BillingTree Completes 2017 PCI-DSS 3.2, HIPAA(ePHI) & SSAE-16 Certification of Validation – Broadway World

PHOENIX, Sept. 20, 2017 /PRNewswire/ BillingTree announced today it has successfully completed the PCI-DSS Level 1, version 3.2 audit. The attestation of certification (AOC) was issued August 30th, 2017 by an authorized Third Party Assessor and a ...

BillingTree Completes 2017 PCI-DSS 3.2, HIPAA(ePHI) & SSAE-16 Certification of Validation – PR Newswire (press release)

PHOENIX, Sept. 20, 2017 /PRNewswire/ -- BillingTree® announced today it has successfully completed the PCI-DSS Level 1, version 3.2 audit. The attestation of certification (AOC) was issued August 30th, 2017 by an authorized Third Party Assessor and a ...

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018.

Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules.

In addition to the audit program, any HIPAA-covered entity that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website.

The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the second round of audits. Also, the past two years have seen an increase in financial penalties for noncompliance with HIPAA Rules discovered during investigations of complaints and data breaches.

There is now an elevated risk of an audit or investigation and OCR is issuing more fines for noncompliance. Consequently, covered entities cannot afford to take chances. Many healthcare organizations are turning to HIPAA compliance software and are seeking assistance from compliance experts to ensure their compliance programs are comprehensive and financial penalties are avoided.

Imperial Valley Family Care Medical Group Calls in HIPAA Compliance Experts

Imperial Valley Family Care Medical Group is a multi-specialty physicians' group with 16 facilities spread throughout California. IVFCMG was not selected for a desk audit, but following the theft of a laptop computer, OCR investigated the breach. IVFCMG was required to demonstrate compliance with HIPAA Rules and provide documentation showing that the breach was not caused by a failure to follow HIPAA Rules.

Covered entities may fear a comprehensive HIPAA audit, but investigations into data breaches are also comprehensive. OCR often requires considerable documentation to be provided to assess compliance following any breach of protected health information. In the case of IVFCMG, OCR’s investigation was comprehensive.

Responding to OCR's comprehensive questions in a timely manner was essential. IVFCMG, like any covered entity that is investigated or selected for an audit, had to be careful how it responded: all questions must be answered promptly and backed up with appropriate documentation.

As we have already seen this year, if HIPAA Rules are not followed to the letter after a data breach is experienced, fines can follow. Presence Health was fined $475,000 by OCR for potential violations of the HIPAA Breach Notification Rule following a breach of PHI.

Following the breach, IVFCMG turned to a third-party firm for assistance and contacted the Compliancy Group. By using the firm’s Breach Response Program, IVFCMG was able to ensure all of the required actions were completed, in the right time frame, and all of those processes were accurately documented.

The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software platform. Compliancy Group simplifies HIPAA compliance, allowing healthcare professionals to confidently run their practice while meeting all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” methodology to ensure continued compliance, with covered entities guided by HIPAA compliance experts all the way.

IVFCMG’s Chief Strategic Officer, Don Caudill, said “Their experts provided us with a full report and documentation proving that our HIPAA compliance program satisfied the law – which ultimately helped us avoid hundreds of thousands of dollars in fines.” When OCR responded to the initial breach report asking questions about another aspect of HIPAA Rules, IVFCMG was able to respond in a timely fashion and provide the evidence to prove it was in compliance.

HIPAA compliance software helps covered entities pass a HIPAA audit, respond appropriately when OCR investigates data breaches and complaints, and avoid fines for non-compliance. OCR has increased its enforcement activity over the past two years and healthcare data breaches are on the rise. Non-compliance with HIPAA Rules is therefore much more likely to be discovered and result in financial penalties.

Small to medium-sized HIPAA-covered entities with limited resources to dedicate to HIPAA compliance can benefit the most from using HIPAA compliance software and receiving external assistance from HIPAA compliance experts.

