HIPAA Compliance News

OCR Offers Advice on Managing Malicious Insider Threats

Posted by HIPAA Journal

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within.

Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain.

There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of all security incidents and data breaches analyzed for the report were caused by insiders.

Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient information for financial gain. Common malicious insider attacks include accessing the medical records of celebrities for financial gain and stealing patient data to commit identity theft and fraud.

These attacks can have grave implications for patients, who may suffer huge losses from identity theft and other misuses of their PHI. The attacks can also cause financial and reputational harm to the healthcare organization and expose the organization to regulatory fines. Memorial Healthcare System was fined $5.5 million for HIPAA violations related to the inappropriate access and theft of health data by some of its employees in 2012.

This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued advice to healthcare organizations on how they can reduce the risk of insider breaches and ensure they are detected rapidly when they do occur.

In its 2019 Summer Cybersecurity Newsletter, OCR offers tips on overcoming the challenges associated with protecting patient data from attacks from within and explains how risk can be managed to comply with HIPAA Rules.

In order to protect patient data, healthcare providers must know all locations whether patient information is stored and how that information flows throughout the organization. Without such knowledge it is impossible to conduct a thorough and accurate risk analysis to determine all risks to the confidentiality, integrity, and availability of patient data and reduce those risks to a reasonable an appropriate level.

Physical, technical and administrative access controls must be implemented to protect patient data against unauthorized access from within. Role-based access controls can help to reduce risk by preventing employees from accessing resources they are not authorized to use. Those controls should limit access to the minimum necessary information required to perform that individuals work duties.

OCR also reminds covered entities that they should control what individuals are able to do with patient data. If view only access is required, users should not be able to modify, delete, or download data. Controls should be implemented to prevent access from certain devices such as smartphones and the copying of data to portable storage devices such as zip drives.

The complex nature of healthcare IT systems makes it hard to achieve total visibility into the entire network and see every device in use. However, without full visibility, it is difficult to identify unauthorized data access quickly. OCR reminds covered entities that they must overcome the challenges and gain visibility into what users are doing on the network. Security teams must regularly check system, event, application, and audit logs in order to quickly detect suspicious activity and unusual patterns of data access. It may not be possible to prevent insider breaches, but when they occur, they must be identified and rectified promptly. There have been many cases of insiders accessing patient records without authorization for several years before the breach is detected.

Safeguards can be implemented, and policies and procedures developed to reduce risk, but those measures may not remain effective forever. Security is a dynamic process. Safeguards, policies and procedures need to be regularly assessed to ensure they continue to be effective. Access rights should be monitored and changed as appropriate when employees change role or transfer to a different department, and physical and electronic access to data must be terminated quickly when employees leave the organization.

Preventing and detecting attacks by malicious insiders is certainly a challenge, but by recognizing the risks and implementing appropriate safeguards, the risk of a breach can be managed and reduced to an acceptable level.

The post OCR Offers Advice on Managing Malicious Insider Threats appeared first on HIPAA Journal.

July 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July.

July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018.

July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July.

There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches

 

The main reason for the increase in reported data breaches in July is the colossal data breach at American Medical Collection Agency (AMCA). AMCA provides medical billing and collection services and its clients included some of the largest medical testing laboratories in the United States. Those clients have now been lost as a result of the breach.

The final victim count is not yet known, nor the number of records compromised in the breach. To date, 22 healthcare organizations have confirmed they have been affected and more than 24 million records are known to have been exposed. At least 8 healthcare organizations have not yet submitted their breach reports to OCR.

Healthcare Providers Impacted by the American Medical Collection Agency Data Breach

