HIPAA

HIPAA in Eye care
Abyde News, Best Practices, HIPAA

HIPAA in Eye Care: Are You Doing Enough?

February 6, 2025 No comments yet

February 6, 2025 Running your eye care practice presents a unique set of challenges. From patient care to handling intricate technology, the workload can be demanding. Even though working in eye care keeps you busy, HIPAA compliance must be maintained.  While taking care of your patients’ vision is your first priority, their data health is also important.  HIPAA, or the Health Insurance Portability & Accountability Act, is a federal law that defines what Protected Health Information (PHI) is and what your eye care practice needs to do when ensuring data security.  The Office for Civil Rights enforces HIPAA compliance and has levied monetary fines and other penalties against eye care practices. In fact, an eye care center was fined $250,000 last year after a major ransomware attack revealed its inadequate compliance practices.  When getting your compliance program in order, knowing where to start is vital.    How Can I Achieve HIPAA Compliance for My Eye Care Practice?   HIPAA consists of several major rules and regulations, including the Security Rule, the Privacy Rule, and the Breach Notification Rule.  The Security Rule focuses on the administrative, technical, and physical safeguards a practice needs to deploy to secure patient data. Some common precautions examples include antivirus software, door alarms, and employee ID badges.  A significant component of the Security Rule is the Security Risk Analysis (SRA). The SRA is a comprehensive assessment of your eye care practice’s current efforts to protect patient data. This analysis is the foundation of a compliant practice and allows your practice to identify and address vulnerabilities. The OCR has also increased enforcement surrounding missing this document with the Risk Analysis Initiative.  This rule, as of January 2025, is currently being updated. The proposed Security Rule updates are focused on modernizing the legislation, requiring more safeguards to protect patient data. For an in-depth analysis of the updates, please read here.  The Privacy Rule focuses on limiting how patient data is shared. One part of this rule is the Minimum Necessary Standard, which requires practices to share only the necessary amount of information when handling PHI.  Another component of the Privacy Rule is the Right of Access standard. This requires practices to give patients access to their medical records within 30 days. In some states, this timeline is even shorter.  Lastly, the Breach Notification Rule dictates how affected patients and the OCR need to be notified after a breach. How a breach is handled can vary depending on the severity of the incident. The OCR must be notified of breaches affecting fewer than 500 people within 60 days of the end of the year. Breaches affecting 500 or more patients must be reported within 60 days of the incident. Affected individuals must be notified within 60 days. Depending on the state, some of these timelines may be shorter, and the state attorney may also need to be notified. These announcements are usually sent out as press releases and provide credit monitoring and more to impacted patients.    What’s Next?   While HIPAA compliance might feel overwhelming, there are ways to streamline compliance. Utilizing smart software solutions can alleviate the stress of compliance, allowing your practice to focus on providing quality eye care.  To learn more about how you can streamline HIPAA compliance in your eye care practice, schedule a consultation with one of our experts today. x

