignore the unsupported platforms.

In other words, don’t feel you are up on the edge of a cliff with respect to the April 8th deadline on XP support ending. Instead, perform a HIPAA Security Analysis based on the change in your environment (i.e. XP end of life), and for this particular item at 164.308(a)(5)(ii)(B), capture workstation updates, as well as firewalls, switches, routers, wireless access points, servers, mobile devices, etc.

And most importantly, plan an XP migration project with a reasonable and appropriate due date and a responsible person to ensure the project is implemented.

We at MCS have spent years automating and simplifying the HIPAA Gap Assessment and Security Risk Analysis process in a TurboTax-like software solution called HIPAA One. HIPAA One can be used to self-assess your own HIPAA environment, perform a mock audit and provide training for staff on the HIPAA Security Officer’s responsibilities. Please contact us for a free review of your previous HIPAA Security Risk Analysis reporting.

UPDATE: Risks beyond ARRA, HITECH and HIPAA: PHI = $1,000 per individual = $4.9 Billion charge to TriCare

This is an example of a “hole” allowing unencrypted backup tapes to leave the facility and led to one of the largest ePHI breaches in history.

Had they had a solid HIPAA Risk Analysis covering encryption and ePHI disclosure policies, this breach would not have been a breach, or they would at least have shown due diligence to help convince the judge of their intent to protect those ePHI records.

TriCare in Texas has a class action lawsuit filed last week, initiated by a soldier on the list, for a total of $4.9 billion! They claim the average cost of fraud per person (i.e. breached file) is $1,000 per person. $1,000 times 4.9 million breached records is $4.9 billion.


The backup tapes would require specific hardware and software to be used; however, “security by obscurity” apparently doesn’t hold up in society.