  Healthcare Organization Estimated Records Exposed Confirmed Victim Count
1 Quest Diagnostics/Optum360 11,900,000 11,500,000
2 LabCorp 7,700,000 10,251,784
3 Clinical Pathology Associates 2,200,000 1,733,836
4 Carecentrix 500,000 467,621
5 American Esoteric Laboratories 541,900 409,789
6 Inform Diagnostics 173,617 173,617
7 Laboratory Medicine Consultants 147,600 140,590
8 Integrated Regional Laboratories 29,644 29,644
21 Penobscot Community Health Center 13,000 13,299
9 West Hills Hospital and Medical Center / United West Labs 10,650 10,650
10 Seacoast Pathology, Inc 10,000 8,992
11 Arizona Dermatopathology 7,000 5,903
12 Western Pathology Consultants 4,550 4,079
13 Natera 3,000 3,035
14 Sunrise Medical Laboratories 427,000 TBC
15 BioReference Laboratories/Opko Health 422,600 TBC
16 CBLPath Inc. 148,900 TBC
17 CompuNet Clinical Laboratories 111,000 TBC
18 Austin Pathology Associates 46,500 TBC
19 South Texas Dermatopathology PLLC 16,100 TBC
20 Pathology Solutions 13,300 TBC
22 Laboratory of Dermatology ADX, LLC 4,240 TBC

 

Hacking and IT incidents dominated the breach reports in July with 35 incidents reported. Those breaches resulted in the exposure of 23,203,853 healthcare records. The average breach size was 662,967 records and the mean breach size was 4,559 records.

There were 9 unauthorized access/disclosure incidents in July involving 2,160,699 healthcare records. The average breach size was 240,077 records and the mean breach size was 3,881 records.

There were three theft incidents reported that involved 3,584 records, 2 loss incidents that exposed 4,593 records, and one improper disposal incident that exposed 3,000 records.

Largest Healthcare Data Breaches in July 2019

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Optum360, LLC Business Associate 11,500,000 Hacking/IT Incident Network Server
Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10,251,784 Hacking/IT Incident Network Server
Clinical Pathology Laboratories, Inc. Healthcare Provider 1,733,836 Unauthorized Access/Disclosure Network Server
CareCentrix, Inc. Healthcare Provider 467,621 Hacking/IT Incident Network Server
Bayamon Medical Center Corp. Healthcare Provider 422,496 Hacking/IT Incident Network Server
Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409,789 Unauthorized Access/Disclosure Network Server
Laboratory Medicine Consultants, Ltd. Healthcare Provider 140,590 Hacking/IT Incident Network Server
Imperial Health, LLP Healthcare Provider 116,262 Hacking/IT Incident Desktop Computer, Network Server
Puerto Rico Women And Children’s Hospital, LLC Healthcare Provider 99,943 Hacking/IT Incident Network Server
Ameritas Life Insurance Corp. Health Plan 39,675 Hacking/IT Incident Email

Location of Breached Protected Health Information

There was a major increase in network server incidents in July. The rise was due to the AMCA breach but also an uptick in ransomware attacks on healthcare providers. Phishing also continues to pose problems for healthcare organizations. 21 of the breaches reported in July involved PHI stored in email accounts.

The number of reported phishing attacks strongly suggests multi-factor authentication has not yet been implemented by many healthcare organizations. If credentials are compromised, MFA can help prevent the email account from being remotely accessed.

July 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in July with 39 breaches reported. Three health plans reported breaches and there were 8 breaches reported by business associates of HIPAA covered entities. A further 18 healthcare data breaches had some business associate involvement.

July 2019 Healthcare Data Breaches by State

July’s 50 data breaches were spread across 26 states and Puerto Rico. Typically, California experiences the most data breaches in any given month due to the number of healthcare organizations based in California; however, California only saw one healthcare data breach reported in July.

Minnesota was the worst affected state with 6 reported breaches. Four breaches were reported by healthcare organizations based in Michigan, Pennsylvania, and Texas. Three breaches were reported in Nevada and Tennessee, two breaches were reported in each of North Carolina, Ohio, Wisconsin, and Puerto Rico.

One breach was reported in each of Alabama, Arkansas, Arizona, California, Connecticut, Georgia, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Missouri, Nebraska, New Hampshire, New York, Oregon, and South Carolina.

HIPAA Enforcement Activity in July 2019

It has been a relatively quiet year for HIPAA enforcement by the HHS’ Office for Civil Rights. While there were two settlements agreed in May 2019 to resolve HIPAA violations, no further financial penalties have been announced.

State Attorneys General also have the authority to take action against healthcare organizations that have violated HIPAA Rules. July saw one settlement reached between Premera Blue Cross and 30 state attorneys general over its 10.4 million-record data breach in 2014.

