Healthcare Compliance 101

Phase Two HIPAA Audits Have Begun

July 12, 2016

OCR’s Phase Two HIPAA Audits Have Begun

Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has now kicked into high gear. Selected covered entities have received notification letters regarding their inclusion in the desk audit portion of the audit program. Letters were delivered on Monday, July 11, 2016 via email to 167 health plans, health care providers and health care clearinghouses (covered entities). The desk audits will examine the selected entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.

The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA Rules (see table below). OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance. Entities received two email communications, which were sent to the contact information confirmed by the entity during the pre-audit phase of the program. Nevertheless, these emails may be incorrectly classified as spam in the recipient’s email service. Covered entities should monitor their spam filtering and junk mail folders for emails from OSOCRAudit@hhs.gov. One e-mail includes a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR’s secure online portal. A second email contains an additional request to provide a listing of the entity’s business associates and also provides information about an upcoming webinar, where OCR will explain the desk audit process for auditees and take their questions. Entities have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall.

For more information, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

Requirements Selected for Desk Audit Review

Privacy Rule
  Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
  Provision of Notice – Electronic Notice [§164.520(c)(3)]
  Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule
  Timeliness of Notification [§164.404(b)]
  Content of Notification [§164.404(c)(1)]

Security Rule
  Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
  Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]

From the Office of Civil Rights (OCR)

June 7, 2016

What’s in Your Third-Party Application Software?

Recently, it has been reported that third-party application software security vulnerabilities are on the rise. Third-party application software is designed to work within operating systems and to assist users in executing tasks on computers and other devices. For example, Microsoft Windows 7 is an operating system that controls the way computers work and how other programs function, while Adobe Acrobat is a third-party application that computer users utilize to create, modify, and read PDF files. Many Covered Entities and Business Associates may think their computers and devices are secure because they are deploying operating-system updates, but many systems are still at risk from unpatched third-party software.

According to a recent study, a majority of companies use third-party applications or software, but fewer than 1 in 5 companies has performed verification of that third-party software. It was also reported that, among companies that do install their operating-system patches, a fair number still have third-party software that remains unpatched.

Furthermore, third-party software may have numerous security vulnerabilities that do not stem from the applications themselves. Misconfigured servers, improper file permission settings, and outdated software versions may all contribute to third-party software security vulnerabilities.

Covered Entities and Business Associates Should Consider:

Testing Software Prior to Installation

Covered Entities and Business Associates should define the criteria they are willing to accept for safe third-party applications, including open source and public domain applications. Applications should meet the corporate standards set by the entities and also satisfy compliance requirements, and entities should test against these criteria.

The purpose of conducting security testing on software is to reveal flaws in its security mechanisms and to find the vulnerabilities or weaknesses of software applications. For example, testing may show how vulnerable a system is to flaws in its applications and determine whether data and resources are protected from potential intruders.

Covered Entities and Business Associates should work with their Business Associate vendors to test their applications for security vulnerabilities prior to installation, and on a regular basis after the software has been installed.

Installing Software Patches or Updated Versions

Software patches repair “bugs” in applications and software programs. Patches are updates that fix a particular problem or vulnerability within a program. Covered Entities and Business Associates should install patches or update software versions promptly and on a continuous basis. The majority of software developers disclose their security flaws to the public; attackers exploit these known vulnerabilities if Covered Entities and Business Associates do not fix the security flaws in a timely manner.

Though applying patches is essential to ensure the security of information systems, patches should be assessed prior to deployment to determine the risk they pose to the Covered Entity’s information systems.
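As an added illustration (not part of OCR’s bulletin or this blog), the following Python script shows one way a covered entity could check its own inventory of installed third-party applications against a baseline of minimum reviewed and patched versions, flagging hosts where third-party software lags behind even though operating-system patching may be current, and flagging products that have never been reviewed at all. The product names, version numbers and host names are constructed sample data, and the BASELINE mapping stands in for the entity’s own review records.

```python
"""Third-party software patch-status check (added illustrative example).

Compares an inventory of installed third-party applications against an
organisation's own baseline of minimum acceptable (patched) versions and
reports anything that is out of date or has never been reviewed.
All product names, versions and hosts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: product -> lowest version the entity has reviewed and
# accepted as patched. In practice this comes from the entity's own review
# records, not from this script.
BASELINE = {
    "pdf-reader": "11.0.4",
    "media-player": "2.8.1",
    "archive-tool": "6.02",
}

# Constructed inventory of what is installed on each host (e.g. exported
# from an endpoint management tool).
INVENTORY = [
    {"host": "ws-001", "product": "pdf-reader", "version": "11.0.4"},
    {"host": "ws-001", "product": "media-player", "version": "2.7.9"},
    {"host": "ws-002", "product": "pdf-reader", "version": "10.1.16"},
    {"host": "ws-002", "product": "archive-tool", "version": "6.10"},
    {"host": "ws-003", "product": "screen-capture", "version": "1.0"},
]


def parse_version(text: str) -> tuple:
    """Turn '11.0.4' into (11, 0, 4) so versions compare numerically rather
    than as strings ('10.1' would otherwise sort after '9.9'). A component
    with trailing letters ('4b') is compared by its leading digits."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.
    A missing trailing component counts as 0, so '6.1' equals '6.1.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass
class Finding:
    host: str
    product: str
    installed: str
    status: str  # "ok", "outdated" or "unreviewed"
    required: Optional[str] = None


def audit(inventory, baseline) -> list:
    """Classify every inventory entry against the baseline."""
    findings = []
    for entry in inventory:
        product, installed = entry["product"], entry["version"]
        if product not in baseline:
            # Software nobody has reviewed is a finding in its own right.
            findings.append(Finding(entry["host"], product, installed, "unreviewed"))
            continue
        required = baseline[product]
        status = "ok" if compare_versions(installed, required) >= 0 else "outdated"
        findings.append(Finding(entry["host"], product, installed, status, required))
    return findings


def summarize(findings) -> dict:
    """Count findings per status for a quick compliance snapshot."""
    counts = {"ok": 0, "outdated": 0, "unreviewed": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY, BASELINE)
    for f in results:
        need = f" (baseline {f.required})" if f.required else ""
        print(f"{f.host:8} {f.product:16} {f.installed:10} {f.status}{need}")
    print(summarize(results))
```

Running the script prints one line per host/product pair and a summary; in the constructed data two installations are current, two are outdated, and one product (screen-capture) has never been reviewed, which is the kind of gap the bulletin’s “fewer than 1 in 5 companies” figure points at. Version comparison is done numerically on purpose: plain string comparison would rank 10.1.16 below 9.x and hide a stale install.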

Reviewing Software License Agreements

A software license agreement (also known as end user license agreement (EULA)) highlights the risks that can make ePHI vulnerable. Data can be compromised if Covered Entities and Business Associates ignore the language in a software license agreement, as such behavior can expose a computer and its connected networks and systems to security risks.

Software license agreements are legally binding agreements that can place restrictions on how the software may be used; the agreements can require entities to agree to certain conditions when using the software, and can also limit their ability to sue for damages.

To protect information systems and networks from security and privacy problems related to EULAs, US-CERT recommends that entities:

  1. Review the Software EULA – Before installing any software, take the time to read its EULA.
  2. Beware of Firewall Prompts When Installing Software – During installation, if your firewall generates a prompt asking whether you want to allow certain inbound or outbound connections, proceed with caution. Verify that the software requires changes to your firewall settings for normal operation and that you are comfortable with this operation.
  3. Consider the Software Publisher – If you are not familiar with the company or organization that published the software, review the software EULA with added scrutiny.

Resources:

United States Computer Emergency Readiness Team (US-CERT): www.us-cert.gov (Software guidance)

HIPAA Rights to Access Health Information

New Consumer Tools Explain HIPAA Right to Access Health Information

Earlier this year, the HHS Office for Civil Rights (OCR) released comprehensive guidance on the right of individuals under the Health Insurance Portability and Accountability Act (HIPAA) to access and receive copies of their health information.  Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.  Individuals who can access their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors, and directly contribute their information to research.

This guidance is available to all members of the public – but was initially aimed primarily at entities covered by HIPAA. In addition, individuals need tools to help them understand the right to access their health information. To make OCR’s HIPAA access guidance more understandable for individuals, we teamed up with the HHS Office of the National Coordinator for Health IT to create easy-to-understand tools, including videos and an “infographic,” an illustrated fact sheet. The videos have been recorded in English, but are available with Spanish captions.

  1. Individuals’ Right under HIPAA to Access their Health Information

This video addresses the basics of the HIPAA access right.  For example, the video explains the individual’s right to access their medical records and that access may only be denied in very limited circumstances.

  2. HIPAA Access Associated Fees and Timing

This video explains that individuals may be charged reasonable fees for copies of their health information that include only certain labor, supply, and postage costs (where applicable) associated with making and delivering the copy requested by the individual.  The video also explains when access should be free, such as through a patient portal.

  3. HIPAA Access and Third Parties

This video focuses on the right of individuals to request that their health information be sent to a third party of their choice, such as a family member or even a mobile application.

  4. HIPAA Access Infographic

This one-page fact sheet, with illustrations, provides an overall summary of key aspects of the HIPAA right of individuals to access and receive a copy of their health information.

To learn more about individuals’ rights under HIPAA to access their health information, please visit: http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-under-hipaa-access-their.html

Unauthorized Filming of Your Patient Could Result in HIPAA Violation

Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director.  “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

By allowing individuals receiving urgent medical care to be filmed without their authorization by members of the media, NYP’s actions blatantly violate the HIPAA Rules, which were specifically designed to prohibit the disclosure of individuals’ PHI, including images, in circumstances such as these.

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.  In addition to the $2.2 million, OCR will monitor NYP for two years as part of this settlement agreement, helping ensure that NYP will remain compliant with its HIPAA obligations while it continues to provide care for patients.

A Risk Assessment is a Necessary Requirement of a HIPAA Compliance Program

December 14, 2015

$750,000 HIPAA SETTLEMENT UNDERSCORES THE NEED FOR ORGANIZATION WIDE RISK ANALYSIS

 The University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations.  UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine.  Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group.   The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malware. The malware compromised the organization’s IT system, affecting the data of two different groups of patients: 1) approximately 76,000 patients, involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and 2) approximately 15,000 patients, involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, and insurance identification or Medicare numbers.

OCR’s investigation indicated UWM’s security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html

The HHS Press Release can be found at:  http://www.hhs.gov/about/news/2015/12/14/750000-hipaa-settlement-underscores-need-for-organization-wide-risk-analysis.html

HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis:  http://www.healthit.gov/providers-professionals/security-risk-assessment

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/office

Understanding Individuals’ Rights Under HIPAA

January 7, 2016

Understanding Individuals’ Right under HIPAA to Access their Health Information

The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans.  This right is critical to enabling individuals to take ownership of their health and well-being.  Individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and request fixes to errors in their records, track progress in wellness or disease management programs, and directly contribute their information to research.  As the health care system evolves and transforms into one supported by rapid, secure exchange of electronic health information and more targeted treatments discovered through the new precision medicine model of patient-powered research, it is more important than ever for individuals to have ready access to their health information. Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule.  This must change.

Today, we took an important step toward ensuring that individuals can take advantage of their HIPAA right of access. We released a fact sheet and the first in a series of topical Frequently Asked Questions (FAQs) to further clarify individuals’ core right under HIPAA to access and obtain a copy of their health information.  This set of FAQs addresses the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program.

We will continue to develop additional guidance and other tools as necessary to ensure that individuals understand and can exercise their right to access their health information.  In addition, the Office for Civil Rights will work with the White House Social and Behavioral Sciences Team and the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) to produce consumer-friendly resources, including sample communications tools to encourage patients to access their digital health information.

The first set of materials may be found on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/

Congresswoman Mary Bono Mack


Breach Notification Obligations In All 50 States?


5 Trends Affecting the Future of Physician Compensation | Compensation Issues


amednews: EMRs a risky investment, say some small practices :: June 10, 2011 … American Medical News