Top HIPAA Questions
Best Practices, HIPAA

HIPAA Help: Your Top Compliance Questions Answered

January 29, 2025 No comments yet

January 29, 2025 Managing HIPAA compliance for your practice can be challenging. Given the overwhelming number of laws, requirements, and procedures to navigate, you likely have questions about ensuring compliance. Other practices likely have the same questions as yours. Learn more about the most common questions healthcare practices have and how you can ensure compliance. Who Needs to Do HIPAA Training? One of the most important HIPAA requirements is making sure staff members complete training. When facing a HIPAA investigation or audit, the Office for Civil Rights (OCR) will ask for documentation proving your practice has been properly trained. However, many questions might arise around this, including: How often should staff members train? How long should I keep training records? Who in my practice has to complete HIPAA training? First, HIPAA training is required for all staff that have access to Protected Health Information (PHI). PHI includes information like names, Social Security numbers, medical records, and more. Staff with access to sensitive data need to understand the foundation of HIPAA and how thorough data management protects patients. As staff members learn about vital skills such as breach management, compliant patient communication, and handling sensitive information, they become better equipped to manage PHI. Documentation of this training is required for each individual, such as each staff member receiving a completion certificate. This completion certification, or whatever proof that training has been completed, must be saved for at least six years. When being investigated, the OCR can and will ask for multiple years of training proof, so ensure your training program documentation is properly organized. This training needs to be completed at least annually, and it is recommended that new staff be trained as soon as possible before handling PHI. Staff should also be retrained should a breach occur, refreshing staff on proper procedures. What is a Business Associate Agreement? When entrusted with PHI, it is crucial that any third-party vendors working with your practice implement appropriate safeguards to protect sensitive data. This is where a Business Associate Agreement (BAA) comes in. The BAA is a document that holds both parties responsible for the protection of PHI. This document includes what PHI is defined as and how both parties have to uphold its protection. HIPAA requires this document to be signed by any Business Associate (BA) with access to PHI. Some common examples of BAs include shredding companies, billing companies, and more. If your BA doesn’t want to sign this agreement, that’s a bad sign, and it’s recommended that your practice works with another vendor. The OCR also recently proposed strengthened requirements for BAs. This would require businesses work with a cybersecurity expert to prove adequate safeguards for patient data are in place. What Should I Do with Patient Consent Forms? The HIPAA Authorization for Use or Disclosure of Health Information Patient Consent Form must be provided to the patient before you can work with them. Consent forms allow patients to understand and authorize how their health information is shared. This includes granting access to specific individuals. Patients can decline to sign this form and still be treated by the practice, but it must be noted in their records. It is also always best practice to review these consent forms with patients every three years, ensuring that the information is still current. What’s Next? From staff training and business associate agreements to patient consent forms, staying HIPAA compliant requires attention to detail. Smart software solutions with expert teams and simplified compliance can help alleviate this burden and allow you to easily check your compliance status. HIPAA compliance may seem daunting, but by taking these steps and utilizing the right tools, you can protect your practice and your patients. Ready to learn more? Watch our latest webinar, which addresses even more of the top questions healthcare professionals have when it comes to healthcare compliance.

HIPAA Security Rule Updates
HIPAA, Legislation

The HIPAA Security Rule is Changing: Is Your Practice Ready?

January 23, 2025 No comments yet

January 23, 2025 The HIPAA Security Rule went into effect in 2003, and it’s an understatement to say that technology has changed quite a bit since then. The Office for Civil Rights has released proposed updates for the HIPAA Security Rule. After a historic year of breaches, this legislation comprehensively strengthens the current Rule. This is the first update of the legislation in a decade. Many of the new requirements simply reinforce existing recommendations within the Security Rule, which now makes best practices mandatory. This legislation is the result of the significant rise in cyber attacks and the OCR’s continuous noncompliant findings when investigating Covered Entities and Business Associates. Although the proposed rule has not yet been finalized, legislation will likely be enacted within the next year, given bipartisan support for protecting patient data. What is the HIPAA Security Rule? The Security Rule, a critical component of HIPAA, centers on stringent guidelines for managing electronic Protected Health Information (ePHI). These guidelines encompass a wide range of safeguards—including physical, administrative, and technical—all designed to ensure the protection of sensitive patient data. One of the most significant components of the Security Rule is completing a Security Risk Analysis (SRA). The SRA sets a benchmark for your practice and assesses what your practice currently does to protect patient data. This analysis includes safeguards ranging from physical measures, like door alarms, to technical precautions, like properly encrypting files. This analysis is a yearly procedure for the OCR and continues to be emphasized in this proposal. In this new proposal, the OCR strictly defines the SRA as a yearly requirement with more guidelines on specific questions. The OCR has introduced eight implementation specifications for risk analysis. This also includes a thorough analysis of potential natural disasters and the consequences if a Business Associate was breached. In fact, the government has introduced a Risk Analysis Initiative, fining practices and businesses that do not complete this analysis. While this assessment is a major component of this rule, once vulnerabilities are identified, it’s up to your practice to implement these safeguards to protect your patients. What’s Changing? This proposed rule mandates that Covered Entities and their Business Associates implement certain proactive measures that were previously only strongly recommended, such as multi-factor authentication. As technology has greatly advanced since the introduction of this rule, there are also more requirements focused on system management, including required anti-malware protection, disabling unused network ports, and a network map, highlighting what devices are connected to specific networks in an organization. Network segmentation is another advancement of the rule, requiring practices to use different networks based on access to specific information. New policies and procedures will also be required if this proposal goes into effect. For instance, contingency plans will be required, showing what a practice or business plans to do if it is breached within 72 hours. Additionally, practices need to have a transition plan when staff leaves, and they need to notify other regulated entities when a staff member’s access to ePHI is changed or terminated. Business Associates (BAs) will also face stricter requirements when working with Covered Entities. If breached, BAs must notify their Covered Entities within 24 hours. BAs will also now have to have their compliance program certified by a Subject Matter Expert in cybersecurity on a yearly basis, ensuring that the business is taking the right steps to protect patient data. What Can I Do? While this rule is still within its comment period until early March, it could be enacted this year. Being aware of upcoming HIPAA legislation and preparing your practice is vital. Working with a smart compliance solution can take the pressure off, with compliance experts updating their systems to ensure their users will be compliant with new laws. Looking to understand HIPAA compliance for your practice before new laws take effect? Schedule a consultation with one of our experts today.

