October 20, 2023 The telehealth usage surge has revolutionized healthcare delivery, particularly amid the COVID-19 pandemic. While the technology offers numerous benefits, it also raises questions about the privacy and security of Protected Health Information (PHI). Addressing this, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently released two essential resources to educate healthcare providers and patients. In this article, we delve into the key takeaways from these resources and discuss their implications for HIPAA compliance. What Has Been Released? OCR has issued two resource documents: For Healthcare Providers Although HIPAA doesn’t mandate healthcare providers to educate patients about the risks involved in telehealth, the new resource provides valuable guidelines for those who choose to do so. Topics covered include: For Patients Patients are provided with recommendations to protect and secure their health information, such as: Why Is This Important? “Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” says OCR Director Melanie Fontes Rainer. By educating patients and providers about privacy and security risks, OCR aims to build confidence and encourage the responsible use of telehealth technologies. Practical Tips for Health Care Providers Recommendations for Patients Final Thoughts The newly released resources by OCR offer a comprehensive guideline for navigating telehealth’s privacy and security aspects. Healthcare providers should seize this opportunity to improve their practices and educate their patients, enhancing the telehealth experience. For more information on how to stay compliant with HIPAA and other regulations in the healthcare sector, feel free to contact Abyde, your trusted partner in HIPAA and OSHA Compliance.
Navigating the Complex World of HIPAA Cybersecurity Compliance
September 27, 2023 Healthcare organizations handle a tremendous amount of sensitive data, from patient records to financial information. The Health Insurance Portability and Accountability Act (HIPAA) serves as the regulatory framework that outlines the need for stringent cybersecurity protocols to safeguard this data. Compliance with HIPAA isn’t just a legal obligation; it’s also a critical aspect of building trust with patients and stakeholders. This article will dive deep into the facets of HIPAA cybersecurity compliance, offering a comprehensive guide for healthcare organizations seeking to align with these standards. What is HIPAA? Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) aims to streamline healthcare transactions, reduce healthcare fraud and abuse, and ensure patient information remains confidential. Over time, HIPAA has evolved to address the modern complexities of digital healthcare data, most notably through the Privacy and Security Rules. HIPAA Security Rule The Security Rule outlines the guidelines that healthcare organizations must follow to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). It is broken down into three main categories: Importance of Cybersecurity in HIPAA Compliance Cybersecurity in healthcare is not just about preventing unauthorized access; it’s about building a layered defense mechanism that addresses vulnerabilities across various entry points. Failing to comply can result in hefty fines, legal repercussions, and loss of reputation. Core Principles for Compliance Risk Analysis and Management HIPAA requires healthcare entities to conduct periodic risk analyses to identify potential vulnerabilities. Effective risk management plans should include a multi-layered security approach, such as the use of firewalls, antivirus programs, and encryption protocols. Abyde: Your HIPAA Compliance Partner Navigating the intricacies of HIPAA compliance can be daunting. That’s where Abyde comes in. As a leading HIPAA and OSHA Compliance SAAS Company, Abyde offers HIPAA-compliant software designed to simplify compliance, enabling healthcare organizations to focus on what they do best—providing quality care. With features like automated risk assessments, staff training modules, and continuous compliance monitoring, Abyde is the go-to solution for any organization seeking to secure its electronic healthcare data while adhering to regulatory standards. Employee Training Employees often serve as the first line of defense against cyberattacks. Organizations should provide regular training on recognizing phishing emails, using strong passwords, and securing mobile devices with ePHI access. Access Control Under HIPAA guidelines, only authorized individuals should have access to ePHI. This requires stringent access controls, including unique user identifications, emergency access procedures, and regular audits. Data Encryption Encrypting data in transit and at rest is crucial for protecting sensitive information. While HIPAA does not mandate encryption, it is considered a standard practice in safeguarding ePHI. Incident Response In case of a data breach or unauthorized access, healthcare organizations must have an incident response plan that outlines the steps for reporting the breach, identifying the scope, and taking corrective actions. Tools and Technologies Compliance Monitoring and Audits Maintaining continuous compliance requires ongoing monitoring. Regular internal and external audits can help identify areas of improvement and validate that existing safeguards are adequate. Conclusion HIPAA cybersecurity compliance is a complex but indispensable aspect of healthcare management. By understanding the intricacies of the HIPAA Security Rule and implementing a robust cybersecurity framework, healthcare organizations can protect sensitive data, avoid penalties, and, most importantly, earn the trust of their patients and stakeholders. Given the evolving nature of cybersecurity threats, compliance is not a one-time endeavor but an ongoing commitment. Organizations should always stay updated with the latest HIPAA amendments and cybersecurity best practices to ensure that they remain compliant and secure. Recommended Resources By keeping up-to-date with compliance requirements and embracing a culture of continuous improvement, healthcare organizations can confidently navigate the complicated landscape of HIPAA cybersecurity compliance. Contact Abyde today for a complimentary risk assessment consultation by clicking HERE.
