Security Rule

NJ Attorney General Imposes HIPAA Fine
Fines, HIPAA

NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation

December 21, 2021 Comments Off on NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation

December 21, 2021 Handling sensitive information without having the right safeguards in place can be like playing with fire, and we’ve all seen enough headlines to know just how easily a data breach can send a healthcare organization up in smoke. Just last week, the New Jersey Office of the Attorney General and its Division of Consumer Affairs announced a $425,000 settlement with Regional Cancer Care Associates LLC (RCCA). Along with the payment, RCCA has agreed to strengthen data security and privacy practices to prevent further breaches. The investigation was sparked back in 2019 after RCCA reported two separate data breaches involving the protected health information (PHI) of 105,000 individuals. The first of the two breaches occurred after several RCCA employees fell victim to a targeted phishing scheme that gave unauthorized access to patient data stored on those accounts from April – June 2019. The phishing scheme exposed driver’s license, Social Security, and financial account numbers along with other health records. While the threat of a phishing scheme can be better avoided through proper cybersecurity measures and employee training, the even bigger problem began in RCCA’s attempt to put out the first set of flames. Following the Breach Notification Rule, the cancer care provider notified impacted patients in July of that same year. However, the third-party vendor they used to provide this notice, improperly mailed notification letters intended for 13,047 living patients by addressing the patients’ perspective next-of-kin. This mistake resulted in patients’ relatives being informed of their medical conditions without consent – essentially just adding even more fuel to the blaze that the initial breach set off. Now just one lit match wouldn’t ignite a settlement of this proportion, but rather RCCA’s failure to do all of the following:  So while the rising trend of healthcare data breaches won’t be easily extinguished, keeping your practice best-protected starts with having a complete HIPAA and cybersecurity program in place. Better staff education and compliance measures should be a top priority and the message from Acting Attorney General Bruck stating, “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short,” is hopefully something that will spark some change. 

Security Risk Analysis Misconceptions
Best Practices, HIPAA

The Security Risk Analysis and its Many Misconceptions

August 13, 2021 Comments Off on The Security Risk Analysis and its Many Misconceptions

August 13, 2021 HIPAA is kind of like a puzzle – without having each and every individual requirement in place, your practice can’t consider itself fully compliant. But much like building a jigsaw blindfolded, it’s a lot harder to piece together the big picture of compliance with all of the misconceptions out there masking what HIPAA’s requirements actually entail.  Now, the first piece in this so-called “HIPAA puzzle” is the Security Risk Analysis (SRA) which requires all covered entities to assess any potential risks and vulnerabilities to protected health information (PHI) based on the physical, technical, and administrative safeguards that their organization has in place. It’s essentially just a self-evaluation that helps lay the groundwork for a complete HIPAA program AND is the first thing a practice will be asked to provide in the case of an audit. But despite its importance, only 14% of entities actually fulfill the requirement – so what is causing this lack of compliance and why does the SRA seem like an unsolvable puzzle in itself? A large piece of the widespread noncompliance is all of the confusion that surrounds the ‘what, why, and how’ of the SRA. This is why in order to ensure all organizations know how to complete the first part of the big HIPAA puzzle, we need to break down the myths vs the facts.  Myth #1: Small practices and independent providers don’t need to worry about the SRA. False: All providers, no matter the size or specialty, are covered entities under HIPAA and are therefore obligated to perform a risk analysis along with all other requirements under HIPAA law. Myth #2: My Electronic Health Record (EHR) takes care of privacy and security, so I don’t need to complete an SRA. False: Even with a certified EHR, the risk analysis isn’t completed for you. The EHR vendor may provide information and training on the privacy and security aspects of their product but they are not responsible for privacy and security compliance within your practice. Additionally, an SRA involves all PHI within your organization, including what isn’t housed in your EHR like paper records and files.   Myth #3: My IT company handles a full SRA.  False: Similar to the confusion around your organization’s EHR, IT companies might help to assess technical safeguards and identify technical risks – but do not provide a comprehensive analysis of all aspects of your organization to cover the administrative and physical requirements.  Myth #4: I can use a templated checklist to complete my SRA.  False: While the government does provide some tools that can be used as helpful guidance for conducting an SRA, in order for the analysis to meet the requirements it must assess specific elements of your organization and practice operations which may differ from the types of things assessed in a template or generic checklist.  Myth #5: The SRA is a one-time thing and as long as I completed it once, I’m good to go! False: The HIPAA Security Rule specifically states, “the risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” But although, your organization does need to be conducting an SRA on a continual basis – this doesn’t mean that each year you’ll need to start over from scratch. It’s important (and required) that you update your SRA annually at the very least as well as any time there are changes to your practice or systems to identify any changes in risks and maintain the necessary safeguards within your organization.  While we hope our little game of “myth busters” helped clarify any confusion around what goes into completing this requirement and why it’s so important, we know that it might’ve also caused some concern for how a small, independent practice is supposed to tackle all of this alone. Completing a comprehensive analysis (on an ongoing basis) along with the proper documentation and risk mitigation that’s required involves time, resources, and expertise that might seem unfeasible to a small or medium-sized organization. But luckily there are outside resources available to help debunk the other misconception that completing an SRA HAS to be challenging. So while your practice can tackle this requirement DIY-style, a software solution like Abyde makes it so you don’t have to – providing all the tools and support to guide you through the misconceptions and help to put the pieces into place so that your practice can easily complete the puzzle of HIPAA compliance. Schedule a one-on-one consultation today to see where your practice currently stands and how Abyde makes meeting the SRA – and all other HIPAA requirements – a breeze!