Under the terms of the settlement agreement, Premera Blue Cross is required to pay a financial penalty of $10,000,000 to resolve the HIPAA violations discovered during the Washington Attorney General-led investigation.

In addition to the $10 million penalty, Premera Blue Cross settled a class action lawsuit for $74 million. $32 million will cover claims from breach victims and $42 million will be directed toward improving cybersecurity.

The post July 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records

Posted by HIPAA Journal

The Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed a new rule that loosens restrictions on substance use disorder (SUD) treatment records, aligning Part 2 regulations more closely with HIPAA.

The new rule, proposed on August 22, is the first element of the HHS’s Regulatory Sprint to Coordinated Care initiative, which will also see changes made to HIPAA, the Anti-Kickback Statute, and Stark Law.

SUD treatment records are covered by Confidentiality of Substance Use Disorder Patient Records regulations – 42 CFR Part 2 (Part 2). Part 2 pre-dates HIPAA by two decades and was introduced at a time when there were no broader privacy and security standards for health data. Part 2 regulations were required to protect the privacy of patients by severely restricting the allowable uses and disclosures of SUD treatment records. When Part 2 was introduced, there was a stigma associated with SUD and without privacy protections, many individuals suffering from the disorder may have avoided seeking treatment.

Since 1975, further privacy and security laws have been introduced. The HIPAA Security Rule requires all HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) and the HIPAA Privacy Rule restricts uses and disclosures of that information. However, Part 2 requires additional protections for SUD records than those for PHI and ePHI.

It is important to protect the privacy of patients and ensure that SUD information is safeguarded against unauthorized access as the information could be misused, but it is also essential for SUD treatment information to be made available to healthcare providers to better support care coordination.

The proposed rule does not change the privacy framework of Part 2, it just eases restrictions on SUD treatment records and removes some of the complexity of Part 2 regulations. While there is closer alignment with HIPAA, the proposed changes fall short of full harmonization with HIPAA Rules.

One on the most important changes concerns the separation of SUD treatment records from an individual’s medical record. The proposed rule would allow a healthcare provider to record SUD information in that individual’s medical record, provided the SUD information was willingly given by the patient. SUD treatment records created by federally assisted substance use disorder (SUD) treatment programs still need to be segregated.

The language of Part 2 has been changed to clarify that, with written consent, SUD records can be shared for payment and healthcare operations. Another clarification has been made on procedures during emergency situations, when additional protections for SUD records are suspended.

Under the proposed rule, providers who do not provide opioid treatments would be permitted to access a central registry of patients who have enrolled in treatment programs. Enrollment in an opioid treatment program would involve consent to have treatment information shared with the central registry. This update is intended to help prevent accidental overdoses.  Opioid treatment programs will be permitted to sign up with a state prescription drug monitoring program and report on the Schedule II to V drugs that have been dispensed or prescribed.

Changes have also been proposed that make it easier for patients to share their SUD records with non-medical entities such as the Social Security Administration. Currently, a patient would need to provide the name of a person within a non-medical entity who is authorized to receive their records. Under the proposed rule, a patient could give consent to share the records with the entity as a whole.

Business associates that have been provided with SUD records for research purposes will be permitted to disclose that information to entities not covered by HIPAA for similar purposes.

Part 2 requires providers to sanitize devices containing SUD treatment records. Under the proposed rule, the information would only need to be deleted as sanitization typically involves the destruction of the device.

A restriction has been removed that prevented the courts from disclosing substance use records as part of an investigation into a serious crime that was not believed to have been committed by the patient. The time that undercover agents can stay in a Part 2 program has also been extended from 6 months to one year.

There have been calls from many healthcare associations and healthcare provider groups calling for Part 2 regulations to be aligned with HIPAA. Such a change would require approval on Capitol Hill. Recently, the National Association of Attorneys General (NAAG) called for leaders in the House and Senate to support changes to Part 2, and support is required. As HHS Secretary Alex Azar explained in a press meeting on Thursday, the HHS can only propose changes. In order to align Part 2 with HIPAA, House and Senate approval is required. Secretary Azar has expressed support for such changes.