No Practice Too Big
May 11, 2023 Small organizations are prime targets for cyberattacks because they are typically less likely to have robust cybersecurity systems if any at all. Yet Aspen Dental, with over 1,000 offices across the United States, recently fell victim to a cyberattack that disrupted its ability to access scheduling systems, phone systems, and other essential business applications. No organization of any size or industry is immune to cyberattacks. The Aspen Group has not confirmed whether or not patient information was compromised, and is still actively investigating the incident’s scope. The breach was first discovered on April 25 and if it turns out that sensitive, personal information was involved in the incident, Aspen Dental will notify the affected individuals in accordance with applicable laws. The healthcare industry is number one on the list of targets for cybercriminals due to the nature of the industry having massive amounts of sensitive personal data for patients ranging from medical records to credit card numbers to home addresses. Dr. Jay Wolfson, USF Associate Dean for Health Policy and Practice said, “Healthcare is the richest source of data for poor people looking to commit fraud and get data on people.” According to a report from healthcaredive.com, 385 million patient records have been exposed as a result of healthcare breaches from 2010 to 2022, emphasizing the critical need for comprehensive security measures like those provided by Abyde’s compliance solutions software. The insurmountable cost of a breach followed by investigations and legalities concerning HIPAA can be detrimental not only financially but also to the reputation of a healthcare entity. In light of Aspen Dental’s breach, it is evident that using a Compliance-as-a-Software like Abyde’s would have significantly reduced the risk of a cyber event. Abyde’s software offers a comprehensive solution to help healthcare organizations maintain compliance, safeguard sensitive patient information, and ensure the safety of business operations. Investing in such preventative measures allows healthcare organizations to protect themselves from devastating cybersecurity incidents and the endless headache that is sure to follow. This incident goes on to prove that there is no practice too big for compliance.
ChatGPT & HIPAA: A Quick Guide on What You Need to Know
April 26, 2023 If you haven’t heard about ChatGPT over the last few months, you might still be Googling everything! ChatGPT launched in November 2022 and has taken the internet by storm. Developed by OpenAI, using artificial intelligence (AI) technology, it can have human-like conversations while giving you all the details of whatever you may ask it. So we haven’t seen it be able to make you dinner just yet. Still, it has successfully written computer programming, passed a series of different exams, and written entire feature-length articles. (Wow, I feel like a doting parent!) AI language models are transforming how we approach everyday tasks or complete major projects, and the healthcare industry has even jumped on board the ChatGPT train. ChatGPT has assisted in scheduling appointments, treatment plan assistance, patient education, medical coding, and more! While this all sounds exciting and has the opportunity to improve patient care, protecting your patient’s data when using these types of tools will be imperative and should be approached with caution. So what are some of the red flags to be aware of when it comes to HIPAA compliance: • At this time, OpenAI does not sign a Business Associate Agreement. Therefore, it is not HIPAA compliant. HIPAA regulations require that covered entities only share PHI with vendors who have signed a BAA. This ensures that PHI is protected and that all parties comply with HIPAA laws and regulations. Prior to implementing any AI technology that processes or accesses PHI, covered entities must enter into a business associate agreement with the vendor of such technology. • Protect PHI when using the chat platform. OpenAI warns against inputting confidential information into the platform. As with many technology platforms, ChatGPT collects information and reviews conversations to improve systems and services. In other words, there