Business Associate HIPAA Fine
Business Associates, Fines, HIPAA

Choose Your Business Associates Wisely: An $80K Mistake

January 8, 2025 No comments yet

January 8, 2025 As we ring in the new year, it’s important to remember that Business Associates (BAs) are just as responsible for protecting patient health data as their Covered Entity counterparts. A major misstep by a BA was highlighted recently on a federal level, and the first fine of 2025 was imposed. Elgon, a Massachusetts-based medical record and billing support company for Covered Entities, was levied a $80,000 fine due to numerous violations of the Security Rule, which were exposed by the fallout of a ransomware attack. As a proposed update to the Security Rule is currently open for public comment and may take effect in the spring, it is crucial for Covered Entities to select Business Associates (BAs) who prioritize compliance. BAs are just as responsible for ensuring that Protected Health Information (PHI) is kept secure. What Happened? Elgon was the victim of a ransomware attack on March 25, 2023. Unfortunately, the BA didn’t realize the intrusion of its firewalls for over a week until a ransom note was discovered. Elgon then reported the breach, which affected over 30,000 patients of a Covered Entity. Thousands of social security numbers, addresses, and other personally identifiable information were leaked from the attack. When Elgon was investigated, it was uncovered that the organization failed to recognize its risks in a Security Risk Analysis (SRA). The SRA is at the foundation of a successful practice or business, giving an organization a benchmark on how it handles PHI and how it can improve. This fine is also the second enforcement of the OCR’s Risk Analysis Initiative, highlighting the importance of completing and maintaining this assessment. How to Protect Your Organization Covered Entities and Business Associates need to uphold their commitment to protecting patient data. This recent fine is a stark reminder of what can happen when the proper procedures are not followed, exposing the personal information of thousands of patients. To avoid and mitigate situations like this, Covered Entities must carefully choose the right BA to work with, ensuring they also understand the importance of protecting patient data.  For BAs, having the proper safeguards in place is vital, earning trust from Covered Entities that you can keep their patients’ PHI safe. A key document that establishes the liability of both parties is the Business Associate Agreement (BAA). The BAA is a written document required when working with Business Associates and vice versa. This signed agreement ensures both parties know their responsibilities when handling patient data. Proposed updates to the Security Rule expand on this, with BAs potentially having to verify they are enforcing the proper safeguards on a yearly basis, certified by a compliance expert. Overall, this fine sets the tone for a new year of significant changes and enforcement by the OCR. Covered Entities and Business Associates must both understand their critical role in protecting patients. To learn more about how you can become HIPAA compliant, schedule a consultation with our team of experts today.

