HIPAA Compliance News

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

Posted by HIPAA Journal

A scrub nurse who took photographs of a patient’s genitals and shared the images with colleagues has been fired, while the patient, who is also an employee at the same hospital, has filed a lawsuit seeking damages for the harm caused by the incident.

The employee-patient was undergoing incisional hernia surgery at Washington Hospital. She alleges in a complaint filed in Washington County Court, that while she was unconscious, a scrub nurse took photographs of her genitals on a mobile phone and shared the photographs with co-workers.

Photographing patients without their consent is a violation of HIPAA Rules, and one that can attract a significant financial penalty. Last Year, New York Hospital settled a HIPAA violation case with the Department of Health and Human Services’ Office for Rights and paid a financial penalty of $2.2 million. In that case, a television crew had been authorized to film in the hospital, but consent from the patients in the footage had not been obtained.

In the Washington Hospital HIPAA breach, the patient, identified in the lawsuit only as Jane Doe, claims she became aware that photos had been shared the day after her operation. She also claims the scrub nurse showed her the photographs that had been taken. Horrified at the violation of her privacy, she reported the incident to her supervisors. The scrub nurse was subsequently fired for the HIPAA violation.

However, in the lawsuit Jane Doe claims that was not the end of the matter. She said, taking action against the scrub nurse resulted in her “being treated like the wrongdoer, not the victim.” As a result of the complaint she was “forced to endure harassment, humiliation and backlash,” and “extreme hostility” at work. That harassment has allegedly continued outside the hospital.

Jane Doe was given two weeks of paid leave as a healing period, and returned to her unit in the same position. However, she suffered migraines, anxiety, and insomnia as a result of the incident. She requested further paid leave of 3 months, as recommended by her physician, but the request was denied. She subsequently took unpaid leave under the Family Medical Leave Act and was terminated in October.

The lawsuit names the hospital, a doctor who was in the operating room but failed to stop the scrub nurse from taking photos and did not report the incident, and several other workers at the hospital. Jane Doe seeks in excess of $75,000 in damages for the “severe physical, emotional and psychological stress” caused. The patient’s husband is also a plaintiff and is suing for loss of consortium.

The post Scrub Nurse Fired for Photographing Employee-Patient’s Genitals appeared first on HIPAA Journal.

New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses

Posted by HIPAA Journal

A new bill (H.R. 4613) has been introduced to the U.S House of Representatives by Congresswoman Cathy McMorris Rodgers (R-Washington) that proposes changes to the Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA Rules for healthcare clearinghouses.

The Ensuring Patient Access to Healthcare Records Act of 2017 is intended to modernize the role of healthcare clearinghouses in healthcare, promote access to and the leveraging of health information, and enhance treatment, quality improvement, research, public health and other functions.

Healthcare clearinghouses are entities that transform data from one format to another, converting non-standard data to standard data elements or vice versa. Healthcare clearinghouses are considered HIPAA-covered entities, although in some cases they can be business associates. The bill – Ensuring Patient Access to Healthcare Records Act of 2017 – would see all healthcare clearinghouses treated as covered entities.

Healthcare clearinghouses gather health data from a wide range of sources, therefore they could hold a complete set of records for each patient. If patients are allowed to obtain copies of their health records from healthcare clearinghouses, it could make it easier for patients treated by multiple providers to obtain a full set of their health records.

“Whether it’s because of a move to a new state, switching providers, an unexpected visit to the emergency room, or a new doctor, patients must track down their own records from numerous different sources based on what they can or cannot remember. It shouldn’t be this burdensome,” said Rodgers. “Our bill gives patients the ability to see a snapshot of their health records at just a simple request, allowing them to make better, more informed healthcare decisions in a timely manner.”

While the bill could improve data access for patients, it has been suggested that patients are unlikely to benefit. Healthcare clearinghouses may have longitudinal health records from multiple sources, but in many cases, they only have claims data rather than a full set of clinical data. Even if patients could be provided with copies, it may not prove to be particularly useful.

Patients can choose which healthcare providers they use, but since a healthcare clearinghouse is not chosen by patients, they are unlikely to know which healthcare clearinghouses actually hold their data. Patients rarely have any dealings with healthcare clearinghouses.

The bill would “allow the use of claims, eligibility, and payment data to produce reports, analyses, and presentations to benefit Medicare, and other similar health insurance programs, entities, researchers, and health care providers, to help develop cost saving approaches, standards, and reference materials and to support medical care and improved payment models.”

This is not the first time that the Ensuring Patient Access to Healthcare Records Act has been introduced. None of the previous versions of the bill have made it to the floor and have attracted considerable criticism. In his Healthcare Blog, Adrian Gropper, MD expressed concern over a previous version of the bill (Senate bill S.3530).

