HIPAA News for Small and Mid-Sized Practices

2017 HIPAA Enforcement Summary

Posted by HIPAA Journal

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017.

In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints.

Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases.

Summary of 2017 HIPAA Enforcement by OCR

Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates.

Covered Entity Amount Type Violation Type
Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls
Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI
Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI
Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI
21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations
MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI
Presense Health $475,000 Settlement Delayed Breach Notifications
Metro Community Provider Network $400,000 Settlement Lack of Security Management Process
St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI
The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement

OCR’s 2017 HIPAA enforcement activities have revealed covered entities are continuing to fail to comply with HIPAA Rules in key areas: Safeguarding PHI on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and entering into HIPAA-compliant business associate agreements with all vendors.

Throughout 2016 and 2017, many covered entities have failed to issue breach notifications promptly. In 2017, OCR took action for this common HIPAA violation and agreed its first HIPAA settlement solely for delaying breach notifications to patients.

HIPAA Desk Audits Revealed Widespread HIPAA Violations

In late 2016, OCR commenced the much-delayed second phase of its HIPAA-compliance audit program. The first stage involved desk audits of 166 HIPAA-covered entities – 103 audits on the Privacy and Breach Notification Rules, and 63 audits on the Security Rule. 41 desk audits were conducted on business associates on the Breach Notification and Security Rules.

While the full results of the compliance audits have not been released, this fall OCR announced preliminary findings from the compliance audits.

Covered entities were given a rating from 1 to 5 for the completeness of compliance efforts on each control and implementation specification. A rating of 1 signifies full compliance with goals and objectives of the standards and implementation specifications that were audited. A rating of 5 indicates there was no evidence that the covered entity had made a serious attempt to comply with HIPAA Rules.

Preliminary Findings of HIPAA Compliance Audits on Covered Entities

Listed below are the findings from the HIPAA compliance audits. A rating of 5 being the worst possible score and 1 being the best.

Preliminary HIPAA Compliance Audit Findings (2016/2017)
HIPAA Rule Compliance Controls Audited Covered Entities Given Rating of 5 Covered Entities Given Rating of 1
Breach Notification Rule (103 audits) Timeliness of Breach Notifications 15 67
Breach Notification Rule (103 audits) Content of Breach Notifications 9 14
Privacy Rule (103 audits) Right to Access PHI 11 1
Privacy Rule (103 audits) Notice of Privacy Practices 16 2
Privacy Rule (103 audits) Electronic Notice 15 59
Security Rule (63 audits) Risk Analysis 13 0
Security Rule (63 audits) Risk Management 17 1

 

Almost a third of covered entities failed to issue breach notifications promptly and next to no covered entities were found to be fully compliant with the HIPAA Privacy and Security Rules.

OCR has delayed the full compliance reviews until 2018. While some organizations will be randomly selected for a full review – including a site visit – OCR has stated that poor performance in the desk audits could trigger a full compliance review. Financial penalties may be deemed appropriate, especially when there has been no attempt to comply with HIPAA Rules.

Attorneys General Fines for Privacy Breaches

The HITECH Act gave state attorneys general the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules. Relatively few state attorneys general exercise this right. Instead they choose to pursue cases under state laws, even if HIPAA Rules have been violated.

Notable 2017 settlements with healthcare organizations and business associates of HIPAA covered entities have been listed below.

Covered Entity State Amount Individuals affected Reason
Cottage Health System California $2,000,000 More than 54,000 Failure to Safeguard Personal Information
Horizon Healthcare Services Inc., New Jersey $1,100,000 3.7 million Failure to Safeguard Personal Information
SAManage USA, Inc. Vermont $264,000 660 Exposure of PHI on Internet
CoPilot Provider Support Services, Inc. New York $130,000 221,178 Late Breach Notifications
Multi-State Billing Services Massachusetts $100,000 2,600 Failure to Safeguard Personal Information

The post 2017 HIPAA Enforcement Summary appeared first on HIPAA Journal.

Is Google Voice HIPAA Compliant?

Posted by HIPAA Journal

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without risking a violation of HIPAA Rules?

Is Google Voice HIPAA Compliant?

Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use.

In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way.

That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule.

As with SMS, faxing and email, Google Voice is not classed as a conduit which means that in order for Google Voice to be HIPAA compliant, the service would need to satisfy the requirements of the HIPAA Security Rule.

There would need to be access and authentication controls, audit controls, integrity controls, and transmission security for messages sent through the service. Google would also need to ensure that any data stored on its servers are safeguarded to the standards demanded by HIPAA. HIPAA-covered entities would also need to receive satisfactory assurances that is the case, in the form of a HIPAA-compliant business associate agreement (BAA).

