
HIPAA One Releases Privacy Risk Analysis

After releasing the HIPAA One Security Risk Analysis, we received exceptional feedback on the product and on how much our clients appreciated the simplicity and automation it provides. We have been committed to expanding our solutions and adding products to be “all things HIPAA”. With the launch of the Privacy Risk Analysis, we now offer a full suite of products to address all citations and requirements related to HIPAA Security, Privacy and HITRUST.

Having implemented and performed the HIPAA One Security Risk Analysis at over 2000 locations, we know the importance of having a cloud-based process that is easy to understand and allows collaboration among different departments. Furthermore, our Privacy Analysis, like our Security Risk Analysis, is offered in three different levels of engagement to meet the needs not only of large practices, but also of small health and dental practices.

With the rise in hacking and breaches, our goal is to provide timely solutions to clients to ensure the patient information they keep is safe and secure. Furthermore, OCR is accelerating the frequency and number of audits; with HIPAA One solutions, you are guaranteed to pass.


Windows 10 and HIPAA Security Officer Compliance

Windows 10 Settings

CIOs, IT Directors and IT Managers are often deputized as their organization’s HIPAA Security Officer. In addition to being responsible for HIPAA security and compliance, they may face a push to upgrade to Windows 10. After all, everyone in the organization is already using it at home. But during testing and deployment planning, Cortana and the mobile-OS-like features that send data to third parties raise the question, “Does Windows 10 violate HIPAA Privacy?”

The short answer is that the default configuration of Windows 10 may violate HIPAA. The Windows 10 Privacy Statement, part of the Microsoft License Terms of July 2015, provides very flexible language on how Personal Data is collected, used and shared. Specifically, this provision states:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”

As with any convenience feature, there is always an impact on security. Unfortunately, security and functionality are often inversely related.

Windows 10 Privacy Settings

The following Windows 10 features are new and cause concern for anyone responsible for maintaining HIPAA compliance in their organization:

  1. Cortana: Microsoft’s answer to Siri and Google Talk. Cortana “learns” how each person speaks and writes by taking samples. In addition, names, nicknames, recent calendar events and contacts are retained.
  2. Data Sync: The default setting allows the operating system to sync settings and data to Microsoft’s servers. It is intended to sync passwords, website plugins, favorites, etc.; however, it may lead to users’ credentials being vicariously breached through Microsoft.
  3. 3rd-party Advertisers: The Advertising ID provides a unique identifier per user, allowing collected data to be shared with 3rd-party advertisers. This may help fund the “free” upgrade to Windows 10 from previous versions, and it exists to deliver more effective targeted ads when using 3rd-party applications. Turning it off will not block ads from appearing, but they may be less targeted, as your users remain more anonymous with this feature turned off.
  4. BitLocker: Windows 10 will automatically back up your encryption key to OneDrive unless you are using Active Directory Group Policy to manage this element. Also, if you are using BitLocker or planning to use it, ensure you use the TPM+PIN option or turn off hibernation/sleep support to avoid having to report a breach if a BitLocker-encrypted laptop is lost or stolen.
  5. Telemetry: Those familiar with the Windows pop-up that sends diagnostic information to Microsoft for product improvement after a program crashes will want to know about Telemetry. Telemetry is an enhanced diagnostics and tracking service which sends additional information to Microsoft for new features such as per-application updates, Windows 10 upgrade offers, etc. Our friends at Winaero have published a well-documented how-to on disabling Telemetry.

Although it is still too early to tell whether specific HIPAA Privacy provisions are violated by Windows 10, HIPAA Privacy at a high level guarantees individuals minimum protections, and those protections may be violated. Therefore, depending on whether ePHI is released as these Windows 10 features are used, we believe violations of the following provisions may lead to HIPAA non-compliance:

  • Access to the health record – see patient rights §164.522, §164.524, §164.526
  • Minimum necessary uses of PHI – see use and disclosure §164.514
  • Content and right to an Accounting of Disclosures – see privacy management process §164.528
  • Business Associate Contracts – see privacy management process §164.504, §164.502, §164.524, §164.526, §164.528

From a HIPAA Privacy diligence standpoint, it is unclear whether Microsoft will be receiving ePHI from PCs anytime soon, which may result in “collateral damage” for Covered Entities using Windows 10. And although the answer to the question of HIPAA Privacy violations remains tenuous, following some basic steps may significantly reduce your organization’s risk of violating HIPAA.

Windows 10 Cortana settings

To maintain your organization’s level of due diligence under HIPAA and the HITECH Act, there are items to configure in Windows 10 to help avoid long-term repercussions from upgrading. To test, configure and restrict the information Windows 10 sends outside your organization’s networks, you may request the set of instructions below.

In conclusion, Windows 10 does send information back to Microsoft, and does so on a per-feature, per-benefit basis. Microsoft has provided a way to turn off these data-collecting features; however, traditional system-level information will still be sent (as it always has been) to Microsoft. We strongly recommend turning these data-collecting features off. It is better to be safe than sorry!
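An added audit script (not the whitepaper’s instructions, which are only available on request) that reports whether the five features discussed above are turned off on a given Windows 10 machine. It assumes the settings are enforced through the standard Group Policy registry locations and that the “Expected” value is the one that disables each feature; the hibernation check reflects the BitLocker advice above.

```powershell
# Added audit script (not from the HIPAA One whitepaper): reports whether the
# Windows 10 data-collection features discussed above are turned off by policy.
# Assumptions: the standard Group Policy registry locations are used, and
# "Expected" is the value that disables each feature. Run in an elevated
# PowerShell on the machine under test (wrap in Invoke-Command for a fleet).

$PrivacyChecks = @(
    @{ Feature = 'Telemetry (Security level)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name = 'AllowTelemetry';        Expected = 0 },
    @{ Feature = 'Cortana disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name = 'AllowCortana';          Expected = 0 },
    @{ Feature = 'Settings sync disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
       Name = 'DisableSettingSync';    Expected = 2 },
    @{ Feature = 'Advertising ID disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Name = 'DisabledByGroupPolicy'; Expected = 1 },
    # UseTPMPIN = 2 ("Require") only takes effect when UseAdvancedStartup = 1.
    @{ Feature = 'BitLocker TPM+PIN required at startup'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
       Name = 'UseTPMPIN';             Expected = 2 },
    # Hibernation writes RAM contents (which can include key material) to disk.
    @{ Feature = 'Hibernation disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
       Name = 'HibernateEnabled';      Expected = 0 }
)

function Get-Win10PrivacyStatus {
    foreach ($c in $PrivacyChecks) {
        # A missing value means the Windows default (feature on) is in effect.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Feature  = $c.Feature
            Setting  = "$($c.Path)\$($c.Name)"
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'not set (default)' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Usage: list every failing item so the Security Officer can hand it to IT.
Get-Win10PrivacyStatus | Where-Object Status -eq 'FAIL' | Format-Table -AutoSize
```

A PASS only proves the policy value is present; it does not confirm that Group Policy has been applied on the machine, so pair it with gpresult or a packet capture of the workstation as the whitepaper describes.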

To request your copy of the full whitepaper, which includes specific instructions on which Active Directory Group Policies to edit, along with sources of Microsoft Administrative Templates for Windows Server 2012 and the Windows 7 & 8 KB patches to avoid, please contact us now and we will be happy to send you a full copy.


For a copy of the pcapng file replay of our tested Windows 10 Enterprise configuration from the updated version of this whitepaper, see win10Run1.




The Number of HIPAA Data Breaches Jumps 138 Percent Since 2012

When it comes to HIPAA Security and HIPAA Privacy, numbers do most of the talking, and according to recent reports the number of HIPAA data breaches has increased by 138% since 2012.

Another mind-boggling statistic is that 29.2 million patient health records have been compromised in HIPAA data breaches since 2009, according to Redspin, which compiled these numbers in a February 2014 breach report.

But these numbers are skewed, since not all breaches are reported. Any breach that involves fewer than 500 people’s health records isn’t required to be publicly reported. Lisa Gallagher, the senior director of privacy and security for HIMSS, said at the 2012 Boston Privacy and Security Forum that it’s more likely that 40-45 million patient health care records have been compromised. While she said that’s a more accurate number, it can’t be confirmed since all the data isn’t there.

Redspin also found the percentages of what accounted for the HIPAA privacy and security breaches since 2009: 83 percent because of theft, 35 for theft or loss of encrypted devices, 22 due to unauthorized access and 6 from hacking. Many of these breaches could be more easily avoided with consistent risk analysis. Risk analysis failures top the list of the most prevalent security issues for business associates and covered entities, based on complaints received by OCR.

While business associates were involved in most of the larger-scale breaches from 2009-2012, only 10 percent were involved in 2013. Business associates and covered entities that violate HIPAA privacy and security rules can face up to $1.5 million in annual fines under the HIPAA Final Omnibus Rule. Only 17 of the 90,000 HIPAA breach cases received by OCR since 2003 have resulted in fines, but it’s anticipated that those numbers will go up, especially since the official audit program goes live this year.


What’s The Difference Between A Covered Entity & Business Associate?

Knowing the distinction between a covered entity and a business associate is essential because the Health Insurance Portability and Accountability Act Privacy Rule is administered differently for the two. If you understand the difference, then you understand who has access to your medical data and what they are authorized to do with that medical information.

The HIPAA Privacy Rule protects a person’s medical records and their other personal health information, as well as gives that patient rights to their health information. But it also applies to covered entities and business associates, in that it requires each to follow specific rules and sets restrictions and conditions on the use and disclosure of certain patient information.

Legally, the HIPAA Privacy Rule applies only to covered entities. A covered entity can be a health plan, a health care clearinghouse or a health care provider that electronically transmits any type of health information. Examples are your doctor, hospital, insurance company and health insurance plan, whether it’s a private, employee, state or federal plan.

But it’s common for many health care providers and health plans to use the services of other individuals or businesses to help carry out their health care functions. Thus we get business associates.

More specifically, a business associate is an individual or entity that executes particular responsibilities that include the use or disclosure of protected health information in support of, or as a service to, a covered entity. A health plan, health care clearinghouse or covered health care provider could be a business associate for another covered entity, but a member of the covered entity’s personnel is not considered a business associate.

Possible business associates are an attorney, a CPA firm, an independent medical transcriptionist or a pharmacy benefits manager. Services provided by business associates can be accounting, billing, claims processing or data management. And of course, these are just a few examples of each.

Covered entities are responsible for ensuring their business associates safeguard protected health information. The contract between a covered entity and its business associate must be HIPAA compliant, and if a business associate breaches its contract, then it’s up to the covered entity to correct that breach or terminate the contract.

Walgreens Sued for Sharing Patient’s Private Medical Info

An Indiana woman was awarded $1.44 million in a lawsuit against Walgreens Co. after a pharmacist illegally accessed and shared her private medical information. The lawsuit against Walgreens was for the violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care providers to observe strict guidelines for handling patients’ private information, but it does not provide for a “private cause of action,” which means that you can’t sue over a breach of privacy. This means the Walgreens suit should never have made it to trial.

Audra Peterson, a pharmacist at Walgreens, used her access to look up the private information of Abigail Hinchy. Abigail, a customer of the pharmacy, was Audra’s husband’s ex-girlfriend. Audra suspected that Abigail had given her husband a sexually transmitted disease, and looked up Abigail’s medical history. Peterson then shared that medical information with her husband, who sent Hinchy a text message explaining he knew of her medical history.

Abigail called the pharmacy to complain, but no action was taken, and Peterson was allowed access to her information a second time. Walgreens Co. was accused in the suit of negligence in its supervision of Peterson, and a judge and jury found the company liable for 80 percent of the damages owed to Hinchy.

Although the case should not have gone to trial, attorney Neal F. Eggeson mounted the suit and won. By taking these kinds of cases he hopes that “this opens eyes — both by lawyers like me and by the health care providers.”

You can read the full release here.

Ready or Not, Here Come HIPAA Audits!

After running a successful pilot program in 2012, the Department of Health and Human Services’ Office for Civil Rights (OCR) is looking to launch a national HIPAA compliance audit program by the end of this year to ensure that all health care providers and business associates are compliant with HIPAA privacy and HIPAA security rules and regulations.

This announcement is causing panic among many health IT leaders, as data security and privacy have become such a complex undertaking; many know that holes still exist but can’t pinpoint where they are. What’s really troublesome is the fact that the feds have proven through their Recovery Audit Contractors (RAC) program that they do not hesitate to use a take-no-prisoners approach, especially when there’s a lot of money on the line.

To read more about this program, check out this press release.

OCR gives an important 2013 update on their HIPAA Security and Privacy Enforcement status

The resumption of the HIPAA compliance audit program is on hold while regulators analyze pilot audit project results and implement the HIPAA Omnibus Rule, says Susan McAndrew of the HHS Office for Civil Rights.