2025 HIPAA Compliance
Best Practices, HIPAA

New Year, New Compliance Program

December 31, 2024 No comments yet

December 31, 2024 After a year of record-breaking breaches and fines in 2024, starting the new year with your HIPAA compliance buttoned up is crucial. A compliance program is a comprehensive plan to ensure compliance with HIPAA guidelines. It’s much more than yearly training; it’s what you do daily to uphold your commitment to patient data safety.  The new year is about implementing new routines and actions for improvement. That’s why now is the time to get the right compliance program in place. Here are three key goals to help you start on the right track in 2025.   Complete a Security Risk Analysis  The first step to HIPAA compliance is completing a Security Risk Analysis (SRA).  The SRA is an assessment of the administrative, technical, and physical safeguards your practice has in place to protect patient data.  While the SRA might seem like a simple requirement to adhere to HIPAA regulations, it is actually one of the most overlooked, with only 14% of practices able to present documentation of a compliant SRA.  The SRA helps your practice identify vulnerabilities and creates a roadmap for HIPAA compliance, guiding your practice on what needs to be addressed. This documented analysis of your practice is the foundation of a compliant practice.    Establish a Culture of Compliance  A culture of compliance is the understanding that everyone—from leadership to staff—recognizes the importance of protecting patient data.  To achieve a compliant practice, it’s vital that all staff understand and continuously commit to following HIPAA. The culture of compliance involves much more than just training; it encompasses every decision employees make when dealing with data. This includes using the appropriate encryption measures when sending emails to patients and ensuring that staff members discuss only the minimum necessary amount of Protected Health Information (PHI) when required. To cultivate a culture of compliance in your practice, staff must have access to comprehensive resources to train, learn, and document anything regarding PHI. This could include interactive training portals, required access logs, and easy access to all learning materials. By providing streamlined compliance, your practice not only establishes a culture of compliance but also enforces it, holding all staff accountable if they don’t adhere to HIPAA guidelines.    Get Organized – Digitize Documentation In the new year, do a self-audit of your HIPAA documentation. If asked, could you easily find specific policies?  While meeting HIPAA requirements is essential for a compliant practice, you must also be able to present documentation as proof. The year is about embracing change. While most might picture their HIPAA manual as an overflowing binder, this is not the only option for managing documentation. It’s time for a change.  Cloud-based compliance programs allow you to access your HIPAA manual easily by logging into your account. Gone are the days of rifling through a binder to find a specific policy or procedure—a web-based HIPAA manual easily generates and organizes your documentation, saving you time and keeping all versions of your documentation in a centralized location.    Sticking to Resolutions If achieving streamlined HIPAA compliance has been a long-avoided New Year’s Resolution, this is the year to begin. With the right program, you can simplify compliance and have complete visibility into what is necessary to remain compliant. To learn more about how to get compliant this new year, schedule a consultation with a compliance expert today. 