Therefore, before Google Voice could be used in conjunction with any protected health information, the covered entity must obtain a BAA from Google.

Will Google Sign A BAA for Google Voice?

Google is keen to encourage healthcare organizations to adopt its services, and is happy to sign a business associate agreement for G Suite, but Google does not include its free consumer services in that agreement. Google does not recommend businesses use its free consumer services for business use, as they have been developed specifically for consumers for personal use.

Google Voice is a consumer product and is not included in G Suite, Google Apps, or Google Cloud and neither is it mentioned in its BAA.

So is Google Voice HIPAA compliant? No. Until such point that Google releases a version of Google Voice for businesses, and will include it in its business associate agreement, it should not be used by healthcare organizations or healthcare employees in a professional capacity.

The use of Google Voice with any protected health information would be a violation of HIPAA Rules.

The post Is Google Voice HIPAA Compliant? appeared first on HIPAA Journal.

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

Posted by HIPAA Journal

A scrub nurse who took photographs of a patient’s genitals and shared the images with colleagues has been fired, while the patient, who is also an employee at the same hospital, has filed a lawsuit seeking damages for the harm caused by the incident.

The employee-patient was undergoing incisional hernia surgery at Washington Hospital. She alleges in a complaint filed in Washington County Court, that while she was unconscious, a scrub nurse took photographs of her genitals on a mobile phone and shared the photographs with co-workers.

Photographing patients without their consent is a violation of HIPAA Rules, and one that can attract a significant financial penalty. Last Year, New York Hospital settled a HIPAA violation case with the Department of Health and Human Services’ Office for Rights and paid a financial penalty of $2.2 million. In that case, a television crew had been authorized to film in the hospital, but consent from the patients in the footage had not been obtained.

In the Washington Hospital HIPAA breach, the patient, identified in the lawsuit only as Jane Doe, claims she became aware that photos had been shared the day after her operation. She also claims the scrub nurse showed her the photographs that had been taken. Horrified at the violation of her privacy, she reported the incident to her supervisors. The scrub nurse was subsequently fired for the HIPAA violation.

However, in the lawsuit Jane Doe claims that was not the end of the matter. She said, taking action against the scrub nurse resulted in her “being treated like the wrongdoer, not the victim.” As a result of the complaint she was “forced to endure harassment, humiliation and backlash,” and “extreme hostility” at work. That harassment has allegedly continued outside the hospital.

Jane Doe was given two weeks of paid leave as a healing period, and returned to her unit in the same position. However, she suffered migraines, anxiety, and insomnia as a result of the incident. She requested further paid leave of 3 months, as recommended by her physician, but the request was denied. She subsequently took unpaid leave under the Family Medical Leave Act and was terminated in October.

The lawsuit names the hospital, a doctor who was in the operating room but failed to stop the scrub nurse from taking photos and did not report the incident, and several other workers at the hospital. Jane Doe seeks in excess of $75,000 in damages for the “severe physical, emotional and psychological stress” caused. The patient’s husband is also a plaintiff and is suing for loss of consortium.

The post Scrub Nurse Fired for Photographing Employee-Patient’s Genitals appeared first on HIPAA Journal.

Is Facebook Messenger HIPAA Compliant?

Posted by HIPAA Journal

Is Facebook Messenger HIPAA compliant? Is it OK to use the messaging service to send protected health information without violating HIPAA Rules?

Many doctors and nurses communicate using chat platforms, but is it acceptable to use the platforms for sending PHI? One of the most popular chat platforms is Facebook Messenger. To help clear up confusion we will assess whether Facebook Messenger is HIPAA compliant and if the platform can be used to send PHI.

In order to use any service to send PHI, it must incorporate security controls to ensure information cannot be intercepted in transit. In sort, messages need to be encrypted. Many chat platforms, including Facebook Messenger, do encrypt data in transit, so this aspect of HIPAA is satisfied. However, with Facebook Messenger, encryption is optional and users have to opt in. Provided that setting has been activated, only the sender and the receiver will be able to view the messages. However, there is more to HIPAA compliance than simply encrypting data in transit.

There must be access and authentication controls to ensure only authorized individuals can access the program. Facebook Messenger could be accessed by unauthorized individuals if a phone was stolen, so it would be necessary for the device to have additional security controls to ensure apps such as Facebook Messenger could not be accessed in the event of loss or theft. Facebook Messenger users don’t have to login each time to view messages on the app.