Peachstate Clinical Laboratory HIPAA Violation
Fines, HIPAA

OCR Announces HIPAA Settlement with Peachstate Clinical Laboratory for Security Rule Violations

May 25, 2021 Comments Off on OCR Announces HIPAA Settlement with Peachstate Clinical Laboratory for Security Rule Violations

May 25, 2021 No matter the time of year, HIPAA enforcement never goes out of season and we have today’s announcement from the Office for Civil Rights (OCR) to prove it. The latest HIPAA settlement and sixth of the year involves Peachstate Health Management, LLC – a Clinical Laboratory based out of Georgia who provides diagnostic and laboratory-developed tests. The violation stemmed from Peachstate’s failure to meet several of the HIPAA Security Rule requirements and led to a $25,000 fine and 3 year corrective action plan issued by the OCR – a result that probably didn’t leave the organization feeling too peachy afterall.  So what happened?  Well it may seem like comparing apples to oranges when looking at what triggered this settlement versus the ones we’ve recently seen centered around patient right of access violations and large cyberattacks. But the latest violation resulted from a variety of different and very relevant factors from data breaches to telehealth and business associates with systemic noncompliance at its core. It started back in 2015 after the U.S. The Department of Veterans Affairs (VA) reported a data breach involving their telehealth services program managed by its business associate, Authentidate Holding Corporation (AHC). A year later, the OCR initiated an investigation into the business associates’ compliance program where they uncovered that AHC and Peachstate had earlier entered into a reverse merger in January of 2016 whereby AHC acquired Peachstate. As a result of this finding, the OCR opened up another compliance review into Peachstate and found that the clinical laboratories were ripe for the picking in their ongoing noncompliance in the following key areas:   In addition to the fine and extensive corrective plan that the OCR issued, their response to the incident and message for other healthcare organizations is the cherry on top and should not be taken lightly. “Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”  So in other words – the only way to avoid being the low-hanging fruit for a HIPAA violation is ensuring that your healthcare organization has met these basic standards that Peachstate was missing. And while an apple a day might keep the doctor away, this latest settlement is yet another example of why having a complete compliance program in place is so essential to keeping your practice away from OCR scrutiny and avoiding a HIPAA fine like this one.   

$5.1 Million Dollar HIPAA Fine
Fines, HIPAA

OCR Announces 2nd HIPAA Settlement of 2021 with Health Insurer for $5.1 Million

January 15, 2021 Comments Off on OCR Announces 2nd HIPAA Settlement of 2021 with Health Insurer for $5.1 Million

