
Omnibus Rule Compliance today!

Today, September 23, 2013, is the compliance date for the HIPAA Omnibus Rule: from today, OCR can enforce the new requirements.

Covered entities and business associates that are not yet compliant with the new requirements should close the remaining gaps as quickly as possible. One narrow exception has been announced: the Office for Civil Rights (OCR) of the Department of Health and Human Services is delaying, until further notice, enforcement of the requirement that certain CLIA-certified and CLIA-exempt laboratories revise their Notices of Privacy Practices (NPPs). Here is the entire statement issued by OCR:

“The Office for Civil Rights (OCR) of the Department of Health and Human Services announces a delay in its enforcement of the requirement that certain HIPAA–covered laboratories revise their notices of privacy practices (NPPs) to comply with the modifications made to the HIPAA Rules published in the Federal Register on January 25, 2013 (78 FR 5566), commonly known as the “Omnibus Rule,” until further notice. This Enforcement Delay applies to HIPAA-covered laboratories that are subject to CLIA (i.e., CLIA-certified) or exempt from CLIA (i.e., CLIA-exempt) and that are not required to provide an individual with access to his or her laboratory test reports under § 164.524 of the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access at § 164.524(a)(1)(iii)(A) or (B).  The Enforcement Delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and by virtue of that relationship, do not have their own, laboratory-specific, NPPs.”

This is a reprieve for only a small part of the Omnibus Rule. Another common sticking point is updating existing Business Associate Agreements (BAAs) to the new requirements. The Rule contains a transition provision for this: a BAA that was in place on or before January 25, 2013, and that has not been renewed or modified between March 26, 2013 and September 23, 2013, may continue to be relied on for now. For that group of agreements, the compliance date is extended to September 23, 2014, or to the date the agreement is next renewed or modified, whichever comes first. Any BAA signed after January 25, 2013, and any existing BAA that has been renewed or modified since March 26, 2013, must meet the Omnibus Rule requirements as of today.

RISC Management & Consulting is an organization specializing in data privacy and information security regulations and frameworks, focused on the healthcare and financial sectors. RISC assists its clients in understanding the requirements of federal and state regulations and industry frameworks as they apply to sensitive information. RISC consultants are experts in legal requirements, industry standards, and frameworks including HIPAA, the HITECH Act, ISO 27001 and 27002, PCI DSS, GLBA, FFIEC guidance, and state-level information security laws. All of our services are focused on getting you compliant with privacy and security requirements quickly, completely, and affordably.

Enforcement Highlights of the HIPAA Privacy Rule 

As of August 31, 2013, HHS/OCR has investigated and resolved over 21,271 cases by requiring changes in privacy practices and other corrective actions by the covered entities involved.

From the Privacy Rule compliance date to the present, the most frequently investigated compliance issues, compiled cumulatively and listed in order of frequency, are:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and,
  5. Pharmacies.

With regard to the subset of complaints specifically pertaining to the Security Rule: since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 738 complaints alleging a violation of the Security Rule. During this period, OCR closed 543 of those complaints after investigation and appropriate corrective action. As of August 31, 2013, OCR had 260 open Security Rule complaints and compliance reviews.

For more information please contact RISC Management and Consulting, www.RISCsecurity.com


Financial institutions fight fraud with two-pronged approach that includes regulatory compliance and consumer education

As banking transactions move into an ever more electronic realm, regulations, monitoring, and detection solutions are required to protect consumers from privacy breaches, cyber fraud, and the automated, faceless attacks that 21st-century criminals carry out with tools such as botnets.

What is a botnet? Microsoft provided a breakdown of where the terminology came from: “The term bot is short for robot. Criminals distribute malicious software (also known as malware) that can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet, without you knowing it”.

Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet. Criminals use botnets to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, your computer might slow down and you might inadvertently be helping criminals.

This threatening new world requires vigilance not only by banking institutions but by consumers themselves.

The Federal Financial Institutions Examination Council (FFIEC) was formed in 1979 to prescribe uniform principles, standards, and report forms for the federal examination of banks, credit unions, and other financial institutions. Its members include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Consumer Financial Protection Bureau, and a State Liaison Committee representing state regulatory agencies.

Each U.S. financial institution answers to a primary federal regulator, which has the power to examine the institution and take action against violations of laws, rules, or regulations, unsafe or unsound practices, and breaches of fiduciary duty. The FFIEC's Consumer Help Center ( http://www.ffiec.gov/consumercenter/default.aspx ) helps consumers with a complaint about their financial institution find the regulatory agency responsible for it.

Among its compliance reporting initiatives, the FFIEC publishes interpretations, technical reporting requirements, and FAQs for financial institutions covering a veritable alphabet soup of statutes, including the HMDA (Home Mortgage Disclosure Act), the CRA (Community Reinvestment Act), and the S.A.F.E. Act (Secure and Fair Enforcement for Mortgage Licensing Act). The FFIEC website also gives financial institutions access to a rate spread calculator, census reports, and a mapping system for geocoding loans, so that institutions can meet their legal reporting requirements.

When it comes to fighting fraud, users have protections they may not be taking advantage of: basic measures such as using strong, unique passwords, guarding personal information, and regularly reviewing their accounts for unfamiliar activity. Banking institutions that educate their customers and correct risky user behavior do better at both reducing and catching fraud schemes. Users, including consumers, share responsibility for the security of the overall system.

RISC Management & Consulting can help financial institutions navigate the maze of privacy rules, security regulations and reporting requirements and create consumer education programs that ensure compliance and security. RISC can assist your organization in developing priorities, creating policies and procedures, identifying timelines, and we can even carry them out for you. RISC can assist you in preparing or assessing your systems, infrastructure and practices against the FFIEC IT Handbook.

Sources:

http://www.ffiec.gov/

http://ffiec.bankinfosecurity.com/

http://www.microsoft.com/security/resources/botnet-whatis.aspx