Archive for HIPAA News
On January 10, the U.S. House of Representatives passed H.R. 3811, the Health Exchange Security and Transparency Act of 2014. This bill would require the Secretary of Health and Human Services to notify individuals of a health insurance exchange (HIE) security breach that results in unlawful access to personally identifiable information (PII) within two business days.
In a January 9 statement, the Obama Administration opposed the bill because it would impose unrealistic and costly reporting requirements that would not improve the security of PII on HIEs. The bill was referred to the Senate.
Organizations responding to eFax’s Healthcare IT Pulse Survey ranked financial liability for HIPAA noncompliance (37%) as the biggest security concern related to sensitive data. Surprisingly, respondents were less concerned about exposing sensitive medical data itself (18%), according to the survey.
The majority of survey respondents (54%) say HIPAA compliance is the top concern related to the influx of paperwork attributable to the Affordable Care Act (ACA). The survey identified document management, organization, and record keeping (48%) as a secondary concern related to the ACA.
Online fax was identified by 42% of respondents as the most effective technology solution for HIPAA-compliant security for transmission of sensitive documents. Respondents also ranked the following technologies as the most valuable for ensuring HIPAA compliance:
- IT disaster recovery and offsite backup (48.5%)
- Private cloud (46.5%)
- Audit reports and tracking logs (44.4%)
- Online fax service (36.4%)
The Office for Civil Rights (OCR) is not adequately enforcing HIPAA, according to a report released by the U.S. Department of Health and Human Services Office of the Inspector General (OIG).
The OIG sought to determine whether OCR met the federal requirements for oversight and enforcement of the HIPAA Security Rule and whether the OCR computers used to oversee and enforce the Security Rule met federal cyber-security requirements. The OIG investigation found that OCR met the following Security Rule enforcement requirements:
- Providing covered entities (CE) with guidance to promote Security Rule compliance
- Establishing an investigation process for reported Security Rule violations
- Following federal regulations for penalties for Security Rule violators
The report went on to state that OCR failed to do the following:
- Assess risks, establish priorities, or implement controls for periodic Security Rule audits of CEs, as required by the HITECH Act.
- Maintain Security Rule investigation files that contain documentation to support key decisions. According to the report, this gap is a result of OCR’s inability to sufficiently review investigation documentation.
- Meet federal cyber-security requirements described in the National Institute of Standards and Technology Risk Management Framework.
The PHI of approximately 90,000 UW Medicine patients was compromised in October when a health system employee opened an email attachment containing malicious software (malware), according to a statement on the UW Medicine website.
The malware accessed data from the health system’s Harborview Medical Center and University of Washington Medical Center patients. The files may have contained patient names, dates of birth, medical record numbers, addresses, telephone numbers, dates of service, amounts charged for services, Social Security numbers, and Medicare numbers where applicable, according to UW Medicine. The health system does not believe the breach was a targeted effort to obtain patient data, according to the statement.
With most of the provisions of the HIPAA omnibus rule now in effect, separating fact from fiction is important with respect to HIPAA compliance. HealthIT.gov recently published a list of the top 10 security risk analysis myths, and proceeded to set the record straight so covered entities and business associates can continue on their paths to compliance.
The following is a breakdown of the first five myths on the list:
- Myth: Security risk analysis is optional for small providers.
Reality: All HIPAA covered entities and providers who want to receive EHR incentive payments must conduct a risk analysis.
- Myth: By installing a certified EHR, you have fulfilled the security risk analysis meaningful use requirement.
Reality: You must perform a full security risk analysis of a certified EHR. Security requirements apply to all ePHI maintained by your organization, not just information stored in your EHR.
- Myth: Your EHR vendor took care of everything you need to do with regard to privacy and security.
Reality: Your organization is responsible for conducting a complete risk analysis. EHR vendors are not responsible for ensuring their products comply with the HIPAA Privacy and Security Rules.
- Myth: You must outsource the security risk analysis.
Reality: Small practices can often perform their own risk analysis by relying on self-help tools. However, a thorough risk analysis that stands up to a compliance review likely necessitates the assistance of expert knowledge outside your organization.
- Myth: A checklist will suffice for the risk analysis requirement.
Reality: Checklists can help you start your risk analysis, but cannot help you perform or document a systematic security analysis.