“Extending Covered Entity status to data brokers seems like a quantitative shift and possibly a benefit to patients. But the deceptive part is that unlike today’s Covered Entities (hospitals, pharmacies, and insurance companies), data brokers do not have to compete for the patient’s business,” said Gropper. “By giving the infrastructure business the right to use and sell our data without consent or even transparency, we are enabling a true panopticon – an inescapable surveillance system for our most valuable personal data.”

The post New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses appeared first on HIPAA Journal.

Is Facebook Messenger HIPAA Compliant?

Posted by HIPAA Journal

Is Facebook Messenger HIPAA compliant? Is it OK to use the messaging service to send protected health information without violating HIPAA Rules?

Many doctors and nurses communicate using chat platforms, but is it acceptable to use the platforms for sending PHI? One of the most popular chat platforms is Facebook Messenger. To help clear up confusion we will assess whether Facebook Messenger is HIPAA compliant and if the platform can be used to send PHI.

In order to use any service to send PHI, it must incorporate security controls to ensure information cannot be intercepted in transit. In sort, messages need to be encrypted. Many chat platforms, including Facebook Messenger, do encrypt data in transit, so this aspect of HIPAA is satisfied. However, with Facebook Messenger, encryption is optional and users have to opt in. Provided that setting has been activated, only the sender and the receiver will be able to view the messages. However, there is more to HIPAA compliance than simply encrypting data in transit.

There must be access and authentication controls to ensure only authorized individuals can access the program. Facebook Messenger could be accessed by unauthorized individuals if a phone was stolen, so it would be necessary for the device to have additional security controls to ensure apps such as Facebook Messenger could not be accessed in the event of loss or theft. Facebook Messenger users don’t have to login each time to view messages on the app.

HIPAA-covered entities must ensure there is an audit trail. Any PHI sent through a chat messaging platform would need to be retained and hardware, software or procedural mechanisms would be required to ensure any activity involving PHI could be examined. It would be difficult to maintain an audit trail on Facebook Messenger and there are also no controls to prevent messages from being deleted by users.

Is a Business Associate Agreement Required?

The HIPAA Conduit Exception allows HIPAA-covered entities to send information via certain services without the need for a business associate agreement. For example, it is not necessary to enter into a BAA with an Internet Service Provider (ISP) or the U.S. Postal Service. Those entities only act as conduits.

However, cloud service providers are not covered by that exception. HHS points this out on its website, saying “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”

Facebook would therefore need to sign a BAA with a HIPAA-covered entity before Facebook Messenger could be used to communicate PHI, and at the time of writing, Facebook is not prepared to sign a BAA for its Messenger service.

How About Workplace by Facebook?

Workplace by Facebook is a messaging service that can be used by businesses to communicate internally. Is Workplace by Facebook HIPAA compliant? The Workplace Enterprise Agreement states under its prohibited data section, “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”

Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Without a BAA, and without appropriate audit and access controls, we do not believe Facebook Messenger is HIPAA compliant. If you want to use a chat program for communicating PHI, we suggest you use a HIPAA-compliant messaging service that has been developed specifically for the healthcare industry. TigerText for example. These secure healthcare text messaging solutions incorporate all the necessary controls to ensure PHI can be sent securely, and include access controls, audit controls, and full end-to-end encryption.

The post Is Facebook Messenger HIPAA Compliant? appeared first on HIPAA Journal.

HIPAA Compliant Email Providers

Posted by HIPAA Journal

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages, and many choose to use HIPAA compliant email providers to ensure appropriate controls are applied to ensure the confidentiality, integrity, and availability of PHI.

There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop.

All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls 164.312(a)(1), audit controls 164.312(b), integrity controls 164.312(c)(1), authentication 164.312(d), and PHI must be secured in transit 164.312(e)(1).

Provided that an email service provider incorporates all of those controls, the service can be considered HIPAA-compliant. However, it is also necessary for an email service provider to enter into a contract with a HIPAA-covered entity in the form of a business associate agreement. Only then can the email service be used.

HIPAA-covered entities should bear in mind that HIPAA-compliant email is not the responsibility of the service provider. The service provider must only ensure appropriate safeguards are incorporated. It is the responsibility of the covered entity to ensure the solution is configured correctly, that staff are trained on the use of email and are made aware of the allowable uses and disclosures of PHI.

An email service alone will not satisfy all HIPAA requirements for email. Staff should also receive training on security awareness and be made aware of the threats that can arrive in inboxes. Technologies should also be implemented to reduce the risk of email-based attacks such as phishing. Some email service providers, but not all, scan inbound messages and block spam, malware and phishing emails.

