Healthcare compliances training and discussion blog

Posts tagged ‘HIPAA’

$1.5M Fine Marks A New Era In HITECH Enforcement


Data breach at BlueCross BlueShield of Tennessee and subsequent penalty stands as an example of the financial fallout from poor healthcare IT security practices

By Ericka Chickowski, Dark Reading
Contributing Writer

Enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a new level of reality last week when the department announced a $1.5 million settlement with BlueCross BlueShield of Tennessee over a 2010 data breach, making the organization the first to pay out penalties since the Health Information Technology for Economic and Clinical Health Act (HITECH) went live in 2009. The question now is whether such tangible examples of financial fallout will convince healthcare IT to invest in better security measures.

“It’s certainly a warning shot for the healthcare industry,” says John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. “But is that a sufficient amount to act as a deterrent? It’s hard to tell at this point. It’s at the upper end of what organizations can be penalized and when you break it down it equals about a buck a record lost. For companies that are dealing in millions of records, that penalty can add up. But that’s just at very large companies. And data breaches are becoming sufficiently routine that everyone sort of looks at it and goes, ‘Eh, it’s another one.'”

But Nav Ranajee, director of the healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. Many of these organizations have been deprioritizing security because there just hasn’t been enough financial incentive to push it up the IT to-do list, he says. HHS making pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA) security requirements changes that financial equation for these organizations, he says.

“What I’m seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically been to allocate funds to get that new EMR in house or that new clinical system, because that’s going to pay off in revenue,” he says. “But when it comes to making sure HIPAA requirements are up to date, that’s usually the last line item on the budget because it’s really a sunk cost. Now they’re going to have to look at the risk involved and wonder ‘Do I risk having a million dollar lawsuit if I don’t put the right security protocols in place?'”

The settlement BlueCross BlueShield of Tennessee paid to HHS was a penalty for failing to prevent a breach that saw the theft of 57 unencrypted hard drives containing recordings of customer service phone calls. The drives were left behind in a data closet after the company stopped using a leased facility.

“This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said Leon Rodriguez, director of HHS OCR. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

According to Nicholson, the breach is a good lesson to healthcare organizations on how compliance really could have helped the security of the organization and maybe even prevented a breach. “One of the things that HIPAA and HITECH require is that you go through an assessment of your policies and procedures whenever your operations significantly change. I don’t know for sure, but it seems like BlueCross BlueShield of Tennessee may not have done that evaluation. If they had done it, they might have said, ‘We’ve got these hard drives containing this unencrypted PHI and it’s in a locked closet but that’s not sufficient in this leased space,'” he says. “That’s probably a lesson to healthcare organizations. You really need to do those evaluations anytime a significant aspect of your operation changes that has implications on PHI.”

For his part, Ranajee says the BlueCross BlueShield of Tennessee incident stands as yet another testament of the importance of encryption for healthcare data protection.

“Really, it’s all about making sure that if you have data servers in your office or workplace, they need to be locked down–they need to have locks on them–and they need to be encrypted,” he says. “Those are two of the main things that are not commonplace but they should be.”

How to understand the new HIPAA requirements to make sure you’re in compliance


The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, contains the HITECH Act that amends the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

“When HIPAA was first enacted, the health care industry was paper driven,” says Jeff Porter, a director with Kegler, Brown, Hill & Ritter. “HITECH is addressing some long-standing issues with HIPAA, as well as some newer issues that have arisen as a result of the advent of electronic health records and the online transfer of health information.”

Among the significant changes are the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions. In addition, penalties can now be imposed on individuals as well as entities.

Smart Business asked Porter for more information about the changes to HIPAA.

Who is covered by HIPAA?

You or a legal representative can determine whether you are a covered entity. The websites of the U.S. Department of Health & Human Services (HHS.gov) and its Office for Civil Rights (OCR) provide good guidance in this regard. Covered entities typically include hospitals, nursing homes, medical offices that provide treatment and bill for those services, health insurance plans, and health care clearinghouses (e.g., companies that convert health records and other information into the coding necessary for billing and research). If you are a business associate of a covered entity (e.g., a medical billing firm or a home health care agency), and you are obtaining information for a purpose the covered entity might use it for, you fall under the HIPAA provisions which apply to business associates.

What changes have been made regarding penalties for noncompliance?

The penalties have changed in a couple of significant ways. First, in regard to enforcement, previously penalties could only be imposed on covered entities – now penalties can be imposed on individuals as well. If someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Second, in the past, enforcement and violations were addressed solely at the federal level by the Office for Civil Rights. Now, state attorneys general are empowered to deal with enforcement and violations as well.

What is the impact on state privacy laws?

Although many believe that HIPAA is the sole controlling authority related to patient privacy, it does not, however, preempt state privacy laws and regulations. If provisions in the state privacy laws are more restrictive, then those provisions apply in addition to HIPAA. For example, Ohio has some of the stricter state privacy laws in regard to disclosure of protected health information. These laws have to be evaluated and reviewed to determine what additional actions might be needed in terms of notification and disclosures. The question for the future is whether states with these stricter privacy measures will impact exchange of health information with other states. In coming years, if we are going to have more free-flowing medical information, these issues will need to be addressed.

What is considered protected health information?

Protected health information is identifiable information related to treatment of a patient and that is maintained by a covered entity. In certain circumstances covered entities can release this information without authorization, for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.

What is a permissible disclosure?

Information can be disclosed if a patient authorizes it. Information must be disclosed by a protected entity if the HHS requests that information as part of an investigation. Permitted disclosures also include treatment information (to help treat a patient); information used to seek payment; or information used in the health care operations category if that information will improve the quality of care overall or part of the business overall.

Do patients have any new rights?

Patients will have a greater ability to try to find out who has accessed their protected health information. Past experience is that most patients never request such information. However, there will now be a greater ability for patients to request an accounting of disclosures. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.

How can covered entities best keep up with the changes and protect themselves?

1) Keep an eye on releases from HHS about changes. 2) Consult with your legal representative. 3) Make sure your designated privacy officer is properly trained and that he or she is training your employees. 4) Keep open lines of communication with business associates and make sure any contracts you have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.

This article was originally posted at http://www.sbnonline.com/2012/03/how-to-understand-the-new-hipaa-requirements-to-make-sure-you%E2%80%99re-in-compliance/?full=1

HIPAA Activity on the Rise


HIPAA Audit Program

The HIPAA audit program mandated by the HITECH Act is underway. HHS recently awarded KPMG $9.2 million to commence the program. To date, HHS review of covered entities has been complaint driven. Audit protocols will be developed for covered entities and business associates. The audits will begin late this year or early 2012, and consist of as many as 150 on-site audits of entities varying in type, size, and location. These audits can result in enforcement action if violations are discovered.

To get prepared for a HIPAA audit, providers should perform an updated risk assessment and review their policies and procedures. HHS issued an audit checklist that identifies personnel who may be interviewed and documents that may be requested during an audit.

Accounting of Disclosures and Access Report

The long-anticipated rules regarding accounting of disclosures were proposed this May. There are two major changes covered entities and business associates will need to address: 1) accounting for treatment, payment, and health care operations disclosures, and 2) providing an access report.

Accounting for Disclosures

While the proposed rules broaden the accounting requirement to treatment, payment, and health care operations, HHS proposes to limit the accounting to information maintained in a designated record set for three years prior to the date of the request. There are also proposed exemptions, including disclosures for which breach notice was provided; abuse or neglect reports; patient safety work product; and disclosures for research, health oversight activities, decedents, and others required by law. Keep in mind that these exemptions may still be subject to the Access Report. Other proposed changes include decreasing the response time to 30 days and specifically including business associates.

Access Report

This rule proposes that an individual may request a report describing who has accessed their PHI maintained in an electronic designated record set, including the date and time of access, the person or entity accessing the information, a description of the information, and what was done with the information.
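As an added illustration (not part of the original article), the following Python builds an access report of the kind described above from an EHR application's audit log. The log format, field names and entries are constructed for this example; a real system's audit trail will differ, but the four elements the proposed rule names (date and time, who accessed the information, what information, and what was done with it) are the ones it has to capture. Lines that cannot be parsed are reported at the bottom rather than silently dropped, since a gap in the audit trail is itself something the privacy officer needs to know about.

```python
"""Build an access report for one patient from an EHR audit log.

Added example; the log lines below are constructed, not taken from any real system.
"""
import json
from datetime import datetime, timezone

# Constructed JSON-lines audit log. Line 5 is deliberately malformed.
SAMPLE_AUDIT_LOG = """\
{"ts": "2011-06-02T09:14:03Z", "user": "jdoe", "role": "nurse", "patient_id": "MRN-1001", "record": "medication list", "action": "view"}
{"ts": "2011-06-02T09:20:41Z", "user": "billing-svc", "role": "business associate", "patient_id": "MRN-1001", "record": "claim 4471", "action": "export"}
{"ts": "2011-06-01T17:55:12Z", "user": "asmith", "role": "physician", "patient_id": "MRN-2002", "record": "progress note", "action": "update"}
{"ts": "2011-05-30T08:01:00Z", "user": "asmith", "role": "physician", "patient_id": "MRN-1001", "record": "lab results", "action": "view"}
{"ts": "not-a-timestamp", "user": "", "role": "", "patient_id": "MRN-1001", "record": "", "action": "view"}
"""

# Fields an entry must carry to be usable in an access report (assumed schema).
REQUIRED_FIELDS = ("ts", "user", "patient_id", "record", "action")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps the constructed log uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit_log(text):
    """Return (entries, rejected).

    rejected lists (line number, reason) for lines that are not valid JSON or
    lack a required field, so the report can disclose gaps in the audit trail
    instead of silently omitting them.
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
            missing = [k for k in REQUIRED_FIELDS if not entry.get(k)]
            if missing:
                raise ValueError("missing field(s): " + ", ".join(missing))
            entry["ts"] = parse_ts(entry["ts"])
        except (ValueError, AttributeError) as exc:
            # json.JSONDecodeError is a ValueError; a non-object JSON value
            # has no .get() and raises AttributeError.
            rejected.append((lineno, str(exc)))
            continue
        entries.append(entry)
    return entries, rejected


def access_report(entries, patient_id, since=None):
    """Accesses to one patient's records, oldest first, optionally from `since`."""
    rows = [e for e in entries
            if e["patient_id"] == patient_id and (since is None or e["ts"] >= since)]
    return sorted(rows, key=lambda e: e["ts"])


def format_report(rows, rejected):
    """Render the four elements the proposed rule names, plus any log gaps."""
    lines = ["date/time (UTC) | accessed by (role) | information | action"]
    for e in rows:
        lines.append("{:%Y-%m-%d %H:%M:%S} | {} ({}) | {} | {}".format(
            e["ts"], e["user"], e.get("role") or "unknown role", e["record"], e["action"]))
    if rejected:
        lines.append("NOTE: %d audit line(s) unreadable: %s" % (
            len(rejected), "; ".join("line %d (%s)" % r for r in rejected)))
    return "\n".join(lines)


def build_report(log_text, patient_id, since=None):
    """Parse a log and produce the text report for one patient."""
    entries, rejected = parse_audit_log(log_text)
    return format_report(access_report(entries, patient_id, since), rejected)


if __name__ == "__main__":
    print(build_report(SAMPLE_AUDIT_LOG, "MRN-1001"))
```

Run as-is, the script lists the three accesses to MRN-1001 in time order (the physician's view, the nurse's view and the billing export) and flags that line 5 of the log was unreadable. The `since` argument is how the three-year look-back window in the proposed rule would be applied.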

Covered Entities must revise their Notice of Privacy Practices to notify individuals of their right to an accounting and an access report.

Monetary Penalties

For the first time this year, there were three major monetary penalties issued for HIPAA violations. These include a $4.3 million penalty involving failure to provide access, a $1 million penalty involving loss of PHI, and most recently an $865,500 penalty involving unauthorized employee access to electronic PHI. Another reason to update your HIPAA program!

Joy Kosiewicz is an attorney in the Health Care Group at Brouse McDowell in Akron.

The Criticality of Risk Assessments: FISMA, HIPAA, and other regs


By Richard E. Mackey, Jr.
Dark Reading

One of the most important components in any security program is the risk assessment process. Regulations like FISMA, HIPAA, Red Flag Rules, and state privacy regulations require organizations to methodically assess risk and select security controls based on that assessment. The problem is that many organizations do not understand what it means to assess risk through a formal method. Worse yet, many IT people have a hard time understanding the practicality of formal assessments.

What is a formal risk assessment?

Formal risk assessments are processes that consider the value of the assets that are at risk, the business and technical threats to the assets, and the effectiveness of the business and technical controls that are designed to protect the asset. In the end, a risk assessment gives the organization an objective measure of the risk to an asset. The process forces the organization to acknowledge and accept the risk, eliminate the risk by terminating a business practice (e.g., stop offering access to the asset via the web), transfer the risk by outsourcing or insurance, or, more often than not, select additional more effective business or technical controls to reduce the risk.
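To make the process concrete, here is an added worked example (not from the article, and not NIST's or OCTAVE's own tooling) that scores each threat to an asset in the likelihood-times-impact form SP 800-30 uses, reduces likelihood by the effectiveness of the controls already in place, and records which of the four treatments named above (accept, terminate the practice, transfer, or add controls) the risk gets. The three-point scale, the risk-appetite threshold and the asset inventory are assumptions for illustration; the "reassess after adding a control" step shows why tracking risk over time matters.

```python
"""Added worked example of a formal risk assessment (likelihood x impact).

The scale, appetite threshold and inventory are constructed for illustration.
"""
from dataclasses import dataclass, replace

# Constructed three-point ordinal scale used for likelihood and asset value.
SCALE = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str                   # chance the threat is realised with no controls
    control_effectiveness: float = 0.0  # 0.0 no control .. 1.0 fully mitigated
    avoidable: bool = False           # the practice exposing the asset could be stopped
    transferable: bool = False        # insurance or an outsourcer could carry the loss


@dataclass(frozen=True)
class Asset:
    name: str
    value: str       # low/moderate/high: the impact if the asset is compromised
    threats: tuple


def residual_risk(asset, threat):
    """Likelihood reduced by the controls in place, multiplied by impact."""
    if not 0.0 <= threat.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be in [0, 1]")
    likelihood = SCALE[threat.likelihood] * (1.0 - threat.control_effectiveness)
    return round(likelihood * SCALE[asset.value], 2)


def treatment(score, threat, appetite):
    """Pick one of the four treatments the assessment forces a decision on."""
    if score <= appetite:
        return "accept"
    if threat.avoidable:
        return "terminate practice"
    if threat.transferable:
        return "transfer"
    return "mitigate (add controls)"


def risk_register(assets, appetite=2.0):
    """Score every asset/threat pair and rank them, highest residual risk first."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            score = residual_risk(asset, threat)
            rows.append({"asset": asset.name, "threat": threat.name,
                         "score": score, "treatment": treatment(score, threat, appetite)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def with_control(asset, threat_name, effectiveness):
    """Reassess after a new control is selected for one threat."""
    threats = tuple(replace(t, control_effectiveness=effectiveness)
                    if t.name == threat_name else t for t in asset.threats)
    return replace(asset, threats=threats)


# Constructed inventory: a lock on a closet is a weak control for drives at rest.
CALL_RECORDINGS = Asset("Call-recording archive on removable drives", "high", (
    Threat("Theft of drives from leased storage closet", "high", control_effectiveness=0.2),
    Threat("Drive failure destroys recordings", "moderate", control_effectiveness=0.5,
           transferable=True),
))
REFERRAL_FAX = Asset("Unattended fax line receiving referrals", "moderate", (
    Threat("Misdirected fax read by a stranger", "moderate", avoidable=True),
))


if __name__ == "__main__":
    for row in risk_register([CALL_RECORDINGS, REFERRAL_FAX]):
        print("{score:>4}  {treatment:<24} {asset}: {threat}".format(**row))
    # Select disk encryption for the archive and re-run the assessment.
    improved = with_control(CALL_RECORDINGS,
                            "Theft of drives from leased storage closet", 0.9)
    for row in risk_register([improved]):
        print("{score:>4}  {treatment:<24} {asset}: {threat}".format(**row))
```

With the assumed scale, drive theft scores 7.2 and must be mitigated, the fax exposure scores 4.0 and is best removed by stopping the practice, and drive failure scores 3.0 and is a candidate to transfer. After encryption is selected for the drives the theft risk falls to 0.9, below the assumed appetite, and is accepted; that before-and-after pair is exactly the documentation an auditor asks for.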

The benefits of formal risk assessments

Conducting formal assessments within a risk management program provides a number of benefits.

Formal assessments:

1. Require business and technical representatives to reason about risk in an objective, repeatable way
2. Require consistent terminology and metrics to discuss and measure risk
3. Justify funding for needed controls
4. Identify controls that can be eliminated
5. Provide documentation of threats that were considered and risks that were identified
6. Require business and IT to acknowledge the responsibility for ownership of risk
7. Require organizations to track risks and reassess them over time and as conditions change

Why are risk assessments so important in compliance?

There is a good reason for so many regulations to include a requirement for risk assessment. It is only sensible that a regulatory body cannot dictate the controls that are necessary in every environment. What might be appropriate for a large company with a significant web presence could be overkill for a small organization with a few customers. If the threats are different and the environment is different, it stands to reason that the controls may be different.

It is interesting to note that even the most prescriptive standards (e.g., PCI DSS) require risk assessments to determine the need for and effectiveness of controls. On the less prescriptive side of the regulatory spectrum, HIPAA and FISMA have very few required controls but expect the entire program to be risk based. This approach makes sense when one standard needs to apply to everyone.

Choosing a risk management framework

If your organization needs to comply with FISMA, your risk management approach should be based on NIST Special Publication 800-39. This document provides an overall description of the risk management lifecycle. Risk assessment, which is one part of the risk management program, is described in NIST Special Publication 800-30 (which is being revised). SP 800-30 provides a stepwise method for assessing risk that can be customized for a given organization.

Another good source of risk management documentation is provided by the OCTAVE project developed at Carnegie Mellon University. Both NIST and OCTAVE provide excellent sources for building a risk management program that help organizations meet their security and regulatory requirements.

This article was originally posted at http://www.darkreading.com/blog/231600781/the-criticality-of-risk-assessments-fisma-hipaa-and-other-regs.html

Feds impose first civil fine ever in HIPAA case


The Department of Health and Human Services’ Office for Civil Rights hit Cignet Health with a $4.3 million civil penalty for violating the HIPAA Privacy Rule and failing to cooperate during the subsequent probe even after a federal subpoena was issued, according to an HHS announcement.

This marks the first time the feds have imposed a civil money penalty for violations of HIPAA since it went into effect in 2003, the Washington Post reports. In earlier cases, offenders such as Rite Aid Corp. agreed to correct their practices or pay fines to settle the case. The fine is based on the violation categories and increased penalty amounts authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

An OCR investigation found that Cignet, which operates two clinics in Maryland, violated the rights of 41 patients who requested their medical records between Sept. 2008 and Oct. 2009 by not producing their records. The patients each filed separate complaints with OCR, which initiated investigations. Under the HIPAA Privacy Rule in force at the time, records had to be made available within 30 days of a request, or within 60 days if the records were held off-site.

Cignet’s experience is a cautionary tale. Besides violating the HIPAA privacy rule, it failed to respond to OCR’s demands to produce the records. When OCR ratcheted up the pressure and issued a subpoena, Cignet still did not produce the records. Only after OCR filed a petition to get a federal court to order Cignet to produce the records did the company stir. Eight days later, the boxes arrived at the DOJ. But Cignet did not make any effort to resolve the complaints through informal means, according to HHS.

OCR imposed $3 million of the $4.3 million fine for the company’s failure to cooperate with OCR’s investigations for nearly 13 months. In the case of Cignet Health, “this was really willful neglect,” Rachel Seeger, a spokeswoman for the OCR, told the Post. “They would not respond to the department.”

What’s more, when the health center finally delivered 59 boxes of records to the Justice Department, the boxes contained not only medical records for the 41 patients, but also records for about 4,500 other patients, whose information Cignet should not have been disclosing, because the records were not part of the probe.

Screen Time For Kids: Is it Learning or a Brain Drain?


When it comes to video games and apps, what’s a parent to do? On one hand, we’re bombarded with messages about the perils of letting kids play with computer games and gadgets. On the other, we’re seduced by games and apps marketed to us as “educational.”

It’s a tricky line to navigate. The spectrum of kids’ apps ranges from “baking” cupcakes to crushing war demons. Most of them have some educational aspect — at the very least kids learn what ingredients are used in cupcake baking, and the physics of launching Angry Birds at just the right angle to kill the piggies. That’s learning, isn’t it?

Therein lie the vague boundaries. Not all games are educational, and not all are shallow forms of entertainment. Many are marketed as educational tools, but in fact, most have some elements of both. The trick is to figure out what we want kids to learn and to experience. To clump them all into one category is to miss out on a huge treasure trove of learning opportunities. Real learning apps have a set of criteria that qualifies them as educational, so rather than writing them all off as a waste of time, parents can figure out what their kids are exposed to.

“We don’t ever want to separate engagement from the purposes of learning,” said Daniel Edelson, Executive Director and Vice President of Education and Children’s Programs at the National Geographic Society at a cyberlearning conference last week. “When you’re engaged with activities that have learning goals, you can connect the dots between engagement and learning. If you use engagement in its broadest possible sense when people are paying attention because of bright lights and activity, then you don’t find that connection.”

Enter the parent. A young child is not necessarily going to figure out if she’s learning or having fun. And in the best cases, that line is blurred without the child even knowing it. She’s collecting information about bugs and plantlife with apps like Project NOAH. She’s creating original stories — complete with exposition and denouement and background music — with digital storytelling apps like Toontastic.

So should parents feel guilty allowing their kids to play games on mobile gadgets?

“Most parents don’t understand the need for their participation,” said Dr. Gwenn O’Keeffe, a pediatrician who says she specializes in children’s media use. “It’s a small population who gets it.”

Simply put: “No,” says Dr. Michael Levine of the Joan Ganz Cooney Center, which recently released a study called Learning: Is There an App For That. “Kids see their parents using mobile phones all the time. It’s only natural for them to want to use them too. And from the data in our study it looks like many parents are letting their children use them responsibly – with restrictions and in moderation. We recommend a balanced media diet that consists of content that is fun, educational, and doesn’t take up too much time in a given day.”

That said, Levine cautioned parents to stay vigilant about screen time. “We would be quite concerned if young children, especially preschoolers, began to dramatically increase their mobile screen time,” he said.

A screen is not just a screen, though. The one-way interaction between TV and the couch potato is far different than an absorbing Scrabble play-off with a friend on a mobile phone.

“Nobody’s saying, ‘Give your kid a Gameboy, so he can be quiet and go sit in the corner,” said Andy Russell, co-creator of Toontastic at a digital media and learning conference. “We’re giving them tools to actually help them create content. The new devices allow us to do new things that we haven’t ever been able to do. But the world of ‘edutainment’ has dug us into a hole where most people think games only create a solitary experience.”

In fact, many apps invite multiple players, social interaction with peers, and a call to go outdoors, either with specific instructions or with the child’s own imagination. When my daughter and her friend were deciding how to spend their Saturday afternoon last week, their indoor play turned into an outdoor movie that they scripted, and that I filmed and edited for them with my iPhone.

Russell says game designers should also take responsibility in guiding parents on how to interact with the games and their kids. “The failure is not the technology, but how we communicate to parents,” he said.

BEYOND SCREENS

Regardless of how educational or engaging a screen can be, O’Keeffe says emotional connections are lost without face-to-face contact. “If they’re looking at a screen, they can’t see the emotional response,” said O’Keeffe, who believes screens should be kept out of the hands of kids under five years old. “It’s about empathy and they’re having trouble learning that. Do you really need to turn on the DVD in the car? Do kids really need the Gameboy in the grocery store? We all have to use the screen as babysitter sometimes. But to always use a screen that often is a problem.”

But gaming advocates argue that social connections are built into most games, and that sharing tactics and strategies helps cement the learning experience — and connects players to each other in ways that haven’t been done before.

As researchers dig deeper into the ramifications of games and apps on young minds, parents will have to navigate the gray areas between absentminded parenting and the smart use of technology.

This article was originally posted at http://mindshift.kqed.org/2011/03/screen-time-for-kids-is-it-learning-or-a-brain-drain/

New HIPAA rules need more clarification


When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they’ve filed in response to the changes HHS proposed in July.

The American Health Information Management Association wants the HHS Office for Civil Rights to add some detail to the stewardship role providers must play in determining the “minimum necessary” use and disclosure of patient-specific protected health information, Health Data Management reports. Specifically, AHIMA wonders whether one alternative in a forthcoming final rule on HIPAA attachment standards would effectively force providers to violate the “minimum necessary” standard.

OCR should “include a prohibition on health plan access to an individual’s PHI under guardianship of a healthcare provider,” AHIMA writes in its comments.

Similarly, the Healthcare Information and Management Systems Society would like OCR to provide some guidance on the “minimum necessary standard.” HIMSS also wonders whether business associate agreements will still be necessary, because the proposed rules would treat business associates as covered entities.

“It is common for healthcare providers, such as a community hospital, to have hundreds of business associate relationships, and large complex academic medical centers can have over 1,000 business associate relationships to manage,” HIMSS says in arguing that such agreements would be unfairly burdensome on its members under the new regulations.

The National Community Pharmacists Association also wants some clarification, particularly over how pharmacists should handle privacy requests from customers who pay cash, since the proposed regulations would allow self-paying patients to ask providers to limit disclosure of some types of data to payers. “In some cases, such action would violate the pharmacy’s contract obligations to third-party payers such as pharmacy benefit managers,” the NCPA says.

On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel’s Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

“We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN,” the coalition says in its letter. “The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have ‘maximal control over PHI’ should be viewed as what is possible now, not 10 years from now.”

Meanwhile, consulting firm Computer Sciences Corp. has published a white paper to explain the proposed changes to HIPAA privacy, security and enforcement rules called for by the American Recovery and Reinvestment Act.

For more information:
– see this Health Data Management story about AHIMA’s comments
– read the AHIMA letter (.pdf)
– take a look at this HDM story about the NCPA’s comments
– and here is the actual NCPA letter (.pdf)
– read what HIMSS has to say about the HHS proposal (.pdf)
– take a look at these comments from the Coalition for Patient Privacy (.pdf)
– download the CSC report

Source: fiercehealthit.com