January 15, 2021 Buckle your seatbelts – it’s only 15 days into 2021 and it’s already looking like this year will be a wild ride when it comes to HIPAA enforcement. The Office for Civil Rights (OCR) just announced another HIPAA settlement (and a doozy at that), bringing in not one but TWO fines just this week.   The latest (and greatest) HIPAA fine of 2021 was just awarded to Excellus Health Plan, Inc., a health insurance provider serving over 1.5 million people in New York. The settlement includes a whopping $5.1 million fine and a 2-year corrective action plan, the result of cyber attack affecting more than 9 million records along with a slew of other HIPAA Privacy and Security Rule violations. Fun fact: the OCR didn’t reach $5 million in total fines levied until September of last year, and today’s announcement means they’ve already exceeded the $5 million mark just 15 days into 2021 – talk about starting the year off strong!   Excellus’ story all started when the OCR received a breach report on September 9, 2015 that cyber-attackers had gained access to Excellus Health Plan’s information technology systems. Of note with this particular breach story is that the hackers in Excellus’ case were accessing their systems so long, they not only set up shop but practically built a whole mall to go with it – hanging out in the health plans’ database from December 23, 2013 allllll the way until May 11, 2015 – an entire year and a half.  Their overextended stay allowed the hackers to install malware in addition to other malicious activities that provided unauthorized access to the protected health information (PHI) of over 9.3 million individuals – improperly accessing everything from names, to addresses, social security numbers, financial information and clinical treatment information.  If having hackers in your IT system for almost 2 years wasn’t bad enough, the OCR also found that Excellus had violated some pretty important HIPAA rules, including:  As a great example of what NOT to do when it comes to your HIPAA and technical security programs, today’s fine also offered words of wisdom from the OCR: “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”    One positive when it comes to increasingly concerning cyberthreats? The recently passed HIPAA Safe Harbor Bill offers your practice the chance to receive smaller HIPAA fines (even more important with the whopping $5.1 million precedent just set) IF you have the necessary safeguards in place 12 months BEFORE a cyber event. Even though data breaches and hacking incidents aren’t always in your control, practice’s preparation beforehand is – and could mean the difference between a smaller, manageable fine and ranking among the top 10 greatest hits on the OCR’s fine list.    

The Security Rule HIPAA
Abyde News, HIPAA

HIPAA Building Blocks: The Security Rule

November 12, 2020 Comments Off on HIPAA Building Blocks: The Security Rule

November 12, 2020 Even with a law as complex as HIPAA, there are a few building blocks that form the base of all HIPAA requirements. One of those blocks – often referred to as the first step in HIPAA compliance – is the Security Rule. Essentially, the Security Rule ensures protected health information (PHI) is only accessible to those who should have access. Think of it almost like a personal bodyguard there to protect your PHI. In this case, that ‘bodyguard’ is made up of specific safeguards – covering physical, administrative, and technical access – that ensure the protection and confidential handling of patient information. Administrative Safeguards  Covering more than just paperwork (though, there is a lot of that), administrative safeguards include documentation of the actions, policies, and procedures used by your practice to protect PHI. These requirements cover:  Physical Safeguards  Beyond the obvious (we hope things like locking your doors are already in place), physical safeguards cover the measures taken to protect your information systems, physical infrastructure, and equipment from unauthorized access as well as natural hazards. Key requirements include:  Technical Safeguards  It’s impossible to avoid technology in the healthcare world today, and technical safeguards cover the ways your practice secures electronic protected health information (ePHI) and controls access to it. These requirements are a bit more difficult that simply installing antivirus software, and cover:  These safeguards are just a few pieces of the HIPAA compliance puzzle, but can make or break a practice when it comes to HIPAA. Often, practices slapped with HIPAA fines are missing one (or in most cases, a lot) of these requirements that could have prevented HIPAA violations and better protected their patient data. So how do you start actually implementing all these requirements? There’s no easy instruction manual handy, but the next best thing is working with HIPAA experts that can not only assess where your program is at, but help guide you through recommended updates to fix any high risk areas. However you manage HIPAA, meeting the Security Rule requirements is just the first step – make sure you review your entire HIPAA program, not just one or two pieces, to be compliant. 

City of New Haven Reaches HIPAA Settlement
Fines, HIPAA

City of New Haven Reaches HIPAA Settlement After Former Employee Steals Patient Information

October 30, 2020 Comments Off on City of New Haven Reaches HIPAA Settlement After Former Employee Steals Patient Information

October 30, 2020 Just when we thought the month was over, the Office for Civil Rights (OCR) decided to sneak one more HIPAA fine in at the last minute. Earlier today the OCR announced October’s FOURTH fine – this time with the City of New Haven, Connecticut who has agreed to pay a $202,400 fine and complete 2-year corrective action plan after violating the HIPAA Privacy and Security Rules.  The 15th settlement of the year came as a result of HIPAA violation back in January 2017 that sounds almost like a TV drama. Back in 2017, the incident began when the New Haven Health Department notified the OCR that a former employee appeared to have accessed a file on a computer containing protected health information (PHI).  After some OCR sleuthing, it was revealed that 8 days after being fired in July 2016, the same employee returned to the health department and logged into her old computer with still-active credentials (we’re picturing her with a large hat, sunglasses and a trench coat) and downloaded the PHI of 498 individuals to a USB drive. The malicious download included patient names, addresses, and other personal medical information. And as if this really was a binge-worthy TV show (grab the popcorn) the former employee then shared her login ID and password with an intern – who continued to do the dirty work for her.  On top of the drama-filled breach, the OCR investigation also uncovered major gaps in the health department’s HIPAA program, including:  We’ve seen a number of recent HIPAA settlements centering around improper access, but in this case the unauthorized access came as a result of the New Haven Health Departments’ failure to have proper employee offboarding procedures. The simplest task of deactivating the employee’s login credentials could have saved the organization a huge chunk of change, and kept 498 patients’ information better protected.  You can never really predict when an employee will ‘go rogue’, and not having a termination system in place – or even just waiting a few days to disable access – can be a costly mistake. Having a comprehensive plan from an employee’s first day to their last is an important aspect of general operations, but especially your HIPAA compliance program. OCR Director Roger Severino said it best: “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”  