Is Encryption for Email Mandatory?

That is a question asked by many healthcare organizations. While HIPAA compliant email providers encrypt all emails in transit, encryption is not mandatory. The HIPAA Security Rule only requires organizations to assess the need for encryption. A HIPAA-covered entity does not need to encrypt emails, if an alternative and equivalent control is used in its place.

One such control is the use of a secure email server located behind a firewall. In such cases, provided a risk assessment has been conducted and the reasons for not encrypting emails has been documented, encryption would not be required on all internal emails. Encryption would also not be necessary when sending emails to patients who have authorized a covered entity to communicate with them via email.

However, since most healthcare organizations need to submit payment claims via email, contact other healthcare organizations and refer patients, it is necessary to send emails outside the protection of the firewall. In such cases, encryption is necessary.

There are considerable risks sending sensitive information via email. Email is not a secure way of sending data. Emails must be created on one machine, be sent to an outbound email server, traverse the Internet, arrive at the recipient’s email server, before being delivered to the recipient’s device. Copies of emails can be on at least four different machines, and messages can easily be intercepted in transit.

The Department of Health and Human Services has already issued fines to covered entities that have used email services that are not HIPAA compliant. Phoenix Cardiac Surgery paid a $100,000 penalty for using insecure Internet-based email.

List of HIPAA Compliant Email Providers

Our list of HIPAA compliant email providers has been compiled to save you time in your search for a suitable email service provider. The list of HIPAA compliant email providers is not exhaustive. There are many other service providers that offer email services for healthcare organizations that meet the requirements of HIPAA. However, the list below is a good starting point.

All of the following providers offer a HIPAA-compliant email service and are willing to sign a business associate agreement.

  • Hushmail for Healthcare
  • VM Racks
  • NeoCertified
  • Paubox
  • Virtru
  • Atlantic
  • LuxSci
  • Apsida Mail
  • Protected Trust
  • MaxMD
  • EmailPros
  • MD OfficeMail
  • Delivery Trust from Identillect Technologies

The post HIPAA Compliant Email Providers appeared first on HIPAA Journal.

OCR Launches New Tools to Help Address the Opioid Crisis

Posted by HIPAA Journal

OCR has launched new tools and initiatives as part of its efforts to help address the opioid crisis in the U.S., and fulfil its obligations under the 21st Century Cures Act.

Two new webpages have been released – one for consumers and one for healthcare professionals – that make information relating to mental/behavioral health and HIPAA more easily accessible.

OCR resources have been reorganized to make the HHS website more user-friendly, and the new webpages serve as a one-stop resource explaining when, and under what circumstances, health information can be shared with friends, families, and loved ones to help them deal with, and prevent, emergency situations such as an opioid overdose or a mental health crisis.

OCR has also released new guidance on sharing information related to substance abuse disorder and mental health with individuals involved in the provision of care to patients. The new resources include fact sheets, decision charts, an infographic, and various scenarios that address the sharing of information when an individual has an opioid overdose.  Some of the materials have been developed specifically for parents of children suffering from a mental health condition.

OCR is also collaborating with partner agencies within the HHS to identify and develop further programs and training materials covering the permitted uses and disclosures of PHI when patients seek, or undergo, treatment for mental health disorders or substance abuse disorder.

“HHS is using every tool at its disposal to help communities devastated by opioids including educating families and doctors on how they can share information to help save the lives of loved ones,” said OCR Director, Roger Severino.

The Information Related to Mental and Behavioral Health can be accessed on the links below:

Webpage for consumers

Webpage for healthcare professionals and caregivers

Guidance on HIPAA and Research

OCR has also released updated guidance on HIPAA and research, as required by the 21st Century Cures Act. The new guidance explains how the HIPAA Privacy Rule applies to research, including when protected health information can be shared without first obtaining authorization from patients.

OCR explains that HIPAA-covered entities are always permitted to disclose PHI for research purposes if it has been de-identified in accordance with 45 CFR 164.502(d), and 164.514(a)-(c).

If PHI is not de-identified, authorization from patients is required unless the covered entity has obtained Documented Institutional Review Board (IRB) or Privacy Board Approval. In the guidance, OCR explains the criteria that must be satisfied to receive such approval.

The guidance can be viewed here.

OCR has also formed a working group that includes representatives of several federal agencies, patients, researchers, healthcare providers, privacy, security and technology experts. The working group will study uses and disclosures of PHI for research and the group will report on whether those uses and disclosures should be modified to facilitate research while ensuring individuals’ privacy rights are protected.