is no telling where that data is being stored and, therefore, cannot be protected. Because this platform is not HIPAA compliant, it’s super important to remember not to input any identifiable patient information. When working with PHI, de-identifying or anonymizing data is key to minimizing the risk of a data breach. • Establish access controls and monitor chat logs. To minimize risk, access to chat logs should be restricted to those who need it as part of their job function. Don’t forget to implement written documentation of which employees can access chat logs, and be sure to revoke access if necessary. These chat logs are highly recommended to be monitored and audited to ensure they do not contain any PHI. • Establish Policies and Procedures and train employees. When implementing a new technology, such as ChatGPT, that potentially accesses PHI, policies, and procedures must be implemented to ensure that all appropriate safeguards are in place to support the use of the new technology. Training employees on properly using new technology is also super important. Training should include security best practices, data privacy importance, and incident reporting steps if necessary. • Create and implement an incident response policy. As with any security risk, having an incident response policy is super important to help mitigate risk in the case of a breach. This plan should include procedures for identifying and mitigating the incident, notifying affected individuals, and investigating the cause of the incident to prevent future incidents. By proactively prioritizing patient privacy and security, healthcare organizations can greatly benefit from ChatGPT and other AI language models. Streamlining administrative work and improving patient outcomes, sounds like a win-win. But, it’s critical that you carefully balance increased efficiency and elevated risks related to patient data privacy. This is new for everyone, so not making drastic changes to your business because of something ChatGPT can do should be considered. Your patients still want human experiences, and that is something ChatGPT can’t take away from you and your staff!How can you stay up to date on the latest compliance trends and news? Contact our compliance experts at Abyde today for guidance on this everchanging technical landscape and see how we can help you be successful in the years ahead! To book a demo with one of our Abyde specialists, click here or call us at (800) 594-0883
Big Fish, Big Fine
February 3, 2023 A hacker dropped a line and an Arizona-based nonprofit health system got baited, hook line and sinker. Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a settlement resolving a data breach. The breach, executed by a “threat actor”, disclosed the protected health information of 2.1 million consumers. Ouch! Outlined by the HHS, the HIPAA violations include: The investigation began back in 2016 after OCR received a receipt of a breach report. The hacker was able to access PHI such as patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medication, diagnoses and conditions, and health insurance information. As part of the settlement, the hospital paid $1,250,000 to OCR and agreed to a Corrective Action Plan. The plan highlights efforts to resolve their violations against the HIPAA Security Rule. Before you catch yourself becoming a victim of “here fishy fishy”, make sure all your ducks – or should we say fish – are in a row. As we continue to see the relevance and impact of cybersecurity incidents increase, you should be more alert and secure than ever. And if you’re thinking, well that was a hospital – that could never happen to me, be careful what your next Go Fish card is. Whether you’re a big fish in a little pond or a little fish in a big pond, hackers are targeting healthcare. This particular hospital is facing extensive hours of work to complete its Corrective Action Plan which includes conducting a risk analysis, developing a risk management plan, implementing and distributing policies and procedures, and regular follow-up with the HHS. Conveniently, these are all things Abyde can help with. Reach out today to find out how we can save you over 80 hours a year and a time-consuming Corrective Action Plan down the road.