Million Dollar HIPAA Settlement
Fines, HIPAA

OCR Announces $1,000,000 Settlement With Aetna for Multiple HIPAA breaches

October 28, 2020 Comments Off on OCR Announces $1,000,000 Settlement With Aetna for Multiple HIPAA breaches

October 28, 2020 Thought we’d be able to skate through the rest of October without another HIPAA fine? Not so fast. The Office for Civil Rights (OCR) just announced another $1,000,000 settlement to add to October’s tab, settling with Aetna on not one, not two, but three separate HIPAA violations.  Aetna Life Insurance Company, as well as the affiliated covered entity (Aetna), agreed to a million-dollar payout in addition to a two year corrective action plan as a result of multiple HIPAA incidents experienced back in 2017.  The first violation occurred in April 2017, after Aetna discovered that two web services used to display plan-related documents to their members did not have the necessary login protections and were accessible through regular internet search engines. Aetna’s report noted that the incident exposed the protected health information (PHI) of over 5,000 individuals.  Violation number two came just a few months later in July, when Aetna received complaints that sensitive health information was made visible through benefit notice mailers. The 11,887 affected individuals’ medication information could be seen through the window of the envelope below the member’s name and address, clearly exposing their PHI to anyone who happened across the mailings.  Last but not least, the third violation occurred in September 2017, after a similar mailer was sent to 1,600 individuals displaying the name and logo of a research study on atrial fibrillation (irregular heartbeat) that some members were participating in. Because the logo on the envelope clearly conveyed the type of study the recipients were a part of, it was automatically an impermissible disclosure of PHI. Three HIPAA violations in one year is already enough to get you on the OCR’s bad side, but after further investigation, they found other aspects of Aetna’s HIPAA compliance program missing, including:  2017 was certainly a bad year for Aetna, and 2020 has now been a very bad year for all covered entities – practices, insurance companies and business associates alike – without a complete HIPAA compliance program in place. This latest settlement brings this year’s total to a whopping $13,186,500 – almost a million dollars over last year’s total fines, with 2 months still left on the clock in 2020.  We know you’re sick of hearing us harp on the importance of being compliant before an incident happens (seriously, we’re turning into our own mothers) but in the OCR Director, Roger Severino’s own words, “Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement.” 

$1.5 million HIPAA Fine
Cybersecurity, Fines, HIPAA

OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation

September 21, 2020 Comments Off on OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation

September 21, 2020 The OCR is certainly seeing $$$ this September. On top of the record five fines announced last week, the Office for Civil Rights (OCR) has just announced the latest settlement of a whopping $1,500,000 fine and 2-year corrective action plan for an orthopedic clinic out of Georgia. Athens Orthopedic Clinic found themselves in the HIPAA violation hot seat after a hacking incident sparked an OCR investigation beginning in 2016. The OCR found Athens Orthopedic had longstanding noncompliance with HIPAA rules, especially required technical safeguards, that led to the breach incident.   On June 26, 2016, the orthopedic clinic was notified that their database of patient records had been posted online for sale. Two days later, a hacker contacted the clinic demanding money in return for the stolen database. After investigation, Athens Orthopedic determined that the hacker was able to gain access through a vendor’s credentials on June 14, 2016, and the hacker continued to access protected health information (PHI) for a month after the initial breach. On July 29, 2016, Athens Orthopedic filed a breach report with the OCR noting all of the sensitive PHI that had been hacked: names, dates of birth, social security numbers, and other personal medical information of the 208,557 patients affected. The breach initiated a full-scale investigation into the clinic’s HIPAA program, where the OCR discovered a laundry list of key compliance elements that the practice was missing: Cyber threats are an ongoing and rising threat to the healthcare industry. When practices lack the proper safeguards to secure their patients’ PHI, they put themselves at the top of hackers ‘easy target’ list (would your practice be posted if such a list existed?). Along with the fine, OCR Director Roger Severino emphasized that “Hacking is the number one source of large healthcare data breaches. Healthcare providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.” So how do you ‘hack proof’ your business? Well, you probably can’t completely prevent a hack given how quickly hackers adapt to new security measures, but your practice CAN go a long way to avoid being targeted (and getting slapped with a HIPAA fine) by ensuring your HIPAA compliance program – especially your technical safeguards – is up to scratch.