HIPAA-covered entities must ensure there is an audit trail. Any PHI sent through a chat messaging platform would need to be retained and hardware, software or procedural mechanisms would be required to ensure any activity involving PHI could be examined. It would be difficult to maintain an audit trail on Facebook Messenger and there are also no controls to prevent messages from being deleted by users.

Is a Business Associate Agreement Required?

The HIPAA Conduit Exception allows HIPAA-covered entities to send information via certain services without the need for a business associate agreement. For example, it is not necessary to enter into a BAA with an Internet Service Provider (ISP) or the U.S. Postal Service. Those entities only act as conduits.

However, cloud service providers are not covered by that exception. HHS points this out on its website, saying “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”

Facebook would therefore need to sign a BAA with a HIPAA-covered entity before Facebook Messenger could be used to communicate PHI, and at the time of writing, Facebook is not prepared to sign a BAA for its Messenger service.

How About Workplace by Facebook?

Workplace by Facebook is a messaging service that can be used by businesses to communicate internally. Is Workplace by Facebook HIPAA compliant? The Workplace Enterprise Agreement states under its prohibited data section, “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”

Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Without a BAA, and without appropriate audit and access controls, we do not believe Facebook Messenger is HIPAA compliant. If you want to use a chat program for communicating PHI, we suggest you use a HIPAA-compliant messaging service that has been developed specifically for the healthcare industry. TigerText for example. These secure healthcare text messaging solutions incorporate all the necessary controls to ensure PHI can be sent securely, and include access controls, audit controls, and full end-to-end encryption.

The post Is Facebook Messenger HIPAA Compliant? appeared first on HIPAA Journal.

HIPAA Compliant Email Providers

Posted by HIPAA Journal

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages, and many choose to use HIPAA compliant email providers to ensure appropriate controls are applied to ensure the confidentiality, integrity, and availability of PHI.

There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop.

All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls 164.312(a)(1), audit controls 164.312(b), integrity controls 164.312(c)(1), authentication 164.312(d), and PHI must be secured in transit 164.312(e)(1).

Provided that an email service provider incorporates all of those controls, the service can be considered HIPAA-compliant. However, it is also necessary for an email service provider to enter into a contract with a HIPAA-covered entity in the form of a business associate agreement. Only then can the email service be used.

HIPAA-covered entities should bear in mind that HIPAA-compliant email is not the responsibility of the service provider. The service provider must only ensure appropriate safeguards are incorporated. It is the responsibility of the covered entity to ensure the solution is configured correctly, that staff are trained on the use of email and are made aware of the allowable uses and disclosures of PHI.

An email service alone will not satisfy all HIPAA requirements for email. Staff should also receive training on security awareness and be made aware of the threats that can arrive in inboxes. Technologies should also be implemented to reduce the risk of email-based attacks such as phishing. Some email service providers, but not all, scan inbound messages and block spam, malware and phishing emails.

Is Encryption for Email Mandatory?

That is a question asked by many healthcare organizations. While HIPAA compliant email providers encrypt all emails in transit, encryption is not mandatory. The HIPAA Security Rule only requires organizations to assess the need for encryption. A HIPAA-covered entity does not need to encrypt emails, if an alternative and equivalent control is used in its place.

One such control is the use of a secure email server located behind a firewall. In such cases, provided a risk assessment has been conducted and the reasons for not encrypting emails has been documented, encryption would not be required on all internal emails. Encryption would also not be necessary when sending emails to patients who have authorized a covered entity to communicate with them via email.

However, since most healthcare organizations need to submit payment claims via email, contact other healthcare organizations and refer patients, it is necessary to send emails outside the protection of the firewall. In such cases, encryption is necessary.

There are considerable risks sending sensitive information via email. Email is not a secure way of sending data. Emails must be created on one machine, be sent to an outbound email server, traverse the Internet, arrive at the recipient’s email server, before being delivered to the recipient’s device. Copies of emails can be on at least four different machines, and messages can easily be intercepted in transit.

The Department of Health and Human Services has already issued fines to covered entities that have used email services that are not HIPAA compliant. Phoenix Cardiac Surgery paid a $100,000 penalty for using insecure Internet-based email.

List of HIPAA Compliant Email Providers

Our list of HIPAA compliant email providers has been compiled to save you time in your search for a suitable email service provider. The list of HIPAA compliant email providers is not exhaustive. There are many other service providers that offer email services for healthcare organizations that meet the requirements of HIPAA. However, the list below is a good starting point.

All of the following providers offer a HIPAA-compliant email service and are willing to sign a business associate agreement.

