Properly Encrypting ePHI

The HIPAA Security Rule is Changing: Is Your Practice Ready?

January 23, 2025 Penelope Schweitzer No comments yet

January 23, 2025 The HIPAA Security Rule went into effect in 2003, and it’s an understatement to say that technology has changed quite a bit since then. The Office for Civil Rights has released proposed updates for the HIPAA Security Rule. After a historic year of breaches, this legislation comprehensively strengthens the current Rule. This is the first update of the legislation in a decade. Many of the new requirements simply reinforce existing recommendations within the Security Rule, which now makes best practices mandatory. This legislation is the result of the significant rise in cyber attacks and the OCR’s continuous noncompliant findings when investigating Covered Entities and Business Associates. Although the proposed rule has not yet been finalized, legislation will likely be enacted within the next year, given bipartisan support for protecting patient data. What is the HIPAA Security Rule? The Security Rule, a critical component of HIPAA, centers on stringent guidelines for managing electronic Protected Health Information (ePHI). These guidelines encompass a wide range of safeguards—including physical, administrative, and technical—all designed to ensure the protection of sensitive patient data. One of the most significant components of the Security Rule is completing a Security Risk Analysis (SRA). The SRA sets a benchmark for your practice and assesses what your practice currently does to protect patient data. This analysis includes safeguards ranging from physical measures, like door alarms, to technical precautions, like properly encrypting files. This analysis is a yearly procedure for the OCR and continues to be emphasized in this proposal. In this new proposal, the OCR strictly defines the SRA as a yearly requirement with more guidelines on specific questions. The OCR has introduced eight implementation specifications for risk analysis. This also includes a thorough analysis of potential natural disasters and the consequences if a Business Associate was breached. In fact, the government has introduced a Risk Analysis Initiative, fining practices and businesses that do not complete this analysis. While this assessment is a major component of this rule, once vulnerabilities are identified, it’s up to your practice to implement these safeguards to protect your patients. What’s Changing? This proposed rule mandates that Covered Entities and their Business Associates implement certain proactive measures that were previously only strongly recommended, such as multi-factor authentication. As technology has greatly advanced since the introduction of this rule, there are also more requirements focused on system management, including required anti-malware protection, disabling unused network ports, and a network map, highlighting what devices are connected to specific networks in an organization. Network segmentation is another advancement of the rule, requiring practices to use different networks based on access to specific information. New policies and procedures will also be required if this proposal goes into effect. For instance, contingency plans will be required, showing what a practice or business plans to do if it is breached within 72 hours. Additionally, practices need to have a transition plan when staff leaves, and they need to notify other regulated entities when a staff member’s access to ePHI is changed or terminated. Business Associates (BAs) will also face stricter requirements when working with Covered Entities. If breached, BAs must notify their Covered Entities within 24 hours. BAs will also now have to have their compliance program certified by a Subject Matter Expert in cybersecurity on a yearly basis, ensuring that the business is taking the right steps to protect patient data. What Can I Do? While this rule is still within its comment period until early March, it could be enacted this year. Being aware of upcoming HIPAA legislation and preparing your practice is vital. Working with a smart compliance solution can take the pressure off, with compliance experts updating their systems to ensure their users will be compliant with new laws. Looking to understand HIPAA compliance for your practice before new laws take effect? Schedule a consultation with one of our experts today.

Business Associates, Fines, HIPAA

Choose Your Business Associates Wisely: An $80K Mistake

January 8, 2025 Penelope Schweitzer No comments yet

January 8, 2025 As we ring in the new year, it’s important to remember that Business Associates (BAs) are just as responsible for protecting patient health data as their Covered Entity counterparts. A major misstep by a BA was highlighted recently on a federal level, and the first fine of 2025 was imposed. Elgon, a Massachusetts-based medical record and billing support company for Covered Entities, was levied a $80,000 fine due to numerous violations of the Security Rule, which were exposed by the fallout of a ransomware attack. As a proposed update to the Security Rule is currently open for public comment and may take effect in the spring, it is crucial for Covered Entities to select Business Associates (BAs) who prioritize compliance. BAs are just as responsible for ensuring that Protected Health Information (PHI) is kept secure. What Happened? Elgon was the victim of a ransomware attack on March 25, 2023. Unfortunately, the BA didn’t realize the intrusion of its firewalls for over a week until a ransom note was discovered. Elgon then reported the breach, which affected over 30,000 patients of a Covered Entity. Thousands of social security numbers, addresses, and other personally identifiable information were leaked from the attack. When Elgon was investigated, it was uncovered that the organization failed to recognize its risks in a Security Risk Analysis (SRA). The SRA is at the foundation of a successful practice or business, giving an organization a benchmark on how it handles PHI and how it can improve. This fine is also the second enforcement of the OCR’s Risk Analysis Initiative, highlighting the importance of completing and maintaining this assessment. How to Protect Your Organization Covered Entities and Business Associates need to uphold their commitment to protecting patient data. This recent fine is a stark reminder of what can happen when the proper procedures are not followed, exposing the personal information of thousands of patients. To avoid and mitigate situations like this, Covered Entities must carefully choose the right BA to work with, ensuring they also understand the importance of protecting patient data. For BAs, having the proper safeguards in place is vital, earning trust from Covered Entities that you can keep their patients’ PHI safe. A key document that establishes the liability of both parties is the Business Associate Agreement (BAA). The BAA is a written document required when working with Business Associates and vice versa. This signed agreement ensures both parties know their responsibilities when handling patient data. Proposed updates to the Security Rule expand on this, with BAs potentially having to verify they are enforcing the proper safeguards on a yearly basis, certified by a compliance expert. Overall, this fine sets the tone for a new year of significant changes and enforcement by the OCR. Covered Entities and Business Associates must both understand their critical role in protecting patients. To learn more about how you can become HIPAA compliant, schedule a consultation with our team of experts today.