Properly Encrypting ePHI
Best Practices, Cybersecurity, HIPAA

Properly Encrypting ePHI: What Your Practice Should Know

August 20, 2020 Comments Off on Properly Encrypting ePHI: What Your Practice Should Know

August 20, 2020 Even before COVID-19, electronic solutions were transforming the way practices work and communicate with patients and other providers. As technology continues to evolve within the healthcare industry, it’s important to understand how to properly secure sensitive protected health information (PHI) when stored or transmitted. What does encryption actually mean? Protecting patient data from cyberthreats goes beyond having appropriate passwords. It means having the right technical safeguards in place including properly encrypting any PHI created, stored, sent, or received by your practice. So what exactly is encryption?  Encryption means that content containing sensitive data is made unreadable for anyone except those authorized to view the information. This process essentially uses a software or algorithm to ‘lock’ the data or written text and requires an encryption key to make the information decipherable again.  What should be encrypted? So what should be encrypted? Simply put, the answer to this question is pretty much anything containing PHI. This includes data that is being sent to someone else such as a patient, business associate, or another provider. Examples of this include:  Why does encryption matter? For a typical practice, your EHR system is likely already encrypted – but your EHR isn’t all that matters. All other laptops, external hard drives, servers, and communication systems are at high risk if they are not also properly encrypted to protect from cyberthreats. In fact, failing to encrypt devices has been the cause of various HIPAA violations. Recently, a covered entity in Rhode Island faced a $1,040,000 fine from the OCR on top of a 2 year corrective action plan. The violation resulted from a stolen unencrypted laptop, leading to over 20,000 patients data being exposed. Part of the reason for the hefty fine was the organization’s “systemic non-compliance” when it came to proper encryption of devices. The entire incident could have been avoided if the entity had the proper technical safeguards in place.  With cybersecurity threats on the rise and electronic communication becoming more commonplace, it’s all the more important to ensure the protection of your patients’ information. Implementing encryption services is a great way to best protect your practice and prevent HIPAA violations. If using an external vendor for encryption, make sure to have the appropriate business associate agreement in place as well.

What is a HIPAA Security Risk Analysis
Best Practices, HIPAA

So, What Exactly is a Security Risk Analysis?

June 2, 2020 Comments Off on So, What Exactly is a Security Risk Analysis?

June 2, 2020 You might be aware that all practices need to complete a ‘Security Risk Analysis’ as a part of their HIPAA compliance program, but do you know exactly what this analysis covers? While this is the first step and among the most important aspects of a complete HIPAA program, it is often missed or not properly completed – in fact, during the latest round of OCR audits, 86% of covered entities could not show a properly documented Security Risk Analysis for their practice.  The HIPAA Security Rule defines a Security Risk Analysis (SRA) as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate.” In layman’s terms, the risk analysis is a systematic review of your processes and policies that is ultimately designed to shed light on any aspects of your practice that could be considered weaknesses in protecting the privacy and security of your practice and the protected health information (PHI) it holds. Not having a properly documented analysis leaves potential risks unidentified and is a huge red flag for your overall compliance efforts. What questions does an SRA need to include? There is no specific checklist to follow when it comes to performing a risk analysis for your practice. The OCR does however provide specific elements that should be included. Your assessment should:  Completing a risk analysis for your organization is not just a one-time thing. Assessments should be reviewed periodically, especially as new work processes are implemented or technologies are updated. After events such as COVID-19, addressing any changes your practice made regarding remote operations, utilizing telehealth services, or receiving/providing more information electronically rather than in a physical exchange are all things that will need to be addressed for any additional vulnerabilities or threats they brought on.  What’s the best way to tackle an SRA? If your organization hasn’t completed an SRA before or has done so in a more basic or incomplete manner, using an outside organization will help to ensure all areas of the SRA are fully completed and documented accordingly. A third party can also help add new areas and questions to the SRA that reflect changing regulations as well as technology enhancements that present new threats or vulnerabilities to your organization.

Concerned about HIPAA & OSHA compliance requirements in 2025? Join our live webinar for expert answers to the most common questions to ensure your practice is protected.

REGISTER TODAY
X