Multi-Location HIPAA Security Risk Analysis
Best Practices, HIPAA

Location-Specific SRAs: A Must-Have for Healthcare Organizations

December 17, 2024 No comments yet

December 17, 2024 Keeping all locations in line with HIPAA regulations can be quite a challenge, especially when managing a multi-location practice. It’s a complex puzzle that requires careful attention to detail and a proactive approach to ensure compliance across the board. And we hate to break it to you, but a blanket Security Risk Analysis for your organization isn’t enough. A Security Risk Analysis, or SRA, is a thorough review of your organization’s physical, administrative, and technical safeguards to protect patient data. Even when you’re managing compliance at a single location within a multi-location organization, you are responsible for ensuring an SRA is completed for your location. The Office for Civil Rights (OCR) is serious about this requirement, as indicated by a recent significant fine. A penalty of over $500,000 was recently announced for the Children’s Hospital of Colorado system. While this investigation was sparked by a phishing attack, one of the major findings was missing SRAs for all locations. Completing this SRA is imperative. As the OCR spearheads new enforcement and initiatives, it’s time to get compliant. What is a SRA? The SRA is an in-depth review of everything your practice does to ensure patient data is safe. This means everything from whether your practice utilizes alarms and codes on doors to the servers you use and even how your staff handles patient intake, like how the sign-in sheet process works. The SRA is the first step of a compliant practice because it allows you to review your vulnerabilities and make changes to uphold your commitment to keeping data safe. The SRA is also a requirement for MIPS. Unfortunately, the SRA is a commonly missed requirement for medical practices. In fact, 86% of all practices could not show an adequate SRA in the last round of random HIPAA audits. Completing a sufficient Security Risk Assessment (SRA) is essential for maintaining a compliant medical practice. This process is closely linked to the Office for Civil Rights (OCR) Risk Analysis Initiative, which mandates that medical practices and organizations carry out this required assessment. Recently, the Bryan County Ambulance Authority was fined $90,000 for failing to conduct an SRA, marking the first enforcement action under this new initiative. This incident demonstrates the OCR’s commitment to this initiative and its dedication of resources to ensure compliance. Importance of Location-Specific SRAs When conducting a SRA, assessing every location within your organization is vital. While performing a single SRA for the entire entity might seem easier, compliance is more intricate and requires ongoing attention rather than being a one-off endeavor. Each location has distinct vulnerabilities that must be acknowledged and addressed. For instance, one location might have different vendors than another, and another location might be in an older building, with different security to keep Protected Health Information (PHI) safe. Although some overarching requirements may come from the main location, capturing each site’s specific conditions is essential. This thorough documentation demonstrates that every location takes compliance seriously, addresses vulnerabilities, and keeps patient data safe. How to Complete an SRA With the right resources, managing and completing an SRA for a multi-location practice can be simplified. Organization is key: ensuring each location completes all SRAs and can be easily accessed in a centralized location. Your organization can efficiently complete this requirement by having a tailored set of questions for each location. To learn more about streamlining your multi-location SRAs for your organization, schedule a consultation with a HIPAA expert today.

Security Risk Analysis for MIPS
Best Practices, HIPAA

The Security Risk Analysis: Setting the Pace for MIPS and HIPAA Compliance

December 4, 2024 No comments yet

December 4, 2024 As a healthcare provider, tackling your daily to-do list probably feels like running a marathon without a finish line at times. You’re tasked with managing a successful business, keeping up with ever-changing legislation and new technology while ensuring that your top priority of patient care never falls behind. Despite the challenging course, there’s a benefit to keeping pace with both quantity and quality. Providers are rewarded for going the extra mile thanks to Value-Based payment programs like MIPS and other government incentives like the HIPAA Safe Harbor Law. What is MIPS? You’ve most likely heard of the Merit-based Incentive Payment System (MIPS) and might already be a participant in it. Whether it’s a Quality Payment Program or new legislation passed into law, the government continually emphasizes the importance of being proactive rather than reactive and providing incentives for doing so. This is why it’s valuable to know whether your organization is eligible to participate in government programs (you can check here). Many of these different program requirements align with the standards your practice already has to meet under HIPAA law—protecting your patients, checking off compliance requirements, and receiving incentives can often be done all in one stride. To take a quick step back, MIPS is one of two payment tracks under the Medicare Quality Payment Program. The Centers for Medicare and Medicaid Services (CMS) uses this system to measure eligible clinician performance and reward high-value, low-cost care. MIPS participants can receive a payment adjustment to their Medicare reimbursements based on their performance scores across four different categories: Quality: The type of care you deliver based on specific measures of performance. Promoting Interoperability: Focuses on patient engagement and electronic exchange of information using Electronic Health Record (EHR) technology to improve patient access to their health information and exchange of information between providers. Improvement Activities: Your participation in clinical activities that work towards improving care coordination and patient engagement and safety. Cost: Assesses the cost of care you provide in relation to your Medicare claims. The Importance of the Security Risk Analysis (SRA) Before you can engage with the various performance measures, you must first meet a prerequisite for participating in the MIPS Promoting Interoperability performance category. This requirement is crucial not only for achieving HIPAA compliance but also for benefiting from other government incentives: the Security Risk Analysis (SRA). Conducting an SRA involves evaluating any potential risks to your organization’s electronic Protected Health Information (ePHI) and implementing necessary security updates and safeguards to address any identified vulnerabilities. Your organization must complete an SRA at least once a year to comply with MIPS and HIPAA standards. Additionally, it’s important to review and update the assessment regularly throughout the year to reflect any changes in your processes. Getting Compliant for MIPS Beginning your compliance journey can be overwhelming, but it is essential to take advantage of government initiatives such as MIPS. Intelligent software solutions can help keep your practice on track by outlining the requirements for HIPAA compliance and offering a streamlined SRA that meets MIPS standards. To learn more about how to become compliant for MIPS, schedule a meeting with a compliance expert today.  

