
The Penalty for Non-Existent BAAs

Can you say with confidence that your office has a business associate agreement (BAA) in place with every vendor you share protected health information with? Whether the answer is a resounding “Yes!” or a shrug, every healthcare provider should set aside time each year to review (and, where necessary, update) its BAAs.

A recent email blast from the HHS Office for Civil Rights (OCR) reminded us just how costly it can be for a covered entity to do business with a vendor without a BAA in place. Per the email, a Florida-based contractor physicians’ group, Advanced Care Hospitalists PL (ACH), agreed to pay $500,000 to OCR and adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules.

Between November 2011 and June 2012, ACH used the services of an individual who presented himself as a representative of a Florida-based company, Doctor’s First Choice Billings, Inc. (First Choice). This individual provided medical billing services to ACH under First Choice’s name and, allegedly, through its website, without the knowledge or permission of First Choice’s owner.

Fast forward to February 11, 2014: a local hospital notified ACH staff that protected health information, including names, dates of birth and Social Security numbers, was viewable on the First Choice website. ACH identified at least 400 affected individuals and asked First Choice to remove the information from its website. The breach report ACH filed in April 2014 stated that 400 individuals were affected; further investigation prompted a supplemental report stating that an additional 8,855 patients may have been impacted.

OCR’s investigation revealed that ACH never entered into a business associate agreement with the individual providing its medical billing services, as HIPAA requires, and did not adopt a policy requiring business associate agreements until April 2014. To add insult to injury, although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures, policies or procedures until April 2014. The full resolution agreement and corrective action plan are published on the OCR website.

In this example, ACH failed to comply with the HIPAA Rules in two ways: it delayed completing a bona fide HIPAA Security Risk Analysis, and it neglected to execute business associate agreements with its vendors. It is not ACH’s fault that this individual (allegedly) misrepresented himself, but ACH should have entered the business relationship under the correct protections and terms. In short:


  • ACH had no business associate agreement in place with the billing contractor before the work was performed
  • The covered entity (ACH) had no valid HIPAA Security Risk Analysis on file
  • ACH was held liable for the breach caused by its contractor
  • $500,000 settlement paid

At HIPAA One we understand that BAA management can be both a challenge and drain on your administrative resources. For this reason, we released a BAA management tool integrated with our automated software suite this past fall. All current HIPAA One software users can utilize this important software addition to both create and store their BAA agreements in one place with no additional cost. VIEW our brief informational video for more information.

If you are a current HIPAA One user and would like access to BAA, email our support team at: and ask to have BAA turned on for your organization.

Phishing Attacks – How to Protect & Prepare

This is the first post in a new cybersecurity series on protecting your organization’s data from unauthorized access and safeguarding ePHI.

Few events in life feel more personally invasive than being robbed. Whether it is a break-in, a stolen purse or wallet, or a hacked email account, the victim is often left feeling distrustful and exposed. Replaying the events, the victim usually spots the security oversight that left them vulnerable: “If I had done X or Y to protect myself or my property, would this have happened?”

In the remainder of this post we review the how-tos for the very relevant and ongoing threat of phishing. By definition, phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication. Modern phishing attacks pose a serious risk to your digital security, both in the workplace and at home. As these professional scam artists become more savvy and sophisticated, everyone needs to understand their own risks and vulnerabilities.

For a real-life example, view the email below. If you received it in your inbox, would you open it and follow the instructions? The hook is American Express and the bait is the HTM attachment; later in this post we call out the tell-tale signs this sloppy scammer left in the attempt to fool the recipient.

How To – Protect Yourself

Much like the saying “the best defense is a good offense,” learning and adopting strong safety habits is a smart decision for everyone. A good first step is a properly configured firewall with content filtering enabled. Firewall vendors typically sell an annual subscription that keeps the device’s phishing and malware blocklists current, reducing the chance that a user reaches a credential-harvesting page or downloads malware. However, no matter how secure the firewall, it only takes one untrained employee to compromise previously secure data.

So what are the tell-tale signs that an email is fraudulent or falls into the phishing category? Ranging from elementary to sophisticated, here is what to look out for when checking your inbox:

  • Spelling or Grammatical Mistakes
  • Sender’s Email Domain Does Not Match the Name of Their Organization
    • For example: <- domain name is
    • Frequently the displayed name is forged to look legitimate (e.g. a mainstream consumer brand such as Amazon, American Express, Visa, FedEx or USPS). The sender wants replies from anyone who hits the reply button, in the hope of fooling the victim into filling in their form.
    • TIP: Click on the sender’s name to expand the actual email address and domain. A matching domain is a point in the email’s favor but not proof, since the From header itself can be forged; a mail gateway that checks SPF and DKIM (visible in the Authentication-Results header) is the real test. If the domain is way off, it is obviously a phishing/spam email and should be deleted and reported to your internal HIPAA Compliance Officer or IT department with a visible warning NOT TO OPEN.
  • Salutation Is a Generic Term Instead of Your Actual Name
    • Examples: Dear Sir/Madam, Hello, Friend, Member, Patient, etc.
  • Asking for Existing Login Credentials
    • A legitimate secure-messaging service will NEVER ask for your existing login credentials; at most it asks you to create a new account and password.
    • TIP: Use a password vault such as KeePass or LastPass to store a unique password for every site (banking, work, personal apps like Facebook, etc.). This lets you use a different password for each login, so one phished password does not open every account.
  • Legitimate Companies Will Not Email You to Change Your Password or Request Sensitive Information via Email
    • Ever notice that password changes are prompted AFTER you log in to a system? If anyone sends you an unsolicited notice to change your password, be suspicious.
  • The From Field Shows Someone You Know
    • Go beyond the From field and examine the entire email before taking any action! Some attackers download every address in a previous victim’s mailbox and harvest their contacts. In this especially sophisticated approach, the recipient is more likely to be fooled because the email appears to come from a known contact.

This is the same email shown above with some of the fraudulent signs called-out:
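To show how the signs above can be checked mechanically rather than by eye, here is an added example in Python (not part of the original post, and not HIPAA One software). It parses a raw message with the standard library’s email module and reports each tell it finds: a display name that borrows a brand the sending domain does not belong to, a Reply-To steered to a different domain (the reply-button trap described above), a generic salutation, a request for existing credentials or a password change, and an HTM or other risky attachment. The two sample messages are constructed for the example and modeled on the American Express/HTM-attachment lure; the brand-to-domain list is an illustrative assumption that a real deployment would expand.

```python
"""Added example: flag the phishing tells discussed above in a raw RFC 5322 message."""
import email
import re
from email import policy
from email.utils import parseaddr

# Illustrative assumption: impersonated brands and the domains they really mail from.
BRAND_DOMAINS = {"american express": {"americanexpress.com"}, "amazon": {"amazon.com"},
                 "visa": {"visa.com"}, "fedex": {"fedex.com"}, "usps": {"usps.com"}}
GENERIC_SALUTATION = re.compile(
    r"^\s*(dear|hello|hi)\s+(valued\s+)?(sir|madam|madame|customer|member|patient|friend|user)\b",
    re.I | re.M)
CREDENTIAL_REQUEST = re.compile(
    r"(verify|confirm|update|re-?enter|validate)\s+your\s+(password|login|account|credentials)"
    r"|reset\s+your\s+password|login\s+credentials", re.I)
RISKY_ATTACHMENT = (".htm", ".html", ".js", ".exe", ".scr", ".zip", ".iso")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw: bytes) -> list:
    """Return the human-readable tells found in the message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tells = []
    display, address = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(address)
    # 1. Display name borrows a brand, but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(
                sender_domain == d or sender_domain.endswith("." + d) for d in domains):
            tells.append(f"display name '{display}' but sender domain '{sender_domain}'")
    # 2. Replies are steered to a different domain than the one shown in From.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != sender_domain:
        tells.append(f"Reply-To domain '{_domain(reply_to)}' differs from From")
    # 3./4. Body wording: generic greeting, request for existing credentials.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if GENERIC_SALUTATION.search(text):
        tells.append("generic salutation instead of the recipient's name")
    if CREDENTIAL_REQUEST.search(text):
        tells.append("asks for existing credentials or a password change")
    # 5. The bait: an attachment that renders a form or runs on the victim's machine.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT):
            tells.append(f"risky attachment '{name}'")
    return tells


def is_suspicious(raw: bytes, threshold: int = 2) -> bool:
    """Two or more independent tells is a reasonable bar for 'report, do not open'."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample, modeled on the American Express / HTM-attachment lure described above.
PHISH = b"""\
From: American Express <alerts@amex-secure-notice.example>
Reply-To: collect@mailbox-forms.example
Subject: Unusual activity on your Card
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Customer,

We detected unusual activty on your account. Open the attached form and
confirm your password and login credentials within 24 hours.

--b1
Content-Type: text/html; name="SecureForm.htm"
Content-Disposition: attachment; filename="SecureForm.htm"

<html><body><form>...</form></body></html>
--b1--
"""

# Constructed benign message for comparison.
LEGIT = b"""\
From: Jane Smith <jsmith@clinic.example>
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Hi John,

Lunch at noon?
"""

if __name__ == "__main__":
    for tell in phishing_indicators(PHISH):
        print("-", tell)
    print("phish suspicious:", is_suspicious(PHISH), "| benign suspicious:", is_suspicious(LEGIT))
```

These are heuristics, not verdicts: an attacker who registers a look-alike domain passes the domain test, and the From header can be forged outright, so run this alongside your gateway’s SPF/DKIM/DMARC results rather than instead of them. The threshold of two independent tells keeps a single typo in a colleague’s email from being flagged.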

How To – Avoid Falling Victim

  • Turn Off Unused Email Services
    • Once a phishing attack yields a password, attackers typically log in over IMAP or POP3 and run scripts to quickly enumerate contacts and copy mail. (“Scripting” here just means a series of commands sent to another computer.) When these protocols are used with basic authentication (username and password only), they sidestep multi-factor authentication, so disable them wherever they are not needed.
    • Before disabling a protocol, download any mail that exists only in that client (IMAP can pull all folders, sub-folders included). The image below shows how to disable IMAP and POP on an Office 365 (Exchange Online) mailbox.
  • Complete Your HIPAA Security Risk Analysis with HIPAA One
    • Know where the holes in your boat are located, in other words – prepare for an attack instead of scrambling during an attack. Preparedness could be the difference between having to report a breach or not.
    • If your organization receives an audit notice following compromised records from a phishing attack, a Risk Analysis will be the first thing requested.
  • Turn On Email, File and ePHI Data-Logging
    • Verify file and email access logging is turned on so in the event of a phishing attack, your organization can quantitatively determine if ePHI was breached.
  • Always Be Skeptical When Receiving Emails
    • Take extra time and look for the signs listed above. It is unfortunate but true that we must stay vigilant and err on the side of caution. Phishing is an evolving threat that is not going away.
  • A Well-Trained Workforce
    • All new-employee and annual training should include cybersecurity best practices and direction on how to spot email attacks. Make employees aware of HR’s sanction policy and of the incident-reporting procedure should someone click on a phishing email.
    • TIP: Designate someone in your organization to forward “DO NOT OPEN” warnings when necessary and to explain to employees why the email is fraudulent. Hold meetings, put posters up in break rooms and remind people repeatedly to be suspicious and careful.
    • TIP: Launch periodic simulated phishing attacks. Any credible online training program includes the option to simulate these attacks, with those who click required to complete cybersecurity training (following your HR sanction policy).

Have additional questions about phishing attacks, or want to talk about starting a HIPAA Security Risk Analysis? Please get in touch. We’d love to start the conversation.

HHS SRA Tool V3.0 – The Good, Bad and Ugly

Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an updated version of its Security Risk Assessment Tool (SRAT), found on the website. Each time a new version is released, we circle up with a few trusted industry partners and review the changes so that we can accurately counsel healthcare providers, payers and business associates on the pros and cons of using this free, government-issued application.

Before diving into our review of V3.0, remember that HHS in NO way states that by using SRAT, healthcare providers can be assured they are compliant with the Security Risk Analysis requirement under HIPAA. Per the Health website: “Disclaimer: The Security Risk Assessment Tool at is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”

This is not to say that SRAT has no merit. At HIPAA One, we firmly believe that SRAT can be an effective training tool for compliance professionals in training, or a guideline for certified auditors. Despite being time-consuming, SRAT provides step-by-step instructions similar to a bona fide HIPAA Security Risk Analysis, and there is certainly value in that. Healthcare professionals should simply be warned that, without the guidance of a trained auditor, an SRAT assessment may not hold up in an audit.

The Good

In short, the updated Security Risk Assessment Tool (SRAT) has made improvements mainly related to user experience, and it follows the HIPAA Audit Protocol and NIST-based methodologies for calculating risk. For example, a bulk asset upload feature has been added, along with a multi-location option for larger entities. Although it is mostly a file repository, this feature does help larger organizations with their assessment. Organizations seeking help with business associate agreement management will find that HHS has added a BAA-type function; note, however, that it does not actually generate a BAA.

As users work through the tool they will find that questions now map back to the HIPAA citations (similar to our software), and a bit more guidance, in the form of tips, has been added throughout. Users can also enter specific information about asset type and status relative to the different stages of ePHI systems. However, without the ability to track or assign questions, an inexperienced end user will not be able to tell where some of the gaps come from. Probably the most significant update is the production of a Final Report, arguably the most crucial component of completing a risk analysis and what you walk away with. Like the rest of the tool, the new Final Report comes with a caveat: its results are fairly arbitrary, with a large margin of error that depends on how the user answers the risk-calculation questions.

The Bad

At HIPAA One, we frequently use the phrase “free like a puppy,” and that is exactly what SRAT is. Although the tool has no fee, SRAT still has a way to go compared with other software and solutions in the marketplace today (spreadsheets included). Aside from being labor-intensive, mundane and error-prone, each measure results in multiple questions that must be individually answered by someone who knows how to estimate impact and likelihood year over year.

SRAT takes a single-user approach, meaning there is no way to collaborate on the assessment with others in the organization. This can create the need for additional committee meetings to oversee remediation of identified risks. For example, there is no option to delegate survey questions to employees in different roles, so it is entirely possible to have someone in IT trying to answer HR-related questions. Also, should users want to go back to previous sections or revise a past answer in the middle of the assessment, navigation is really difficult: past sections are reachable only through <BACK> and <NEXT>.

Because SRAT does not save any historical data from previous assessments, organizations that completed risk assessments in past years cannot import their old assessments and simply update them to reflect the past year. Healthcare providers focused on building a sustainable, long-lasting HIPAA-compliant office should seek out a tool that allows previous-year imports, which greatly decreases the administrative work of completing a risk analysis year over year.

The Ugly

When evaluating the accuracy and comprehensive nature of the tool, there are a few glaring issues that we would be remiss not to address. These are the aspects of SRAT that would require either the experience of a Certified Auditor or compliance professional in training to ensure the assessment is accurate.

Some of the large issues not remedied by the V3.0 update include:

  • No Calculation of Risk – Without an experienced auditor qualified to assess risk, the average user is required to assign a risk score to each question without guidance or training. In addition, the gaps SRAT generates are not correlated with the HIPAA control requirement that the corresponding policies need to address.
  • No Remediation Planning or Guidance – A critical component of completing a risk analysis is addressing and remediating the deficiencies and findings afterwards. The remediation planning process gives providers a framework for next steps and continued compliance.
  • Final Report
    • Does not include an executive high-level overview
    • Unable to show if at least a partial requirement is met
    • No prescriptive recommendations on how to address any of the found risks
  • No Included Policies and Procedures – SRAT does not include PnP templates nor does it review any current, existing PnP’s. This leaves providers at risk for continuing to use potentially outdated PnP templates and minimizes the possibility for a yearly review of these templates.

In Summary

  • What V3.0 delivers
    • Bulk Asset Upload
    • Multiple Location Option
    • Basic Business Associate Agreement (BAA) Utility
    • Questions Map to HIPAA Citation
    • Final Report
    • User Guide
  • What is still missing
    • No Roles
    • No Auto Calculation of Risk
    • No Remediation Planning or Guidance
    • No Ongoing Updates
    • No Vulnerability Scans

If your workplace is considering SRAT for your 2018 risk analysis, we encourage you to take a look at our industry-leading automated software first. Our software scales seamlessly with the size of your organization, and with tiered pricing accessible even to single-doctor practices, HIPAA One is the only choice that is guaranteed to pass an audit.

What are your thoughts on the SRAT tool?  Feel free to enter your comments below or Contact Us anytime for a free consultation.

NOTE: We have been following the development of this toolkit since its inception in 2011 and reviewed the 2014 v2.0 version here:

State Departments Conducting Audits?!?

In recent years, healthcare audits have been a trending topic in the compliance world. Since the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many in the healthcare community equate audits with Meaningful Use, the federal government, or the large accounting firms, such as Figliozzi & Company, that audit on its behalf. All too often, providers assume that because of their size they can fly under the radar… After all, why would OCR worry about a practice with two physicians? Unfortunately, as several of our clients recently learned, it is not just the federal government checking for gaps in compliance or incentive-program participation; state departments are getting in on the action too.

Earlier in the summer, one of our clients reached out to tell us they had received a letter from Connecticut’s Department of Social Services. The letter explained that, as part of ongoing program monitoring, the department would be reviewing Connecticut Medicaid Electronic Health Record (EHR) Incentive Program payments made to participating providers. Per the notice, the federal regulations governing the Medicaid EHR Incentive Program require states to conduct post-payment reviews. Much to our client’s shock, they had been selected for a Program Year 2014 desk review and had just five business days to submit the requested documentation in a manner that protects PHI.

Naturally, such a letter would provoke a certain amount of panic in anyone, especially when the program year in question was FOUR years ago. As you can imagine, a list of concerns ran through their minds: “Did we conduct a risk analysis that year?” “What if we cannot produce all the documentation required for this audit?” “How do we best respond?” To protect our client’s privacy, we will not share the results of the audit, but every provider that has ever participated in a government incentive program should heed this cautionary tale.

Another recent audit came out of the state of Washington. This entity was audited for Meaningful Use participation as part of a larger state-funded eligibility audit initiative. In this case, Core Objective 1 (Protect ePHI) passed the HIPAA Security Risk Analysis review but came up short for failing to provide evidence that risks had been remediated.

So what is the takeaway from these real-life examples? Whether or not you have performed a risk analysis every year for the past six years (the retention period under 45 CFR 164.316(b)(2)(i)), it is never too late to get your house in order. Auditing bodies respond much better to providers who have performed at least one risk analysis at some point in the past. The majority of settlements and fines cite either failure to complete a risk analysis OR failure to act on high-risk findings.

The image above shows our SRA dashboard, including periodic updates on risks being remediated, which demonstrates due diligence in protecting electronic protected health information (ePHI). This approach reduces the need for frequent compliance committee meetings, because every employee understands their role and assigned work.
At HIPAA One, we are deeply experienced at responding to a vast array of industry audits (we have now added state department audits to the list) and frequently step in to hold our clients’ hands through the experience. Our software, for example, can be configured to launch a campaign prompting individuals to log in and update those risks in HIPAA One.

The image above shows how to quickly get your HIPAA compliance program moving using the quick-add feature for Reviewers. The Reviewers feature sends instructional emails to those involved, asking them to log in and update the tasks assigned to that risk.
One of the many benefits of being a HIPAA One client is the assurance that we will stand by any HIPAA risk analysis performed using our software, so your organization is not shouldering that burden alone. Contact us today for assistance with creating a HIPAA compliance program at your workplace.

Healthcare Continues to Dominate Breach Related Costs

A new study conducted by the Ponemon Institute on behalf of IBM Security confirmed the fears of many healthcare information security professionals: no industry pays more per compromised record than healthcare.

Across the country, healthcare organizations have a Goliath-sized security problem. For the eighth straight year, healthcare has the highest breach-related costs of any industry, at $408 per lost or stolen record, nearly three times the cross-industry average of $148. Without a commitment to cybersecurity, healthcare entities and their databases holding vast amounts of electronic protected health information (ePHI) are sitting ducks for attackers.

We all know that data breaches can cost organizations millions in lost business, reputation management and recovery, and that number rises year over year. In 2018, the average cost of a data breach globally is roughly $3.86 million, up 10% from 2014. The Ponemon study, 2018 Cost of a Data Breach, is an extensive compilation of data based on interviews with roughly 500 organizations that experienced data breaches.

Along with staggering breach statistics, the study also defined a new category, the mega data breach: the theft or exposure of more than 1 million records. The number of mega breaches has more than doubled in the past five years, from 9 in 2013 to 16 in 2017. As you can imagine, these mega breaches are extremely costly to resolve and can take up to a year to detect and contain. The average cost of a mega breach involving a “modest” 1 million records hovers around $40 million.

So, What’s a Provider To Do?!

The findings from this year’s report beg the question: how can healthcare providers across the board strengthen their security programs and better protect ePHI? For starters, conduct a bona fide HIPAA Security Risk Analysis (SRA). If your organization has not completed an SRA in the past calendar year, your data is vulnerable, plain and simple. An SRA does more than help your office collect the largest MIPS/MACRA reimbursement; by identifying gaps in your organization’s compliance and security settings, it is an invaluable tool for securing your ePHI. There are many SRA options in the marketplace today, ranging from free spreadsheet templates to expensive consultants; at HIPAA One, we recommend our simple, automated and affordable software.

Once your SRA is complete, two additional best practices can greatly decrease the chance of an ePHI breach due to theft, loss, improper disposal or hacking. Stick with us: we are going to get a little “techy” in this next section and take a deeper dive into data classification and encryption:

Data Classification

Not every piece of data carries PHI identifiers (name, address, or any other numeric or identifying information), but it is paramount to know where such data lives within your organization. This effort involves working directly with the architects and programmers of your data systems.

A good place for your programmers to start is by reviewing any existing data maps and data-flow diagrams. To understand what has already been done in this area, review the encryption already in place and the database schema. Then perform a sensitive-data analysis: if external consultants are augmenting IT staff, they need no hands-on access to production as long as the data-flow diagram and data map are available, and these mapping exercises can be run as remote workshops.

The workflow above produces a data inventory (e.g. email, name, home address, and system data such as session IDs, IP addresses, etc.). Side note: the analysis at this point should also identify any EU residents’ data that falls under the new GDPR mandates. Any application-mapping exercise should augment the data classification by asking why a user or application needs to see a given piece of information for its intended purpose. Applications usually read data after the database has decrypted it, so an over-privileged application account can give a user excessive access to ePHI regardless of at-rest encryption, opening the door to unauthorized-access breaches.

Encryption

Disclaimer: turning on global encryption of an entire database can be unacceptable in terms of performance and key-management overhead, and we do not recommend it.

As a best practice, encrypt only the data in specific sensitive tables and columns, and follow best practices for key generation, management and entry. For example, at deployment a password is used to decrypt the master encryption key. That password is provided once, by a single person who knows it (or as portions shared between several people). The master key should then live only in RAM, for both performance and security, never on disk. For electronic media (laptops, desktops, thumb drives, smartphones, tablets, etc.), encryption of the entire drive or volume is recommended. Most modern CPUs have hardware AES instructions and many SSDs are self-encrypting, so the overhead of full-disk encryption on these devices is negligible.
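As an added worked example (not code from the original post or from HIPAA One), the following Python script implements the key-handling pattern described above using only the standard library: the master passphrase is split among custodians with Shamir secret sharing so that any two of three can start the system, the master key is derived from it with PBKDF2 and held only in memory, each sensitive column gets its own subkey, and only the SSN and date-of-birth columns of a row are encrypted while the rest stay searchable. Because the standard library has no AES, the per-field cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC); in production use AES-GCM from a vetted library for that part. The passphrase, salt, column names and patient row are all constructed for the example.

```python
"""Added example: column-level encryption under a master key derived from a passphrase
that is split among custodians and rebuilt only in memory. Standard library only; the
HMAC-based field cipher stands in for AES-GCM, which the standard library lacks."""
import hashlib
import hmac
import os
import secrets

PRIME = 2**521 - 1                    # Mersenne prime; Shamir field (passphrase <= 65 bytes)
SENSITIVE_COLUMNS = ("ssn", "dob")    # assumed: the only columns that get encrypted


def _poly(coeffs, x):
    """Evaluate the sharing polynomial at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_passphrase(passphrase: bytes, k: int, n: int):
    """Shamir split: n shares as (x, y) pairs, any k of which rebuild the passphrase."""
    s = int.from_bytes(passphrase, "big")
    if not 0 < s < PRIME or not 1 <= k <= n:
        raise ValueError("passphrase empty/too long or bad threshold")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]   # f(0) == secret
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def recover_passphrase(shares, length: int) -> bytes:
    """Lagrange interpolation at x=0; `length` is the original passphrase byte length."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def derive_master_key(passphrase: bytes, salt: bytes) -> bytes:
    """Slow KDF: people hold the passphrase; the derived key exists only in RAM."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 600_000)


def column_key(master_key: bytes, column: str) -> bytes:
    """Per-column subkey, so exposing one column's key does not expose the others."""
    return hmac.new(master_key, b"column:" + column.encode(), "sha256").digest()


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the column key."""
    return (hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag for one cell value (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def verify_field(key: bytes, blob: bytes) -> bool:
    """Constant-time tag check; False means altered data or the wrong key."""
    _, mac_key = _subkeys(key)
    if len(blob) < 48:
        return False
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    return hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest())


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    if not verify_field(key, blob):
        raise ValueError("tag mismatch: ciphertext altered or wrong key")
    enc_key, _ = _subkeys(key)
    nonce, ct = blob[:16], blob[16:-32]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def protect_row(master_key: bytes, row: dict) -> dict:
    """Encrypt only the sensitive columns; the rest stay indexable and queryable."""
    return {c: encrypt_field(column_key(master_key, c), v.encode()) if c in SENSITIVE_COLUMNS else v
            for c, v in row.items()}


def unprotect_row(master_key: bytes, row: dict) -> dict:
    return {c: decrypt_field(column_key(master_key, c), v).decode() if c in SENSITIVE_COLUMNS else v
            for c, v in row.items()}


if __name__ == "__main__":
    # Constructed demo: three custodians each hold a share; any two can start the system.
    passphrase = b"correct horse battery staple"   # assumed deployment passphrase
    shares = split_passphrase(passphrase, k=2, n=3)
    salt = os.urandom(16)                          # stored next to the database, not secret
    master = derive_master_key(recover_passphrase(shares[:2], len(passphrase)), salt)
    row = {"patient_id": "1001", "name": "Jane Doe", "dob": "1970-01-01", "ssn": "123-45-6789"}
    stored = protect_row(master, row)
    print(stored["name"], "| ssn ->", stored["ssn"].hex()[:24] + "...")
    assert unprotect_row(master, stored) == row
```

Two design points carry over to a real deployment: the salt and the shares are not secrets in themselves (a single share reveals nothing about the passphrase), and a fresh random nonce per cell means two patients with the same date of birth do not produce the same ciphertext, which is what stops an attacker with a database dump from grouping rows by value.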

Next Steps

We specialize in HIPAA Security Risk Analysis and data security projects.  If your organization has not yet completed an SRA for this calendar year, Contact Us to get started today.


Similar but Different: Gap Assessment vs Risk Analysis

If you’ve heard the terms gap assessment and risk analysis used interchangeably before in privacy or security conversations, you are not alone. At HIPAA One, we have found that there are quite a few misconceptions about these two approaches and how to differentiate between them. So much so that we addressed the topic on a recent webinar with our trusted partners and advisers, Crowe Horwath. Click here for a link to the recorded version. In this post, we’ll define the key characteristics of a gap assessment and risk analysis and debunk a few myths along the way.

High-level overview slide from our webinar with Crowe Horwath 

As the better known of the two, a HIPAA security risk analysis is a comprehensive assessment of all risks to ePHI (electronic protected health information), as HIPAA requires of healthcare providers and their business associates. By calculating risk from threat, vulnerability, likelihood and impact, providers can gauge their compliance with HIPAA’s required administrative, physical and technical safeguards. A risk analysis assesses how ePHI is created, received, maintained and transmitted within an organization. Every bona fide HIPAA risk analysis produces a remediation plan, a road map for fixing the security vulnerabilities the analysis found. For additional information and guidance on HIPAA risk analyses, visit the U.S. Department of Health & Human Services Office for Civil Rights (OCR) website.

Risk Analysis Pro

A gap assessment (also commonly called a HIPAA Compliance Program Review or Audit) compares the controls an organization has in place against the controls a chosen framework expects, to find where safeguards are missing or not working. This high-level review of an organization’s controls can be done against various control sets and frameworks, depending on the objectives of the gap assessment. Essentially, a gap assessment compares the safeguards an organization has on paper with the reality of how well those safeguards are working.

Question within the HIPAA One software regarding Gap Assessment and the HIPAA OCR Audit Protocol

HIPAA Gap Assessment in HIPAA One

While a gap assessment is without question an effective tool for locating vulnerabilities, OCR clearly states that a gap assessment is never a substitute for a bona fide risk analysis as required by the HIPAA Security Rule. Think of a gap assessment as an introduction to, not a replacement for, a risk analysis. When deciding whether your workplace should focus on a risk analysis or a gap assessment, our recommendation is always to comply with HIPAA first and tackle the risk analysis. Then, once the risk analysis is complete and remediation has begun, HIPAA One presents the gap assessment in the final report (below). Bottom line: never put your organization at risk by not complying with HIPAA or not completing a risk analysis.

At HIPAA One, we offer industry-leading automated HIPAA risk analysis software and professional services to help your organization “check the box” on this mandatory requirement and be audit-ready. Click here to learn more and to speak with a member of the team about our new software feature, Automated Templates, which measures compliance controls at the corporate level and then has them validated and updated by field office staff.

GDPR and the Impact on U.S. Healthcare Providers

A new acronym has begun popping up within the healthcare technology community and is slowly beginning to gain momentum in the way of media coverage and industry articles. If you’ve heard the term GDPR in the past few months and did not understand what it was referring to, know that you’re not alone. In fact, we conducted a recent webinar poll with over 300 registrants and found that 81% of providers did not know what GDPR was referring to, let alone its potential impact on the U.S. healthcare industry.

Defining GDPR

GDPR stands for General Data Protection Regulation, a new set of rules drafted by the European Union (EU) to give citizens more control over their personal data. Think of it as a stricter HIPAA for EU countries. Back in January 2012, the European Commission began working on plans to create data protection reform across the EU so that European countries would have greater controls in place to manage information in the digital age. Additionally, GDPR aims to simplify the regulatory environment for businesses so that both European citizens and businesses can benefit from a digital economy. Fast forward six years, and in just a few short weeks GDPR will take effect internationally (May 2018).

The Stateside Implications

The primary question we are asking ourselves at HIPAA One is how this framework will impact U.S.-based healthcare providers. Here’s what we know: U.S. companies do not need to have business operations in one of the 28 member states of the EU to be impacted by GDPR. The new set of rules will hold organizations around the world that store data belonging to individuals who live in the EU to a high level of protection, and those organizations must be able to account for where every bit of that data is stored.

The good news is that a large majority of U.S.-based healthcare providers will be relatively safe in terms of complying with GDPR. If your organization is not actively marketing its services in the EU or practicing in the EU, a data breach in which an EU citizen’s PHI is compromised would most likely be your most realistic brush with GDPR. For instance, a walk-in clinic in New York City seeing many international tourists has a much higher chance of being impacted than, say, a rural clinic treating mostly local residents. Providers in larger cities with more diverse patient groups will need to be extra vigilant regarding their breach notification standards and security posture.

Controller vs. Processor

An important concept for healthcare entities to grasp when thinking about GDPR is controllers vs. processors, which can be defined similarly to the way we view covered entities and business associates. A processor (business associate) processes data on behalf of a data controller (covered entity) and is required to protect the data just as a controller would. Much like the HIPAA regulations, GDPR requires controllers and processors to ensure a level of security appropriate to the risk by implementing technical and organizational measures to mitigate that risk. One way that controllers or processors can demonstrate such compliance is by adopting existing leading practices such as the COBIT, ITIL, NIST or ISO standards.

How to Prepare

With many unknowns still remaining about the true implications of GDPR for the American provider, there are a few ways your organization can prepare now to ensure a proper level of readiness.

  • Conduct HIPAA Security and Privacy and Breach Notification Risk Analysis – The HIPAA One SRA and PRA software addresses most of the recommended GDPR controls and checks the box on an important mandatory HIPAA requirement. Double win!
  • Review your current risk governance – An evaluation of your organization’s security posture is a great step in preparing for the growing international cybersecurity climate.
  • Conduct a GDPR Assessment – Our internal research concludes GDPR encompasses approximately 60% of the same standards and regulations as OCR’s HIPAA Audit Protocol (e.g. performing a HIPAA Security Risk Analysis per 45 CFR §164.308(a)(1)(ii)(A)). A complete and comprehensive set of Policies and Procedures can be used to bridge the gap of the remaining 40% of standards covered by GDPR.

Just as we try to do with all cybersecurity and HIPAA-related happenings both in the U.S. and abroad, the team at HIPAA One is committed to closely monitoring GDPR requirements and providing our readers with the most up-to-date information we have. As with all aspects of healthcare, sometimes it feels like the only constant is change. By getting your house in order now, your workplace will be well equipped to navigate any changes brought on by GDPR in the months and years to come.

Learn more about how your practice can get started with a bona fide HIPAA risk analysis today.

Cloud Security in Healthcare

Guest Blog by Yiannis Koukouras, TwelveSec in collaboration with HIPAA One

In our culture, something or someone is always trending. Whether it be bell-bottom jeans in the ’70s, playing Nintendo in the ’80s or watching the stock market go up and down (whenever!), trends are a lens through which we see the world. Much like trends in fashion or entertainment, our workplaces showcase various trends as well, and the healthcare information technology (HIT) community is no different. Currently, organizations migrating their data to cloud-based systems is a trend that shows no signs of slowing down anytime soon. The migration of healthcare records from “the closet down the hall” to the cloud is becoming commonplace for single-doctor practices and large health plans alike. The cloud allows organizations of all sizes to compete effectively in the new digital era and stabilize costs.

As this IT shift occurs, we can’t help but wonder: is cloud security truly secure? After all, an organization may transfer its security risks to an external provider, but does that organization understand that the responsibility for safeguarding the data cannot be transferred? For example, under HIPAA/HITECH it is the responsibility of the data owner to report a breach and assume the costs even if the breach was caused by a Business Associate (45 CFR §§ 164.400-414).

Is Your Cloud Provider Really Secure?

Currently the marketplace is saturated with cloud service providers. Public providers like Amazon Web Services (AWS), Microsoft Azure or Google Cloud dominate the landscape and offer cloud services at very competitive prices. Despite their brand recognition and reputation, do we have any assurance that AWS or Microsoft Azure are secure? Is the feeling of security with these companies real or a convenient illusion?

The truth is that these public providers are by design very secure; however, they are also delicate and susceptible to common, simple and unintentional configuration errors that can lead to data leakage and/or data loss. Safety belts in automobiles are statistically proven to save lives, yet it is still up to the driver and passengers to fasten them before embarking on the next drive. Within the last two years, over 1.5 million private medical records have become publicly available through Amazon Web Services due to misconfigured security settings on that service. The exposed data impacted organizations like Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.

Cloud Security Impacts Everyone

The common misconception is that only small organizations pay little regard to cloud security. However, two stories recently became publicly known regarding military data exposed on the Internet. The first included “dozens of terabytes” of social media posts identifying and profiling persons of interest for U.S. intelligence, while the other included a classified toolkit for potentially accessing U.S. military intelligence networks. Both were found on an open Amazon-hosted data silo, due to misconfigured access rights.

A large number of other data leakage stories have also made headlines recently, including major international players like Accenture, Verizon and Viacom. All of these stories share the same underlying theme: the affected companies were all placed in the awkward position of having to comment on misconfigured cloud accounts. These data breaches revealed that no cloud-deployed solution is bullet-proof, and each can only be as safe as its privileged users and administrators (the weakest link in the chain) allow it to be.

In an attempt to address cases like the aforementioned misconfigurations, in the fourth quarter of 2017 Amazon announced new security features and safeguards. These new features, which include data encryption and user warnings when data is publicly accessible, are a step in the right direction. However, because cloud services become more and more complex, with new features added every day, no one can rely solely on these new features to secure their cloud infrastructure.
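The misconfiguration the stories above have in common is storage that grants access to everyone. As an added illustration (not code from HIPAA One, TwelveSec or AWS), the following script checks two constructed S3-style settings, a bucket policy in the real S3 policy JSON format and an ACL grant list in the real grantee format, for grants to anyone, which is exactly the condition a provider’s console warning is meant to surface. The bucket name, account ID and owner ID are made-up sample values.

```python
"""Offline check for public-access misconfigurations in S3-style bucket settings.

Added illustration (not HIPAA One, TwelveSec or AWS code). The bucket policy and
ACL below are constructed samples; no AWS API calls are made.
"""
import json

# Grantee URIs AWS uses for "everyone" and for "any AWS account holder" in ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def _principal_is_public(principal) -> bool:
    """True if a policy statement's Principal is anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that are open to everyone.

    Deny statements with Principal "*" are a common hardening pattern, so only
    Effect == "Allow" is reported.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(grants: list) -> list:
    """Return (group, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


# Constructed sample policy: one statement scoped to a billing role, one open to the world.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BillingRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/billing-app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"},
    ],
})

# Constructed sample ACL: owner full control plus a world-readable grant.
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

Remediation for either finding is to remove the grant (or scope the Principal to the specific roles that need access) and then re-run the check; the same functions can be pointed at real policy and ACL documents exported from an account.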

Tip of the Iceberg

Because these cases were discovered on large public cloud providers like AWS, Microsoft Azure and Google Cloud, one can easily assume that any organization, regardless of size, is at risk. As IT professionals, we can only speculate about the cloud security vulnerabilities of private cloud environments, as not many cases have been analyzed in the international literature. In private cloud systems, functionality is prioritized over security. Unrelated but interdependent configurations must be sorted out in a limited amount of time, using different and possibly incompatible software vendors. These characteristics showcase just some of the potential misconfiguration threats to the confidentiality of your data in private cloud storage.

It is important to remember that all the aforementioned risks fall on healthcare providers while they try to remain HIPAA compliant, and this does not take into account the usual risks imposed on all online content. Negligent user activity or becoming a target of cyber-criminals remains a valid risk that requires urgent mitigation.

Cloud Security in Healthcare

Whether public or private, all cloud systems should be tested in order to identify vulnerabilities in an effort to become “cyber-proof.” Any exposure of sensitive data heavily impacts the image and reputation of healthcare providers. Cloud security testing is truly a necessity and should be implemented from the very first day your organization begins saving sensitive data on a cloud system. After weighing the cost of a data exposure, the value of investing in external IT security services only increases.

At TwelveSec and HIPAA One, our group of certified consultants can offer your organization a thorough assessment of your cloud systems’ security posture. By identifying gaps and vulnerabilities that may harm your enterprise and customer data, we are able to work together to secure your systems and address the following:

  • Assess the security of your cloud infrastructure,
  • Review your cloud security policies and
  • Test your cloud Applications against unauthorized usage.

As a team at HIPAA One, we understand Platform-as-a-Service security concerns through first-hand experience. Contact us today for a free application security consultation to find the most effective way to ensure the risks of unauthorized access to your organization’s data are minimized.

Missed your SRA in 2017? Here’s How to Avoid a MIPS Penalty

First, do your HIPAA Security Risk Analysis immediately to reduce the chances of a breach while maintaining compliance with all Federal reimbursement programs. With mere days left before the March 31st MIPS submission deadline, if you have not already pulled together the necessary documentation for the previous calendar year, now is the time to do so! For all those last-minuters, we have some guidance to assist in your efforts.

One of the most important concepts to understand about the 2017 MIPS program is the grace that is being extended by CMS. In fact, 2017 is being considered a “transitional year,” meaning providers do not need to have all three measurements in place to avoid penalties and gain incentives – GOOD NEWS! As a reminder, these measurements include: Quality Measures, Advancing Care Information (security risk analysis required) and Improvement Activities.

While at HIMSS last week, we reached out to CMS and received the following guidance for providers:

“The provider does not need to submit to the advancing care category at all if they did not perform the SRA. They can optionally do so but they will not be able to earn an advancing care performance category score if they select no to the measure. Here is a link to our 2017 Quality Payment Program Resource Library which includes many guides on the Quality Payment Program. Included in the Resource Library, there is the MIPS 101 Guide which includes the pick your pace test option on page 15 and 17 and describes the submission of 1 quality measure OR 1 improvement activity will ensure that the provider will avoid a negative payment adjustment. Some key information on the process of submission is included in the Data submission fact sheet and a Merit-based Incentive Payment System (MIPS) data submission video.” – CMS Division of Health Information Technology

Additionally, if the provider is in an Alternative Payment Model (APM) group, CMS broke down the groups below:

For Shared Savings Program Participants

“ACOs in the Shared Savings Program submit quality measures to the CMS Web Interface on behalf of their participating providers and MIPS eligible clinicians. The Shared Savings Program measures and corresponding benchmarks will also be used to determine the MIPS quality performance category score for all MIPS eligible clinicians in each ACO. Therefore as long as your ACO submits all of the required Shared Savings Program Web Interface measures, then you do not need to report the MIPS quality performance category separately.”

For Next Generation ACO Model Participants

“ACOs in the Next Generation ACO Model submit quality measures to the CMS Web Interface on behalf of their participating clinicians. The Next Generation ACO measures and corresponding benchmarks will also be used to determine the MIPS quality performance category score for all MIPS eligible clinicians in each ACO.”

For All Other MIPS APMs

“Under the Quality Payment Program, the APM Entity group in these APMs will not be required to report quality in the first MIPS performance period. This does not change any CMS requirements to report quality measures as part of your participation in the APM.”

A few important FYI’s related to penalties:
  • To Avoid the 4% Penalty – Providers must submit something, at least one item from one of the measurements listed above
  • To Avoid the Penalty and ATTEMPT to Earn a Positive Payment Adjustment – Providers can participate partially and CMS determines payment based on what is submitted
  • To Avoid the Penalty and RECEIVE a positive payment adjustment – Providers will need to participate for the full year and complete all measurements
  • If No Participation or Action is Taken – A 4% penalty will be applied

In the event your workplace did not conduct a HIPAA security risk analysis in 2017, you can still avoid the 4% penalty by submitting something from the other measurement categories (Quality or Improvement Activities).

Finally, there is no time like the present to complete a bona fide HIPAA Security Risk Analysis! Checking this box will immediately reduce your chances of a breach while maintaining compliance with all Federal reimbursement programs. Get started today!

Consequences for HIPAA Violations

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before: another business closed, with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations of the HIPAA Privacy Rule. Once a medical records storage company for covered entities, Filefax shut its doors during the OCR investigation yet could not escape the additional fines and penalties that followed after its doors were closed. The bottom line: HIPAA violations do not stop just because a business closes.

The consequences of HIPAA violations are significant and far-reaching. Beyond the financial ramifications, organizations stand to lose their reputation and good standing, client/patient trust and their ability to operate a business. It can take organizations months, even years, to recover from penalties, if they ever do. So why have so many of us read the headlines but not heeded the warnings?

What Qualifies as a HIPAA Violation?

A HIPAA violation occurs when either a covered entity (CE) or business associate (BA) fails to comply with one or more provisions of the HIPAA Security, Privacy or Breach Notification Rules. Violations may result for a number of reasons and may be deliberate or unintentional.

  • Example of a Deliberate Violation – Inadequate Privacy training for clinical staff which results in a patient complaint regarding disclosure of their full identity through a verbal announcement in a waiting area or hospital emergency room.
  • Example of an Unintentional Violation – Commonly this is a symptom of negligence, such as: failure to complete a Security Risk Analysis, failure to employ encryption for laptops/electronic media resulting in loss/theft, or failure to maintain policies and procedures instructing staff members on how to appropriately handle protected health information (PHI).

Penalties and Fines

The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation. Some HIPAA violations can be expensive, and they vary greatly in cost based on the level of negligence displayed. Contrary to what the headlines may lead you to believe, OCR will first strive to resolve violations using non-punitive measures, such as issuing guidance to help the provider fix the problem areas without issuing a fine; however, that is not always possible.

If a penalty is issued, it can range in cost from $100 to $50,000 per violation (or record), with a maximum penalty of $1.5 million per year for violations of an identical provision. OCR takes many different factors into account when determining the appropriate financial penalty and uses a four-tiered approach, as shown in the image below. A few of these factors include the number of patients affected, what specific data was exposed and for how long. Along with the financial ramifications, HIPAA violations can also carry criminal charges that may result in jail time if warranted.

Avoidance is Key

Given that the stakes are high and much is on the line, how does a practice or organization protect itself against HIPAA violations? Show due diligence. The best place to start is a comprehensive, organization-wide HIPAA risk analysis to determine any gaps in compliance. Without baseline knowledge of their security, privacy and breach-notification posture, both CE’s and BA’s operate day to day unaware of their security vulnerabilities, which can directly lead to HIPAA violations and data breaches.

Unsure where your organization stands? Take our short 5-minute HIPAA compliance quiz designed to quickly outline your organization’s basic level of compliance.