The post OCR Launches New Tools to Help Address the Opioid Crisis appeared first on HIPAA Journal.

Is Hotmail HIPAA Compliant?

Posted by HIPAA Journal

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI.

Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine if Hotmail is HIPAA-complaint, but the same will apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same.

HIPAA, Email and Encryption

There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security controls in place – See 45 CFR § 164.312(a), 45 CFR § 164.312(c)(1), and 45 CFR § 164.312(e)(1).

All email accounts are secured with a password, but not all email accounts securely send messages. If messages are not encrypted in transit, they could easily be intercepted and read by unauthorized individuals.

In order to be HIPAA-compliant, email messages should be encrypted in transit if they are sent outside the protection of an organization’s firewall. Encryption is not required if messages are sent internally and the messages are sent via a secure internal email server that sits behind a firewall.

Is Hotmail HIPAA Compliant?

Since Hotmail is a webmail service, it lies outside the protection of a firewall. In order to be HIPAA compliant, Hotmail would need to incorporate security controls to prevent messages from being intercepted. Hotmail uses HTTPS, so any information transferred between the browser and the Hotmail site is encrypted, and messages are also secured in transit.

However, while Microsoft says it does not scan the content of messages and will not sell that information to third-parties such as advertisers, Microsoft does have access to messages. Further, in order for an email service such as Hotmail to be HIPAA compliant, it would be necessary to first obtain a HIPAA-compliant business associate agreement with the email service provider.

Microsoft does offer business associate agreements for Office 365, but Office 365 does not include Hotmail or Outlook.com email accounts, which are free consumer email services. Microsoft does not offer any business associate agreements for its free consumer services.

Therefore, the answer to the question is Hotmail HIPAA compliant is no. Without a signed business associate agreement, Hotmail email accounts should not be used. The same applies to Gmail accounts and most other free consumer email services.

Can You Send PHI to a Patient’s Hotmail Account?

If your email system is secure and HIPAA-compliant, is it possible to send PHI to patients if they have a Hotmail account?

HIPAA does permit healthcare organizations to send PHI to patients via email, regardless of the email service provider the patient uses. However, it is not permitted to send emails to patients without first obtaining their consent to do so. When obtaining consent, you should communicate to patients that the sending of PHI via email is not secure and that their information could potentially be intercepted and viewed by individuals who are unauthorized to view that information.

If patients are informed of the risks, and confirm that they accept those risks, PHI can be sent via email, even if they have a Hotmail or Outlook.com email account. Covered entities should document that consent has been obtained and patients have opted in to receive information via email, including how you authenticated their identity.

The post Is Hotmail HIPAA Compliant? appeared first on HIPAA Journal.

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

Posted by HIPAA Journal

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI.

The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases.

21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals.

As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That investigation uncovered multiple potential violations of HIPAA Rules.

OCR determined that 21st Century Oncology failed to conduct a comprehensive, organization-wide risk assessment to determine the potential risks to the confidentiality, integrity, and availability of electronic protected health information, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

21st Century Oncology was also determined to have failed to implement sufficient measures to reduce risks to an appropriate and acceptable level to comply with 45 C.F.R. § 164.306(A).

21st Century Oncology also failed to implement procedures to regularly review logs of system activity, including audit logs, access reports, and security incident tracking reports, as required by 45 C.F.R. §164.308(a)(1)(ii)(D).

The breach resulted in the impermissible disclosure of the protected health information of 2,213,597 patients.

Further, protected health information of patients was disclosed to business associates without first entering into a HIPAA-compliant business associate agreement and obtaining satisfactory assurances that HIPAA requirements would be followed.

To resolve those potential HIPAA violations, 21st Century Oncology agreed to pay OCR $2.3 million. In addition to the financial settlement, 21st Century Oncology has agreed to adopt a comprehensive corrective action plan (CAP) to bring its policies and procedures up to the standards demanded by HIPAA.

Under the CAP, 21st Century Oncology must appoint a compliance officer, revise its policies and procedures with respect to system activity reviews, access establishment, modification and termination, conduct an organization-wide risk assessment, develop internal policies and procedures for reporting violations of HIPAA Rules, and train staff on new policies.

21st Century Oncology is also required to engage a qualified, objective, and independent assessor to review compliance with the CAP.

Separate $26 Million Settlement Resolves Meaningful Use, Stark Law, and False Claims Act Violations

In addition to the OCR settlement to resolve potential HIPAA violations, 21st Century Oncology has also agreed to a $26 million settlement with the Department of Justice to resolve allegations that it submitted false or inflated Meaningful Use attestations in order to receive incentive payments. 21st Century Oncology self-reported that employees falsely submitted information relating to the use of EHRs to avoid downward payment adjustments. Fabricated reports were also submitted, and the logos of EHR vendors were superimposed on reports to make them appear genuine.