“We do believe the proposed changes are very common sense, responsive changes to concerns by both patients and providers,” said Azar. While important changes have been made, many will feel the HHS has not done enough. Azar accepts that the proposed rule will not satisfy all calls for Part 2 reform, “We believe we’re going as far as we can.”

The post HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records appeared first on HIPAA Journal.

Study Raises Awareness of Threat of Lateral Phishing Attacks

Posted by HIPAA Journal

A recent study by the University of San Diego, University of California Berkeley, and Barracuda Networks has shed light on a growing threat to healthcare organizations – Lateral phishing.

In a standard phishing attack, an email is sent containing an embedded hyperlink to a malicious website where login credentials are harvested. The emails contain a lure to attract a click. That lure is often tailored to the organization being attacked. These phishing emails are relatively easy to identify and block because they are sent from outside the organization.

Lateral phishing is the second stage in the attack. When an email account is compromised, it is then used to send phishing emails to other employees within the organization. Phishing emails are also sent to companies and individuals with a relationship with the owner of the compromised account.

This tactic is very effective. Employees are trained to be suspicious of emails from unknown senders. When an email is received from a person in the organization that usually corresponds with the employee via email, there is a much higher chance of a requested action being taken.

Lateral phishing is one of several types of email account takeover attacks. One of the most common is Business Email Compromise (BEC). With BEC, the aim of the attack is to gain access to the credentials of the CEO. The account is then used to request fraudulent wire transfers. Lateral phishing is primarily concerned with credential theft rather than financial fraud. The goal is to compromise as many accounts as possible within an organization.

For the study, the researchers took a detailed look at phishing and lateral phishing attacks at 100 organizations and identified the strategies being used, the sophistication of the attacks, and which techniques were the most successful.

1 in 7 of the organizations studied had experienced a lateral phishing attack and 180 lateral phishing attacks were identified. In 11% of attacks, further email accounts within the organization were compromised. The researchers note that in 42% of cases, the lateral phishing emails were not reported to the IT department or security team. This failure to report could mean an account breach remains undetected and the compromised email account can continue to be used.

55% of the attacks targeted individuals with a personal or work relationship with the company and almost all emails were sent during regular working hours.

The attackers followed four main strategies when conducting attacks. The most common, used in 45% of attacks, was the sending of generic phishing messages. The most common lures were “shared document” and “account problem.” 63% of all lateral phishing emails were commonplace messages, 30% were refined messages, and 7% were highly targeted.

In 29% of attacks, the email account was used to send tailored messages to close and recent contacts. 25% of attacks involved sending messages to dozens to hundreds of employees. Only 1% of attacks were on business associates of the organization.

In 31% of cases, the phishers use stealth tactics to add realism to their campaigns and evade detection. It is common for emails to be deleted from the sent folder in the compromised account to ensure an account compromise is not detected by the account owner. The researchers found that emails were also deleted from the recipient’s account. This tactic was used in 19.5% of hijacked accounts. In 17.5% of cases, the attackers responded to replies from the recipient of the phishing email to convince them that the request was genuine.

Defending against these attacks requires a three-pronged approach. Security awareness training for employees is essential. All employees should be made aware of the threat of phishing from within the organization.

Two-factor authentication will help to ensure that even in the event that credentials are obtained, they cannot be used to remotely access an email account.

Finally, organizations should invest in advanced detection techniques and solutions that can identify and delete phishing emails before they reach end users’ inboxes.

The post Study Raises Awareness of Threat of Lateral Phishing Attacks appeared first on HIPAA Journal.

32% of Healthcare Employees Have Received No Cybersecurity Training

Posted by HIPAA Journal

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches.

The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada.

The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace.

Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA.

Even when training is provided, it is often insufficient. 11% of respondents said they received cybersecurity training when they started work but had not received any training since. 38% of employees said they were given cybersecurity training each year, and a fifth (19%) of healthcare employees said they had been provided with cybersecurity training but did not feel they had been trained enough.

32% of respondents said they had been provided with a copy of their organization’s cybersecurity policy but had only read it once and 1 in 10 managers were not aware if their company had a cybersecurity policy.  40% of healthcare workers in the United States were unaware of the cybersecurity measures protecting IT devices at their organization.

