HIPAA / HITECH Enforcement – Page 13 – RISC Management and Consulting

An unencrypted thumb drive.

Physically, a thumb drive is a small thing. But financially and organizationally, an unencrypted thumb drive had huge ramifications to a Massachusetts-based dermatology firm.

Why?

Because the thumb drive held the health information of 2,200 patients, and it was stolen from the unattended vehicle of one of the firm’s staff members. Electronic health information is protected by the Health Insurance Portability and Accountability Act of 1996. (Read more about the security lapse here http://www.hhs.gov/news/press/2013pres/12/20131226a.html)

The firm notified its patients, the media and the U.S. Department of Health and Human Services (HHS), but that was just the beginning. To remedy for the lost information, the firm was required to pay a $150,000 fine and complete a detailed and effort-intensive corrective action plan that takes at least 18 months to complete.

Interested in what a corrective action plan might entail? Here’s what the dermatology firm’s resolution plan looks like:

— The agreement with HHS obligates the firm to conduct within one year a comprehensive, organization-wide risk analysis that incorporates all electronic media and systems. In this example, the analysis covers six offices, 10 dermatologists, one surgeon, five nurse practitioners, one physician assistant, three aestheticians plus at least six managers and unknown number of records.

— Then, within 60 days of the analysis, the firm is required to develop a risk management plan to address risks and vulnerabilities and submit the plan to HHS’s Office of Civil Rights.

— If the Office of Civil Rights has any changes to the plan, the firm has 30 days to incorporate those revisions and provide a revised risk management plan and, if changes to the firm’s policies and procedures manual are required, the firm must distribute the new policies, train staff on the revisions and implement the new procedures.

— Meanwhile, the firm must monitor its own compliance and report deficiencies back to Office of Civil Rights. Each report must describe event, staff or persons involved and describe actions taken to address matter. Even if there are no “reportable events,” the firm must report that to the Office of Civil Rights.

Overwhelmed yet?

The corrective action is not yet complete. Once the Office of Civil Rights approves the risk analysis, the plan and the revisions, the firm has 60 days to submit an implementation report. The implementation report must include the following:

— The firm must describe how it implemented its security management process and updated its policies and procedures.

— An officer of firm must attest that revised policies and procedures have been implemented and that staff has been informed of them and, if necessary, trained on them.

–The report must contain a summary of all reportable events and corrective and preventative actions.

The correction action plan also requires the firm to retain related documents for three years.

All because of an unencrypted thumb drive.

For a look at the actual resolution agreement involved in this case, you can find it here http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf .

If you’re interested in improving your company’s security so you can avoid fines and corrective action like those experienced by the dermatology firm or if you need assistance in navigating a corrective action plan, RISC Management can help. RISC deals with privacy and security issues, workforce training, protected health information and electronic protected health information, and our firm is well-versed in risk analysis and compliance issues. Contact us today: Sales@RISCsecurity.com or 630-264-1472

RISC Happy New Year 2014 Silver

There’s nothing like a fresh, new calendar to inspire new initiatives and renewed emphasis on business improvements. So it is with information security, too, and we here at RISC Management & Consulting offer a few ideas for your business resolutions – or in some cases, revolutions — in the New Year.

Prepare a Plan B: One of the best parts about the beginning of the new year is the excitement in the potential of the future. Right now, while you are reveling in the open road of the future and its upside, consider how you’d weather a storm. Do some planning for business continuity and disaster recovery. Don’t just jump headlong requiring these plans of employees who haven’t done this before. Base your plans on sound fundamentals such as relative impact determined by a Business Impact Analysis (BIA).

Review your firm’s security policies: If your policy manual hasn’t been updated within the last year, it’s time.

Create a workforce privacy and security training program for staff: Such a program would be offered regularly, included in the training for new hire and updated whenever new infrastructure or applications are implemented, or when legal requirements change. Don’t start from scratch; get help and referrals from others in your business. RISC has been educating regulated workforce members regularly delivering programs to industry and accreditation bodies. Already have a good staff training program? A RISC Management policy effectiveness assessment can identify whether your staff is knowledgeable about the content, requirements, and location of your organization’s policies. Are team members following your policy requirements when nobody is looking? RISC can help you to find out.

Invest in a data loss prevention solution: There are many ways to protect regulated, sensitive or confidential employee, customer or company information and safeguard intellectual property across electronic communications channels, including email (SMTP), Web (HTTP), Secure Web (HTTPS) and File Transfer Protocol (FTP) plus online applications and services such as WebMail, social networks, blogs and Wikis. Various tools offered by RISC Management enable healthcare organizations, financial institutions, banks, universities, and any concerned, responsible, business of any size, to effectively monitor, enforce and audit the loss of confidential data.

Spend two minutes learning more about the latest Omnibus Rule Changes to improve privacy protections and security safeguards in the Health Insurance Portability and Accountability Act of 1996 and how RISC Management can help you tackle those changes head-on. Click on https://riscconsulting.com/2013/09/23/final-omnibus-rule-changes-and-how-risc-can-help/ for the video.

Don’t let fear of a data breach keep you awake at night: Schedule a vulnerability test and learn ways you can protect your systems from the bad guys. Run a data breach response drill to practice on a scenario so there is less panic when responding to the real thing.

Create a formal process to document and approve changes to your computer applications and operating systems: Sounds simple, but in practice, such a process can prevent chaos and unintentional security problems. Need help? RISC Management can start with a risk analysis to identify and document potential gaps, and help build a change management program.

Brush up on innovations in health information technology: Why does this matter? Modern systems typically provide better security protocols and often result in financial benefits to stakeholders. Consider attending the Healthcare Information and Management Systems Society annual conference, more commonly known as HIMSS14. It’s Feb. 23-27, 2014, in Orlando, Florida, and former Secretary of State Hillary Rodham Clinton and Aetna CEO Mark Berollini are among keynote speakers. Visit http://www.himssconference.org/ for more information.

Best wishes from RISC Management & Consulting on a Prosperous, Secure, and Compliant New Year!