April 17, 2024

Imagine this: it’s a quiet Wednesday morning at the practice. As you watch the clock tick criminally slowly toward lunch hour, you check your email. It looks like your boss sent you an email! He wants you to print out the attached file. You absent-mindedly click on the file, and your once quiet morning is completely flipped on its head. The email was a phishing scam! If you had looked a bit harder, you would have noticed it didn’t actually come from your boss, but from an unknown, suspicious address. The malware begins to infect your computer and wreak havoc. What are you going to do?

Email phishing scams are a common example of a breach, exposing patient data. Other forms of breaches include stolen laptops, improper disposal of PHI, and, overall, any time there is unauthorized access to sensitive patient data. Breaches, unfortunately, happen pretty often, affecting millions of patients. In 2023, over 133 MILLION patients’ information was exposed in breaches.

What’s the HIPAA Breach Notification Rule?

Now that we’ve painted a scary picture, let’s talk about what you can do. This is where HIPAA’s Breach Notification Rule comes in. The Breach Notification Rule is one of the pillars of HIPAA and guides Covered Entities (CEs) and Business Associates (BAs) when it comes to breaches. It mandates what information about a breach is required and how patients need to be notified of their exposed data.

What Should I Do?

Well, first, don’t panic! Time is of the essence when it comes to a breach. Here’s a step-by-step guide on what to do if you suspect a data breach:

1. Contain the Breach: First things first, stop the attack! If dealing with a cyber attack, like an email phishing scheme, disconnect the infected computer immediately so it can’t spread the nasty virus to other computers on the network. Report the incident to your IT department or IT partner immediately.

2. Investigate the Breach: Time to play a bit of Sherlock Holmes and investigate the attack. What data was accessed or potentially accessed? How many individuals are potentially affected? How did the breach occur? All of these questions are vital when it comes to reporting this breach and notifying patients. In the Abyde software, we have our breach log, a quick questionnaire for you to organize your investigation.

3. Notification Requirements: Depending on the severity of the breach, notifications may need to be sent to several parties:

4. Mitigation and Prevention: Well, hopefully, that never happens again! Now it’s time to take steps to prevent similar breaches in the future. This involves:

How Abyde Can Help

Mitigating breaches and protecting patient privacy can be daunting. Abyde can help! We offer a plethora of resources on compliance and data security best practices. As discussed above, Abyde assists with every step of the breach process, from proactively identifying risks and vulnerabilities with the Security Risk Analysis, to training, to breach logs. Want to learn more about how Abyde can help you Never Stress Over Compliance Again? Email info@abyde.com, and schedule a compliance consultation here (and here for Business Associates).
Royal Blunder: What the Kate Middleton Breach Teaches Us About Patient Privacy
April 5, 2024

Today, we’re talking about some international news. Once again, get your passport ready, because we’re taking a trip to the land of Big Ben, Buckingham Palace, and of course, the British monarchy. The British monarchy, spanning over 1200 years, has long been a symbol of the United Kingdom. You might have heard a lot of buzz about Kate Middleton’s health concerns over the last several months, with intense interest and curiosity regarding her recent absence from the public. The search for answers became pandemonium, and rumors flourished, with millions rabidly looking for answers. Weeks after the start of ‘KateGate’, the Princess of Wales addressed the public in a heartfelt video message, revealing her recent cancer diagnosis. However, this personal update could not be made entirely on her terms. Hospital staffers searched for her private medical records, violating the princess’s privacy. Today, we’re talking about a topic that hits close to home for everyone: that everyone, including royalty, deserves to have their Protected Health Information (PHI) kept secure.

A Royally Big Problem

As a result of the media frenzy regarding the princess’s whereabouts, there was an unfortunate breach of protocol, with her information being searched for by three hospital staffers at the London Clinic after her surgery in January. These staffers have received disciplinary action and have been suspended. The CEO of the London Clinic, Al Russell, has released a statement on the matter: “There is no place at our hospital for those who intentionally breach the trust of any of our patients or colleagues.” The United Kingdom and Europe have legislation similar to HIPAA, protecting the privacy of their citizens; to learn more about their laws, read this linked article! An investigation was opened by the Information Commissioner’s Office, or ICO. Similar to America’s Office for Civil Rights, or OCR, the ICO investigates data protection violations and has the power to enforce laws. They received a breach report at the end of March, and more information is soon to come.

However, Kate Middleton is no stranger to healthcare breaches. A similar breach occurred over a decade ago when she was pregnant with her first child. When she was hospitalized for morning sickness, medical staff accidentally shared detailed medical information with callers they thought were Queen Elizabeth and (now King) Prince Charles. These callers weren’t royalty at all, but radio hosts!

What can we learn from this?

While we don’t have a monarchy stateside, the incident does serve as a valuable lesson that even members of the public eye deserve to have their protected health information kept private. Ensure your practice has access controls set up, so that information is only accessible to the people who need it. Additionally, ensure staff are properly trained and know best practices in any situation. The Kate Middleton incident serves as a stark reminder of the constant vigilance required to safeguard patient privacy. By learning from past mistakes and implementing extensive security measures, such as compliance software like Abyde, healthcare practices can create a culture of compliance. This culture of compliance empowers staff to make informed decisions and protect health information. To see how your compliance currently stands, email us at info@abyde.com and schedule a consultation here.
Leap into Action: Important Data Breach Reporting Deadline Approaches
February 26, 2024

Happy Leap Year! Now, let’s celebrate the once-every-four-years event with the most exhilarating and entertaining activity: notifying the OCR of small breaches your practice faced in 2023. Alright, I’m kidding, I’m kidding. While reporting these breaches might not be the most exciting activity, it is very important to notify the OCR of these breaches to ensure proper procedure was followed when things didn’t go as planned. This notification to the OCR is due 60 days after the end of the calendar year in which the breach occurred, according to the Breach Notification Rule. So, for 2024, it will be February 29th, or Leap Day.

So, what is a small breach?

You might be asking, what constitutes a small breach? Thankfully, the OCR has specified this for us, and it’s any breach that affects 500 or fewer patients. Anything larger requires faster reporting: the OCR must be notified of the breach within 60 days of the discovery of the breach. While smaller breaches don’t need to be reported to the OCR as quickly, patients must be made aware of their data being affected in a breach, and patients must be notified within 60 days of the practice finding the breach, or even sooner depending on the state.

So, how do I report my small breaches to the OCR?

Another great question! Once again, the OCR has a reporting system in place online here. Each small breach has to be reported separately through the website. Abyde makes breach reporting easy with our HIPAA breach logs, which allow you to log when you experience a breach in your software. After filling out the breach log, we have a Breach Risk Assessment for you to take, which will then generate a report with all the information you need for the OCR breach report. If you want some help filling out the breach report, you can turn to us, your compliance crew. For Abyde users, call us at 1-800-594-0883 or hit the Help! Alarm button under the gear icon in your Abyde software. We’ll get connected with you immediately and help you navigate the breach. Then, just make sure you notify the OCR by the due date for those smaller breaches!

So, what else do I need to do?

I’m glad that you’re still interested! Have assigned roles in place for when breaches occur. The reporting of breaches usually falls under the HIPAA Compliance Officer’s list of responsibilities. Having a designated HIPAA Compliance Officer and, in general, having assigned roles ready for when a breach or disaster occurs ensures accountability.

So, what now?

Make sure that you have all of your small breaches reported to the OCR by February 29th, 2024. Abyde is here to make this process easy with our easy-to-use software. To learn more about how Abyde simplifies compliance, reach out to info@abyde.com or schedule a demo here.
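The two reporting clocks described in this post (and again in the 2020 deadline post further down) are easy to get wrong, especially the annual small-breach deadline, which lands on February 29 in a leap year and March 1 otherwise. The following deadline calculator is an added example written for this page, not Abyde's software; it assumes the HHS threshold of 500 or more affected individuals for a large breach, and it does not model state laws that may require faster patient notification.

```python
from datetime import date, timedelta

# Assumption for this example: 500 or more affected individuals is a "large"
# breach reported to the OCR within 60 days of discovery; fewer than 500 is a
# "small" breach reported within 60 days after the end of the calendar year.
LARGE_BREACH_THRESHOLD = 500
NOTIFICATION_WINDOW = timedelta(days=60)


def is_large_breach(affected: int) -> bool:
    return affected >= LARGE_BREACH_THRESHOLD


def individual_notice_deadline(discovered: date) -> date:
    """Affected patients must be notified within 60 days of discovery,
    regardless of how many people were affected (state law may be shorter)."""
    return discovered + NOTIFICATION_WINDOW


def ocr_deadline(discovered: date, affected: int) -> date:
    """OCR (HHS) report deadline.

    Large breach: 60 days from discovery.
    Small breach: 60 days after December 31 of the discovery year, which the
    calendar arithmetic turns into Feb 29 in a leap year and March 1 otherwise.
    """
    if is_large_breach(affected):
        return discovered + NOTIFICATION_WINDOW
    year_end = date(discovered.year, 12, 31)
    return year_end + NOTIFICATION_WINDOW


def breach_status(discovered: date, affected: int, today: date) -> dict:
    """Summarise both deadlines and whether each has already passed."""
    ind = individual_notice_deadline(discovered)
    ocr = ocr_deadline(discovered, affected)
    return {
        "size": "large" if is_large_breach(affected) else "small",
        "individual_deadline": ind,
        "ocr_deadline": ocr,
        "individual_days_left": (ind - today).days,
        "ocr_days_left": (ocr - today).days,
        "individual_overdue": today > ind,
        "ocr_overdue": today > ocr,
    }


if __name__ == "__main__":
    # Constructed sample: a misdirected email discovered in November 2023
    # affecting 12 patients, checked on the date of this post.
    for key, value in breach_status(date(2023, 11, 6), 12, date(2024, 2, 26)).items():
        print(f"{key}: {value}")
```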
MedEvolve Pays $350k Settlement Following HIPAA Violations
May 16, 2023

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services disclosed a settlement concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. The settlement was with MedEvolve, Inc., a business associate offering practice management, revenue cycle management, and practice analytics software services to health care entities. This settlement brings an end to the OCR’s probe into a data breach incident where a server containing the protected health information of 230,572 individuals was left vulnerable and accessible on the internet.

The potential HIPAA violations included the absence of an analysis to identify risks and vulnerabilities to electronic protected health information throughout the organization, and the failure to establish a business associate agreement with a subcontractor. These agreements typically outline the permissible uses and disclosures of protected health information, implementation of appropriate safeguards, and the procedure for notifying the covered entity of any breaches.

As a part of the settlement, MedEvolve paid a $350,000 monetary settlement to the OCR and consented to implement a corrective action plan to address these potential violations and enhance the security of electronic patient health information. OCR Director Melanie Fontes Rainer emphasized the importance of securing electronic protected health information, stating, “Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy.”

The investigation into MedEvolve began in July 2018 after a breach notification report highlighted that an FTP server containing electronic protected health information was openly accessible on the internet. The exposed information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some instances, Social Security numbers.

The OCR investigates every report of breaches affecting 500 or more people. In 2022, the most common type of large breach reported to the OCR was hacking/IT incidents, accounting for 79% of cases. It’s therefore essential for HIPAA-covered entities and their business associates to ramp up their efforts to identify and tackle cybersecurity threats.

Under the settlement agreement, MedEvolve will be under OCR’s scrutiny for two years to ensure compliance with the HIPAA Security Rule. They have agreed to take measures such as conducting a comprehensive risk analysis, developing a risk management plan, revising policies and procedures as necessary, enhancing their HIPAA and Security Training Program, and reporting non-compliance within their workforce to the HHS within sixty days.

In today’s world, where data breaches are increasingly common, Abyde takes a proactive stance in ensuring that healthcare providers maintain the highest standards of compliance. Our comprehensive software solution is designed to alleviate the burden of HIPAA compliance for healthcare professionals and mitigate the risk of a costly incident like MedEvolve’s.
No Practice Too Big
May 11, 2023

Small organizations are prime targets for cyberattacks because they are typically less likely to have robust cybersecurity systems, if any at all. Yet Aspen Dental, with over 1,000 offices across the United States, recently fell victim to a cyberattack that disrupted its ability to access scheduling systems, phone systems, and other essential business applications. No organization of any size or industry is immune to cyberattacks.

The Aspen Group has not confirmed whether or not patient information was compromised, and is still actively investigating the incident’s scope. The breach was first discovered on April 25, and if it turns out that sensitive personal information was involved in the incident, Aspen Dental will notify the affected individuals in accordance with applicable laws.

The healthcare industry is number one on the list of targets for cybercriminals because the industry holds massive amounts of sensitive personal data on patients, ranging from medical records to credit card numbers to home addresses. Dr. Jay Wolfson, USF Associate Dean for Health Policy and Practice, said, “Healthcare is the richest source of data for poor people looking to commit fraud and get data on people.” According to a report from healthcaredive.com, 385 million patient records have been exposed as a result of healthcare breaches from 2010 to 2022, emphasizing the critical need for comprehensive security measures like those provided by Abyde’s compliance solutions software.

The insurmountable cost of a breach, followed by investigations and legalities concerning HIPAA, can be detrimental not only financially but also to the reputation of a healthcare entity. In light of Aspen Dental’s breach, it is evident that using a Compliance-as-a-Software solution like Abyde’s would have significantly reduced the risk of a cyber event. Abyde’s software offers a comprehensive solution to help healthcare organizations maintain compliance, safeguard sensitive patient information, and ensure the safety of business operations. Investing in such preventative measures allows healthcare organizations to protect themselves from devastating cybersecurity incidents and the endless headache that is sure to follow. This incident proves that there is no practice too big for compliance.
The Road to Meeting HIPAA Breach Reporting Requirements
February 23, 2022

Accidents happen, no matter how careful you try to be. That’s why a safe driver can find themselves in a fender bender and a “cyber-secured” healthcare practice can fall victim to a data breach. Without complete control over everything and everyone, there’s a risk we take just by connecting to the internet or getting behind the wheel. But while the 89% of providers who’ve experienced a cyberattack (and the vast majority of Florida drivers) have proven that you can’t always put the brakes on unpredictability, having an incident response plan in place helps to reduce the impact should an incident occur. So just as you wouldn’t flee the scene and turn a minor rear-end into a major hit and run, meeting HIPAA’s reporting requirements is key to preventing a minor breach from having major implications for your organization.

Now, whether you’re amongst last year’s 71% increase in healthcare data breaches or just looking to take your breach response plan for a test drive, steering your practice in the right direction starts with understanding your responsibilities under the HIPAA Breach Notification Rule.

Assessing the Breach

Anything from an accidental mass email to a targeted ransomware attack can trigger a potential data breach. But the same way backing into a curb doesn’t necessarily warrant a police report, not every disclosure of protected health information (PHI) qualifies as a reportable breach. According to the Department of Health and Human Services (HHS), an impermissible use or disclosure of PHI is presumed to be a breach unless the organization can determine that there is a low risk of the patient information being compromised. Properly assessing the scope of the situation helps in figuring out what type of data was exposed, who exactly was impacted, and how you should best handle the next steps. Determining the risk level can be done with the help of our related article: What to Assess in a Possible HIPAA Breach

Notifying the Right People

Once you’ve assessed the breach, it’s time to get your apology letters en route to the impacted patients. HIPAA requires covered entities to provide individual notifications “without unreasonable delay and in no case later than 60 days following the discovery of a breach.” The specifics of what should be included in individual breach notifications can be found in our related article: What is the Breach Notification Rule?

Reporting in a Timely Manner

Considering the fact that 60-80% of data breaches go unreported, notifying the HHS (and any additional state-specific parties, if applicable) is an essential step that is too often missed. HIPAA law drives home some pretty specific reporting timeframes that require: The HHS has made it clear just how important timely notification is in reducing penalties resulting from a breach and has levied several fines, including a $2 million settlement with a hospital, for failing to report on time. So regardless of the number of people impacted, once a breach has been assessed and individual notifications have been sent, we recommend setting the HHS Breach Reporting Web Portal as your next destination.

Documenting in Entirety

Another step that practices too often speed past is documenting their breach response in its entirety. With documentation usually taking the driver’s seat when it comes to proving the action your practice has taken in handling an incident, it’s important to keep a record of the breach analysis and reporting process for up to six years following the incident.

Mitigating Further Risk

And finally, whether it’s enhancing staff training, implementing stronger safeguards, or just ensuring that your patients’ security remains a top priority moving forward, handling a data breach means mitigating whatever fueled it in the first place and taking measures to prevent any future incidents from happening down the road.

Some final words of advice? If you have experienced a breach in 2021 and have yet to report it, you should probably put the pedal to the metal before the deadline passes. And if you haven’t experienced a breach and want to keep it that way, having a complete HIPAA and security program is a great place to start. So while accidents aren’t always predictable or preventable, having safety measures in place, whether it’s a seatbelt or technical controls, can reduce your risk of an incident and help minimize the damage if there is one. Because when it comes to protection, it pays to go the extra mile, especially when there’s a solution out there like Abyde that puts your practice’s compliance on cruise control.
2020 HIPAA Breaches Reporting Deadline is March 1st
February 5, 2021

2020 was certainly not the year anyone planned, and despite your best intentions, the transition to remote operations and reliance on new technologies may have led your practice to experience a (hopefully minor) HIPAA breach last year. If you had a major breach (500+ patients affected), you’re a little late to the reporting party (breaches affecting over 500 patients should be reported within 60 days, or sooner depending on your state). If fewer patients were affected and you only had a minor breach on your hands, mark your calendars for the upcoming small breach reporting deadline on March 1st.

What types of incidents are HIPAA breaches, and how do I know if I have to report it?

Any instance in which protected health information (PHI) was exposed in violation of the HIPAA Privacy Rule or HIPAA Security Rule counts as a breach of HIPAA. This could be as small as sending an email containing PHI to the wrong person, or as big as a hacking incident affecting hundreds of patient records. While we wish there was a ringing alarm to signal that a breach has occurred, many breaches aren’t as easy to detect. If you just aren’t sure, first assess the scenario to help make that determination – particularly what the risk is that the PHI possibly exposed would be used with ‘malicious intent’. We’re big believers in the “better safe than sorry” mentality, and recommend reporting any incident that could be a breach to meet all the necessary reporting requirements.

What qualifies as a ‘small’ HIPAA breach?

HIPAA classifies minor breaches as incidents impacting 500 individuals or fewer. Even if the breach only involved a single patient, it still counts as a breach and should be reported no later than 60 days after the end of the calendar year (aka March 1st). The ONLY case in which a breach of this kind might not need to be reported is if you can determine with absolute certainty that the data exposed won’t be misused or has been permanently deleted. (P.S., if your breach fell into that 500+ patients bucket, while you’re a little behind, we still recommend submitting a late report instead of no report at all, to reduce the penalties you might face.)

What if my business associate experienced the breach, do I have to report it?

While the Office for Civil Rights (OCR) does encourage business associates to report breaches themselves, the responsibility of getting the report in correctly and on time ultimately falls on the practice. If one of your third-party vendors experienced a breach in 2020, it’s best to check with them to ensure that the breach was reported, or report the breach yourself to make sure you’re covered (again – better safe than sorry!). Even if you have a Business Associate Agreement (BAA) in place with the vendor and an incident is completely out of your hands, failing to report the breach by the deadline can still result in HIPAA fines.

Reporting HIPAA breaches of any kind is extremely important to avoid further fines and penalties. If you do have to make a report – you’re not alone. Only 44% of healthcare organizations actually meet cybersecurity standards, meaning a LOT of organizations wind up with data breaches even if they have solid HIPAA programs in place. There is some good news, however, with the new HIPAA Safe Harbor Law. You could qualify for reduced HIPAA fines if and only if you can prove that your practice has had the necessary technical safeguards and HIPAA requirements in place for 12 months before the breach.

So, the short version? Make sure you report ANY possible or confirmed small breaches that occurred in 2020 by March 1st to avoid further penalties. If you DON’T have a HIPAA program in place but still have a breach to report, we highly recommend getting a program in place ASAP to help reduce possible fines or other penalties.