Toothpaste, Baseball, and ePHI
December 2, 2022 Covered entities and business associates, like healthcare providers, that use online tracking technology should be aware of their ePHI management to HIPAA standards OCR Recently Released a Bulletin Outlining the Proper Use of Tracking Tech in Accordance with HIPAA Compliance Have you ever talked about being out of toothpaste at work, and then when you get home there’s an ad for Colgate on your tablet as you decide what to order for dinner? It’s creepy, but it’s efficient. You’ve been targeted and the Colgate marketing department is doing its job. In this example, the transmission of your tracked demographics and shopping habits is not as sensitive as the transmission of your patient’s data. Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin regarding the correlation between sharing electronic protected health information (ePHI) and online tracking technology. While we aren’t experts in targeted advertising, we are HIPAA experts. There are rules that apply to regulated entities, like you, when collecting information through tracking technologies or disclosing ePHI to vendors you may be working with. The OCR put it plainly, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA rules.” Do you know if your PHI is being captured through online tracking? Are you monitoring what patient data is being shared with third-party vendors? Even more important, do you use Google Analytics or Meta Pixel – if so, you might want to listen up. Whether you set this tracking up yourself or a third-party agency did, without permissible disclosures from your patients, if their ePHI is shared through the tracking technology, you are putting your practice and patients at risk. Let’s head around the bases to make sure you’re covering your bases. Nice base hit – you made it to first. The first thing you can do is ensure you have Business Associate Agreements (BAA) in place with all third-party vendors, especially those who create, maintain, or receive ePHI. While you’re cross-checking if your vendors meet the definition of a business associate, make sure your agreements denote the permitted use case for ePHI. And the crowd goes wild – way to steal second. Before you think well I’ll just ask the vendor to delete any protected data before they use or save it, that’s not going to cut it. Per the OCR, “Any disclosure of PHI to the vendor without individuals’ authorizations…requires that there is an applicable Privacy Rule permission for disclosure.” Through the Privacy Rule, patients are empowered to have more control over their health information to access and make any changes as needed and boundaries are set on the use and release of health records, including the minimum necessary standard for information disclosures. A bunt from your teammate gets you over to third – nice work! Before we round out to home, ask yourself if the risk is worth the reward. And if you’re still unsure, check in with your Security Risk Analysis and scorecard – another benefit to Abyde’s ongoing compliance. We work with you to identify the potential risk and exposure associated. As we make our way to home base, we will summarize with this: if ePHI is involved in any of the data the tracking technology is sharing, HIPAA rules need to be followed. Here are the final words from the OCR, “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.”
Internal Communication Dos and Don’ts
October 6, 2022 Have you ever accidentally sent a text to the wrong person? Most of us have and it likely made your heart skip a beat! Now, imagine sending a text and thousands of patients’ health information gets leaked. Talk about a gut-wrenching moment! Speaking of leaks, did you know that over 1.14 million people have been impacted by a protected health information (PHI) breach just last month alone? The leaked data includes names, social security numbers, phone numbers, email addresses, and more. That’s 7% higher than last September! Internal communications are an efficient means of sharing and exchanging information within the practice. Employees communicate internally through channels like SMS, email, phone calls, and other means through the use of a third-party platform like Slack, Microsoft Teams, Zoom, and Cisco Webex. And while oftentimes we like the thought of quick and easy, it’s crucial to take that extra minute or two and double check that you are using a secure provider for all internal communication. First things first, if you haven’t already done so, take this as your sign to reach out to your communications provider and ask if they are HIPAA compliant. Many times, companies will have this information available on their website as well. Keep in mind that some providers, like Google and Microsoft, offer HIPAA compliant services in an upgraded package. If you are not using a secure platform, or you are unsure, then you should not be discussing ANY patient information through that method of communication (yes, that includes names!). If you are using a secure, HIPAA compliant provider or application for internal communication, great! The next very important step is to double check that you have a signed Business Associate Agreement. You may also be wondering about SMS/ text messaging within your organization. Staff members should not be texting each other with information related to patients, even if it is related to scheduling. Keep all work-related communication through your secure provider or application. Quick reminder! Just because you are communicating internally through a secure provider does not in fact mean you are compliant. You’ll also need to implement security policies and procedures in order to follow best practices. These policies and procedures should include: It is highly recommended that you consult with your IT professional for best practices on securing all applications in your practice. Lastly, It’s important to remember that HIPAA is not a barrier law and, in fact, is intended to help you share protected health information securely and efficiently. Being efficient within your practice can help the overall health of your patients and your organization. Having these best practices in place will help you and your team avoid the anxiety of sharing something that shouldn’t be shared.
