
Omnibus Rule Compliance today!

Today, September 23, 2013, marks the Omnibus Rule enforcement date.

It is important for providers to start working on compliance with the new requirements as soon as possible. According to a statement from the Office for Civil Rights (OCR) of the Department of Health and Human Services, enforcement of the requirement that certain CLIA-exempt laboratories revise their Notices of Privacy Practices is delayed until further notice. Here is the entire statement issued by OCR:

“The Office for Civil Rights (OCR) of the Department of Health and Human Services announces a delay in its enforcement of the requirement that certain HIPAA–covered laboratories revise their notices of privacy practices (NPPs) to comply with the modifications made to the HIPAA Rules published in the Federal Register on January 25, 2013 (78 FR 5566), commonly known as the “Omnibus Rule,” until further notice. This Enforcement Delay applies to HIPAA-covered laboratories that are subject to CLIA (i.e., CLIA-certified) or exempt from CLIA (i.e., CLIA-exempt) and that are not required to provide an individual with access to his or her laboratory test reports under § 164.524 of the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access at § 164.524(a)(1)(iii)(A) or (B).  The Enforcement Delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and by virtue of that relationship, do not have their own, laboratory-specific, NPPs.”

This is one reprieve for a small part of Omnibus Rule compliance. One tip for those struggling to comply is to modify existing Business Associate Agreements (BAAs). This tip does not apply to BAAs entered into on or before January 25, 2013 that have been modified after March 26, 2013; for that group, the compliance date is extended until September 23, 2014.

RISC Management & Consulting is an organization specializing in data privacy and information security regulations and frameworks, focused on the healthcare and financial sectors. RISC assists its clients in understanding the requirements of federal and state regulations and industry frameworks as they apply to sensitive information. RISC consultants are experts in legal requirements, industry standards, and frameworks including HIPAA, the HITECH Act, ISO 27001 and 27002, PCI-DSS, GLBA, FFIEC, and state-level information security laws. All of our services are focused on getting you compliant with privacy and security requirements quickly, completely, and affordably.

Enforcement Highlights of the HIPAA Privacy Rule

As of August 31, 2013, HHS/OCR has investigated and resolved over 21,271 cases by requiring changes in privacy practices and other corrective actions by the covered entities.

From the compliance date to the present, the compliance issues investigated most often, compiled cumulatively and listed in order of frequency, are:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and,
  5. Pharmacies.

With regard to the subset of complaints specifically pertaining to the Security Rule: since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 738 complaints alleging a violation of the Security Rule. During this period, OCR closed 543 complaints after investigation and appropriate corrective action. As of August 31, 2013, OCR had 260 open complaints and compliance reviews.

For more information please contact RISC Management and Consulting, www.RISCsecurity.com


Small healthcare provider pays huge security fine after the theft of an unencrypted laptop

If you think your organization is too small to attract the attention of the U.S. Department of Health and Human Services, think twice. The department recently settled a security dispute with a hospice in Idaho for $50,000. The potential violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996 involved a breach of health information affecting 441 patients.

The Hospice of North Idaho agreed to pay $50,000 to settle potential violations after an unencrypted laptop computer containing the electronic protected health information of the patients had been stolen in June 2010.
Field workers for the hospice use laptops containing patient information as a regular component of their workflow. An investigation by the Department of Health and Human Services’ Office for Civil Rights revealed that the hospice had not conducted a risk analysis to safeguard the electronic patient information and had no policies or procedures addressing mobile device security. The lack of a risk analysis has become a regular theme in the publicly available settlement agreements published by the OCR.

The HIPAA Security Rule and the HITECH Act data breach requirements mandate the existence of policies and the reporting of inappropriate or unauthorized access to PHI or ePHI, called breaches. The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information affecting 500 individuals or more to the government and the media within 60 days after the breach is discovered, or after it should have been discovered. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary of Health and Human Services on an annual basis.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Office for Civil Rights Director Leon Rodriguez said in a press release from the Department of Health and Human Services. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

RISC Management’s stance on encryption is that implementation has become easy enough, and cost has fallen enough, that choosing not to implement encryption is difficult to justify. With the exception of legacy systems developed long before data encryption was readily available, few relational database platforms or operating systems lack encryption support today. Even for those legacy systems, third-party applications and technologies can implement encryption in a manner that provides safe harbor without requiring the legacy applications to be rewritten.
The Idaho hospice has taken steps to remedy its compliance since the 2010 theft.
The Department of Health and Human Services provides tips for physicians, health care providers and other healthcare professionals who use smartphones, laptops and tablets in their work at http://www.HealthIT.gov/mobiledevices.
RISC Management and Consulting can help assess your encryption capabilities, identify supported encryption options, and assist you in implementing standards-based encryption that may provide safe harbor under the HITECH rules.