The settlement also resolves allegations that the False Claims Act was violated by submitting or enabling the submission of claims that involved kickbacks for physician referrals, and also violations of the Stark Law, which covers physician self-referrals.

According to the Department of Justice, “The Stark Law prohibits an entity from submitting claims to Medicare for designated health services performed pursuant to referrals from physicians with whom the entity has a financial relationship unless certain designated exceptions apply.”

“We appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures,” said Middle District of Florida Acting U.S. Attorney Stephen Muldrow.

In addition to paying the settlement amount, 21st Century Oncology has entered into a 5-year Corporate Integrity Agreement with the HHS’ Office of Inspector General (OIG).

The post $2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR appeared first on HIPAA Journal.

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Posted by HIPAA Journal

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities.

Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed.

The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations, little has changed since the first phase of compliance audits were conducted in 2011/2012. Noncompliance with HIPAA is still widespread.

A few years ago, the risk of the discovery of a HIPAA violation was relatively low. Even when HIPAA violations were discovered, OCR rarely issued financial penalties. Similarly, even though the HITECH Act permits state attorneys general to issue fines for HIPAA violations, relatively few have exercised that right.

Today, the risk of HIPAA violations being discovered is significantly higher. Patients are now much more knowledgeable about their rights under HIPAA, and OCR has made it easy for them to file complaints about suspected HIPAA violations. HIPAA complaints are investigated by OCR.

The rise in cyberattacks on healthcare organizations mean data breaches are now far more likely to occur. A recent study by HIMSS Analytics/Mimecast showed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, while an Accenture/AMA report showed 83% of physicians have experienced a cyberattack.

OCR investigates all breaches of more than 500 records to determine whether HIPAA Rules are being followed. When a breach occurs, organizations’ HIPAA compliance programs will be scrutinized.

OCR has also stepped up enforcement of HIPAA Rules and financial penalties are far more common. Since January 1, 2016, there have been 20 settlements reached between OCR and HIPAA covered entities and their business associates, and two civil monetary penalties issued.

OCR has yet to state whether financial penalties will be pursued as a result of the HIPAA audits, but OCR is not expected to turn a blind eye to major HIPAA failures. Multiple violations of HIPAA Rules could well see financial penalties pursued.

The higher likelihood of a data breach occurring or a complaint being filed means noncompliance with HIPAA is likely to be discovered. But what are the costs of noncompliance with HIPAA? What are the incentives for ensuring all HIPAA Rules are followed?

The Cost of Noncompliance with HIPAA

The high cost of HIPAA noncompliance has been summarized in the infographic below:

 

The Cost of Noncompliance with HIPAA

The post Noncompliance with HIPAA Costs Healthcare Organizations Dearly appeared first on HIPAA Journal.

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Posted by HIPAA Journal

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture.

The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently.

83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare.

48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium to large practices were twice as likely to experience those types of cyberattacks than those at small practices.

When cyberattacks occur, they can result in considerable downtime. 64% of physicians said they experienced up to 4 hours of downtime following an attack, while 29% of physicians at medium-sized practices experienced downtime of up to one day.

Given the frequency of cyberattacks and the difficulty physician practices have at preventing those attacks, it is not surprising that the threat of attack is a major cause of concern. 55% of physicians were very or extremely worried about further cyberattacks at their practice. 74% said they were most concerned that future attacks would disrupt clinical practices and the same percentage were concerned that cyberattacks would result in breaches of patients’ protected health information. 53% were concerned that cyberattacks would have an impact on patient safety.

Physicians are aware that HIPAA compliance is important for cybersecurity, but simply doing the minimum and ensuring HIPAA requirements are met is not sufficient to prevent attacks. 83% of physicians said a more holistic approach to prioritizing risks is required than simply complying with HIPAA.

Kaveh Safavi, head of Accenture’s global practice said “Physician practices should not rely on compliance alone to enhance their security profile. Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”

Interestingly, while 87% of physicians believed their practice was compliant with HIPAA Rules, two thirds of physicians still have basic questions about HIPAA, suggesting their compliance programs may not be quite as comprehensive as they believe.

While the sharing of ePHI can introduce new risks, 85% believed PHI sharing was important, and 2 in 3 physicians thought that more access to patient data could improve the care provided to patients.

“New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data,” said AMA President David. O. Barbe.

The post AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack appeared first on HIPAA Journal.