The National Institute of Standards and Technology (NIST) Updates Guidance on HIPAA Compliance Rules
July 29, 2022 You know that exciting feeling when apps have an update that adds awesome new features?! It’s like Christmas morning over here for us at Abyde. The National Institute of Standards and Technology (NIST) just updated its guidelines and added an awesome new feature! After six years, NIST made a significant update by providing guidance to HIPAA-covered entities to follow the HIPAA Security Rule in order to better safeguard patients’ personal and protected health information. Read below to find out what changes were made to the guidelines. The revised guidance connected HIPAA Security Rule items to NIST Cybersecurity Framework subcategories. The advice remains mostly unchanged, with a few minor structural changes and a renewed emphasis on risk assessments and risk management. NIST Cybersecurity Specialist, Jeff Marron states, “We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs. Our goal is to offer guidance and resources you can use in one readable publication.” NIST recommended the following guidelines for practices: NIST Cybersecurity Specialist, Jeff Marron also stated, “The identification of vulnerabilities or conditions that a threat could use to cause impact is an important component of risk assessment. While it is necessary to review threats and vulnerabilities as unique elements, they are often considered at the same time,”. It is important to note that HIPAA and cybersecurity operate best as a team, and a practice with both will operate smoothly. We all understand the need of HIPAA compliance, but practices must also understand the importance of cybersecurity. The more funding and resources allocated to IT security employees, the better off the firm will be when cyber dangers eventually arise. Satisfying HIPAA and cybersecurity regulations is critical to safeguarding your practice and patients from a data breach or HIPAA violation. While these are undoubtedly items that should be emphasized regardless of the government’s spending intentions, the suggestions by the government and NIST add a sense of urgency to ensuring that these vital protections are in place. With the increasing frequency of cyberattacks going on nowadays, ensuring HIPAA compliance is more important than ever. We were chatting with our Partner, Darkhorse Tech, and they talked about how HIPAA compliance services provide a framework for security (essential for any dental business), but they do not provide a proactive response to cyber threats. Instead, they provide preventative methods to safeguard your data and keep you in compliance. So in order to have everything covered your practice needs to adopt an additional layer of security, you should no longer rely exclusively on low-quality anti-virus software to defend you. By enlisting the help of specialists who are actively working to prevent an attack before it occurs, reacting to any threats in real-time, and staying up to speed on the current and impending dangers, you can shift your security measures from preventative and reactive to proactive. Darkhorse Tech CMO, Brian Ash, states, “The latest updates to HIPAA make compliance, reporting, and cyber security even more vital for our clients. While we have been recommending the addition of Abyde for HIPAA compliance for some time, the new guidelines make now the time to commit. Along with Abyde’s software we are making the addition of a Security Operations Center (SOC) our top priority. We vetted many options but are recommending Blackpoint Cyber as our SOC of choice.” As we can see, the NIST provided a great update to their Quizlet so that your practice can maintain a good grade in compliance school. So, I think it is time to take a step back and review that NIST guidance so that your practice can always pass the exam! So ensuring that you’re adequately securing this data begins with a thorough knowledge of what needs to be secured and that’s why we have the ideal study partner for you (Abyde) to assist you with all of your compliance needs!
How Are You Controlling Access to Your ePHI?
