Archive for March, 2015

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: Does HIPAA permit organizations to network computers internally or externally? For example, can a CE link two computer systems within the organization or between the organization and another CE or BA to exchange information? If so, what is the most secure way to accomplish this?

A: HIPAA is technology neutral and does not prohibit networking computers internally or externally. If networking internally, the organization should ensure it has a strong perimeter (i.e., installing and regularly updating a firewall and anti-malware). If networking to an external computer, the CE should establish a secure method of communication (e.g., using a virtual private network, secure web, or some other method of ensuring the patient data is encrypted when it travels outside of a closed or secure network).

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


In the wake of the cyberattack that exposed the PHI of nearly 80 million current and former Anthem, Inc., subscribers, the health insurer is refusing to comply with requests for a security audit by the Office of Personnel Management’s (OPM) Inspector General, according to HealthData Management.

Anthem participates in the Federal Employees Health Benefits Program. The program provides health benefits to civilian government employees and annuitants in the U.S. The OPM oversees this program and conducts vulnerability scans and configuration compliance audits of participants’ computer servers. Anthem refused the audit as it is against its corporate policy, HealthData Management reported.

In 2013, the OPM Office of the Inspector General attempted to audit Anthem but the insurer implemented restrictions that prevented auditors from adequately testing the security of Anthem systems. The final 2013 report on Anthem (known as Wellpoint, Inc., at the time) states that the agency was unable to attest that the insurer’s servers were secure.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: My organization plans to begin offering tele-practice services via videoconferencing. What measures should we take to ensure this patient communication is secure?

A: Ensure the teleconference service you use is secure and the transmission is encrypted. If the teleconference vendor will store the appointment video, execute a BA agreement in advance. Creating patient training to let patients know what they can do to protect their own privacy is another good idea. For example, patients should be made aware that it is not a good idea to dial in to the appointment from the local coffee shop. In addition, test the teleconference service prior to scheduling any remote patient appointments.

This approach is similar to any new technology that will be used for patient care and communication. CEs will need to vet vendors to ensure they are comfortable with the level of security the vendor provides.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Medical identity theft has been on the rise for some time. In fact, medical identity theft incidents increased 21.7% between the Ponemon Institute’s 2014 survey and its “Fifth Annual Study on Medical Identity Theft” released in February 2015. All respondents were victims of some form of identity theft, while 86% were victims of medical identity theft.

While fraudulent credit card charges are often remedied by credit card companies, medical identity theft can actually cost the insured party a considerable amount of money. More than half (65%) of those responding to the Ponemon Institute’s survey revealed that they paid an average of $13,500 to resolve the crime. These costs are typically related to paying a healthcare provider, repaying the insurer for services obtained by the thief, or paying for identity protection or legal counsel.

Respondents listed reimbursement for costs associated with preventing future damages as the action most important following a medical identity theft incident. Victims who sought to resolve medical identity theft crimes spent an average of 200 hours doing so, according to the study.

Just 37% of respondents reported that their healthcare providers informed them of ways to prevent medical identity theft. More than half (67%) of those respondents said they do not feel confident that these measures will keep their records secure. However, half of all respondents agree or strongly agree that they would find another provider if they were not confident in the security practices of a provider. Similarly, 47% said they would find another provider if their records were stolen or they were concerned about record security.


Hackers gained unauthorized access to Anthem’s information technology system and exposed the PHI of more than 80 million people who are currently or were previously covered by the insurance provider.

Kate Borten, CISSP, CISM, founder of The Marblehead Group in Marblehead, Massachusetts, notes that the breach appears to be related to multiple security vulnerabilities. Successful spear phishing attacks permitted unauthorized access and network protocols were likely outdated, says Borten.

Much can be learned by simply looking at the way Anthem reacted to the breach and began its breach notification process.

“They had a plan, they reacted quickly, they were on top of it,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon. “That’s something that I can’t say for many healthcare organizations.”

Having an incident response plan in place proves valuable regardless of the size of an organization or a breach, he says. The plan must be tested and retested regularly to ensure employees are aware of it and understand how it works, and so that updates can be made when necessary.

Although it is important to have an incident response plan in place, the Anthem breach highlights the fact that organizations need more to ensure PHI is secure, says Mac McMillan, FHIMSS, CISSM, co-founder and chief executive officer of CynergisTek, Inc., in Austin, Texas.

“Healthcare organizations have to invest in technology and services that enhance their detection capabilities,” McMillan says. “The bottom line is we need to spend more attention on making it harder for hackers to exploit our enterprises and exfiltrate data.”

Stay tuned for the April issue of Briefings on HIPAA for more reactions to the breach.
