Data Breach, HIPAA / HITECH Enforcement, News Events

An Employee Mistake Leads to a HIPAA Data Breach

Just last month, a Pennsylvania-based hospital suffered a breach of patient data caused by unauthorized access and transmission of PHI by an employee. The 551-bed Penn State Milton S. Hershey hospital discovered through an internal investigation that a lab technician accessed and transmitted protected health data outside of the hospital’s secure network. The key in this breach was that the employee was authorized to work with PHI but in this case did not access and transmit the PHI securely. He used his own USB device and sent patient data through his own personal email address to two physicians.

The important thing to note in this situation is what your organization can do to avoid a situation like this: train your workforce. Not only is workforce training required by HIPAA, it is a prudent means of improving efficiency and confidence in your workforce. Many organizations believe that their biggest threat lies outside their walls. While it is a smart business decision to implement security controls to prevent intrusions from external threats, your organization should also prioritize properly training your workforce. Below is a list of the most investigated issues as noted in the OCR Enforcement highlights.

 

From OCR Enforcement highlights:

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Security Rule Enforcement Results as of the Date of This Summary

With regard to the subset of complaints specifically pertaining to the Security Rule, since the OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, HHS closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews.

 

Penn Breach Table

Here is the direct link to the Breaches Affecting 500 or More Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Advertisements
Data Breach, HIPAA / HITECH Enforcement, News Events, OCR HIPAA Audits, Risk Analysis/Risk Management

Dermatology Practice Settles Potential HIPAA Violations $150,000 Plus Corrective Action Plan

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html.

For assistance please contact RISC Management.

 

Data Breach, Education, HIPAA / HITECH Enforcement, Meaningful Use, News Events, OCR HIPAA Audits, Tip of the Week, Upcoming Events

Gazzang and RISC Management Announce Upcoming Webinar to Help Companies Minimize Risk of Sensitive Data Exposure

The HIPAA Omnibus Rule enhances requirements and penalties for covered entities and business associates alike. As organizations rush to comply with the new rules, many are turning to Gazzang, the big data security experts, for help securing protected health information (PHI) and partner RISC Management to assess, document, and achieve compliance.

Join Chris Heuman- Practice Leader of RISC Management & Consulting along with David Tishgart-Senior Director of Marketing at Gazzang as they present information to understand what constitutes a breach and how best to protect regulated data such as electronic Protected Health Information (ePHI). Discover the best route for navigating the breach risk assessment requirements and minimize your chances of having to report a breach!

Chris Heuman
Chris Heuman
David Tishgart
David Tishgart

Gazzang zNcrypt™ for Health Care can be applied easily, quickly, and economically as a solution for data privacy and security requirements defined within HIPAA and HITECH. Through AES-256 encryption, advanced key management, and process-based access controls, zNcrypt provides transparent data encryption for any database or application running on Linux, including big data environments. Additionally, Gazzang zTrustee™ protects the Gazzang encryption keys with several layers of advanced techniques to ensure the key is only accessible by authorized parties. In the event of a data breach, encryption can help organizations protect sensitive PHI and may enable them to claim “Safe Harbor.”

“Data breaches such as the one experienced by Advocate Health Group affecting more than four million patients, and the subsequent huge class action lawsuit need not occur. A thorough risk analysis, as required by HIPAA, and implementation of stable, supportable encryption technology could have saved the organization a great deal of cost and time, and more than four million patients a lot of stress.” said Chris Heuman, Practice Leader at RISC Management.

Gazzang and RISC Management are hosting a webinar titled, “Are You Ready for the Final HIPAA Omnibus Rule Changes?” on Wednesday, November 6 at 12:00 p.m. ET. Click here to register and learn what constitutes a breach and how best to protect regulated data such as ePHI.

 About RISC Management

RISC Management is an organization dedicated to data privacy and information security, focused primarily on healthcare, banking and finance, and higher education. RISC helps to protect the regulated and sensitive data of our clients and their customers. RISC provides a wide array of compliance and security services to help ensure our clients understand legal and industry requirements. Our experts identify, analyze, document, and remediate risks and vulnerabilities to protect sensitive information. For more information visit www.RISCsecurity.com .

Media Contact

RISC Management
Rose Rienton, MSN, RN

Rose.Rienton@RISCsecurity.com

 About Gazzang

Gazzang provides data security solutions and expertise to help enterprises protect sensitive information and maintain performance in big data and cloud environments. Our technology enables SaaS vendors, health care organizations, financial institutions, public sector agencies and more to meet regulatory compliance initiatives, secure personally identifiable information and prevent unauthorized access to sensitive data and systems. The company is headquartered in Austin, Texas and backed by Austin Ventures and Silver Creek Ventures. For more information, visit www.gazzang.com.

Media Contact

Gazzang
Cybele Diamandopoulos

(512) 535-4422

cybele@foliocom.com

 

Data Breach, Education, HIPAA / HITECH Enforcement, News Events, OCR HIPAA Audits, Upcoming Events

Are You Ready for the Final HIPAA Omnibus Rule Changes?

Upcoming Webinar addressing the Final Omnibus Rule now in effect, requiring businesses to make changes within their organization such as revising their Business Associate Agreement (BAA), training their workforce on the updated obligations, but most importantly perform a four-step risk assessment of potential breaches of Protected Health Information (PHI).

Join Chris Heuman – Practice Leader of RISC Management and Consulting along with David Tishgart – Senior Director of Marketing at Gazzang as they present information to understand what constitutes a breach and how best to protect regulated data such as electronic Protected Health Information (ePHI). Discover the best route for navigating the breach risk assessment requirements and minimize your chances of having to report a breach.

Date and Time:
Wednesday, November 6, 11am CT

Click to Register Now! 

 

Tip of the Week, Trends & Technology

The Role of Security Controls in a Security Program

When your organization is building a security program, clear direction must come from the Executive level to guide management and staff in implementing the right solutions. Without a greater understanding of the organization’s direction, management lacks the proper knowledge to make decisions in the best interests of the organization. In much the same way, a security program needs the proper structure of controls in place to guide the organization at the lower levels of the workforce.

A security control is “any administrative, management, technical or legal method that is used to manage risk.”1 Once your organization has identified areas of need, whether because of security or compliance concerns, controls are the tools used to correct the problem or fill the gap. These tools can consist of staff members, physical or technical measures, procedures, or governance. As Kim Sassaman explains, “Implementation of information technology security controls is how the Security Program is put into operation.”1 When deciding on a control to deploy, the decision needs to be part of a risk analysis or risk management process; each type of control must exist for a specific reason, hopefully filling multiple needs at once.

Some examples of controls include door locks, ID badges, firewalls, encryption, policies, procedures, and oversight committees. One of the most glaring results of the OCR KPMG Audit Program was that nearly 80% of Covered Entities were lacking a formal risk analysis, the very first step in determining the proper controls for your organization!2 And if you haven’t heard about some of the most recent data breaches, many of them have been caused by a lack of encryption or media disposal controls. These issues and more can be resolved with a proper security program supported by security controls outlined in organization policies.

Contact RISC Management if you need help developing a security program or implementing controls. Remember, the first step is always a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.

 

References

  1. Implementing Information Security in Healthcare: Building a Security Program
  2. “Preparing for HIPAA Compliance Audits.” Healthcare Info Security Website