  • Hushmail for Healthcare
  • VM Racks
  • NeoCertified
  • Paubox
  • Virtru
  • Atlantic
  • LuxSci
  • Apsida Mail
  • Protected Trust
  • MaxMD
  • EmailPros
  • MD OfficeMail
  • Delivery Trust from Identillect Technologies

The post HIPAA Compliant Email Providers appeared first on HIPAA Journal.

OCR Launches New Tools to Help Address the Opioid Crisis

Posted by HIPAA Journal

OCR has launched new tools and initiatives as part of its efforts to help address the opioid crisis in the U.S., and fulfil its obligations under the 21st Century Cures Act.

Two new webpages have been released – one for consumers and one for healthcare professionals – that make information relating to mental/behavioral health and HIPAA more easily accessible.

OCR resources have been reorganized to make the HHS website more user-friendly, and the new webpages serve as a one-stop resource explaining when, and under what circumstances, health information can be shared with friends, families, and loved ones to help them deal with, and prevent, emergency situations such as an opioid overdose or a mental health crisis.

OCR has also released new guidance on sharing information related to substance abuse disorder and mental health with individuals involved in the provision of care to patients. The new resources include fact sheets, decision charts, an infographic, and various scenarios that address the sharing of information when an individual has an opioid overdose.  Some of the materials have been developed specifically for parents of children suffering from a mental health condition.

OCR is also collaborating with partner agencies within the HHS to identify and develop further programs and training materials covering the permitted uses and disclosures of PHI when patients seek, or undergo, treatment for mental health disorders or substance abuse disorder.

“HHS is using every tool at its disposal to help communities devastated by opioids including educating families and doctors on how they can share information to help save the lives of loved ones,” said OCR Director, Roger Severino.

The Information Related to Mental and Behavioral Health can be accessed on the links below:

Webpage for consumers

Webpage for healthcare professionals and caregivers

Guidance on HIPAA and Research

OCR has also released updated guidance on HIPAA and research, as required by the 21st Century Cures Act. The new guidance explains how the HIPAA Privacy Rule applies to research, including when protected health information can be shared without first obtaining authorization from patients.

OCR explains that HIPAA-covered entities are always permitted to disclose PHI for research purposes if it has been de-identified in accordance with 45 CFR 164.502(d), and 164.514(a)-(c).

If PHI is not de-identified, authorization from patients is required unless the covered entity has obtained Documented Institutional Review Board (IRB) or Privacy Board Approval. In the guidance, OCR explains the criteria that must be satisfied to receive such approval.

The guidance can be viewed here.

OCR has also formed a working group that includes representatives of several federal agencies, patients, researchers, healthcare providers, privacy, security and technology experts. The working group will study uses and disclosures of PHI for research and the group will report on whether those uses and disclosures should be modified to facilitate research while ensuring individuals’ privacy rights are protected.

The post OCR Launches New Tools to Help Address the Opioid Crisis appeared first on HIPAA Journal.

Is Hotmail HIPAA Compliant?

Posted by HIPAA Journal

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI.

Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine if Hotmail is HIPAA-complaint, but the same will apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same.

HIPAA, Email and Encryption

There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security controls in place – See 45 CFR § 164.312(a), 45 CFR § 164.312(c)(1), and 45 CFR § 164.312(e)(1).

All email accounts are secured with a password, but not all email accounts securely send messages. If messages are not encrypted in transit, they could easily be intercepted and read by unauthorized individuals.

In order to be HIPAA-compliant, email messages should be encrypted in transit if they are sent outside the protection of an organization’s firewall. Encryption is not required if messages are sent internally and the messages are sent via a secure internal email server that sits behind a firewall.

Is Hotmail HIPAA Compliant?

Since Hotmail is a webmail service, it lies outside the protection of a firewall. In order to be HIPAA compliant, Hotmail would need to incorporate security controls to prevent messages from being intercepted. Hotmail uses HTTPS, so any information transferred between the browser and the Hotmail site is encrypted, and messages are also secured in transit.

However, while Microsoft says it does not scan the content of messages and will not sell that information to third-parties such as advertisers, Microsoft does have access to messages. Further, in order for an email service such as Hotmail to be HIPAA compliant, it would be necessary to first obtain a HIPAA-compliant business associate agreement with the email service provider.

Microsoft does offer business associate agreements for Office 365, but Office 365 does not include Hotmail or Outlook.com email accounts, which are free consumer email services. Microsoft does not offer any business associate agreements for its free consumer services.

Therefore, the answer to the question is Hotmail HIPAA compliant is no. Without a signed business associate agreement, Hotmail email accounts should not be used. The same applies to Gmail accounts and most other free consumer email services.