“Responding to a HIPAA audit requires sensitivity and expertise,” Bob Grant, Chief Compliance Officer of Compliancy Group, told HIPAA Journal. “As a former auditor, I’ve developed The Guard and our Audit Response Program to satisfy the full extent of the HIPAA regulatory requirements. Giving federal auditors everything they need to assess the compliance of your organization is our number one goal. Our Audit Response Program is the only program in the industry to give health care professionals the power to illustrate their compliance so they can get back to running their business in the aftermath of a HIPAA audit.”

The post The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit appeared first on HIPAA Journal.

1,081 St. Louis Patients Alerted About Improper PHI Disclosure

1,081 patients of the MS Center of Saint Louis and Mercy Clinic Neurology Town and Country are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third-parties, even though they may not have given their permission to be contacted.

HIPAA Rules do not permit patients to be contacted for marketing or research purposes unless consent to do so has first been obtained. However, an error resulted in patients' information being disclosed to third parties, and patients may be contacted by telephone, mail or email as a result.

The MS Center and Mercy Clinic Neurology Town and Country report that medication onboarding forms were accidentally provided to pharmaceutical companies, even though the forms had not been signed by patients. The error also means patients’ protected health information has been impermissibly disclosed.

Protected health information detailed on the forms includes names, email addresses, telephone numbers, home addresses, health insurance information, and in some cases, treatment and prescription information and Social Security numbers.

Due to the sensitive nature of the information disclosed, there is a possibility that the information could be used inappropriately, although MS Center and Mercy Clinic Neurology Town and Country believe the information has not been used for any purpose other than marketing and research. However, out of an abundance of caution, all affected individuals have been given the opportunity to register for 12 months of credit monitoring and identity theft protection services without charge.

Upon discovery of the error, an internal investigation was launched and staff potentially involved were interviewed about the incident. Policies and procedures have now been changed to prevent similar incidents from occurring in the future.

The post 1,081 St. Louis Patients Alerted About Improper PHI Disclosure appeared first on HIPAA Journal.

Florida Healthy Kids Corporation Announces 2,000 Patients Impacted by Phishing Scam

Reports of phishing attacks on healthcare organizations are arriving thick and fast. The latest HIPAA-covered entity to announce it has fallen victim to a phishing scam is Florida Healthy Kids Corporation, an administrator of the Florida KidCare program.

On July 25, 2017, phishing emails started to arrive in the inboxes of members of staff, some of whom responded and inadvertently gave the attackers access to the sensitive information of members of the KidCare program. The phishing attack was identified the following day and access to the compromised email accounts was immediately blocked. While the incident was mitigated promptly, the attackers had access to email accounts and data contained in those accounts for approximately 24 hours.

During that time, it is possible that the emails were accessed and sensitive information copied, although no reports of abuse of that information have been received and it is not clear whether any information was actually stolen.

An analysis of the compromised email accounts revealed the personal information of 2,000 individuals was potentially accessed. On September 7, 2017, 1,700 individuals were notified by mail that their information had potentially been compromised. The remaining 300 could not be contacted because no valid contact information was held. A substitute breach notice has been uploaded to the healthykids.org website, and a notice has been added to all online accounts to alert affected individuals when they next log in.

The types of information exposed include names, addresses, phone numbers, family account numbers, and Social Security numbers. Since passwords were not exposed, Florida KidCare online family accounts could not be accessed by the attackers. Individuals impacted by the breach have been offered credit monitoring services for 12 months without charge through LifeLock.

Florida Healthy Kids Corporation said policies and procedures will be updated to prevent similar breaches from occurring in the future.

The post Florida Healthy Kids Corporation Announces 2,000 Patients Impacted by Phishing Scam appeared first on HIPAA Journal.

Compliancy Group’s HIPAA Audit Response Program™ Helps Client Pass HIPAA Audit – PR Web (press release)

In this case, the HIPAA experts behind Compliancy Group's Audit Response Program responded as soon as the client called to report the potential violation. Compliancy Group is here to help our clients satisfy the law because we believe that patients ...

WEDI: HIPAA compliance, payment recoupment concerns inhibit electronic payment adoption – FierceHealthcare

HIPAA noncompliance among payers and concerns about overpayment recovery among providers are among the issues identified by a national health IT workgroup that has limited the adoption of electronic payments designed to streamline administrative ...