HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases

More»

E-learning

  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation

More»

Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos


More»

securitycomputerClay County Hospital in Flora, Illinois, received an anonymous email November 2 from someone threatening to release PHI to the public if the hospital did not agree to a ransom, according to a press release.

The email contained the stolen PHI that the sender threatened to release. The sender obtained names, addresses, Social Security numbers, and dates of birth of patients treated at Clark County Hospital clinics prior to February 2012, according to the press release.

The hospital launched its own breach investigation, notified law enforcement, and began notifying all affected patients after learning that the PHI of its patients had been compromised. The investigation revealed that the hospital’s servers were not hacked, although the hospital plans to strengthen its security measures by implementing additional logging and auditing systems, according to the press release.

Categories : HIPAA Violations
Comments (0)

questionSubmit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements—other than to perform audits—that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?

A: There are no specific HIPAA Privacy Rule requirements related to privacy audits. The rule does require organizations to implement administrative, physical, and technical safeguards to protect PHI no matter the form. The Privacy Rule does not give specifics, so it’s a good idea to implement similar safeguards as the HIPAA Security Rule requires. This would include monitoring logs of access to PHI such as logs generated by ­EHRs and picture archiving and communication systems.

Information system activity review audits are just one of the four audit activities that covered entities (CE) should undertake to comply with the HIPAA Security Rule and, by default, the HIPAA Privacy Rule. Information systems activity review audits focus on firewall activity, patches applied to applications, data loss prevention report reviews, and so forth. Generally, these audits do not involve determining whether patient records are being accessed appropriately.

CEs and business associates should also review user login audit logs to check for repeated failed login attempts and to verify employees are not accessing systems or data at times when they are off work and have no valid reason to access systems.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Comments (0)

securitycomputerExperian recently released its 2015 Second Annual Data Breach Industry Forecast, which highlights anticipated data breach trends for 2015.

Experian identified six data breach trends that are expected to be a threat in 2015, one of which specifically addressed threats to healthcare organizations. The report states that healthcare breaches are expected to increase in 2015 due to the shift to electronic medical records and the potential economic gain from hackers. Experian recommends that healthcare organizations enhance their security programs and data breach response plans.

Other data breach trends identified by Experian include:

  • Payment breaches. Card companies will be required to implement EMV “Chip and PIN” technology by October 2015, which is expected to decrease the likelihood of a point-of-sale attack by a hacker. Experian predicts that because the chip and PIN technology has been made public, hackers may have time to identify chip and PIN vulnerabilities before the technology is implemented. This may lead to a sense of false security among consumers.
  • Cloud breaches. Experian predicts an increase in cloud breaches in 2015, resulting in the loss of usernames, passwords, and other data stored on the cloud. To combat this, Experian recommends that organizations develop an incident response plan that provides for a means of resetting passwords on a large scale.
  • Shifting accountability. Cyber attacks have shifted from an IT issue to an enterprise-wide issue. Business leaders are now held responsible for breaches. As a result, Experian recommends that leaders in the C-suite get involved in data breach preparedness and response.
  • Employee errors. The report states that the majority of breaches are caused by a company’s employees, whether it be a malicious attack or human error. Experian urges organizations not to overlook the potential for breaches caused by employees and recommends implementing regular security training.
  • Third-party breaches via the Internet of Things (IoT). Vulnerabilities will increase as companies look to leverage the IoT to gather, store, and process data. Experian recommends that organizations using the IoT have sound risk management processes and assess the security of third-party vendors.
Categories : Data Breach
Comments (0)

DollarSignsThe Office for Civil Rights (OCR) announced December 8 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations, according to a press release.

OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service. On March 12, 2012, ACMHS notified OCR of a breach affecting 2,743 individuals. The breach was the result of malware that compromised the security systems of the behavioral healthcare provider, according to OCR.

The resolution agreement states that ACMHS failed to:

  • Conduct an accurate and thorough risk assessment of ePHI from April 21, 2005, through March 12, 2012
  • Implement security policies and procedures to reduce risks and vulnerabilities to ePHI from April 21, 2005, through March 12, 2012
  • Implement technical security measures to safeguard against unauthorized access to ePHI by failing to ensure firewalls were in place and that information technology resources were supported and updated with patches from January 1, 2008, through March 29, 2012

In addition to the monetary settlement, as part of the corrective action plan with OCR, ACMHS agreed to:

  • Provide an updated version of its security policies and procedures
  • Adopt a revised version of OCR-approved security policies and procedures
  • Distribute revised security policies and procedures to workforce members who work with ePHI and provide security awareness training
  • Obtain signed written or electronic initial compliance certification from all workforce members stating that they read, understand, and will abide by security policies and procedures
Comments (0)

questionsSubmit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: The hospital where I am employed conducts research. The research coordinators are hospital employees, and the screening is to find candidates who meet the study criteria, so no information is shared with the research sponsors unless the patient is enrolled and signs an informed consent form for the study. The consent explains in detail what information will be collected and with whom it is shared. We always include an institutional review board (IRB) waiver of authorization for our studies. Is the work done by research coordinators to find suitable candidates for a research study reasonably considered part of operations under HIPAA?

A: Research is not part of healthcare operations, but it is permitted. The preparatory research provision [45 CFR 164.512(i)(1)(ii)] permits covered entities (CE) to use or disclose PHI for purposes preparatory to research, such as to aid study recruitment. However, the researcher is not permitted to remove PHI from the CE’s site.

A researcher who is an employee or a member of the CE’s workforce may use PHI to contact prospective research subjects. In that instance, an IRB waiver of authorization is not required.

Researchers who are not part of the CE need a partial waiver of individual authorization by an IRB or privacy board to obtain contact information.

The OCR website provides answers to many practice questions, including those involving research. Visit the OCR website and type a keyword into the search bar or select a category (e.g., research) from the dropdown menu.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A
Comments (0)