HIPAA Clicks https://hipaaclicks.com
Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information
Mon, 18 Dec 2017 00:12:38 +0000

The HIPAA Security Rule and Cloud Computing – ThinkAdvisor http://news.google.com/news/url?sa=t&fd=R&ct2=us&usg=AFQjCNHRkT4WCS49U88ouR4m7ghP4DNMpA&clid=c3a7d30bb8a4878e06b80cf16b898331&ei=f8k2WsCWN4mUzQLDmo-QDw&url=http://www.thinkadvisor.com/2017/12/16/the-hipaa-security-rule-and-cloud-computing?t%3Dannuities?ref%3Dchannel-blogs Sat, 16 Dec 2017 11:54:05 +0000 https://hipaaclicks.com/?guid=632bfa93f7cd573c87926f9ede888554
ThinkAdvisor
The HIPAA Security Rule regarding electronic transactions requires administrative, physical, and technical safeguards detailed under eighteen standards to ensure the confidentiality, integrity, and availability of electronic protected health ...

70% of Healthcare Organizations Have Adopted Off-Premises Computing https://www.hipaajournal.com/70-healthcare-organizations-adopted-off-premises-computing/ Fri, 15 Dec 2017 14:40:06 +0000 https://www.hipaajournal.com/?p=8766

A recent survey of 144 U.S.-based healthcare organizations has shown that the majority have already adopted off-premises computing for applications and IT infrastructure.

The popularity of off-premises solutions is growing steadily. The KLAS Research study revealed 70% of healthcare organizations have moved at least some of their applications and IT infrastructure to the cloud. Out of the organizations that have, almost 60% are using a cloud or hosting environment for EHR applications.

69% of healthcare organizations said they would consider utilizing off-premises cloud solutions, or are actively expanding the use of those solutions.

Cerner is the leader in off-premises computing for EHR applications, although Epic is attracting considerable interest, with many of its customers considering switching from its on-premises solutions to its data center.

One of the fastest growing areas is Infrastructure-as-a-Service (IaaS), as it lets healthcare organizations use off-premises infrastructure rather than having to build a data center.

Amazon is the market leader and the most commonly considered provider for IaaS and PaaS, with Microsoft a close second. Microsoft is the most commonly considered provider across all off-premises options, and is also the provider most often chosen by organizations just venturing into cloud computing, which typically start with Office 365 before exploring other Microsoft cloud products.

The biggest driver pushing healthcare organizations to the cloud is the opportunity to reduce costs, both capital outlay and operational costs. Many healthcare organizations that have started transitioning to the cloud have done so to free up capital that would otherwise go into on-premises hardware and infrastructure, so that it can be invested elsewhere.

51% of organizations are considering the cloud to reduce costs, 40% said the cloud was being researched to address resource constraints, 29% saw the cloud as a way to enhance services and capabilities, while 11% said the cloud could help them improve their system performance. Only 9% saw the cloud as a way to improve security.

Security and privacy of off-premises solutions are causing the most concern: 31% of provider organizations said they are concerned about cloud computing, especially security vulnerabilities that could put the privacy of data at risk.

Out of the organizations that are considering using the cloud, most are considering using the cloud for backups, email archives, storage, file sharing, and non-clinical applications. Most healthcare organizations were apprehensive about moving sensitive protected health information to the cloud.

One area that has seen significant growth is use of the cloud for enterprise resource planning (ERP) or human capital management (HCM) applications. 17% of surveyed companies had already moved ERP and/or HCM applications to the cloud with almost three quarters doing so through a hosted deployment model.

KLAS believes more healthcare organizations will choose to switch to the cloud in the future as more options become available. KLAS reports that most software vendors have started developing cloud-based solutions in addition to their on-premises solutions, and many healthcare organizations are likely to make the switch.

The post 70% of Healthcare Organizations Have Adopted Off-Premises Computing appeared first on HIPAA Journal.

Is Hotmail HIPAA Compliant? https://www.hipaajournal.com/hotmail-hipaa-compliant/ Fri, 15 Dec 2017 12:45:36 +0000 https://www.hipaajournal.com/?p=8763

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information (PHI) via a Hotmail account can be considered a HIPAA-compliant method of communication. In this post we answer the question of whether Hotmail is HIPAA compliant, and whether the webmail service can be used to send PHI.

Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has since been replaced with Outlook.com. In this post we will determine whether Hotmail is HIPAA compliant, but the same applies to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same.

HIPAA, Email and Encryption

There is a common misconception that all email is HIPAA compliant. For an email service to be HIPAA compliant, it must incorporate security controls that prevent unauthorized individuals from gaining access to accounts, and any information sent via the service must be secured so that messages cannot be intercepted. There must be access controls, integrity controls, and transmission security controls in place; see 45 CFR § 164.312(a), 45 CFR § 164.312(c)(1), and 45 CFR § 164.312(e)(1).

All email accounts are secured with a password, but not all email services send messages securely. If messages are not encrypted in transit, they can be intercepted and read by unauthorized individuals.

To be HIPAA compliant, email messages should be encrypted in transit if they are sent outside the protection of an organization's firewall. Encryption is not required if messages are sent internally via a secure internal email server that sits behind a firewall. Note that encryption is an addressable implementation specification under the Security Rule (45 CFR § 164.312(e)(2)(ii)): a decision not to encrypt internal mail has to be justified and documented in the organization's risk analysis rather than simply assumed.

Is Hotmail HIPAA Compliant?

Since Hotmail is a webmail service, it lies outside the protection of the organization's firewall, so it would need its own security controls to prevent messages from being intercepted. Hotmail uses HTTPS, so information transferred between the browser and the Hotmail site is encrypted. Delivery onward to another provider's mail server is a separate hop: that connection is encrypted only if the two servers negotiate TLS for the SMTP session (opportunistic STARTTLS), which depends on the receiving server supporting it, so a message is not guaranteed to be protected for its whole journey.
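Whether a receiving mail server offers transport encryption can be checked rather than assumed. The following is an added example, not code from HIPAA Journal or Microsoft: it parses a server's EHLO reply and reports whether STARTTLS is offered. The two sample replies and the host names in them are constructed for illustration, and the live probe at the bottom assumes outbound port 25 is reachable and that you have already looked up the domain's MX host (for example with `dig MX example.org`).

```python
"""Check whether a mail server advertises STARTTLS in its EHLO reply.

Added example, not code from HIPAA Journal or Microsoft. The sample EHLO
replies are constructed (hypothetical host names); the live probe needs
outbound access to port 25, which many networks block.
"""
import smtplib
import sys


def parse_ehlo_extensions(reply: str) -> dict[str, str]:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: parameters}.

    The first 250 line is the server greeting and names no extension;
    each following '250-' or '250 ' line carries one ESMTP keyword,
    optionally followed by parameters (e.g. 'SIZE 157286400').
    """
    extensions: dict[str, str] = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the greeting line
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def starttls_offered(extensions: dict[str, str]) -> bool:
    """True when the server lets the client upgrade the session to TLS."""
    return "STARTTLS" in extensions


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: connect, send EHLO, report whether STARTTLS is offered.

    Pass an MX host you have already resolved; this does not look up MX
    records itself.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed sample replies (hypothetical host names, not captured traffic).
EHLO_WITH_STARTTLS = """\
250-mx.example-mail.test Hello [203.0.113.5]
250-SIZE 157286400
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250 SMTPUTF8
"""

EHLO_CLEARTEXT_ONLY = """\
250-legacy-relay.example-clinic.test Hello [203.0.113.5]
250-SIZE 10485760
250-PIPELINING
250 8BITMIME
"""


if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            state = "offered" if probe_mx(host) else "NOT offered"
            print(f"{host}: STARTTLS {state}")
        except (OSError, smtplib.SMTPException) as exc:
            print(f"{host}: probe failed ({exc})")
```

A server that offers STARTTLS still only gives opportunistic protection: an active attacker on the path can strip the advertisement and force a cleartext session unless the sending side enforces TLS (MTA-STS or DANE). For PHI, that is one more reason the post's conclusion below holds: rely on a service covered by a business associate agreement, not on the presence of STARTTLS.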

However, while Microsoft says it does not scan the content of messages and will not sell that information to third-parties such as advertisers, Microsoft does have access to messages. Further, in order for an email service such as Hotmail to be HIPAA compliant, it would be necessary to first obtain a HIPAA-compliant business associate agreement with the email service provider.

Microsoft does offer business associate agreements for Office 365, but Office 365 does not include Hotmail or Outlook.com email accounts, which are free consumer email services. Microsoft does not offer any business associate agreements for its free consumer services.

Therefore, the answer to the question is Hotmail HIPAA compliant is no. Without a signed business associate agreement, Hotmail email accounts should not be used. The same applies to Gmail accounts and most other free consumer email services.

Can You Send PHI to a Patient’s Hotmail Account?

If your email system is secure and HIPAA-compliant, is it possible to send PHI to patients if they have a Hotmail account?

HIPAA does permit healthcare organizations to send PHI to patients via email, regardless of the email service provider the patient uses. However, it is not permitted to send emails to patients without first obtaining their consent. When obtaining consent, you should communicate to patients that sending PHI via email is not secure and that their information could be intercepted and viewed by individuals who are not authorized to see it.

If patients are informed of the risks and confirm that they accept them, PHI can be sent via email, even to a Hotmail or Outlook.com account. Covered entities should document that consent has been obtained and that patients have opted in to receive information via email, including how the patient's identity was authenticated.

The post Is Hotmail HIPAA Compliant? appeared first on HIPAA Journal.

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR https://www.hipaajournal.com/2-3-million-21st-century-oncology-hipaa-settlement-agreed-ocr/ Fri, 15 Dec 2017 11:12:05 +0000 https://www.hipaajournal.com/?p=8758

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI.

The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual had accessed and stolen information from one of its patient databases.

21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and determined that the network SQL database was potentially first accessed on October 3, 2015. The database was accessed via Remote Desktop Protocol (RDP) from an Exchange server within 21st Century Oncology's network; that is, it was reached laterally from another internal host rather than directly from the internet. The database contained the protected health information of 2,213,597 individuals.

As with all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That investigation uncovered multiple potential violations of HIPAA Rules.

OCR determined that 21st Century Oncology failed to conduct a comprehensive, organization-wide risk assessment to determine the potential risks to the confidentiality, integrity, and availability of electronic protected health information, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

21st Century Oncology was also determined to have failed to implement security measures sufficient to reduce risks to a reasonable and appropriate level, as required by 45 C.F.R. § 164.306(a).

21st Century Oncology also failed to implement procedures to regularly review records of information system activity, including audit logs, access reports, and security incident tracking reports, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D).
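The access path described above (an RDP session to the database server opened from a mail server) is exactly the kind of event that the activity review required by § 164.308(a)(1)(ii)(D) is meant to surface. The following is an added example, not code from the 21st Century Oncology investigation or from OCR, showing the shape such a review can take: it reads exported logon events, keeps only successful RDP sessions (Windows Security event 4624 with LogonType 10) to a database server, and flags any whose source host is not on the approved admin list. The event rows, host names, IP addresses and allow-list are all constructed for illustration.

```python
"""Flag RDP logons to a database server from hosts that should never RDP to it.

Added example; not from the 21st Century Oncology investigation or OCR.
The event rows, host names, addresses and allow-list are constructed.
Field names follow Windows Security event 4624, where LogonType 10
(RemoteInteractive) is an RDP session.
"""
import csv
import io
from dataclasses import dataclass

SUCCESSFUL_LOGON = "4624"
RDP_LOGON_TYPE = "10"

# Constructed sample events, in the shape of a SIEM CSV export.
SAMPLE_EVENTS = """\
time,event_id,logon_type,target_host,source_ip,account
2015-10-03T02:14:09Z,4624,10,SQLDB01,10.20.30.15,svc_backup
2015-10-03T09:00:12Z,4624,10,SQLDB01,10.20.1.10,dba.jane
2015-10-03T09:05:44Z,4624,3,SQLDB01,10.20.40.7,app_pool
2015-10-04T23:58:01Z,4624,10,SQLDB01,10.20.30.15,svc_backup
2015-10-05T01:02:03Z,4624,10,SQLDB01,198.51.100.9,dba.jane
"""

# Hypothetical asset inventory: which host owns which internal address.
HOST_BY_IP = {
    "10.20.30.15": "EXCH01",     # mail server
    "10.20.1.10": "ADMIN-JUMP",  # admin jump host
    "10.20.40.7": "WEBAPP01",
}

# Hypothetical policy: only the jump host may open RDP sessions to the DB server.
ALLOWED_RDP_SOURCES = {"SQLDB01": {"ADMIN-JUMP"}}


@dataclass(frozen=True)
class Finding:
    time: str
    target_host: str
    source_host: str
    source_ip: str
    account: str
    reason: str


def parse_events(text: str) -> list[dict[str, str]]:
    """Read the CSV export into one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_rdp_logons(events, host_by_ip, allowed_sources) -> list[Finding]:
    """Return RDP logons to policed hosts whose source is unknown or not approved."""
    findings: list[Finding] = []
    for ev in events:
        if ev["event_id"] != SUCCESSFUL_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only successful RDP sessions matter here
        target = ev["target_host"]
        if target not in allowed_sources:
            continue  # no RDP policy defined for this host
        source_host = host_by_ip.get(ev["source_ip"])
        if source_host is None:
            reason = "RDP from an address that is not in the host inventory"
        elif source_host not in allowed_sources[target]:
            reason = f"RDP from {source_host}, which is not an approved admin source"
        else:
            continue  # approved jump host
        findings.append(Finding(ev["time"], target, source_host or "unknown",
                                ev["source_ip"], ev["account"], reason))
    return findings


if __name__ == "__main__":
    for f in suspicious_rdp_logons(parse_events(SAMPLE_EVENTS), HOST_BY_IP, ALLOWED_RDP_SOURCES):
        print(f"{f.time} {f.target_host} <- {f.source_host} ({f.source_ip}) as {f.account}: {f.reason}")
```

The rule is deliberately an allow-list on the source host rather than a signature for a particular attacker: a mail server, a web server or an address missing from the inventory has no business opening an interactive session on a database server, and a review that runs this query daily would have raised the October 3 access on the first morning rather than leaving it for the FBI to report weeks later.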

The breach resulted in the impermissible disclosure of the protected health information of 2,213,597 patients.

Further, protected health information of patients was disclosed to business associates without first entering into a HIPAA-compliant business associate agreement and obtaining satisfactory assurances that HIPAA requirements would be followed.

To resolve those potential HIPAA violations, 21st Century Oncology agreed to pay OCR $2.3 million. In addition to the financial settlement, 21st Century Oncology has agreed to adopt a comprehensive corrective action plan (CAP) to bring its policies and procedures up to the standards demanded by HIPAA.

Under the CAP, 21st Century Oncology must appoint a compliance officer, revise its policies and procedures with respect to system activity reviews, access establishment, modification and termination, conduct an organization-wide risk assessment, develop internal policies and procedures for reporting violations of HIPAA Rules, and train staff on new policies.

21st Century Oncology is also required to engage a qualified, objective, and independent assessor to review compliance with the CAP.

Separate $26 Million Settlement Resolves Meaningful Use, Stark Law, and False Claims Act Violations

In addition to the OCR settlement resolving potential HIPAA violations, 21st Century Oncology has agreed to a $26 million settlement with the Department of Justice to resolve allegations that it submitted false or inflated Meaningful Use attestations in order to receive incentive payments. 21st Century Oncology self-reported that employees had falsely submitted information relating to its use of EHRs to avoid downward payment adjustments. Fabricated reports were also submitted, with the logos of EHR vendors superimposed on them to make them appear genuine.

The settlement also resolves allegations that the False Claims Act was violated by submitting or enabling the submission of claims that involved kickbacks for physician referrals, and also violations of the Stark Law, which covers physician self-referrals.

According to the Department of Justice, “The Stark Law prohibits an entity from submitting claims to Medicare for designated health services performed pursuant to referrals from physicians with whom the entity has a financial relationship unless certain designated exceptions apply.”

“We appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures,” said Middle District of Florida Acting U.S. Attorney Stephen Muldrow.

In addition to paying the settlement amount, 21st Century Oncology has entered into a 5-year Corporate Integrity Agreement with the HHS’ Office of Inspector General (OIG).

The post $2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR appeared first on HIPAA Journal.

Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI https://www.hipaajournal.com/texas-pennsylvania-data-breaches-exposed-5000-patients-phi/ Fri, 15 Dec 2017 11:00:50 +0000 https://www.hipaajournal.com/?p=8756

Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA, have announced they have discovered patients’ protected health information has been exposed.

Washington Health System Greene Discovers Hard Drive Missing

Washington Health System Greene is alerting 4,145 patients that some of their protected health information has been exposed after a hard drive was discovered to be missing.

A portable hard drive used with a bone densitometry machine in the Radiology department was discovered to be missing on October 11, 2017. While it is possible that the hard drive may have been misplaced, a search of the hospital did not uncover the device, and the missing device has been reported to the Pennsylvania State Police Department as a potential theft.

The device contained information on patients who visited the hospital for bone density scans between 2007 and October 11, 2017. The information stored on the device was limited to names, height, weight, race, and gender, while some patients also had details of health issues, the name of their prescribing physician, and medical record numbers stored on the device. No financial information, Social Security numbers, insurance details, or other highly sensitive information was exposed.

As required by HIPAA, patients have been notified of the breach. Given the limited nature of the data exposed, Washington Health System Greene does not believe patients are at risk of identity theft or fraud even if the device was stolen.

Midland Memorial Hospital Discovers Email Account Compromise

Midland Memorial Hospital has experienced a breach of a limited amount of patients’ protected health information. More than 1,000 patients are understood to have been affected.

Midland Memorial Hospital discovered that an unauthorized individual had gained access to the email account of a hospital employee, in what appears to have been an attempted Business Email Compromise (BEC) attack. The attacker's aim appears to have been to trick employees into making bank transfers to a fraudulent bank account.

The breach was discovered on October 13, 2017, with access to the email account believed to have been gained on or around October 10. Upon discovery, access to the email account was terminated and a full investigation was conducted. The account was found to contain some protected health information, including first and last names, medical record numbers, account numbers, and information relating to radiology procedures performed at the hospital between August and September 2017. No financial information, driver's license numbers, or Social Security numbers were exposed, and no evidence has been found to suggest that any patient information has been used inappropriately.

Midland Memorial Hospital has taken steps to prevent further incidents of this nature from occurring, including revising policies and procedures and retraining staff.

The post Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI appeared first on HIPAA Journal.

Comprehensive Health Services Completes HIPAA Data Security Compliance Audit – GovConWire http://news.google.com/news/url?sa=t&fd=R&ct2=us&usg=AFQjCNG-GdQRv0V5dieTWmVWeBnAviaf-g&clid=c3a7d30bb8a4878e06b80cf16b898331&cid=52779718552163&ei=5NwyWoDuBYuKzgLCypLIBg&url=https://www.govconwire.com/2017/12/comprehensive-health-services-completes-hipaa-data-security-compliance-audit/ Thu, 14 Dec 2017 20:12:11 +0000 https://hipaaclicks.com/?guid=beda2076661bd8e00fbcb8a2c903e1ce
GovConWire
TYSONS CORNER, VA, Dec. 14, 2017 — Comprehensive Health Services Inc. has undergone an assessment of its compliance with the Health Insurance Portability and Accountability Act data security requirements as part of an annual audit by GuidePoint ...

Coalfire Validates Deep Instinct Endpoint Protection for HIPAA Compliance – SYS-CON Media (press release) http://news.google.com/news/url?sa=t&fd=R&ct2=us&usg=AFQjCNH7BmyoPZlj81HGjO4uWp8rA5aQIA&clid=c3a7d30bb8a4878e06b80cf16b898331&cid=52779718470929&ei=XeQyWrW5LpCHzgLoj5rgBA&url=http://news.sys-con.com/node/4210926 Thu, 14 Dec 2017 18:05:39 +0000 https://hipaaclicks.com/?guid=cfeb181975a1d121549f4815427e24df
SYS-CON Media (press release)
Healthcare organizations must comply with the stringent requirements of the Health Insurance Portability and Accountability Act (HIPAA), a US legislation passed in 1996 to protect the security and privacy of individually identifiable health information ...

Coalfire Validates Deep Instinct Endpoint Protection for HIPAA Compliance – Digital Journal http://news.google.com/news/url?sa=t&fd=R&ct2=us&usg=AFQjCNHAgqRPEqEGenhd5o8YbupUFCOpWA&clid=c3a7d30bb8a4878e06b80cf16b898331&cid=52779718470929&ei=V-gyWpjaCYPOzQLk2a2wDg&url=http://www.digitaljournal.com/pr/3595859 Thu, 14 Dec 2017 18:02:58 +0000 https://hipaaclicks.com/?guid=f05c304512c9431d1c6a946b66944f9b
Digital Journal (same press release as above)

Coalfire Validates Deep Instinct Endpoint Protection for HIPAA Compliance – Business Wire (press release) http://news.google.com/news/url?sa=t&fd=R&ct2=us&usg=AFQjCNFZk21KPmc6TlX70Y5r4FF2LkOSpA&clid=c3a7d30bb8a4878e06b80cf16b898331&cid=52779718470929&ei=6sAyWsCZNoadzQKxuIJg&url=https://www.businesswire.com/news/home/20171214006054/en/Coalfire-Validates-Deep-Instinct-Endpoint-Protection-HIPAA Thu, 14 Dec 2017 18:00:34 +0000 https://hipaaclicks.com/?guid=8d9e203613f77976002bc1e5740ceecb
Business Wire (press release; same press release as above)

Illinois Physicians Network Discovers Paper Records Missing from Storage Facility https://www.hipaajournal.com/illinois-physicians-network-discovers-paper-records-missing-storage-facility/ Thu, 14 Dec 2017 14:35:49 +0000 https://www.hipaajournal.com/?p=8754

Over the past two months there have been several data breaches reported by HIPAA-covered entities involving the loss or theft of physical records. In November, 7 breaches involving paper records were reported to the HHS’ Office for Civil Rights, and a further 5 incidents were reported the previous month.

Now another incident has been reported in Illinois. Franciscan Physician Network of Illinois and Specialty Physicians of Illinois LLC have discovered payment records that were kept in a storage facility are missing. The storage facility in Chicago Heights was shared by both physician groups.

The loss/theft of the paperwork is one of the largest breaches of the past few months, potentially impacting as many as 22,000 patients. The payment records were from 2015-2017 and 2010.

The boxes of files were confirmed missing on November 21, 2017, and notifications were issued on December 13, 2017. The loss was discovered when a routine records request could not be fulfilled because the records could not be located. An inventory of the storage facility was conducted, and 40 boxes of files were determined to be missing and potentially stolen.

The records only contained a limited amount of patient information related to payments received, and included names and addresses, payment methods, payment amounts, office location, and the last four digits of credit card numbers. For a limited number of patients who paid their bill by check, their routing number, bank account number and Social Security number were also present in the files.

Some of the records from 2010 may also have included insurance ID numbers, facility-assigned account numbers, dates of birth, type of visit, diagnoses, provider names and addresses, dates of service, descriptions of services provided, and procedure codes.

While it is a possibility that the files have been stolen, foul play is not suspected. Out of an abundance of caution, individuals impacted by the incident have been offered two years of identity theft protection services without charge.

The post Illinois Physicians Network Discovers Paper Records Missing from Storage Facility appeared first on HIPAA Journal.
