HIPAA Security for Meaningful Use : Myths and Facts


After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment others know what you are “geeking” about.  This is particularly true when it comes to Meaningful Use and to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST Questionnaires.  Ironically, none of these tools assure you are doing the right “thing” unless you have some sort of Auditor and Security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provide any sort of guarantees.  But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see the above paragraph on basic credentials).  They go into the organization, interview staff, collect some documentation, run scans on the networks and provide a comprehensive, detailed project plan to achieve compliance.  Somewhere between 4-6 weeks after the flurry of activity is over and the world has moved on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art and content, and most importantly, it highlights serious risks to the organization.  Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take:  False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS Guidance - Each year have to redo entire SRA Myth

False. Perform the full security risk analysis as you adopt an EHR.  Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…

HIPAA One® take:  Things change on a constant-basis.  Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

“Updating the prior analysis for changes in risks.” means conducting a gap assessment and risk analysis on any of those items that changed from last year.  Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely-adopted to tackle this), HIPAA One® will allow a full-import of last-year’s HIPAA Security Risk Analysis (SRA) allowing a review of each question to see what has changed.  Ongoing tracking is built-in after the SRA is over and automated documentation requirements simplify audit responses by pressing a “Print” button.

Myth #3 – I have to outsource the security risk analysis.

I have to outsource our Risk Analysis.

HHS Privacy and Security Guide of Health Information, page 6

False.  “It is possible for small practices to do a competent risk analysis themselves using self-help tools.  However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

HIPAA One® take:  If you haven’t had a third party come in within the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review.  The first year of compliance efforts is expensive; however, year 2 should cost roughly 50% of year 1 as investments are implemented.  The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps of conducting the risk analysis.  HIPAA One® accomplishes this by accelerating each person’s efforts by a 5x factor, using automation instead of a manual risk analysis while learning from the experience.  In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button, and HIPAA One® allows you to insource instead of outsource.


We have tried to stay out of the geek-closet for this blog as much as possible and realize this is a very jargon-clad specification.  Let us at HIPAA One® along with our esteemed partners help provide the software, assurance and peace-of-mind for your organization.  Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference:  HHS Privacy and Security Guide of Health Information

Think PCI Can Replace HIPAA? 6 Points That Will Change Your Mind


  1. Health records are to be secured, exchanged and portable, while credit card numbers are to be secured.
  2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.
  3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.
  4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.
  5. Meaningful Use helps address the most serious health care threats to electronic personal health information: theft, unauthorized access and loss.
  6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

Steven Marco is the founder & CEO of Modern Compliance Solutions & HIPAA One® in Lindon, UT.

This is one of the questions that comes to mind when reading recent breaches in businesses that are PCI-compliant and HIPAA covered entities. According to a recent Identity Theft Resource Center data breach report for 2013, there were approximately 47,260,237 breaches for the business category and 4,659,965 breaches for the medical/healthcare category. Assuming the business category processes credit cards and the medical/healthcare category maintains protected health information, we have a case of PCI-compliant firms vs. organizations addressing HIPAA security compliance.

data breach chart

1. Health records are to be secured, exchanged and portable while credit card numbers are to be secured.

Health care covered entities (CE) and their business associates (BA) handle personal/protected health information (PHI) as part of an initiative to have a portable, secured and available electronic health record (EHR). PHI must be protected from unauthorized disclosure, yet be available on demand by the individual and shared (in some cases with and without the individual’s authorization such as treatment, payment and healthcare operations) appropriately but also restricted upon the individual’s request.

If hospitals and clinics adopt electronic PHI and shred their paper records, vast amounts of uniquely identifiable health records accumulate. According to the HIPAA One® security risk analysis database, even small clinics can acquire more than 10,000 patient records within 3 years.

The focus of the electronic health record revolution has traditionally been changing healthcare workflows using computers instead of paper charts. Now, information is freely exchanged between clinics, health plans, clearinghouses and health exchanges. Security has not been a focus. The top threat facing healthcare is loss and theft of ePHI, which is the No. 1 cause of breaches over 500 (according to the OCR’s current breach data reports as of July 2014).

Much like the example above referencing the number of patient records, aggregated data stemming from PHI can be used for valuable research improving health and raising ePHI security awareness.

If business and commerce — the exchange of goods and services for monetary remuneration — had adopted technology earlier, it would hold more personally identifiable information (PII). The use of credit cards is globally adopted as a quick way to receive money electronically. As more merchants (businesses that accept credit cards) adopt e-commerce websites and connect their payment-processing systems (i.e. processors) to the Internet, and as consumers grow more comfortable with online purchasing, fraudsters are capitalizing on poorly protected systems to steal payment data, making payment card fraud more prevalent than ever before.

Unlike aggregated, de-identified PHI data, the approach to secure credit card numbers is to limit storage of credit card elements and make this information unavailable except in the event of a payment transaction.


Source: Payment Card Industry (PCI) Data Security Standard, November 2013

2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.

Covered entities (i.e. hospitals, clinics, doctors, health plans and healthcare clearinghouses that use ePHI) and business associates (i.e. vendors providing services to covered entities that access [even incidentally], store, modify or transmit ePHI) have been, as of September 13, 2013, under the enforcement jurisdiction of Health and Human Services.

In summary, any organization that receives reimbursements from the Centers for Medicare and Medicaid Services is a covered entity, and any vendor that provides services to covered entities is a business associate. Accountants, legal counsel and consultants are examples of groups that may encounter PHI while working with covered entities and fall into the business associate category.

To help define who is covered under HIPAA, guidance from CMS provides charts to help define most scenarios and to determine qualification, per the below image:

covered entity charts

Source: CMS Covered Entity Charts

Fines under HIPAA typically come in two forms: the Office of Civil Rights (OCR — the enforcement division of CMS) fines through self-reported breaches or through HIPAA violations found as a result of a patient complaint registered on the HHS website. The OCR, under the HITECH Act, may use proceeds from fines (called Civil Money Penalties – or CMPs) to fund further enforcement. OCR fines and settlements start at $50,000 and can easily exceed $1.5 million per investigation where willful neglect to comply with HIPAA is determined. Some forgiveness in terms of reduced fines is allocated for actions taken during the OCR audit, and all settlements are public domain according to the Freedom of Information Act.

Organizations that process credit cards, even a single transaction per year, must become compliant with the PCI Data Security Standard. Covered entities that process credit cards also become merchants under Payment Card Industry and must comply with the Data Security Standard, or PCI DSS.

Merchants are required to, at a minimum, provide an annual PCI attestation of compliance statement through their processor. Failure to pass all the requirements will result in monthly fines that are proportional to the volume of credit card transactions processed annually. They start at about $50 per month for small companies, and we have seen non-compliance fines upwards of $3,000 per month for larger covered entities providing healthcare services.

PCI enforcement audits are typically triggered by self-reported breaches. Fines stemming from breach investigations are not typically applied to merchants but are applied for other non-compliance factors. See the PCI Standard website for a more detailed guide.

3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.

The PCI Security Standards Council has released an updated standard, called v. 3.0, to the PCI DSS requirements, which emphasizes the need for in-house vulnerability assessments, adds flexibility to password requirements and highlights the growing importance of provider compliance, as well as many other notable changes.

PCI was pioneered in the late 1990s, as Visa became the first credit card company to develop security standards for merchants conducting online transactions. The need stemmed from vast amounts of credit card fraud, which would need to be paid for by the credit card companies.

According to SearchSecurity, Visa and MasterCard reported credit card fraud losses totaling $750 million between 1988 and 1998.

Per the PCI website, “The major credit card issuers created PCI (Payment Card Industry) compliance standards to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This set of requirements is called the Payment Card Industry Data Security Standard (PCI DSS). All merchants (any entity that accepts payment cards from American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services) must comply with these standards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards. The payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

The Payment Card Industry Security Standards Council (PCI SSC) manages the PCI security standards.”

HIPAA was formed because of the following reasons:

  1. Growing numbers of uninsured
  2. Lack of rights for patients to obtain, review, amend and correct (if needed) their own health information (imagine mistakenly having an STD entered in your medical history by someone’s mistake)
  3. Rise of the Internet threatened privacy and confidentiality
  4. Medical information could be used against individuals for non-medical reasons
  5. Healthcare dollars lost to fraud and waste
  6. Genetic information becoming available
  7. Different standards for medical record formats and PHI

It is also important to note that HIPAA has evolved and developed in many waves over the past 18 years to address the above concerns and is still very much a work in progress.

In terms of our ePHI data, there are 18+ elements that identify an individual which can be stored, shared and must be secured. Per 45 CFR 164.514 of the HIPAA Privacy Rule, they are:

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual:

(A) Names;

(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section.
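
As an added example (not code from the original post or from HIPAA One®), the Python below applies the Safe Harbor rules just quoted to a constructed patient record: direct identifiers (A) and (D)–(Q) are dropped, geography (B) is reduced to a three-digit zip prefix or 000, and date and age elements follow (C). The `RESTRICTED_ZIP3` set and the sample record are placeholder assumptions; the real restricted prefixes must come from current Census Bureau data.

```python
from datetime import date
import re

# ASSUMPTION: constructed placeholder set of 3-digit zip prefixes whose
# combined population is 20,000 or fewer (rule (B)(2)); not real data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Direct identifiers (A) and (D) through (Q) are simply removed.
DROPPED_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Rule (B): geographic subdivisions smaller than a state are removed.
SUBSTATE_FIELDS = {"street", "city", "county"}
# Rule (C): dates related to the individual keep only the year.
EVENT_DATES = {"admission_date", "discharge_date", "date_of_death"}


def deidentify_zip(zip_code: str) -> str:
    """Rule (B): keep the first three digits, or 000 if that prefix
    covers 20,000 or fewer people."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def deidentify_age(age: int) -> str:
    """Rule (C): ages over 89 collapse into the single category 90+."""
    return "90+" if age > 89 else str(age)


def age_on(birth: date, reference: date) -> int:
    """Whole years between the birth date and the reference date."""
    before_birthday = (reference.month, reference.day) < (birth.month, birth.day)
    return reference.year - birth.year - int(before_birthday)


def deidentify_record(record: dict, reference: date) -> dict:
    """Return a Safe Harbor de-identified copy of one record."""
    out = {}
    for key, value in record.items():
        if key in DROPPED_FIELDS or key in SUBSTATE_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "birth_date":
            age = age_on(value, reference)
            out["age"] = deidentify_age(age)
            # Rule (C): the year is normally kept, but for ages over 89
            # even the year is indicative of that age and is removed.
            if age <= 89:
                out["birth_year"] = value.year
        elif key in EVENT_DATES:
            out[key.replace("date", "year")] = value.year
        else:
            out[key] = value
    return out


# Constructed sample record with fictitious values.
SAMPLE_RECORD = {
    "name": "Jane Example", "street": "1 Example St", "city": "Lindon",
    "county": "Utah", "state": "UT", "zip": "84042",
    "phone": "555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN-123", "ip_address": "192.0.2.7",
    "birth_date": date(1920, 5, 4), "admission_date": date(2014, 7, 1),
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD, date(2014, 7, 15)))
```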

4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.

We don’t want to jump in too deep in this area, as compliance and security are subjective topics that need to stay relevant to the size and complexity of each organization.

HIPAA Compliance

For compliance, follow the Office for Civil Rights (OCR), as they are responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318). For security, follow the National Institute of Standards and Technology (NIST) Special Publications. The methodology the OCR suggests in its guidance materials is NIST SP800-30.

Checklists that have workflows attached to each item are available in the form of spreadsheets, the OCR’s “SRAT” tool and, for more advanced collaboration, web-based solutions.

Based on our observations of the OCR, we have found, in summary, they look for the following in their audits:

  1. (Easy*) Performance of these checklists covering the 78 HIPAA Security citations, providing the 9 steps identified for conducting a risk analysis in NIST SP800-30.
  2. (Difficult*) Ongoing updates to the results of the risk analysis conclusions (i.e. what risks were found, who is going to do what, and by when, to address the risk found) and risk results (i.e. tracking what activities have been performed since the risk analysis was performed).

*It is easier to identify HIPAA gaps in compliance and risk items to the organization. It is more difficult for organizations to react to the gaps and risks found as this requires resources, changes in process and increased administrative, technical and physical safeguards.

HIPAA Security

Like any other security assessment (gaps identified against an industry guidance) and risk analysis (calculating risk for the organization for any said gaps), security encompasses authorization (who is granted authorized access to what data, and reducing unauthorized access), integrity (timely and complete data), and availability (ability to restore damaged or lost ePHI and ability to continue operations during emergency scenarios).

To address Common Vulnerabilities and Exposures (CVE), we recommend all security risk analyses include, as a base requirement, the performance of an automated vulnerability analysis scan (164.308(a)(1)(ii)(A)) from the Internet against any of the organization’s Internet-accessible systems.

The next level of this type of effort would include internal vulnerability scanning, which is like the external vulnerability scan but against all internal computers, servers and systems. We find most environments are like M&M candies — hard on the outside, but soft and easy to melt on the inside.

  a) ePHI discovery and mapping (what databases, purpose and who is responsible)
  b) Firewall configuration review (ensure only minimum ports are open, see if IPS/IDS is appropriate to detect malicious software communicating to the Internet from breached systems)
  c) Penetration testing of all Internet-facing applications (especially if software is developed in-house)
  d) Ethical hacking (such as testing various ways to gain administrative access to systems and firewalls)
  e) Ongoing remediation consulting (having an external firm remind assignees of tasks to deadlines and update results documentation for potential audit response)

5. Meaningful Use helps address the most serious healthcare threats to electronic personal health information: theft, unauthorized access and loss.

The healthcare industry stores patient information for the treatment, payment and healthcare operations of medicine. This industry has historically been slow to adopt technology and computer systems. As such, the migration of our protected health information (PHI) from paper to electronic (ePHI) has been largely fueled by the Meaningful Use (MU) incentive program. To qualify for these MU funds, covered entities must adopt a certified electronic health record technology (CEHRT), or as the industry calls it, an “EMR program”, and use it in a meaningful way (e.g. complete demographics, allergy and prescription drug checks, make patient visits available to the patients, etc.).

Stage 1 of Meaningful Use was extended in December 2014, and stage 2 is being adopted for continued incentive payments. Part of the increased security measures for stage 2 includes the following CEHRT/EMR software features: additional audit logging capabilities (to combat unauthorized access), mandatory encryption/no temporary files being written that may contain ePHI and patient amendment tracking.

6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

Dell SecureWorks recently uncovered numerous underground marketplaces where hackers are selling information packages that include bank account numbers and logins, social security numbers, health information and other PII. In the underground world, these electronic packages put together for identity theft and fraud are referred to as “fullz”. When “fullz” are sold along with counterfeit or custom manufactured physical documents relating to identity data, the packages are called “kitz”.

Below are the average fees for these packages:

“Kitz” — $1,200 – $1,300, which includes PII and faked papers

“Fullz” — $500, which includes PII faked documents

There are additional fees for health insurance credentials and U.S. credit cards with CVV codes.

Health insurance credentials cost $20 each, while credit cards are only $1 – $2 each. This tells us that people are willing to pay more for your health insurance information than for your credit card information — about 10-20 times more. Therefore, your health information is way more valuable than your credit card information, and it’s extremely important that your health information is kept safe and secure from hackers.

So what is the motivation of enforcing PCI and HIPAA? In the case of PCI – it is clearly the credit card companies suffering financial loss from fraud. In the case of HIPAA – the motivation is to ensure our rights to protect and have our health information secured, reduce waste and hold covered entities, as well as their business associates, accountable for providing basic security, privacy and breach notification requirements.

At the end of the day, after conducting thousands of risk analyses and security projects, a new question pops up from this discussion: “If security and compliance are too difficult for organizations, then why does it seem so easy for hackers to get into their systems?”

Meaningful Use Stage 2 – What You Need To Know!

The Centers for Medicare and Medicaid Services have EHR Incentive Programs that provide financial incentives to health providers who prove they are meaningfully using certified EHR (electronic health record) technology. These monetary enticements are only given to those providers who meet the required objectives in each stage of participation.

The Medicare and Medicaid Incentive Programs are arranged into three different steps. CMS set up a timeline for when providers need to meet the criteria for each stage. Eligible hospitals, critical access hospitals and healthcare professionals must meet their specific core set and menu set of objectives in Stage 1 before they can move on to Stage 2.

meaningful use stage 2

Stage 2 objectives are divided up between eligible professionals and eligible hospitals and critical access hospitals. EPs have 17 core objectives they must meet and then three menu objectives they select and meet out of a list of six. The eligible hospitals and CAHs have 16 core objectives to meet, as well as three menu objectives they select from six options and then are required to meet.

It’s extremely important for providers to meet the meaningful use requirements in order to receive the EHR financial incentives. With the Medicare program the eligible providers can receive up to $44,000, while they can receive up to $63,750 with the Medicaid program. It’s also important because EHR technology is so beneficial to healthcare providers. EHR systems make patient health records and information instantly and securely available to approved users, whenever they need it and wherever they might be. EHRs also improve care coordination among all clinicians involved with a patient’s care, increase cost savings and help build a healthier, better future for our world.

Photo Courtesy of

HIPAA Privacy Audits begin – 20 “initial” audits to 150 audits by end of 2012

Is attestation a means to hold providers accountable for expenditure of public funds and to protect against fraud and abuse?

The Office for Civil Rights has engaged KPMG using $9M of its $52M budget for this year to enforce HIPAA compliance and investigate breaches for the CMS.  The covered entities in scope for KPMG audits are those that have received CMS incentives under Meaningful Use, and they can expect a process of at least 30 business days with a 3-10 day on-site visit.

As you register and attest for Meaningful Use funds, be aware that the risks associated with protecting ePHI are elevated in terms of IMPACT to your hospital.

For press release, click here.  For the HHS press release, click here.

I have worked for Deloitte & Touche ERS and understand the big accounting firm audit strategies with legal implications.  If you would like to discuss how to mitigate your clinic’s risks with attestation and be fully prepared for an OCR Audit, please do not hesitate to contact me anytime.

CMS to Again Explain Medicare/Medicaid Meaningful Use Programs

Very useful information for Medical Practice Offices and Eligible Providers looking to achieve Meaningful Use and get their first payment for Stage 1:

They should also discuss Stage 2 set for release this week.

National Provider Call – September 9, 2011 Slide Deck and Q&A Summary

The CMS held an informative call on how to realize Meaningful Use incentives. Here is a post for those who were unable to make it.

Here is the slide-deck:

If you would like to request a summary of the Q&A discussion including useful information on dates, Dental, Optometrist qualifications, Audit strategies, etc., please contact me using the form here.

Note: Stage 2 slated to be released at end of October 2011 (previously announced this week).