Can You Send PHI to a Patient’s Hotmail Account?

If your email system is secure and HIPAA-compliant, is it possible to send PHI to patients if they have a Hotmail account?

HIPAA does permit healthcare organizations to send PHI to patients via email, regardless of the email service provider the patient uses. However, it is not permitted to send emails to patients without first obtaining their consent to do so. When obtaining consent, you should communicate to patients that the sending of PHI via email is not secure and that their information could potentially be intercepted and viewed by individuals who are unauthorized to view that information.

If patients are informed of the risks, and confirm that they accept those risks, PHI can be sent via email, even if they have a Hotmail or Outlook.com email account. Covered entities should document that consent has been obtained and patients have opted in to receive information via email, including how you authenticated their identity.

The post Is Hotmail HIPAA Compliant? appeared first on HIPAA Journal.

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Posted by HIPAA Journal

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities.

Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed.

The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations, little has changed since the first phase of compliance audits were conducted in 2011/2012. Noncompliance with HIPAA is still widespread.

A few years ago, the risk of the discovery of a HIPAA violation was relatively low. Even when HIPAA violations were discovered, OCR rarely issued financial penalties. Similarly, even though the HITECH Act permits state attorneys general to issue fines for HIPAA violations, relatively few have exercised that right.

Today, the risk of HIPAA violations being discovered is significantly higher. Patients are now much more knowledgeable about their rights under HIPAA, and OCR has made it easy for them to file complaints about suspected HIPAA violations. HIPAA complaints are investigated by OCR.

The rise in cyberattacks on healthcare organizations mean data breaches are now far more likely to occur. A recent study by HIMSS Analytics/Mimecast showed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, while an Accenture/AMA report showed 83% of physicians have experienced a cyberattack.

OCR investigates all breaches of more than 500 records to determine whether HIPAA Rules are being followed. When a breach occurs, organizations’ HIPAA compliance programs will be scrutinized.

OCR has also stepped up enforcement of HIPAA Rules and financial penalties are far more common. Since January 1, 2016, there have been 20 settlements reached between OCR and HIPAA covered entities and their business associates, and two civil monetary penalties issued.

OCR has yet to state whether financial penalties will be pursued as a result of the HIPAA audits, but OCR is not expected to turn a blind eye to major HIPAA failures. Multiple violations of HIPAA Rules could well see financial penalties pursued.

The higher likelihood of a data breach occurring or a complaint being filed means noncompliance with HIPAA is likely to be discovered. But what are the costs of noncompliance with HIPAA? What are the incentives for ensuring all HIPAA Rules are followed?

The Cost of Noncompliance with HIPAA

The high cost of HIPAA noncompliance has been summarized in the infographic below:

 

The Cost of Noncompliance with HIPAA

The post Noncompliance with HIPAA Costs Healthcare Organizations Dearly appeared first on HIPAA Journal.

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Posted by HIPAA Journal

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture.

The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently.

83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare.

48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium to large practices were twice as likely to experience those types of cyberattacks than those at small practices.

When cyberattacks occur, they can result in considerable downtime. 64% of physicians said they experienced up to 4 hours of downtime following an attack, while 29% of physicians at medium-sized practices experienced downtime of up to one day.

Given the frequency of cyberattacks and the difficulty physician practices have at preventing those attacks, it is not surprising that the threat of attack is a major cause of concern. 55% of physicians were very or extremely worried about further cyberattacks at their practice. 74% said they were most concerned that future attacks would disrupt clinical practices and the same percentage were concerned that cyberattacks would result in breaches of patients’ protected health information. 53% were concerned that cyberattacks would have an impact on patient safety.

Physicians are aware that HIPAA compliance is important for cybersecurity, but simply doing the minimum and ensuring HIPAA requirements are met is not sufficient to prevent attacks. 83% of physicians said a more holistic approach to prioritizing risks is required than simply complying with HIPAA.

Kaveh Safavi, head of Accenture’s global practice said “Physician practices should not rely on compliance alone to enhance their security profile. Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”

Interestingly, while 87% of physicians believed their practice was compliant with HIPAA Rules, two thirds of physicians still have basic questions about HIPAA, suggesting their compliance programs may not be quite as comprehensive as they believe.

While the sharing of ePHI can introduce new risks, 85% believed PHI sharing was important, and 2 in 3 physicians thought that more access to patient data could improve the care provided to patients.

“New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data,” said AMA President David. O. Barbe.

The post AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack appeared first on HIPAA Journal.