July 22, 2021

While there might not be such a thing as a real-life fairy godmother, technology has granted us the power to access a whole world of information with just a click of a mouse. Anything from research and shopping to chatting with friends is now so simple it almost seems like magic, but this “instant-access” ability is a double-edged sword when it comes to the privacy and security risks that follow in its wake.

Now if there’s one industry that truly feels the twofold weight of technology, it’s healthcare. While sharing, receiving, and storing electronic protected health information (ePHI) is easier than it has ever been, the heightened number of healthcare data breaches and cyber attacks seen over recent years has exposed the ‘Achilles’ heel’ of technology’s power of accessibility. This ongoing battle between ease of access and security risk has been the topic of several Office for Civil Rights (OCR) alerts shared over the past year, and most recently the main focus of the OCR’s Summer 2021 Cybersecurity Newsletter.

The newsletter, titled “Controlling Access to ePHI: For Whose Eyes Only?”, highlights a recent report that found that “61% of analyzed data breaches in the healthcare sector were perpetrated by external threat actors.” So while most healthcare organizations know not to hand the keys of the castle to just anyone, technology has made access possible for virtually anyone with a decent internet connection. But the even more striking statistic featured in the newsletter? It’s not just hackers you have to worry about: the same security incident report found that 39% of those data breaches were committed by insiders. Though most fairy tales feature an evil villain, these insider breaches aren’t always the result of a malicious act. Alongside the multi-million-dollar hacking schemes we see all too often are stories of staff impermissibly accessing ePHI or leaving sensitive data unattended.
So if you’re wondering how you can best protect your practice, the answer is to have the proper authorization policies, procedures, and controls in place. When it comes to those necessary policies and controls, the HIPAA Security Rule identifies certain standards and specifications that healthcare organizations are required to implement. The two standards, Information Access Management and Access Control, are administrative and technical safeguards that work in tandem to protect and secure ePHI – but what exactly do they entail?

Information Access Management

This standard essentially defines how access to ePHI is authorized and requires HIPAA-covered entities and business associates to implement policies and procedures regarding information access. So, what do some of these specific policies include?

Access Control

In addition to the administrative requirement for access management, Access Control is a technical safeguard that actually limits the availability of that ePHI based on the organization’s Information Access Management policy. The OCR’s newsletter frames the necessary controls in keeping with the “flexible, scalable, and technology-neutral nature of the Security Rule” and provides a wide range of control mechanisms for organizations to consider and implement where they fit. The standard also carries four implementation specifications, which include:

So as complementary requirements of the HIPAA Security Rule, your organization is expected to have these standards in place to best prevent both outsider and insider threats. And while it would be nice if you could just have a knight in shining armor there to guard your practice from cyber threats and impermissible ePHI access – implementing the safeguards above, and ensuring all staff members are trained on proper access, is the next best thing.
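To make the “work in tandem” point concrete, here is an added illustration (not code from Abyde or the OCR) of how an administrative policy and a technical control fit together: the Information Access Management policy is written down as a role-to-record table, and an Access Control layer enforces it on every request and records every allow or deny decision. The roles, record classes, user ids and patient ids are all constructed for this example; a real practice’s policy, roles and audit format will differ.

```python
"""Policy-driven access control for ePHI, with an audit trail.

Added illustration; not Abyde's or the OCR's code. The policy table,
roles, record classes, users and patient ids are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Information Access Management: the *administrative* policy, captured as
# data. Each role lists the ePHI record classes it may use and the actions
# it may take on them. (Constructed sample policy.)
ACCESS_POLICY = {
    "physician":  {"clinical": {"read", "write"}, "billing": {"read"}},
    "billing":    {"billing": {"read", "write"}},
    "front_desk": {"demographics": {"read", "write"}},
}


@dataclass(frozen=True)
class User:
    user_id: str      # one id per person; shared logins defeat accountability
    role: str
    active: bool = True


@dataclass(frozen=True)
class Record:
    patient_id: str
    record_class: str  # "clinical", "billing" or "demographics"


@dataclass
class AuditEntry:
    ts: str
    user_id: str
    patient_id: str
    record_class: str
    action: str
    allowed: bool
    reason: str


class EphiAccessControl:
    """Access Control: the technical safeguard that enforces ACCESS_POLICY."""

    def __init__(self, policy=ACCESS_POLICY):
        self.policy = policy
        self.audit_log: list[AuditEntry] = []

    def check(self, user: User, record: Record, action: str) -> bool:
        allowed, reason = self._decide(user, record, action)
        # Every decision is logged, denials included: a run of denials is
        # the signal that a workforce member tried to view ePHI outside
        # their authorization.
        self.audit_log.append(AuditEntry(
            ts=datetime.now(timezone.utc).isoformat(),
            user_id=user.user_id, patient_id=record.patient_id,
            record_class=record.record_class, action=action,
            allowed=allowed, reason=reason))
        return allowed

    def _decide(self, user, record, action):
        if not user.active:
            return False, "account disabled"
        perms = self.policy.get(user.role)
        if perms is None:
            return False, f"unknown role {user.role!r}"
        if action not in perms.get(record.record_class, set()):
            return False, f"role {user.role!r} may not {action} {record.record_class}"
        return True, "permitted by policy"


def denied_attempts(acl, min_count=1):
    """Audit review: users with at least min_count denied ePHI requests."""
    counts = {}
    for entry in acl.audit_log:
        if not entry.allowed:
            counts[entry.user_id] = counts.get(entry.user_id, 0) + 1
    return {u: c for u, c in counts.items() if c >= min_count}


def demo():
    """Run a few constructed requests through the control and review the log."""
    acl = EphiAccessControl()
    doctor = User("u1001", "physician")
    clerk = User("u2002", "front_desk")
    former = User("u3003", "billing", active=False)   # terminated account
    chart = Record("p-42", "clinical")
    invoice = Record("p-42", "billing")
    results = [
        acl.check(doctor, chart, "write"),    # permitted by policy
        acl.check(clerk, chart, "read"),      # denied: no clinical access
        acl.check(clerk, invoice, "read"),    # denied: no billing access
        acl.check(former, invoice, "read"),   # denied: account disabled
    ]
    return results, denied_attempts(acl, min_count=2)


if __name__ == "__main__":
    decisions, repeat_denials = demo()
    print(decisions, repeat_denials)
```

The policy table is the artifact a practice would write and review under Information Access Management; the class is the technical control that keeps a front-desk login out of the clinical chart regardless of who is sitting at the keyboard, and the audit review is what turns repeated denials into a finding worth investigating.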
What the Proposed 2022 HHS Budget Says About the Future of HIPAA & Cybersecurity
July 15, 2021

HIPAA compliance seems to be on the government’s radar more than ever before. In just the past year, we’ve seen record-breaking Office for Civil Rights (OCR) enforcement, proposed Privacy Rule updates and the implementation of the HIPAA Safe Harbor Law and the 21st Century Cures Act – two new sets of legislation centered around healthcare, technology, and patient rights. So with the spotlight set on protecting the privacy and security of health data during a time when reliance on technology is especially prevalent, it should come as no surprise that the government’s newly proposed budget features a heavy focus on, and an increase in funding for, this area specifically.

What’s in the proposed budget?

The Biden Administration released its proposed 2022 budget for the Department of Health and Human Services (HHS) in early June. The proposal calls for additional spending to better protect the healthcare industry from evolving cyber threats and to support government efforts in enforcing compliance among covered entities. So exactly how much of a budget increase are they requesting, and what does that tell us about the future of HIPAA compliance?

While those dollar figures are already a good indicator of where we can expect the government to continue its focus, ensuring that patients’ health data is properly protected goes beyond those hefty price tags.
The fiscal 2022 proposed budget also seeks to add 39 staff members to the OCR, bringing its employment total to 229, and acknowledges that the “OCR will engage in rulemaking to further strengthen individuals’ rights to access their own health information, improve information sharing for care coordination and case management and reduce administrative burdens.”

So just as recent enforcement numbers have proven the government’s awareness of noncompliance, and the influx of cyberthreats has shed light on a lack of proper security protections among healthcare providers, this proposed budget provides a ‘crystal-ball’ prediction of what we can expect to see moving forward. Adding millions of dollars to the budget and expanding the task force in these relevant government agencies will produce even more resources to ensure all covered entities are protecting health data privacy and security. And although the new budget is not yet finalized, the upcoming changes to the Privacy Rule and the commitment outlined within the proposal to improve upon government rulemaking are a clear sign that the emphasis on HIPAA and other health IT-related laws is not going away anytime soon.

What does this mean for you?

First off, meeting HIPAA and cybersecurity requirements is essential to protecting your practice and your patients from a data breach or HIPAA violation. While these should be prioritized regardless of the government’s spending plans, the proposal creates even more urgency in ensuring that you have these necessary safeguards in place. So as the government continues to home in on health data privacy and security, your practice should too – and having a complete compliance AND security program is the perfect place to start.
Privacy Rule Proposed Modifications | Public Comments Released
July 8, 2021

Remember those Privacy Rule modifications that the Department of Health and Human Services (HHS) proposed late last year? Well, after a 45-day extension of the public comment period back in March, the responses submitted have finally been made available, giving us some additional insight into what we can expect to see when the updates are officially finalized.

For anyone looking for a light read while they drink their morning coffee, diving into the official HHS document might not be for you. The proposal included a lengthy list of changes centered around increasing permissible disclosures of protected health information (PHI) and enhancing care coordination and case management. As the healthcare industry has evolved, so have the necessary requirements for protecting data privacy and security, and these modifications address several issues that have become the source of widespread non-compliance over recent years.

One of the major areas of focus should come as no surprise considering the initiative declared in 2019 to enhance enforcement for patient right of access violations, and the 19 different settlements that have resulted from it so far. So in looking at how the Privacy Rule changes plan to improve this issue, some of the major proposed provisions include:

In addition to addressing patients’ right of access, the proposed modifications also clarify certain definitions and phrasing that often lead to confusion and misunderstanding by providers and patients. Some of these updates include:

While the examples provided are only a snapshot of the full list of proposed modifications, each update follows suit with the evolving environment in the healthcare industry and covers relevant concerns felt by both providers and patients. So much so that the comment period extension was made due to such a “high degree of public interest,” and a total of 1,391 comments were submitted in response to the HHS’s proposal.
So what can we expect?

These proposed modifications take into consideration the public comments received on the OCR’s 2018 RFI, which requested public input on how HIPAA rules could improve to better “support care coordination and case management and promote value-based care while preserving the privacy and security of PHI.” Each provision is a direct reflection of the key themes identified in the public opinion received back in 2018 and addresses issues like administrative burdens and the need to improve upon patient rights. So although we don’t have a time machine to jump ahead and see exactly what the final rule will entail, we can pretty confidently say that the concerns addressed in the HHS document will continue to be a focus in regulatory amendments and government enforcement. And the high volume of public interest clearly depicts the impact and value that enacting these changes will have on patients and providers.

When will you need to comply?

As far as knowing the what and when of the final rule, we don’t quite have a definitive answer. But it’s important for all covered entities to be aware of and prepared for the expectations of complying with the modified Privacy Rule provisions when they are made official. According to the HHS, “The effective date of a final rule would be 60 days after publication.” Additionally, entities will still have 180 days from that effective date to update or implement policies and procedures to achieve compliance with these new standards. So when it comes to the timeframe for when the government will actually start enforcing the new compliance standards, you have 240 days of breathing room once the final rule is published.
But based on the HHS’s acknowledgment that the impact of adhering to these new guidelines will involve “covered entities actions to re-train their employees on, and adopt policies and procedures to implement, the legal requirements of this proposed rule,” we highly recommend taking an ‘early bird gets the worm’ approach to compliance. Having a complete HIPAA program in place, along with a full understanding of the potential changes that could be coming your way, is the best way to ensure that your patients’ data is protected and your practice is prepared to avoid a HIPAA violation and fine.
Abyde and Smile Source partner to deliver leading HIPAA compliance solutions to private practice dental professionals
July 7, 2021

Tampa, FL – Abyde, the industry-leading HIPAA compliance software solution for dental practices, announced a new partnership with Smile Source to deliver a complete and quality HIPAA compliance program to their network of over 700 independently-owned dental practices.

Abyde’s collaboration with Smile Source as a preferred partner showcases mutual efforts to provide Smile Source members with essential HIPAA compliance programs. The partnership will help dental practices meet government-mandated HIPAA needs and better protect their practice and patients’ health information by identifying and correcting key security safeguards.

Abyde’s software solution is the easiest way for a dental practice of any size to implement and sustain a comprehensive HIPAA compliance program. The revolutionary approach to HIPAA compliance guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies, and more.

“Together with Smile Source, we are excited to show the value and simplicity providers have found with Abyde,” said Matt DiBlasi, President of Abyde. “With the ever-changing legislative environment coupled with increased government enforcement, HIPAA compliance is essential for a dental practice’s success and we are honored to be a part of Smile Source’s platform.”

“Smile Source is focused on not only ensuring the quality of dental care but the importance of maintaining a relationship between the patient and provider – and having a solution in place to protect the privacy and security of patient health information does just that,” said Dan Walker, COO of Smile Source. “We’re thrilled to partner with Abyde and know that our members will find great value in the peace of mind and simplicity their revolutionary software solution offers.”
About Abyde

Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About Smile Source

Smile Source is a family of over 1,000 dentists & 600 private dental practices working together to provide world-class patient care. When a Dentist joins Smile Source, they are not just getting direct access to the top technology, training, and mentors in the industry. They’re also gaining a network of like-minded colleagues who are thrilled to welcome you into our family. For more information on Smile Source visit smilesource.com.

Read the full press release here.
Latest OCR Cybersecurity Updates
July 1, 2021

With Cyber Security Awareness Month right around the corner, the multiple cyber alerts issued by the Office for Civil Rights (OCR) in the month of June serve as a perfect preamble to the importance of prioritizing data protection all year round. These government-issued Cyber Alerts have become all too familiar in the healthcare industry, with the past year seemingly filled with emergency directives and scam tactics to be aware of. So with healthcare data breaches on the rise and the most recent warnings of a heightened risk of ransomware and IT system vulnerabilities, ensuring your organization has the necessary programs in place is essential to avoid falling victim.

What did the most recent Cyber Alerts cover?

In early June, the White House and the Cybersecurity and Infrastructure Security Agency (CISA) released a memo titled “What We Urge You to Do to Protect Against the Threat of Ransomware.” This alert urged healthcare organizations to take appropriate action in protecting against ransomware threats and covered several best practices that providers can take to enhance cybersecurity, including:

While keeping up with the above steps should be done on a regular basis, the more recent OCR notice covers additional vulnerabilities organizations should be aware of. According to the memo shared on June 25, 2021, Eclypsium security researchers discovered a vulnerability in the Dell BIOSConnect feature available on over 180 models of consumer and business devices. Dell urges all customers to ensure that their devices are updated to the latest version and has provided a full list of impacted devices and steps to address the vulnerability, which can be found here. Additionally, this memo included an advisory from CISA on the multiple vulnerabilities found in the ZOLL Defibrillator Dashboard.
The agency warns that these vulnerabilities may allow a remote user to take control of an affected system and emphasizes that all organizations should review the ICS Medical Advisory and apply the recommended mitigations.

So now what?

Well, for any healthcare organization of any size, data breaches and cyberattacks are becoming more and more of a concern. Implementing the necessary technical safeguards, following guidance on ransomware prevention, and keeping all devices and IT systems up to date with the latest version is key to steering clear of heightened vulnerabilities like the ones outlined in recent government memos. Unfortunately, as technology and threat actor tactics continue to evolve, these new and increasing threats don’t seem to be going away anytime soon. So keeping your practice and your patients’ data protected in the long run starts with having both a security AND compliance program in place now.