The Price of Delay: A Costly HIPAA Lesson
Fines, HIPAA

The Price of Delay: A Costly HIPAA Lesson

December 2, 2024 No comments yet

December 2, 2024 Over a million dollars in HIPAA fines have been levied in the past few months, and like this winter’s snow, the fines continue to pile up, with a $100,000 fine recently announced. Last week, Rio Hondo Community Mental Health Center, an outpatient program managed by the Los Angeles Department of Health, was fined for a Right of Access violation. This marks the 51st enforcement of the Right of Access rule, highlighting the importance of handling patient records in a timely manner. What Happened? A patient requested a copy of their records on March 18, 2020. As we all know, March 2020 was marked by the beginning of the unprecedented COVID-19 virus, which led to the mental health center’s closure after the Governor of California put into action a “stay-at-home” order. However, the center reopened at the beginning of May 2020, allowing some staff to return to the facility. While the patient was told her records would be ready at this time, she was misinformed and began the summer with a flurry of calls and other forms of contact to request her medical records. After her requests were unfulfilled several times, the patient filed a complaint with the Office for Civil Rights (OCR) at the end of August 2020. The OCR then began investigating the Rio Hondo at the beginning of October. The medical records were finally sent on October 20, 2020, 216 days after the first request. The Right of Access rule requires Covered Entities to provide patients with their medical records within 30 days of the initial request. While the medical center was under a “stay-at-home” order during those 30 days, this was still significantly longer than the extension period of an additional 30 days and could have been handled when it was first deemed safe for staff to return to the medical center. This fine comes after a series of Right of Access fines, including another significant fine of $70,000 imposed at the end of October. The numerous fines issued this past year regarding the Right of Access initiative demonstrate the government’s commitment to this important aspect of patients’ rights. Protect Your Practice from Costly Mistakes Even during the peak of the global health crisis, HIPAA regulations stayed in effect. Implementing software solutions can help safeguard your practice. To ensure your staff remains compliant, it is highly recommended to use automated software that keeps you and your team in check, regardless of the circumstances. Schedule a consultation today to learn more about automated compliance for your practice.