July 22, 2021 While there might not be such a thing as a real-life fairy godmother, technology has granted us the power to access a whole world of information with just a click of a mouse. Anything from research, shopping, to chatting with friends is now so simple it almost seems like magic, but this “instant-access” ability is a double-edged sword when it comes to the privacy and security risks that follow in its reign. Now if there’s one industry that truly feels the weight of technologies twofold, it’s healthcare. While sharing, receiving, and storing electronic protected health information (ePHI) is now easier than it ever was before, the heightened number of healthcare data breaches and cyber attacks seen over recent years have identified the ‘Achilles’ heel’ of technology’s power of accessibility. This ongoing battle between ease of access and security risks has been the topic of several Office for Civil Rights (OCR) alerts shared over the past year, and most recently, the main focus of their Summer 2021 Cybersecurity Newsletter. The newsletter titled “Controlling Access to ePHI: For Whose Eyes Only?” highlights a recent report that found that “61% of analyzed data breaches in the healthcare sector were perpetrated by external threat actors.” So while most healthcare organizations know not to go and give the keys of the castle away to just anyone, technology has made access a possibility for really anyone who has a decent internet connection. But the even more striking statistic featured in the newsletter? It’s not just hackers that you have to worry about, the security incident report also uncovered that 39% of those data breaches were actually committed by insiders. Though most fairy-tales feature an evil villain, these insider breaches aren’t always the result of a malicious act. In addition to the multi-million dollar hacking schemes that we see all too often, are stories of staff impermissibly accessing ePHI or leaving sensitive data unattended. So if you’re wondering how you can best protect your practice, the answer is to have the proper authorization policies, procedures, and controls in place. When it comes to those necessary policies and controls, the HIPAA Security Rule identifies certain standards and specifications that healthcare organizations are required to implement. The two standards, Information Access Management and Access Control, are administrative and technical safeguards that work in tandem to protect and secure ePHI – but what exactly do they entail? Information Access Management This standard essentially defines how access to ePHI is authorized and requires HIPAA-covered entities and business associates to implement policies and procedures regarding information access. So, what do some of these specific policies include? Access Control In addition to the administrative requirement for access management, Access Control is a technical safeguard that actually limits the availability of that ePHI based on the organizations’ Information Access Management policy. The OCR’s newsletter describes the necessary controls to coincide with the “flexible, scalable, and technology-neutral nature of the Security Rule” and provides a wide range of control mechanisms for organizations to consider and implement where they see fit. They also provide four implementation specifications which include: So as complementary requirements of the HIPAA Security Rule, your organization is expected to have these standards in place to best prevent both outsider and insider threats. And while it would be nice if you could just have a knight in shining armor there to guard your practice from cyber threats and impermissible ePHI access – implementing the safeguards provided above, and ensuring all staff members are trained on proper access, is the next best thing.
Latest OCR Cybersecurity Updates
July 1, 2021 With Cyber Security Awareness Month right around the corner, the multiple cyber alerts issued by the Office for Civil Rights (OCR) in the month of June serve as a perfect preamble for the importance of prioritizing data protection all year round. These government-issued Cyber Alerts have become all too familiar in the healthcare industry, with the past year seemingly filled with emergency directives and scam tactics to be aware of. So with healthcare data breaches on the rise and the most recent warnings of a heightened risk of ransomware and IT system vulnerabilities – ensuring your organization has the necessary programs in place is essential to avoid falling victim. What did the most recent Cyber Alerts cover? In early June, the White House and Cybersecurity and Infrastructure Agency (CISA) released a memo titled “What We Urge You to Do to Protect Against the Threat of Ransomware.” This alert urged healthcare organizations to take appropriate action in protecting against ransomware threats and covered several best practices that providers can take to enhance cybersecurity including: While keeping up with the above steps should be done on a regular basis, the more recent OCR notice covers additional vulnerabilities organizations should be aware of. According to the memo shared on June 25, 2021 – Eclypsium Security Researchers have discovered a vulnerability in the Dell BIOSConnect feature available on over 180 models of consumer and business devices. Dell urges all customers to ensure that their devices are updated to the latest version and provided a full list of impacted devices and steps to address the vulnerability that can be found here. Additionally, this memo also included an advisory from CISA due to the multiple vulnerabilities found in the ZOLL Defibrillator Dashboard. The agency warns that these vulnerabilities may allow a remote user to take control of an affected system and emphasizes that all organizations should review the ICS Medical Advisory and apply the recommended mitigations. So now what? Well, for any healthcare organization of any size – data breaches and cyberattacks are becoming more and more of a concern. Implementing the necessary technical safeguards, following guidance on ransomware prevention, and keeping all devices and IT systems up to date with the latest version is key to steering clear of heightened vulnerabilities like the ones outlined in recent government memos. Unfortunately, as technology and threat actor tactics continue to evolve, these new and increasing threats don’t seem to be going away anytime soon. So keeping your practice and your patients’ data protected in the long run starts with having both a security AND compliance program in place now.