Heritage Valley Health System HIPAA Fine

Fines, HIPAA

A Nearly Million Dollar Mistake: Heritage Valley Health System

July 3, 2024 Gaurav Modi Comments Off

July 3, 2024 Did you know that ransomware attacks are becoming increasingly common in healthcare? Since 2018, there has been a whopping 264% increase in large ransomware breaches. The devastating impact of a ransomware breach on an organization is wide-reaching, regardless of its size, as seen with the Change Healthcare breach. It’s imperative to take the proper precautions to ensure that Protected Health Information (PHI) is secure against hacking attempts. At the center of the latest fine, Heritage Valley Health System (HVHS), which operates in Pennsylvania, Ohio, and West Virginia, fell victim to ransomware attacks. These attacks infected HVHS systems, affecting sensitive patient information. As the Office for Civil Rights (OCR) reviewed the major data breach, several pieces of required documentation, such as a Security Risk Analysis (SRA) and an emergency plan, were absent. This missing documentation has led to a $950,000 fine and three years of corrective monitoring. Let’s explore what you can do to prevent this nearly million-dollar mistake. Importance of an SRA The purpose of the SRA is to review your risks and vulnerabilities regarding the management of ePHI (electronic Protected Health Information). This comprehensive analysis notes the physical, technical, and administrative controls to protect your patient’s PHI. Your SRA is documented proof that your organization understands its weaknesses and is making strides to address them and better protect patient data. While the SRA is a very important document, it is frequently missed. From the last round of random HIPAA audits, which have resumed recently, only 83% of practices and Business Associates could produce a sufficient SRA. SRAs are vital for practice compliance, showcasing growth, and best practices in safeguarding patient data. Check out our recent blog post here to learn more about the SRA. Why do I need plans in place? When running a medical practice, it’s important to be prepared for any situation that could arise. That’s why policies and procedures are so important. If your practice faces a scenario that may compromise PHI, your team needs easy access to a plan for handling the situation calmly. By addressing potential challenges well in advance, your team will feel empowered and confident in their ability to respond. Moreover, as part of your preventive measures, it’s beneficial to designate specific roles and responsibilities for your staff. This ensures that everyone is aware of their duties in any given situation. Cybersecurity Measures Unfortunately, healthcare practices have become very common victims of ransomware attacks. To prepare your organization for this, follow best cybersecurity practices, such as encryption, reviewing access controls, and creating unique sign-ons for all employees. Healthcare organizations should prioritize technical safeguards like encryption, access controls, and multi-factor authentication. However, security goes beyond technology. Implement security awareness training for staff, establish a data breach response plan, and maintain regular backups. Regularly conduct risk assessments and evaluate the security practices of third-party vendors. It’s important to consider partnering with an IT company offering valuable expertise. They can recommend the right tools, update you on evolving threats, and monitor your systems for suspicious activity. This layered approach will strengthen your systems and prepare you for potential attacks. How Smart Software Can Help Fines for HIPAA non-compliance can be staggering, but there are alternatives to the manual tracking and paper binders you may be used to. Intelligent software systems are designed to save you time and headaches and ultimately protect your practice to avoid audits and fines. Software empowers your team to manage your program easily and enables a culture of compliance in the office. It streamlines commonly overlooked requirements such as the SRA with dynamically created documentation and develops comprehensive plans, policies, and procedures so you stay current with the latest requirements. Better yet, when using cloud-based software solutions, you get 24/7 secure access and real-time updates when compliance regulations change. Schedule an educational consultation today to learn more about how software solutions can protect your practice.