
ALERT! Email Disguised as OCR Communication

In recent years, many of us have become familiar with email phishing scams. These fraudulent messages are designed to take the recipient's money and/or identity under false pretenses. Phishing emails often create confusion by impersonating familiar, trusted sources. Examples include:

  1. FedEx/UPS/USPS or other shipping notices
  2. Online banking
  3. Invoices sent from impersonated email addresses
  4. Facebook and social media

Yesterday, the Office for Civil Rights (OCR) issued a notice regarding a phishing email scam targeting employees of HIPAA covered entities and their business associates.

The email being circulated appears to be official government communication on mock U.S. Department of Health & Human Services (HHS) letterhead and includes the signature of OCR's Director, Jocelyn Samuels.

The fraudulent email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm's cyber security services.

It is imperative that covered entities and their business associates understand that this cyber security firm is in no way associated with OCR's audit communications, and the email should not be acted upon if received. We recommend that training and awareness cover this type of phishing email as part of the overarching cyber security program.

In the event that you or your organization has a question as to whether it has received an official communication from OCR regarding a HIPAA audit, email: OSOCRAudit@hhs.gov.
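As an added example (not part of the OCR notice or this post), the check below applies the two tells described above to a constructed message: the From: domain and every link target are compared against hhs.gov, so a message that looks like OCR correspondence but sends the reader to a marketing site is flagged. hhs.gov is the only real domain; the sending domain, recipient and link hosts in the sample are invented.

```python
"""Flag an email that claims to be OCR/HHS correspondence but leads elsewhere.

Added example, not code from the original post. The sample message is
constructed; hhs.gov is the only real domain, and the sending domain,
recipient and link targets are made up.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAIN = "hhs.gov"

# Constructed sample modelled on the notice: official-looking subject,
# a link to an audit "portal" that is not an hhs.gov host.
SAMPLE_EML = """\
From: "Office for Civil Rights" <audit@hhs-audit-notice.example>
To: privacy.officer@clinic.example
Subject: HIPAA Privacy, Security, and Breach Rules Audit Program
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your organization may be selected for the Audit Program.</p>
<p><a href="http://hhs-audit-notice.example/audit">Confirm your status</a></p>
<p>Reference: <a href="https://www.hhs.gov/ocr/">www.hhs.gov/ocr</a></p>
</body></html>
"""


def is_under(host, domain):
    """True if host is domain itself or a subdomain of it (no suffix tricks)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_domain(msg):
    """Domain of the From: address, ignoring the display name."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_links(html):
    """Collect href targets; a real gateway would use an HTML parser."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)


def analyze(raw_message):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sdom = sender_domain(msg)
    if not is_under(sdom, TRUSTED_DOMAIN):
        findings.append(f"sender domain {sdom!r} is not under {TRUSTED_DOMAIN}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for link in extract_links(text):
        host = urlparse(link).hostname
        if not is_under(host, TRUSTED_DOMAIN):
            findings.append(f"link {link} resolves to host {host!r}, not {TRUSTED_DOMAIN}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG:", finding)
```

The From: header is trivially forged, so treat the sender check as a weak signal and the link-target check, together with the SPF/DKIM/DMARC results your mail gateway records, as the stronger one. A message that claims to come from OSOCRAudit@hhs.gov yet fails authentication or links off hhs.gov is exactly the case to verify with OCR at that address before anyone clicks.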

Fighting Ransomware: A Success Story

When the HHS Office for Civil Rights released the HIPAA guidance on ransomware in the summer of 2016, collectively the health care community sat up and took notice. The guidance (found here) outlines various activities required by HIPAA that assist organizations in the prevention and detection of threats. One of the key activities listed in the guidance is completing an annual Security Risk Analysis.

As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis.  By utilizing the HIPAA One® Security Risk Analysis (SRA) tool, I am able to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site with one of our clients, which I will call “Care Health” to preserve their confidentiality, working on organization-wide identity protection. Care Health utilizes our SRA to safeguard their critical data and provide security and protection from Ransomware, malware and the proverbial “sophisticated malware attacks”.

While at the Care Health office, two staff members in the Billing department were using shared files on a network-mapped drive (e.g. the N: drive). One of them noticed that new files were spontaneously appearing and that the file icons in the network folder were changing. Watching the changing file names, she saw one appear as ransom.txt.

Acting quickly, she contacted the IT Helpdesk for assistance. The Helpdesk had been trained to escalate all security-related service-desk requests immediately to the HIPAA Security Officer (HSO). Upon being notified of the issue, the HSO logged into the N: shared drive and found that files were slowly being encrypted!

How do you stop a Ransomware attack?

Promptly, the HSO ran Bitdefender full scans on the Billing department computers and found nothing. He then installed and ran Microsoft's built-in Windows Defender, which has the most current malicious software removal signatures on Server 2012, and found Tescrypt. Installing Windows Defender on the two desktops not only detected the infection but also removed it.

This specific Ransomware variant had somehow infected the systems and was systematically encrypting these files. Thankfully, the quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before any patient data was compromised. Following the incident, backups were used to restore the few dozen encrypted files on the network drive. Due to appropriate safeguards and training, the Care Health team was ready and a crisis was averted.

A configuration review of Care Health's security appliances showed that WebSense was configured to allow "zero-reputation" websites through. Zero-reputation websites are new sites with no established reputation and are commonly used by attackers to deliver these types of attacks. At Care Health, the Ransomware apparently came from a legitimate website carrying an infected banner ad served from a zero-reputation source. The banner ad was configured to trigger a client-browser download before the user was allowed to see the legitimate page. This forced visitors to download the executable from the banner ad and unknowingly install the Ransomware on their local computers. Once installed, the Ransomware began encrypting files on the higher-lettered network drives. Blocking the zero-reputation category in the web filter closes this delivery path.
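The signals in this story (files suddenly renamed with an unfamiliar extension, a burst of modifications from one account, a ransom note appearing on the share) are what a file-server audit log or an endpoint agent can pick up automatically instead of relying on a staff member watching icons change. The monitor below is an added example, not code from Care Health or HIPAA One: it replays constructed file-change events for the N: drive and raises alerts on those three signals. The note names, extension list (the TeslaCrypt family Microsoft calls Tescrypt used several of these) and thresholds are assumptions to tune for your environment.

```python
"""Spot ransomware-style activity in file-share change events.

Added example, not code from the original post. The events are constructed
to mirror the story (a burst of renames on the N: drive, then ransom.txt);
the note names, extension list and thresholds are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath  # the share is a Windows mapped drive, so parse paths Windows-style

RANSOM_NOTE_NAMES = {"ransom.txt", "readme_to_decrypt.txt", "how_to_recover_files.txt"}
# Extensions TeslaCrypt ("Tescrypt") variants appended, plus generic ones;
# illustrative, not exhaustive.
SUSPECT_EXTENSIONS = {".ecc", ".ezz", ".exx", ".vvv", ".ttt", ".micro",
                      ".encrypted", ".locked", ".crypt"}
BURST_THRESHOLD = 20                  # modifying ops by one user inside the window
BURST_WINDOW = timedelta(seconds=60)
MODIFYING_OPS = {"create", "rename", "write"}


class ShareMonitor:
    """Stateful detector fed one file event at a time, oldest first."""

    def __init__(self, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # user -> timestamps of modifying ops
        self.ext_flagged = set()           # users already flagged for extensions

    def handle(self, event):
        """event: {"ts": datetime, "user": str, "op": str, "path": str}.
        Returns the alerts this event triggers (usually none)."""
        alerts = []
        user, op, path = event["user"], event["op"], event["path"]
        name = ntpath.basename(path).lower()
        ext = ntpath.splitext(name)[1]

        # 1. A ransom note is the clearest signal the staff member saw.
        if op == "create" and name in RANSOM_NOTE_NAMES:
            alerts.append(f"ransom note {path} created by {user}")

        # 2. Files written with a known ransomware extension (alert once per user).
        if op in MODIFYING_OPS and ext in SUSPECT_EXTENSIONS and user not in self.ext_flagged:
            self.ext_flagged.add(user)
            alerts.append(f"{user} wrote {path} with suspect extension {ext}")

        # 3. Burst of modifications: sliding window per user, alert once when crossed.
        if op in MODIFYING_OPS:
            q = self.recent[user]
            q.append(event["ts"])
            while q and event["ts"] - q[0] > self.window:
                q.popleft()
            if len(q) == self.threshold:
                alerts.append(f"{user} modified {len(q)} files within "
                              f"{int(self.window.total_seconds())}s")
        return alerts


def constructed_events():
    """Constructed sample: one normal user, one account mass-renaming files."""
    t0 = datetime(2016, 9, 1, 9, 0, 0)
    events = [
        {"ts": t0, "user": "asmith", "op": "write", "path": r"N:\Billing\claims_aug.xlsx"},
        {"ts": t0 + timedelta(seconds=40), "user": "asmith", "op": "write",
         "path": r"N:\Billing\notes.docx"},
    ]
    for i in range(25):
        events.append({"ts": t0 + timedelta(seconds=i), "user": "jdoe", "op": "rename",
                       "path": rf"N:\Billing\invoice_{i:03d}.pdf.vvv"})
    events.append({"ts": t0 + timedelta(seconds=26), "user": "jdoe", "op": "create",
                   "path": r"N:\Billing\ransom.txt"})
    return sorted(events, key=lambda e: e["ts"])


def run(events):
    """Feed events through one monitor and collect every alert."""
    monitor = ShareMonitor()
    alerts = []
    for ev in events:
        alerts.extend(monitor.handle(ev))
    return alerts


if __name__ == "__main__":
    for alert in run(constructed_events()):
        print("ALERT:", alert)
```

Feeding it real events means enabling object-access auditing on the share or consuming the file server's audit log. The burst alert is the one that buys time: it fires after twenty modifications, which is early enough to disable the offending account or session before a whole share is encrypted, the step the HSO in this story had to take by hand.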

Next steps…

Unfortunately, Ransomware is here to stay and the number of attacks is rising. Now more than ever, it is critical that health care organizations have updated policies and procedures in place to prevent these attacks, along with a comprehensive user training and awareness program. Let the Care Health incident be a reminder that a well-trained employee is an organization's best defense against Ransomware, Phishing and sophisticated malware attacks.

The HIPAA One® software suite offers an automated approach to implementing and maturing your organization’s HIPAA Security Compliance Program. To learn more, visit us at  https://www.hipaaone.com/contact/

OCR’s Updated HIPAA Audit Program – What you need to know

With the peak of patient breaches hopefully behind us (e.g. Anthem/WellPoint, Premera, Blue Cross and others in 2015), it is clear the industry has struggled to properly secure electronic protected health information (ePHI). As such, the federal government has stepped in to ensure measures are in place to secure ePHI, to enforce the privacy rules granting all of us access to our health information, and to make it illegal to discover a breach and not take appropriate steps to notify those affected.

The Office for Civil Rights (OCR) is a division of Health and Human Services with responsibility for ensuring industry compliance with an individual's privacy rights and the safeguards required for ePHI, and for investigating an organization's diligence when breaches occur. Part of OCR's mandate is also to audit whether the industry is adopting compliance efforts, reducing the risk of breaches and improving health care. This is called the HIPAA Audit Program, and it uses a set of instructions, called the Audit Protocol, to test compliance.

Phase 1 of the HIPAA Audit Program officially ended, and Phase 2 was announced on March 21, 2016 by Health and Human Services. In April 2016, OCR released the updated HIPAA Audit Protocol. To clarify, the HIPAA law itself has not changed since the Omnibus update in 2013, but the government's auditing of compliance has been updated and expanded.

The HIPAA Audit Protocol is something the healthcare IT compliance and audit communities have been asking for for a long time: more guidance on HIPAA regulations. Alongside NIST-based risk analysis methodologies, this new set of protocols (instructions) is the most comprehensive guidance we have for HIPAA security (safeguards around ePHI), privacy (rights to and restrictions on PHI) and breach notification requirements (what to do when a breach of PHI happens). The graphic below shows the number of top-level HIPAA citations covered under OCR's checklist, color-coded by discipline:

HIPAA Audit Protocol 2016

To summarize the changes between Phase 1 and Phase 2 of the Audit Program:

What it was – Phase 1 of OCR's Privacy, Security and Breach Notification Audit Program:
  1. HITECH added Breach Notification to HIPAA and mandated OCR's Audit Program.
  2. Contained 169 total protocols.
  3. The pilot program included 115 covered entities.
What it is now – the HIPAA Audit Program, Phase 2:
  1. OCR is implementing Phase 2 to include both CEs and business associates (every covered entity and business associate is eligible for an audit).
  2. Provides an opportunity for OCR to identify best practices, risks and issues before they result in bigger problems (e.g. a breach) through the expanded random audit program.
  3. 180 enhanced protocols (groups of instructions), which contain the following updates:
    1. Privacy – 708 updates (individual lines of instructions)
      1. The most notable changes are more policies and procedures surrounding the HIPAA Privacy Officer as well as some changes for Health Plans and Business Associates.
    2. Security – 880 updates (individual lines of instructions)
      1. The most notable changes are that Health Plans must have assurances from their plan sponsors and all companies now have to get proof of HIPAA compliance from their business associates, vendors and subcontractors.

With so many recent changes, it is clear that checklists, spreadsheets, the ONC's SRA tool, HITRUST and most commercial compliance software packages are now out of date with respect to the new HIPAA Audit Protocol. As we approach the end of the Meaningful Use incentive program, we risk having a high number of covered entities using outdated software tools for modern HIPAA compliance requirements.

Regarding the HIPAA Audit Protocol’s compliance date, says Brad Trudell of MetaStar, “Remember it’s intended to detail the specific questions OCR plans to ask in Phase 2 audits to determine compliance with the previously existing HIPAA/HITECH requirements.  If possible, CEs/BAs should use the protocol as the basis for conducting their own internal audits to make sure compliance is whipped into shape before the REAL auditors come knocking.”

In other words, the compliance date would match the release date – April of 2016 (about 2 months before this article was written).

Specific steps to take in light of the new HIPAA Audit Protocol:
  1. Check your "Clutter", "Junk" or "Spam" folders to ensure that an email sent from OSOCRAudit@hhs.gov (the OCR audit office) is forwarded to the appropriate person (e.g. Compliance Officer, legal counsel, etc.) and responded to accordingly. Because a sender address can be spoofed, confirm any audit notice with OCR at that same address before acting on it. An example of the email is here.
  2. Conduct an accurate and thorough HIPAA Security Risk Analysis. Be sure to include Privacy and Breach Notification assessments, since these are often overlooked.
  3. Review your organization's policies and procedures along with the associated processes, compliance programs and other supporting documentation proving compliance. For gaps, update processes, policies and procedures to address the identified issues.
  4. Address risks found in previous risk analysis efforts. This requires documented progress on gaps in compliance and the associated vulnerabilities (e.g. installing enterprise-wide encryption, implementing a training and awareness program, updating policies and procedures). This also includes keeping supporting documentation that tracks these updates.
  5. Identify who your business associates (BAs) are (or the subcontractors a BA would give PHI to in order to facilitate a particular service for the upstream BA). Get a copy of each signed BA Agreement, ensure your agreements are updated per the HIPAA Omnibus update (after March 2013), and collect proof (e.g. reasonable assurances) that the BA or subcontractor actually has a HIPAA Security, Privacy and Breach Notification assessment and/or other proof of compliance (e.g. proof of encryption, training and awareness, policies and procedures).
  6. Ensure any software tools used are updated for the new release of OCR's HIPAA Audit Protocol (i.e. Phase 2 of the Audit Program), so that your risk management and compliance program is compliant today (not months from now).

Why invest in yesterday’s Audit Protocol?  HIPAA One® announced on June 15, 2016 they are current with the OCR’s Phase 2 of the Audit Program.  To learn more on how your organization can simplify and automate HIPAA Security, Privacy and Breach Notification Assessments, Mock-Audits and Risk Analysis in compliance with the HIPAA Audit Protocol, HITECH and NIST-based methodologies contact us or email info@hipaaone.com.


Meaningful Use Attestation Extended!

Instead of “hoping” not to get audited, consider this:  your organization can have guaranteed compliance with HIPAA One® because CMS has extended the Meaningful Use attestation period to February 29, 2016!

HIPAA Isn’t Going Away

Good news – with the mixed bag of recent news from CMS, the boat has not yet left the dock! If you used a "last-minute" spreadsheet or checklist to meet the December 2015 deadline, the odds of passing an audit are not good. Take advantage of the extension and guarantee compliance with HIPAA One®.

Both Meaningful Use Stage 1 and Stage 2 require that a Security Risk Analysis be completed as part of the Medicare and Medicaid EHR Incentive Programs. In spite of the recent proclamation from CMS that MU will end in 2016, any Eligible Professional (EP) or Eligible Hospital (EH) must still file for 2015. The specific requirements to "Protect Electronic Health Information" are described by CMS as listed in the following table:

Table 1: CMS requirements to "Protect Electronic Health Information"

The filing period for Meaningful Use attestation and reporting is from January 4 through February 29, 2016. This means that if you were not able to complete your Security Risk Analysis (SRA) during calendar year 2015, there is still time! The SRA will need to cover 2015 and cannot be used for the 2016 reporting year.

HIPAA One® has a simple and automated solution for the SRA process, using a cloud-based, step-by-step approach (see the quick video here: https://youtu.be/9G_B7U_pnuo). As such, you will be able to comprehensively address the HIPAA required safeguards (listed below) in an efficient, logical and clear fashion:

Table 2: HIPAA required safeguards

A "new program" is slated to be announced by CMS on or about March 25, 2016 that will replace (some think "augment") the current MU program. It will focus less on technology adoption and more on clinical outcomes and value-based reimbursement. There will also be special attention paid to APIs and interoperability. That said, data security will still be of paramount concern.

The new MACRA (Medicare Access and CHIP Reauthorization Act of 2015) program will still include some version of the EHR incentive (not yet defined) and certainly will still include the Security Risk Assessment.  The key elements are The Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs).

HIPAA One®’s take:

With respect to the MU Program:

  • Current participants still need to complete attestation / reporting:
    • By 02/29/2016
    • HIPAA Security Risk Analysis (SRA) is always required
  • A “new program” is slated to be announced on or about 03/25/2016
    • There will still be quality and process measures
    • The SRA is still a requirement – ePHI Systems/Assets always need to be secured
    • The new program will focus on “patient outcomes rather than technology use”
  • The new MACRA program will still include some version of the EHR incentive (not yet defined)

With respect to DHHS OCR:

Common Sense:

  • HIPAA Security Risk Analysis is the benchmark for any Risk Management Program
  • Reducing risk to patient breaches is saving goodwill, time and money
  • HIPAA One® provides operational clarity for staff to know what is needed to maintain a great code of conduct
  • Keep your Meaningful Use Incentives and avoid payment discounts by maintaining automated documentation proving compliance

Prevent HIPAA Violations
Get Started by Contacting Us Today

HIPAA One® has over 1600 sites leveraging the streamlined, best-of-breed cloud-based HIPAA Security Risk Analysis Software (SRA) and has a fully-certified Audit Support Team (AST) to provide support & consulting solutions.   We have a full-service package for awareness training, Privacy, Breach Notification, Policies and Procedures, and more.

Contact us today at www.hipaaone.com/contact to learn more. HIPAA One® guarantees compliance for your 2015 Meaningful Use Security Risk Assessment under 164.308(a)(1)(ii)(A), so you can be assured you are compliant.

AHCCCS Audit Notice Announced

Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) Notifies AHCCCS of IT System Security Audits

Courtesy of DHHS


HIPAA One® works with several Health Plans and Clinics that operate a Managed Care Organization (MCO) in the great state of Arizona, providing AHCCCS audits pursuant to Policy 108 and HIPAA. As such, we have helped these clients respond to several audits since Policy 108 took effect in 2013.

Yesterday the Arizona Health Care Cost Containment System (AHCCCS) was notified by the DHHS OIG that it will be performing on-site audits of three Managed Care Organizations regarding IT system security. To summarize the notice:

  1. The MCO audits may begin as soon as November 2, 2015.
  2. One MCO will be audited this year, and two more MCO audits will likely be performed in 2016.
  3. DHHS OIG will provide a draft report with the combined findings to AHCCCS.
  4. A final report of the combined audit findings will be published with non-identifying information.
  5. The first MCO will be contacted Monday, October 19, 2015.

As of October 2013, the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

What this means is that any Covered Entity involved with Medicaid reimbursements must use a third-party service to conduct a Data Security Audit.

In March of 2015, we posted an update to our AHCCCS blog with AHCCCS's response to our annual guidance request:

“Every standard should be reviewed every year.  We do the exact same thing ourselves.  Even those that were identified as the compliant ones should be reviewed to make sure there haven’t been any changes and they are still compliant…”

You can find the updated Policy 108 compliance guidance here, that states the audit needs to be done every year, and must be submitted using third-party attestation by June 1st:

 Policy 108 – AHCCCS SECURITY RULE COMPLIANCE

In Audit and Security circles, this is a HIPAA Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions.  This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled including attachments proving compliance/functional controls.  For those who need a full SRA report that has proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at info@hipaaone.com.

HIPAA One partners with athenahealth

athenahealth

Lindon, UT – August 28, 2015 HIPAA One, a provider of HIPAA Security and Privacy Compliance software, today announced that it has partnered with athenahealth, Inc. through athenahealth’s More Disruption Please (MDP) program, making HIPAA One part of the athenahealth Marketplace offerings. Together, the companies will work to link athenahealth’s growing network of more than 67,000 healthcare providers with the capabilities of HIPAA One to make healthcare providers more successful, profitable, and responsive to patient needs.

“HIPAA One delivers a powerful tool for Covered Entities and Business Associates,” said Steven Marco, President of HIPAA One. “We have disrupted the HIPAA Audit space by automating 78% of the mundane, labor-intensive and error-prone activities of the risk analysis and documentation. Thousands of sites are already using HIPAA One. Through our partnership with athenahealth, we can leverage our experience in HIPAA compliance and help athenahealth clients more easily identify real risk to their organizations, reduce costs and make the sometimes intimidating process of responding to an audit as simple as clicking the “download report” button. We guarantee HIPAA compliance with the Security Rule when using HIPAA One and will be offering discounted pricing for athenahealth providers.”

athenahealth is a cloud-based services company with a vision to build an information backbone to help make health care work as it should. Through the MDP program, athenahealth is accelerating high-value innovation via the cloud, offering new services to help providers thrive in the face of industry change and pressure.  MDP partners with innovators, entrepreneurs, companies, and individuals who are passionate about disrupting established approaches in health care that simply aren’t working, aren’t good enough, or aren’t advancing the industry.

To learn more about athenahealth’s MDP program and partnership opportunities please visit www.athenahealth.com/disruption.

About HIPAA One

We work tirelessly to provide the best HIPAA compliance software and professional services in the industry.  Owned and professional services provided by Modern Compliance Solutions, HIPAA One® was designed from the ground-up to be the most simple, automated and affordable solution.

Our goal is to establish long-term relationships with our clients and partners to be “everything HIPAA” under one roof.  To be the resource for seasoned audit professionals looking for 3rd party assurances and those who seek a solid foundation in HIPAA Compliance for their organizations.

To learn more about HIPAA One, please visit https://www.hipaaone.com.

Contact Info

Bobby Seegmiller

HIPAA One

bobby@hipaaone.com

801.770.1199

HIPAA One Makes UVEF’s Top 25 Under 5 List

The Utah Valley Entrepreneurial Forum annually recognizes and awards Utah companies that have been in business for five years or less, and HIPAA One came in at No. 14 on this year's UVEF Top 25 Under 5 list.

Besides being less than five years old, Utah businesses wanting to apply also have to demonstrate financial growth and employment opportunity. After applying, UVEF ranks and awards companies based on an algorithmic analysis of their revenue, economic impact and scalability for the year.

This is HIPAA One's first UVEF award, earning the No. 14 spot with its top-of-the-line and easy-to-use cloud-based HIPAA Security software.

Steve Marco, President and Founder of HIPAA One, made the following statement after receiving the award,

We at HIPAA One are honored to receive this award.  It is a sign we are growing and working with the right people.  Thank you UVEF!

HIPAA One's software is beneficial for healthcare providers and their business associates. It is made for employees who are seasoned HIPAA Security experts and for those who have limited knowledge of HIPAA Security. It allows each type of employee to quickly identify any vulnerabilities or gaps in HIPAA compliance and then formulate their own plan of action to remediate these risks.

HIPAA One's Security software saves healthcare companies from having to pay millions of dollars in fines and from spending weeks or months on a process that only needs to take a few hours to complete. The software is simple, affordable and guaranteed to provide compliance and peace of mind to each of its users.


Data Security Audits Required For Covered Entities Involved With Medicaid Reimbursements

UPDATED 3/9/2015

For those who are unaware, as of October 2013 the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

What this means is that any Covered Entity involved with Medicaid reimbursements must use a third-party service to conduct a Data Security Audit.

As part of the AHCCCS Security Rule Compliance steps, Contractors must conduct a Data Security Audit then submit an AHCCCS Security Compliance Report to the Division of Healthcare Management (DHCM) for review and approval by June 1.  This security audit needs to be performed by an independent third party on an annual basis.

We at MCS believe this is for purposes of accountability and segregation of duties.  We use the most simple, automated and affordable cloud-based HIPAA Security Compliance and Risk Analysis solution called HIPAA One®.  HIPAA One® provides several benefits including preparing for an OCR/OIG audit, HIPAA Security Officer training checklist/interviews, and ongoing remediation planning with reporting.

We can help conduct the Data Security Audit and attest per the AHCCCS Contractor Operations Manual, Chapter 100 – Administration, filling out Attachment A: AHCCCS Security Rule Compliance Summary Checklist as part of our service. We already cover these items as part of the 78 HIPAA Security citations in the OCR Audit Protocol, OCR's Guidance on HIPAA Security, and the Meaningful Use Stage 2 requirements.

HIPAA One® can help – please contact us at 801-770-1199, email at support@hipaaone.com, or visit us at www.hipaaone.com for more information.

UPDATED 3/9/2015

MCS has just received word from AHCCCS in response to a 2015 guidance request:

Every standard should be reviewed every year.  We do the exact same thing ourselves.  Even those that were identified as the compliant ones should be reviewed to make sure there haven’t been any changes and they are still compliant…

You can find the updated Policy 108 compliance guidance here; it states that the audit needs to be done every year and must be submitted with third-party attestation by June 1st:

108 – AHCCCS SECURITY RULE COMPLIANCE

In Audit and Security circles, this is a Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions.  This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled including attachments proving compliance/functional controls.  For those who need a full SRA report that has proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at info@hipaaone.com.

HIPAA One® 2.0 Is Live

As of February 14, 2014 we are live with 2.0! After 3 months of full-time beta testing, we felt confident in HIPAA One® 2.0's ability to function without bugs and pushed it into production on http://login.hipaaone.com.

The following audiences can take advantage of HIPAA One®:

  1. Healthcare Clinic and Administrative staff
  2. HIPAA Compliance, Security and Privacy Officers
  3. Audit and Healthcare Consultants
  4. Business Associates
  5. Fraud and Abuse Professionals

Our new features in 2.0 include:

  1. Executive dashboards for remediation tracking progress.
  2. Added subjective “Risk Remediated” checkbox for remediation plan updates.
  3. Parent-Child relationship for regional and affiliated Clinic and Hospital organizations.
  4. Import/convert historical HIPAA One® Risk Analysis data for simple Risk Analysis updates.
  5. ePHI System Administrator role added to better handle multi-EHR, EPM, PACS, RIS, and ePHI system environments.
  6. Can marry ePHI System to existing or new location – avoiding redundant questions.
  7. Improved workflow for cloud or hosted systems.
  8. Compliant with Meaningful Use Stage 2 (CM 7/9 for EH/EP) and Stage 1 (CM 14/15 for EH/EP) requirements.
  9. Added ASTM E2147-01 and 45 CFR 170.314(d)(1) through (d)(9).
  10. Automated Shopping cart functionality for customized product quotes.

Valentine’s Day 2014 was a big day both for the Healthcare Industry and Bobby – the HIPAA One® Mascot!

The Number of HIPAA Data Breaches Jumps 138 Percent Since 2012

When it comes to HIPAA Security and HIPAA Privacy, numbers do most of the talking, and according to recent reports the number of HIPAA data breaches has increased by 138% since 2012.

Another mind-boggling statistic is that 29.2 million patient health records have been compromised in HIPAA data breaches since 2009, according to Redspin, which compiled these numbers in a February 2014 breach report.

But these numbers are skewed, since not all breaches are reported. Any breach that involves fewer than 500 people's health records isn't required to be publicly reported. Lisa Gallagher, senior director of privacy and security for HIMSS, said at the 2012 Boston Privacy and Security Forum that it is more likely that 40-45 million patient health care records have been compromised. While she said that is a more accurate number, it can't be confirmed since all the data isn't there.

Redspin also broke down the causes of HIPAA privacy and security breaches since 2009: 83 percent involved theft, 35 percent the theft or loss of unencrypted devices, 22 percent unauthorized access and 6 percent hacking. Many of these breaches could have been avoided with consistent risk analysis. Risk analysis failures top the list of the most prevalent security issues for business associates and covered entities, based on complaints received by OCR.

While business associates were involved in most of the larger-scale breaches from 2009-2012, only 10 percent of breaches involved a business associate in 2013. Business associates and covered entities that violate the HIPAA privacy and security rules can face up to $1.5 million in annual fines under the HIPAA Final Omnibus Rule. Only 17 of the 90,000 HIPAA cases received by OCR since 2003 have resulted in fines, but it is anticipated that those numbers will go up, especially since the official audit program goes live this year.

Source: HealthCareITNews.com