Training on HIPAA also appears to be lacking. Kaspersky Lab found significant gaps in employees’ knowledge of regulatory requirements. For instance, 18% of respondents were unaware what the Security Rule meant and only 29% of respondents were able to identify the correct meaning of the HIPAA Security Rule.

Kaspersky Lab researchers recommend hiring a skilled IT team that understands the unique risks faced by healthcare organizations and has knowledge of the tools that are required to keep protected health information safe and secure.

It is also essential to address data security and regulatory knowledge gaps. IT security leaders must ensure that every member of the workforce receives regular cybersecurity training and is fully aware of the requirements of HIPAA.

It is also important to conduct regular assessments of security defenses and compliance. Companies that fail to regularly check their cyber pulse can identify and address vulnerabilities before they are exploited by hackers and cause a costly data breach.

The post 32% of Healthcare Employees Have Received No Cybersecurity Training appeared first on HIPAA Journal.

Webinar: Aug 21, 2019: Why Your Organization Needs More Than Just Training If You Want To Be HIPAA Compliant?

Posted by HIPAA Journal

On August 21, 2019. HIPAA Journal Sponsor, Compliancy Group, will be hosting a webinar entitled “Why your organization needs more than just training if you want to be HIPAA compliant?”

If you are a HIPAA covered entity or business associate, compliance with the Health Insurance Portability and Accountability Act is mandatory. All employees must be trained on HIPAA and should understand how the legislation applies to their role in the organization.

With the workforce trained on privacy and security and aware of the allowable uses and disclosures permitted by the HIPAA Privacy Rule, employees will be able to complete their work duties in full compliance with HIPAA and avoid financial penalties.

HIPAA compliance requires an ongoing commitment to achieve the required standards for privacy and security and ensure those standards are maintained.

To find out more about what’s entailed, Compliancy Group is holding a webinar.

During this webinar, Compliancy Group President and CEO Marc Haskelson will explain:

  • How to meet all federal requirements for effective HIPAA training
  • How your organization can avoid breaches and fines
  • What you can you be doing right now to protect your organization
  • How to keep your name off the HHS ‘Wall of Shame’
  • How your patients feel about HIPAA and why this is important for your business.

Tune into this exclusive webinar to learn how you can become HIPAA compliant. You can sign up for this and future webinars on the following link: https://compliancy-group.com/webinar/

Date: Wednesday, August 21, 2019

Start Time: 2:00 pm ET/11:00 am PT

The post Webinar: Aug 21, 2019: Why Your Organization Needs More Than Just Training If You Want To Be HIPAA Compliant? appeared first on HIPAA Journal.

Report Provides Insights into Recent HIPAA Enforcement Activity

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance. Up until 2016, financial penalties for HIPAA violations were rare. Then there was a doubling of financial penalties in 2016 and enforcement actions continued at an elevated level in 2017.

2018 got off to a slow start with few penalties issued and there was speculation that OCR was scaling back its enforcement activities. However, there was a flurry of announcements about settlements in the latter half of the year, including the largest ever HIPAA penalty.

The recently published Beazley Breach Insights Report includes an analysis of OCR enforcement activities in 2018 and confirms that OCR is not easing up on healthcare organizations. In 2018, settlements and civil monetary penalties ranged from $100,000 to $16 million, with an average penalty of $2.8 million, up from $1.9 million in 2017,

The Beazley Breach Response (BBR) team also found it is taking much longer for OCR to close its investigations and settle HIPAA cases. Cases now take an average of 4.3 years to close compared to 3.6 years in 2018.

The Beazley report contains a warning for healthcare organizations. It doesn’t require a major breach to trigger an OCR investigation.  OCR is now scrutinizing all breach reports and is attempting to identify patterns that could indicate non-compliant behavior.

In the case of Fresenius Medical Care, five breaches were experienced, but each involved fewer than 250 records. The pattern was identified, noncompliance was discovered, and the case was finally settled for $3.5 million.

There were many common themes in 2018 HIPAA enforcement actions, one of the most prevalent being risk analysis failures. Covered entities must regularly perform and document security risk analyses and develop risk management plans to address vulnerabilities and reduce them to an acceptable level.