true price of a HIPAA Audit
Audits, Fines, HIPAA

What Money Doesn’t Cover: The True Price of HIPAA Non-Compliance

November 19, 2024 No comments yet

November 19, 2024 Did you know that the average cost of a healthcare data breach is $9.77 million? When HIPAA investigations can lead to millions of dollars in expenses for rebuilding IT systems, legal fees, fines, and other costs, it’s easy to overlook the non-monetary consequences of an investigation in which you are found liable. When a practice is found liable, it indicates that it failed to demonstrate that it took the necessary precautions to prevent a breach. This could include not adhering to proper procedures, such as promptly providing a patient’s healthcare records to the Office for Civil Rights (OCR) or a State Attorney General. This liability can significantly impact your practice’s reputation. The investigation can take months and make your practice subject to scrutiny. Reputation: A Cost To Your Business  When your practice is found liable for a HIPAA violation, it can unfortunately haunt your practice. Once a HIPAA fine is announced, it is posted on the HHS website and reported by numerous compliance news sources. This news release can become a notorious stain on your practice’s reputation, as it is one of the first websites to appear when your practice is searched. This can directly impact your organization’s success. In the digital age, over 75% of all patients search for a new provider online, and this fine will likely be one of the first things they see. Time: The Unease of Waiting  Waiting for a response from the OCR or the state during an investigation can be overwhelming and stressful. HIPAA investigations often take several months and require hundreds of pages of documentation, and waiting for a response is an additional non-monetary cost associated with them.  In some cases, the fines related to HIPAA violations can take years to finalize. For example, a recent HIPAA fine imposed in 2024 resulted from a breach in 2017. This illustrates that investigating such breaches can take years before any resolution is reached. Even after a fine is levied, time is spent trying to recover and restore one’s reputation, which is just as challenging to manage. Scrutiny: Monitored by the Government Many HIPAA fines include a Corrective Action Plan (CAP) or a set of requirements and years of monitoring before a practice officially completes its payment for a fine. A CAP keeps your healthcare practice under government scrutiny for an extended period. This means that government authorities will closely monitor your practice’s operations, data security measures, and compliance with HIPAA regulations. This nonmonetary cost is another frustrating burden for practice, as it is subject to scrutiny and oversight by authorities. Protecting Your Practice Don’t let a mistake become a detriment to the success of your practice. Ideally, once a HIPAA fine is paid, the practice can return to normal. Unfortunately, the nonmonetary costs of an audit can continue to detriment a practice’s success. That’s why it’s vital to put precautions in place before a significant breach can occur, and if it still occurs, the right documentation is in place to defend your practice. Utilizing a smart software solution for compliance can prepare your practice for a HIPAA investigation. Watch our webinar, featuring compliance experts with a 100% pass rate, to learn more about the audit process and its necessary steps.

Ransomware HIPAA Fines
Cybersecurity, Fines, HIPAA

The Price of Neglect: Ransomware Fines Hit Healthcare Practices

November 7, 2024 No comments yet

November 7, 2024 Healthcare practices felt quite a scare on Halloween, with over half a million dollars in fines levied on medical practices. These practices were fined for not taking the necessary precautions against ransomware breaches. The two practices impacted on this day of significant fines include Plastic Surgery Associates of South Dakota in Sioux Falls (PSASD), a multi-location organization, and the Bryan County Ambulance Authority (BCAA), an Oklahoma emergency medical services provider. PSASD was fined $500,000, and BCAA was fined $90,000. These significant fines are just the precipice of the future of healthcare breaches, with ransomware breaches increasing 264% since 2018. What Happened? Major ransomware attacks unfortunately impacted both of these healthcare providers. For PSASD, a breach was discovered that infected nine workstations and two servers in July 2017. This breach impacted over ten thousand patients, putting their data at risk. The malicious actors utilized trial and error to hack into the organization’s system. The data was unable to be restored. The investigation revealed significant gaps in their compliance program, including a missing Security Risk Analysis, inadequate policies and procedures for data handling and breach reporting, and insufficient training. This $500,000 penalty also includes two years of monitoring by the Office For Civil Rights (OCR). For the BCAA, its ransomware attack began in November 2021, but wasn’t reported until May of the following year. After a breach, depending on the severity, you must notify the OCR within 60 days. Since this breach impacted over 14,000 patients or over 500 people, it is considered a large breach. Similar requirements, such as a Security Risk Analysis, adequate policies, a risk management plan, and other safeguards, were missing as found in this investigation. It’s $90,000 fine includes a Corrective Action Plan as well. Protecting Your Practice from Ransomware Ransomware attacks will continue to affect our healthcare system. Although complete immunity is impossible, there are many precautions you can take to protect your practice. Implementing the right technical safeguards, such as firewalls, antivirus software, and a qualified IT team is crucial. Additionally, you can streamline your HIPAA compliance by using intelligent software solutions that help identify your compliance needs unique to your practice. In the event of an attack, these solutions can also guide you on how to respond effectively. To learn more about these smart solutions, meet with a compliance expert today.

How can HIPAA & HR non-compliance affect your practice? Join our live webinar with HR for Health on April 15.

REGISTER TODAY
X