Author Archives: HIPAA Journal

Electronic Records and HIPAA Compliance

Make sure you understand the relationship between electronic records and HIPAA compliance. It can be more complicated than many Covered Entities believe.

Security Officers in the healthcare industry with a responsibility for electronic records and HIPAA compliance have plenty to keep themselves occupied. In the majority of healthcare-related organizations across the country, thousands of records containing electronic protected health information (ePHI) are created every day, then used, transmitted and stored.

Maintaining the confidentiality, integrity and availability of ePHI is a key element of compliance with HITECH and the HIPAA Security Rule; yet, when you look at the big picture, the scale of the requirement is staggering. Not only does ePHI created and used within an organization have to be safeguarded, but also ePHI transmitted outside of an organization's network, and ePHI stored in the cloud.

Start by Conducting a Risk Analysis

One of the primary issues with electronic records and HIPAA compliance is that the technical, physical and administrative safeguards of the HIPAA Security Rule were published three years before Amazon's cloud-based web services were launched, and four years before the first Apple iPhone was released. At the time, mHealth devices and apps such as Fitbit were still many years into the future.

Therefore, in order to identify issues relating to electronic records and HIPAA compliance in a modern healthcare environment, Security Officers must conduct an accurate assessment of potential risks and vulnerabilities. The nature of risks typically falls into three categories:

  • Unauthorized disclosure, modification or deletion of ePHI (both malicious and accidental).
  • IT disruptions due to man-made or natural disasters.
  • Business Associates and the failure to conduct due diligence.

Each category has a huge scope for potential breaches of ePHI and covering everything related to electronic records and HIPAA compliance is a huge task. Some Covered Entities have inventoried and analyzed the use and disclosure of all PHI (not just ePHI) as part of their efforts to comply with the HIPAA Privacy Rule, and this level of data can be invaluable for risk analysis.

Assess Your Current Security Measures

Once the risks have been identified and documented, the next step is to assess the organization's current security measures. Both technical and non-technical security measures have to be assessed in order to determine whether the security measures required by the HIPAA Security Rule are already in place and, if so, whether they are configured and used as intended.

This assessment will lead to a risk analysis, from which Security Officers will be able to establish whether certain risks need to be addressed immediately, and what additional security measures and policies need to be implemented in the future. It is not advisable to make too many changes to work practices at the same time, so the risk analysis can also be used to identify priorities.

HHS has Issued Guidance on Cloud Computing

As part of its “special topics for HIPAA professionals” series, the US Department of Health & Human Services (HHS) has issued guidance for Covered Entities and Business Associates on cloud computing. This area of electronic records and HIPAA compliance is evolving all the time and, as with the HIPAA Security Rule, HHS does not endorse specific technologies to safeguard the integrity of ePHI.

The same rules apply for electronic records and HIPAA compliance as if a medical professional were sharing PHI in paper format. Covered Entities are expected to conduct due diligence on the Business Associate (in this case the Cloud Services Provider), a Business Associate Agreement must be in place, and the Business Associate is responsible for notifying the Covered Entity of any breach of ePHI.

Further Information about Electronic Records and HIPAA Compliance

For further information about electronic records and HIPAA compliance, it is recommended Security Officers download and review our “HIPAA Compliance Guide”. In the Guide, we elaborate on the information provided above, and include a section relating to “Secure Communications and HIPAA Compliance” which should assist all Security Officers with their risk assessments.

The post Electronic Records and HIPAA Compliance appeared first on HIPAA Journal.

HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

The House Committee on Energy and Commerce has urged the HHS to act on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, calling for prompt action to be taken to address risks.

The Cybersecurity Act of 2015 required HHS to form the Healthcare Cybersecurity Task Force to help identify and address the unique challenges faced by the healthcare industry when securing data and protecting against cyberattacks.

While healthcare organizations are increasing their spending on technologies to prevent cyberattacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data.

Earlier this year, the Healthcare Cybersecurity Task Force made a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet acted on all of the recommendations. The House Committee on Energy and Commerce has now urged the HHS to take action on all the Cybersecurity Task Force’s recommendations.

Last week, Greg Walden (R-OR), Chair of the House Committee on Energy and Commerce, wrote to the HHS, explaining that one of the main problems with new technologies is a lack of understanding of their hardware, software, and components.

In the letter, Walden explained, “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”

As Walden explained, the NotPetya and WannaCry ransomware attacks proved that to be the case. Those attacks leveraged a vulnerability in version 1 of the Windows Server Message Block protocol (SMBv1), and following the attacks, healthcare organizations were scrambling to determine which technologies within their networks used SMBv1 so that they could mitigate the risk. That task was made all the more difficult because information on which technologies used SMBv1 was lacking or simply unavailable.

Those ransomware/wiper attacks are just two examples. It was the same situation for the SamSam ransomware attacks that leveraged a vulnerability in JBoss, while in 2015, vulnerabilities in the Telnet protocol were discovered. Telnet was used in many medical devices, although which devices used Telnet was not abundantly clear.

“The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats,” wrote Walden.

Walden pointed out that the Cybersecurity Task Force has called for a Bill of Materials (BOM) as a possible solution to the problem. A Bill of Materials would exist for every medical technology, detailing all the components, software, hardware and protocols used, and any known risks associated with those components. Such a Bill of Materials would make it much easier for healthcare organizations to make security decisions and mitigate risk when new vulnerabilities are identified.

Having a Bill of Materials for all technologies would not completely protect the healthcare industry, but Walden explains it is a “common sense step” to improving cybersecurity in the industry as a whole.

The HHS has been urged to convene a sector-wide effort to develop a plan for the creation and deployment of BOMs. Walden called for a plan of action to be provided by the HHS no later than December 15, 2017.
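The letter's point is that the question asked after WannaCry, SamSam and the Telnet disclosures ("which of our devices contain the affected component?") can only be answered quickly if a per-device BOM exists. The following is an added example, not code from HIPAA Journal, HHS or the Task Force, of answering that question from a BOM. The BOM layout, the device names, versions and protocol lists are all invented for the example; the Task Force has not defined a BOM format, and the version threshold used for JBoss is illustrative, not a real affected-version boundary.

```python
"""Added example (not HHS, Task Force or HIPAA Journal code): answering
"which of our devices are exposed?" from a per-device bill of materials.
The BOM layout is a hypothetical one invented for this example."""
from typing import Any, Callable, Dict, List, Optional, Tuple

Bom = Dict[str, Any]
Predicate = Callable[[Bom], bool]

# Constructed inventory. Device names, component versions and protocol
# lists are made up; a real BOM would come from the manufacturer.
INVENTORY: List[Dict[str, Any]] = [
    {"device": "infusion-pump-07",
     "bom": {"components": [{"name": "Windows Embedded Standard 7", "version": "6.1.7601"}],
             "protocols": ["SMBv1", "HTTPS"]}},
    {"device": "pacs-server-01",
     "bom": {"components": [{"name": "JBoss Application Server", "version": "4.2.3"}],
             "protocols": ["HTTP", "DICOM"]}},
    {"device": "patient-monitor-12",
     "bom": {"components": [{"name": "VxWorks", "version": "6.9"}],
             "protocols": ["Telnet", "HL7"]}},
    {"device": "ct-scanner-02", "bom": None},   # vendor supplied no BOM at all
]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '6.1.7601' into (6, 1, 7601) so versions compare numerically;
    a non-numeric part (e.g. the 'GA' in '4.2.3.GA') counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def uses_protocol(protocol: str) -> Predicate:
    """Predicate: the device's BOM lists `protocol` (case-insensitive)."""
    wanted = protocol.lower()
    return lambda bom: wanted in (p.lower() for p in bom.get("protocols", []))


def runs_component(name: str, below: Optional[str] = None) -> Predicate:
    """Predicate: a component whose name contains `name` is present and,
    if `below` is given, its version is lower than `below`."""
    needle = name.lower()

    def pred(bom: Bom) -> bool:
        for comp in bom.get("components", []):
            if needle in comp["name"].lower():
                if below is None or version_key(comp["version"]) < version_key(below):
                    return True
        return False
    return pred


def triage(inventory: List[Dict[str, Any]], predicate: Predicate) -> Dict[str, List[str]]:
    """Split devices into affected / clear / unknown. A device with no BOM
    is 'unknown', never 'clear': absence of evidence is exactly the problem
    the letter describes, and it has to be chased up with the vendor."""
    result: Dict[str, List[str]] = {"affected": [], "clear": [], "unknown": []}
    for entry in inventory:
        bom = entry["bom"]
        if bom is None:
            result["unknown"].append(entry["device"])
        elif predicate(bom):
            result["affected"].append(entry["device"])
        else:
            result["clear"].append(entry["device"])
    return result


if __name__ == "__main__":
    # The questions that had to be answered after the incidents the letter names.
    print("SMBv1:", triage(INVENTORY, uses_protocol("SMBv1")))
    print("Telnet:", triage(INVENTORY, uses_protocol("Telnet")))
    # '5.0' is an illustrative threshold, not a real affected-version boundary.
    print("JBoss < 5.0:", triage(INVENTORY, runs_component("JBoss", below="5.0")))
```

The design choice worth noting is the third bucket: a device without a BOM is reported as unknown rather than silently passing, which is the state the letter says healthcare organizations were in after WannaCry. The predicates are plain functions, so a newly published issue becomes one new predicate rather than a new inventory walk.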


HIPAA Compliance for Self-Insured Group Health Plans

HIPAA compliance for self-insured group health plans – or self-administered group health plans – is one of the most complicated areas of HIPAA legislation.

The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed obligations on health care clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for electronic health care transactions, unique health identifiers, and data security.

The standards were developed by the U.S. Department of Health & Human Services and published in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidelines and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices.

Definition of a Self-Insured Group Health Plan

Due to the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to define what a self-insured group health plan is. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees as opposed to purchasing a “fully-insured” plan from an insurance carrier.

Typically, a self-insured employer will set up a special trust fund to earmark money (corporate and employee contributions) to pay incurred claims and either administer the plan themselves or – more commonly for larger employers – retain the services of an outside third-party administrator. A self-insured group health care plan can also include medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).

Exemptions from HIPAA Compliance for Self-Insured Companies

Exemptions from HIPAA compliance for self-insured companies are rare. Only if a group health plan is self-insured, self-administered and has fewer than fifty participants is the company exempt from HIPAA compliance – provided medical FSAs and HRAs are also administered by the employer and not an outside third-party administrator. Providing an employee assistance plan or wellness plan can also trigger HIPAA compliance for self-insured companies.

Not surprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance is applicable when neither the sponsor of a group health plan nor its insurance agent has any access to, or transmits, Protected Health Information (PHI) electronically. These “hands off” group health plans only occur in specific circumstances, and most self-insured group health plans will be subject to HIPAA compliance.

What Does HIPAA Compliance for Self-Insured Group Health Plans Consist Of?

As mentioned above, HIPAA compliance for self-insured group health plans is one of the most complicated areas of HIPAA legislation. This is not only because it can be difficult to determine whether a company is subject to the legislation, but also because compliance requirements will vary from company to company depending on factors such as its size, the nature of its business and its internal organization.

Appoint a Privacy and Security Officer

Companies with self-insured group health plans should start by appointing a HIPAA Privacy Officer and a HIPAA Security Officer. These positions can be performed by the same person and/or an existing employee, and their first role is to identify where, why, and to what extent PHI is created, received, maintained or transmitted by the group health plan. This will likely involve many different departments such as IT, legal, payroll and HR.

Develop HIPAA-Compliant Privacy Policies

Once the discovery of PHI is completed, the next stage of HIPAA compliance for self-insured group health plans is to develop HIPAA-compliant privacy policies establishing the permitted uses and disclosures of PHI. This should take into account third-party administrators who – as a Business Associate – will also have to comply with HIPAA, and with whom it will be necessary to enter into a HIPAA Business Associate Agreement.

Develop HIPAA-Compliant Security Policies

One of the requirements of the HIPAA Security Rule is for Covered Entities to implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI. In order to fulfil this requirement, Security Officers should conduct a risk assessment to identify any vulnerabilities that may lead to the unauthorized disclosure of electronic PHI, and – following a risk analysis – implement suitable measures and policies to address the vulnerabilities.

Develop a Breach Notification Policy

Despite a company's best efforts to achieve HIPAA compliance for self-insured group health plans, there may be a time when an unauthorized disclosure of PHI occurs. Self-insured companies need to be prepared for such occurrences, and should develop a breach notification policy covering how employees will be advised that their personal information may have been compromised and when the HHS Office for Civil Rights must be notified.

Employee Training is Essential

In order to enforce the policies and ensure HIPAA compliance for self-insured companies, employee training is essential. As members of a self-insured group health plan, each employee should be given a notice of the plan's privacy practices which can be used to explain why maintaining the integrity of PHI is essential. Each employee should also be given a copy of the company's sanction policy explaining the consequences of failing to comply with the privacy, security and breach notification policies.

Further Information about HIPAA Compliance for Self-Insured Companies

Further information about HIPAA compliance for self-insured companies can be found in our “HIPAA Compliance Guide”. Our free-to-download guide provides more detailed information about the HIPAA Privacy Rule, the administrative, physical and technical safeguards of the HIPAA Security Rule, and the process for conducting risk assessments and risk analyses. You will also be able to find more information on Business Associates and Business Associate Agreements – an essential part of HIPAA compliance for self-insured group health plans if your company uses the services of an outside third-party administrator.


Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks

A recent study conducted by the Ponemon Institute has highlighted current endpoint security trends, detailed the ever-present threat from ransomware, and shown that fileless malware attacks are on the rise.

Each year, endpoint attacks cost the healthcare industry more than $1 billion. The high cost of mitigating attacks and the growing threat means endpoint security should be a priority for healthcare organizations. Unfortunately, many healthcare organizations are continuing to rely on traditional cybersecurity technologies, which fail to adequately protect against new threats. Further, investment in cybersecurity defenses often involves doubling down on existing technologies, rather than strategic spending on new technologies that are far more effective at reducing the risk of endpoint attacks.

The Barkly-sponsored study surveyed 665 IT and security professionals. 54% of respondents said they had experienced at least one successful endpoint attack in the past 12 months. Ransomware attacks are rife. More than half of respondents said they had experienced at least one successful ransomware attack this year, while 40% of respondents said they had experienced multiple ransomware attacks.

Oftentimes, organizations pay the ransom to quickly regain access to their data; others are left with no alternative but to pay. 65% of surveyed companies reported that they had paid a ransom demand to regain access to their files. The average ransom payment was $3,675.

The threat from ransomware is unlikely to go away. As long as the attacks are profitable, they will continue. A recent report from Cybersecurity Ventures suggests worldwide ransomware damages will reach $5 billion this year and will rise to $11.5 billion in 2019. To put those figures into perspective, the cost of ransomware attacks in 2015 was $325 million.

One of the most worrying endpoint security trends highlighted in the Ponemon Institute report was fileless malware. Fileless malware attacks have increased considerably in the past 12 months. Out of all organizations that reported experiencing at least one endpoint attack, 77% said at least one of those attacks involved an exploit or fileless malware. Overall, 29% of organizations have experienced a fileless malware attack, up from 20% last year. Ponemon also reports that fileless malware attacks are 10 times more likely to succeed than other types of malware attacks.

The cost of endpoint attacks is considerable. On average, it costs $301 per employee to mitigate an attack – or $5,010,600 per company, per year, on average. The healthcare industry alone has spent $1.3 billion in the past year mitigating endpoint attacks. Those costs are broken down as 30% due to loss of productivity, 25% due to system downtime, and 23% due to theft of information assets.

Preventing endpoint attacks is seen as a major problem, with more than half of respondents (54%) not believing that endpoint attacks can actually be stopped. Antivirus solutions are necessary to prevent malware infections, although they are rarely effective against current threats such as fileless malware.

“This survey reveals that ignoring the growing threat of fileless attacks could be costly for organizations,” said Ponemon Institute Chairman and Founder Dr. Larry Ponemon. “The cost of endpoint attacks in the companies represented in this study could be as much as $5 million, making an enterprise-wide endpoint security strategy more important than ever.”

The shortfalls of AV software have led many companies to invest in new technologies such as endpoint detection and response solutions, although those solutions do not prevent attacks, only limit the harm caused when they do occur.

50% of companies said they are planning to replace or augment their current endpoint security systems with new tools. Many respondents, however, reported problems with the endpoint security systems they have: a high false positive rate, complex management of the solutions, and protection gaps that remain even once the solutions are deployed.


HIPAA Compliance for HR Departments

Businesses not directly involved in the healthcare or healthcare insurance industries should nonetheless pay close attention to HIPAA compliance for HR departments. It has been estimated that a third of all workers and their dependents who receive occupational healthcare benefits do so through a self-insured group health plan.

Although this does not mean a self-insuring business automatically becomes a HIPAA-Covered Entity – and thereby subject to HIPAA regulations – the likelihood is the HR department will have some involvement with insurance-related tasks. During the execution of the insurance-related tasks, HR personnel will undoubtedly come into contact with Protected Health Information.

Why HIPAA Compliance for HR Departments is Important

The original purpose of the Health Insurance Portability and Accountability Act (HIPAA) was to improve the portability and continuity of health insurance coverage. As the Act progressed through Congress, amendments were added with the intention of combating waste, fraud and abuse in the health insurance and healthcare industries.

As a result of these amendments, the HIPAA Privacy and Security Rules were introduced. The Rules restrict access to and use of Protected Health Information (PHI), primarily to give patients and members of group healthcare plans control over how their personal information is used. For example, healthcare organizations can no longer use a patient's PHI for marketing activities without the patient's consent.

A further purpose of restricting access to PHI is to prevent one person using somebody else's PHI to obtain free healthcare – effectively identity theft. As the costs of medical treatment have increased, so has the value of healthcare data. A 2014 report calculated a full dossier of healthcare data on the black market is worth upwards of $1,200. By comparison, a stolen Visa card is worth $4.

Major Areas of HIPAA Compliance for HR Departments

There are four major areas of HIPAA compliance in which HR personnel should be well-versed. These relate to understanding the key components of the Privacy and Security Rules, helping employees understand their rights under HIPAA legislation, safeguarding the PHI of employees, and working with Covered Entities and Business Associates with whom PHI is shared.

These areas of HIPAA compliance for HR departments are comprehensively covered in our “HIPAA Compliance Guide” – a free booklet summarizing the law and its implications. However, there are some areas of HIPAA compliance which – although not unique to HR – sometimes get overlooked in the effort to achieve HIPAA compliance:

Don´t Assume the IT Department is Responsible for Security Rule Compliance

An IT manager is usually designated as the HIPAA Security Officer, with responsibility for ensuring every department within the company complies with the Security Rule. That designation does not move the responsibility out of HR: the Security Rule applies to the PHI that HR handles, and HR personnel should not assume that security is somebody else's job.

Remember to Send Updates and Reminders of Privacy Practice Notices

Employees enrolled in a self-insured group health plan must be given a Privacy Practice Notice informing them of their HIPAA-related rights. Most HR departments remember to do this, but some forget to send updates when privacy practices are revised, and a reminder at least once every three years.

Maintain a Written Policy for Investigating and Resolving Complaints

Although not required by HIPAA, a policy should be in place to record privacy complaints, investigations and resolutions. This will be of significant benefit to the company, and to the HR department in particular, if an employee pursues their complaint to the Department of Health & Human Services.

Don´t Overlook State Privacy Law Compliance

The relationship between HIPAA and state privacy laws is a source of confusion for some people. HIPAA pre-empts any state privacy laws with weaker privacy protection, but not those that provide stronger privacy protection. In the quest for HIPAA compliance, HR departments should not overlook state requirements.


Patches Released to Address Critical Intel Firmware Vulnerabilities

Patches have been released to address several Intel firmware vulnerabilities that affect 6th, 7th and 8th Generation Intel Core processors, and Xeon, Atom, Apollo Lake, and Celeron processors.

While the patches have been released by Intel, it is likely to take days or weeks before they can be applied. Intel processors are used by a wide variety of PC and laptop manufacturers, which are now required to customize the patches to ensure they are compatible with their systems.

The patches were released late on Monday to fix vulnerabilities that could potentially be exploited by attackers to load and run arbitrary code outside the operating system, unbeknown to users.

If exploited, attackers could crash systems, cause system instability, or gain access to privileged system information. Millions of PCs and servers around the world have these vulnerabilities and require the patches to be applied. Most organizations around the world will have at least one device containing one of the Intel firmware vulnerabilities.

The vulnerabilities have been assigned eight CVEs: four affect Intel Management Engine (ME) firmware (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712), two affect Server Platform Services (SPS) 4.0.x.x (CVE-2017-5706, CVE-2017-5709), and two affect Intel Trusted Execution Engine (TXE) 3.0.x.x (CVE-2017-5707, CVE-2017-5710). ME, SPS and TXE are embedded firmware components that provide out-of-band management and code integrity checks on Intel-powered hardware.

Four of the bugs were identified by security researchers at Positive Technologies, prompting Intel to conduct a full review, which revealed a further four Intel firmware vulnerabilities.

The good news is that exploiting the vulnerabilities requires local access to the device. While an insider with that access could run arbitrary code on the Management Engine, it is possible that other vulnerabilities, if they exist, could be chained by external actors to reach these flaws without a local user at the vulnerable device.

The flaws in the Management Engine (ME) are serious because the ME is the basis for trust on a system. The ME performs checks to ensure firmware hasn't been tampered with, so vulnerabilities in the Management Engine could be exploited to change the way those checks are performed.

For example, if a firmware update is attempted, the ME could report that the update has been applied, when it hasn’t. System administrators would believe that devices have been patched, when they remain vulnerable.

Further, since the ME is never switched off, unless power is totally cut to a device, even if the operating system is rebooted, the ME may remain compromised.

Unfortunately, there are no real workarounds other than applying the patches. Manufacturers are now working on customizing Intel’s patches, although since the vulnerabilities affect multiple processors, the process of customizing patches, testing them, and rolling them out could take several weeks.

Lenovo and Dell have already published lists of more than 100 affected systems, with the former expecting to roll out its patches by the end of the month.

Currently it is not believed that any of the vulnerabilities are being actively exploited, although that is almost certain to change over the coming weeks.

A tool has been released to check for the Intel firmware vulnerabilities detailed in security bulletin INTEL-SA-00086, which can be downloaded from the Intel website.
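What Intel's tool ultimately does is compare the firmware version the engine reports against the version that fixes its branch. The following is an added example, not Intel's detection tool and not code from this page, of that comparison for a fleet. The branch families (ME 11.x, SPS 4.0, TXE 3.0) are those named in the bulletin; the fixed version numbers, the `/sys/class/mei/mei0/fw_ver` line format, the hostnames and the reported versions are all assumptions made for the example and must be replaced with the values in your OEM's advisory.

```python
"""Added example (not Intel's INTEL-SA-00086 detection tool and not code
from this page): deciding whether a reported ME/SPS/TXE firmware version
is at or above the fixed version for its branch."""
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int, int]

# One row per affected firmware branch: engine, lowest and highest
# affected major.minor, and the version that fixes that branch.
# Branch families follow the bulletin (ME 11.x, SPS 4.0, TXE 3.0); the
# fixed versions are ASSUMED placeholders. Replace them with the values
# in your OEM's advisory, since each OEM ships its own build of the fix.
ADVISORY: List[Tuple[str, Tuple[int, int], Tuple[int, int], Version]] = [
    ("ME",  (11, 0),  (11, 7),  (11, 8, 50, 3425)),
    ("ME",  (11, 10), (11, 10), (11, 11, 50, 1422)),
    ("ME",  (11, 20), (11, 20), (11, 21, 51, 1457)),
    ("SPS", (4, 0),   (4, 0),   (4, 0, 4, 0)),
    ("TXE", (3, 0),   (3, 0),   (3, 1, 50, 2222)),
]


def parse_version(text: str) -> Version:
    """Extract major.minor.hotfix.build from a reported string. Accepts a
    bare '11.8.50.3425' or a 'platform:version' line such as
    '0:11.8.50.3425' (the format assumed here for the Linux mei driver's
    /sys/class/mei/mei0/fw_ver attribute)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    major, minor, hotfix, build = (int(x) for x in m.groups())
    return (major, minor, hotfix, build)


def assess(engine: str, reported: str, advisory=ADVISORY) -> str:
    """Return 'patched', 'vulnerable' or 'not covered' (the version lies
    outside every branch in the advisory, so this bulletin says nothing
    about it). The comparison is branch-aware: 11.8.x is the fix branch
    for 11.0-11.7, so 11.8.49.x is still vulnerable, and 11.10.x is
    judged against its own fix rather than against 11.8."""
    v = parse_version(reported)
    for eng, lo, hi, fixed in advisory:
        if eng != engine:
            continue
        if lo <= v[:2] <= hi or v[:2] == fixed[:2]:
            return "patched" if v >= fixed else "vulnerable"
    return "not covered"


def summarize(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status from (host, engine, reported version) rows,
    e.g. rows collected by running the OEM tool across a fleet."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "not covered": []}
    for host, engine, reported in inventory:
        out[assess(engine, reported)].append(host)
    return out


# Constructed fleet data for the stand-alone run; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-017", "ME", "0:11.6.29.3287"),
    ("ws-018", "ME", "0:11.8.50.3425"),
    ("srv-03", "SPS", "4.0.3.0"),
    ("nuc-05", "ME", "12.0.6.1120"),
]

if __name__ == "__main__":
    import pathlib
    fw_ver = pathlib.Path("/sys/class/mei/mei0/fw_ver")
    if fw_ver.exists():   # local check: the ME itself is the source of this number
        line = fw_ver.read_text().splitlines()[0]
        print(line, "->", assess("ME", line))
    print(summarize(SAMPLE_INVENTORY))
```

The caveat the article itself raises applies to any check of this kind: the version string is reported by the ME, and a compromised ME could misreport it. Treat the result as evidence that a host still needs the OEM update, never as proof that one has been applied.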


3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group

A man linked to the hacking group TheDarkOverlord has been sentenced to serve three years in jail for fraud and blackmail offenses, although not for any cyberattacks or extortion attempts related to the TheDarkOverlord gang.

Nathan Wyatt, 36, from Wellingborough, England, known online as the Crafty Cockney, pleaded guilty to 20 counts of fraud by false representation, a further two counts of blackmail, and one count of possession of a false identity document with intent to deceive.

Last week, at Southwark Crown Court, Wyatt was sentenced to serve three years in jail by Judge Martin Griffiths. At the sentencing hearing, Judge Griffiths suggested Wyatt was responsible for many more crimes other than those pursued via the courts. Some of those offenses are related to the TheDarkOverlord.

In September last year, Wyatt was arrested for attempting to broker the sale of photographs of Pippa Middleton, which had been obtained from a hack of her iPhone. Pippa Middleton is the sister of the Duchess of Cambridge. The charges in relation to that incident were dropped and Wyatt maintains he was not responsible for the hack.

During the course of that investigation, Wyatt’s computer was seized. An analysis of the device revealed he had been involved in other crimes. Initially, Wyatt was arrested for using a false identity document and fraud offenses in January this year, and was arrested a second time in March for blackmail offenses.

Police discovered that Wyatt had used stolen credentials to apply for a payment card, although the application was denied. Wyatt had also used his deceased stepfather's credit card to make a string of online purchases, including purchases of computer games and mobile phones. Wyatt racked up debts in the region of £4,750 on the card, according to the Northamptonshire Telegraph.

An extortion attempt saw Wyatt use the name “The Dark Overlords” on a ransom demand in which he attempted to obtain a payment of €10,000 in Bitcoin from a UK legal firm. Wyatt stole around 10,000 files from the unnamed Humberside law firm using malware to gain access to the files on the law firm’s server.

In that extortion attempt, Wyatt said that he was planning to sell the stolen files to buyers in Russia and China if the ransom demand wasn’t paid. The files included scans of driver’s licenses and passports. It is unclear whether Wyatt hacked the law firm or if he used stolen credentials to gain access to its system to install malware.

Wyatt’s partner, Kelly Walker, 35, was also arrested and charged with handling stolen goods and encouraging or assisting offenses, but she was acquitted when prosecutors failed to provide any evidence to support the charges.

It is unclear whether Wyatt was a core member of the Dark Overlord hacking group, a fringe player, or a copycat who used the group's name. Dissent from Databreaches.net pointed out in a recent blog post that Wyatt was allegedly supposed to make a call to one of the Dark Overlord's victims in Georgia to put pressure on the clinic to pay the ransom demand. Wyatt was also allegedly responsible for opening bank accounts in the UK on behalf of the Dark Overlord to take payments sent from hacking victims in the United States.

Wyatt is likely to be released in 18 months. In the UK, prisoners serving between 1 and 4-year jail terms are usually released after they have served half of their sentence, with the rest of the sentence served on probation. Wyatt has not been charged for any offenses in the United States.


HIPAA Compliance for Community Health Centers

There is an argument that there should be a different level of HIPAA compliance for community health centers, due to community health centers having fewer resources available to them than other Covered Entities. Unfortunately, due to the complexity of the Health Insurance Portability and Accountability Act (HIPAA), introducing different levels of HIPAA compliance for community health centers would be logistically complex and lead to demands for other “special interest groups” to be taken into account.

A list of “special interest groups” could be extensive. Should charity-funded hospices, for example, have the same level of HIPAA compliance as privately-owned, for-profit medical centers? It may not seem fair, but the answer is “Yes”. This is because a breach of Protected Health Information (PHI) from any source is still a breach of PHI, and the potential consequences of a breach (identity theft, insurance fraud, etc.) will be no different, regardless of how, where or when the breach occurred.

The Purpose of HIPAA Compliance for Community Health Centers

The purpose of HIPAA compliance for community health centers is to safeguard the privacy of patients and protect against the misuse of their PHI. In order to achieve this, the Department of Health & Human Services has published Privacy and Security Rules and a Breach Notification Rule which Covered Entities (healthcare providers, healthcare plans and healthcare clearinghouses) have to comply with. These Rules cover the use, disclosure, storage and transmission of all forms of PHI (i.e. paper, electronic, etc.).

Community health centers not only have to comply with these Rules themselves, they have to make sure any “Business Associate” with which they share PHI is also HIPAA-compliant, and a written Business Associate Agreement must be in place before any PHI is shared. Business Associates are persons or entities outside the health center´s workforce that create, receive, maintain or transmit PHI on its behalf, or that may have access to PHI in the course of providing a service for the community health center. The list of potential Business Associates is extensive and can include lawyers, accountants, and cloud service providers.

Where to Start with HIPAA Compliance for Community Health Centers

The first stage of achieving HIPAA compliance for community health centers is to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. These roles can be fulfilled by the same person, who can either be somebody brought in to oversee HIPAA compliance or an existing member of the health center team. It is also possible to appoint a company to assist with HIPAA compliance during the preliminary stages, and then have an existing member of staff take over the positions once the basic requirements are met.

The Officer(s) responsible for HIPAA compliance should first conduct a risk assessment in order to identify areas of the community health center´s operations in which vulnerabilities exist that may result in the unauthorized disclosure of PHI. The Officer(s) should evaluate existing privacy and security policies in order to determine whether they are configured and followed as necessary, and then perform a risk analysis to draw up an action plan of the measures required to achieve HIPAA compliance.

Develop HIPAA-Compliant Policies and Train (and Re-Train) Employees

The action plan will help Privacy and Security Officers prioritize the most crucial vulnerabilities preventing HIPAA compliance for community health centers. Measures need to be implemented to mitigate the risks of a data breach and policies developed to make sure the measures are understood and adhered to. This will involve employee training and the development of a sanctions policy informing employees of the consequences of failing to comply with the new policies.

Employee training should not be regarded as an item to tick off a HIPAA compliance checklist. It should be ongoing and, due to the complexity of HIPAA, more frequent than the annual training suggested by the Department of Health & Human Services. In order to be effective, training about HIPAA compliance for community health centers should address different issues in short sessions. The content of a day´s compressed training is unlikely to be remembered until the next training session one year later.

Further Information about HIPAA Compliance for Community Health Centers

Further information about HIPAA compliance for community health centers can be found in our free-to-download “HIPAA Compliance Guide” – an invaluable review of the legislation that includes more about what constitutes PHI, the contents of the Privacy, Security and Breach Notification Rules, and how relationships with Business Associates should proceed.

There are multiple benefits of achieving and maintaining HIPAA compliance for community health centers. Eligibility for HRSA Section 330 grants and Meaningful Use incentive payments can depend on HIPAA compliance, plus patients will feel happier knowing the integrity of their personal data is being safeguarded. Make sure the community health center under your care is HIPAA compliant. Download our guide today.


Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services

Rocky Mountain Health Care Services of Colorado Springs has discovered an unencrypted laptop has been stolen from one of its employees. This is the second such incident to be discovered in the space of three months.

The latest incident was discovered on September 28. The laptop computer was discovered to contain the protected health information of a limited number of patients. The types of information stored on the device included first and last names, addresses, dates of birth, health insurance information, Medicare numbers, and limited treatment information.

The incident has been reported to law enforcement and patients impacted by the incident have been notified by mail.

Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long Term Care, discovered on June 18, 2017 that a mobile phone and a laptop computer had been stolen from a former employee. The devices contained names, dates of birth, addresses, limited treatment information, and health insurance details.

To date, only one of those incidents has appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal. That incident, reported on November 16, indicates 909 patients were impacted. It is unclear whether this is the first or second laptop theft.

In response to the breaches, Rocky Mountain Health Care Services has been reviewing its policies and procedures with respect to the security of patient information and portable electronic devices, and is considering incorporating mobile device management technologies and data encryption for its portable electronic devices.

As the Office for Civil Rights breach portal shows, the loss and theft of unencrypted portable electronic devices is still a major cause of healthcare data breaches, and one that the use of data encryption technologies can easily prevent. Under the Breach Notification Rule, ePHI that has been encrypted in line with HHS guidance is not considered “unsecured” PHI, so the loss or theft of a properly encrypted device (with the key not stored on or with the device) does not trigger notification obligations. So far in 2017, there have been 31 breaches reported by covered entities and business associates that have involved the loss or theft of unencrypted laptop computers and other portable electronic devices.