Access controls must be set appropriately and maintained, and encryption must be considered for all ePHI. If the decision is taken not to encrypt, that decision must be documented and alternative measures must be implemented in its place. The settlements also highlight how important it is to have business associate agreements in place with all vendors who are provided with access to PHI.

While there were many Security Rule failures, the HIPAA settlements in 2018 also highlight the importance of respecting patient rights and complying with the HIPAA Privacy Rule. Multiple settlements resolved privacy violations such as filming patients and disclosing PHI without consent.

The post Report Provides Insights into Recent HIPAA Enforcement Activity appeared first on HIPAA Journal.

Study Reveals Widespread Noncompliance with HIPAA Right of Access

Posted by HIPAA Journal

A recent study conducted by the health manuscript archiving company medRxiv has revealed widespread noncompliance with the HIPAA right of access.

For the study, the researchers sent medical record requests to 51 healthcare providers and assessed the experience of obtaining those records. The companies were also assessed on their response versus the requirements of HIPAA.

In each case, the record request was a legitimate request for access to patient data. The requests were made to populate a new consumer platform that helps patients obtain their medical records. Record requests were sent for 30 patients at a rate of 2.3 medical requests per patient.

Each of the providers was scored based on their response to the request and whether they satisfied four requirements of HIPAA – Accepting a request by email/fax, sending the records in the format requested by the patient, providing records within 30 days, and only charging a reasonable fee.

Providers were given a 1-star rating for simply accepting a patient record request. Providers received a second star for satisfying the request and meeting all four requirements of HIPAA, but only after the researchers had escalated the request to a supervisor on more than one occasion.

A three-star rating was given to providers that required a single escalation phone call to a supervisor. A four-star rating was given to providers that were fully compliant with the HIPAA right of access. A five-star rating was given to providers that went above and behind the requirements of HIPAA by sending copies of records within 5 days, accepting non-standard forms, and providing patients with copies of their records at no cost.

More than half (51%) of the providers assessed were either not fully compliant with the HIPAA right of access or it too several attempts and referrals to supervisors before requests were satisfied in a fully compliant manner. 27%  of providers were given a one-star rating, 24% received a 2-star rating, and 20% received a 3-star rating. Only 30% of providers were fully compliant. 12% were given a 4-star rating and 18% received 5-stars.

The researchers also conducted a telephone survey on 3,003 healthcare providers and asked about policies and procedures for releasing patient medical records. The researchers suggest as many as 56% of healthcare providers may not be fully compliant with the HIPAA right of access. 24% did not appear to be fully aware of the fee limitations for providing copies of medical records.

The main area of noncompliance was the failure to send medical records electronically, even if it was specifically requested by the patient. 12 of the 14 providers who received a 1-star rating did not email medical records, one refused to send the records to the patient’s nominated representative, and one charged an unreasonable fee.

The researchers note that had they not escalated the requests to supervisors, 71% of all requests would not have been satisfied in a way that was fully compliant with HIPAA.

The post Study Reveals Widespread Noncompliance with HIPAA Right of Access appeared first on HIPAA Journal.

Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant

Posted by HIPAA Journal

The Cleveland, OH-based technology solution provider, Direct Connect Computer Systems, Inc., has demonstrated the company is fully compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules.

Companies that provide technology solutions and services to healthcare clients that require contact with electronic protected health information (ePHI) are classed as ‘business associates’ under HIPAA.

Business associates of HIPAA covered entities must ensure they are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules, and must ensure the confidentiality, integrity, and availability of ePHI at all times. Business associates face substantial fines if they are discovered not to be compliant with HIPAA Rules.

In order to start providing products and services to healthcare organizations, companies must be able to provide reasonable assurances that they are fully compliant with HIPAA Rules. To help provide those assurances and demonstrate the company’s commitment to privacy and security, Direct Connect Computer Systems, Inc., partnered with Compliancy Group and completed its Six Stage Risk Analysis and remediation process.

Using Compliancy Group’s proprietary software, The Guard, and assisted by Compliancy Group Compliance Coaches, Direct Connect Computer Systems successfully completed the program and was awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance recognizes Direct Connect’s good faith efforts to comply with all HIPAA and HITECH Act requirements and confirms the company has met its regulatory obligations as a HIPAA business associate.

The post Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant appeared first on HIPAA Journal.